CN100454806C - Safety group broadcast management system and method - Google Patents
- Publication number
- CN100454806C, CNB2004100706938A, CN200410070693A
- Authority
- CN
- China
- Prior art keywords
- information
- multicast
- user
- subsystem
- authentication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The present invention discloses a secure multicast management method. Before multicast communication, all parties to the communication are initialized: the multicast environment is configured, a public/private key pair is generated for each communication member, the authentication/authorization file is created, communication keys are generated, and permissions are assigned to each communication member. During multicast communication, the multicast communication keys are updated or distributed to the communicating parties; information sent by multicast users is encrypted and signed; and received multicast information is decrypted and source-authenticated. If the multicast information was sent by its claimed sender, data transmission proceeds normally; if not, the data is filtered out. During multicast communication, the data of each communicating party is collected and recorded in real time, and communication conditions and network resources are monitored so that abnormal situations are discovered and handled promptly. The invention provides comprehensive real-time monitoring and security management of the multicast communication process and is suitable for various multicast application environments.
Description
Technical field
The present invention relates to a security management system and method applied to computer network multicast environments, and belongs to the field of computer security technology.
Background technology
The traditional mode of computer network communication is unicast, i.e. "one-to-one, point-to-point" communication, in which the source and the sink are both definite and specific. Unicast technology is relatively mature in terms of security, and its communication process is reliable; its greatest drawback is that it can only realize "one-to-one" communication.
To realize "one-to-many" communication, the computer network multicast mode emerged. Computer network multicast is an open communication system whose characteristics are: the source is determined, while the sinks are definite but not specific. That is, at any moment a multicast system necessarily has hosts acting as sources, but the number of sinks usually changes dynamically and is not fixed; there may be many sinks, or even none. Moreover, the multicast communication system provides no data source authentication mechanism, so any host can send data to any multicast group. This means that any host can impersonate a source host and inject multicast packets, which is an extremely serious security problem in current multicast communication systems.
Multicast security in fact means protecting the confidentiality and integrity of multicast content, authenticating the data source, and solving problems such as the controlled, authorized joining of multicast members and the confirmation of their leaving. Multicast security covers far more than ordinary point-to-point unicast communication; even basic problems such as authentication and information encryption become very complex. It also brings many new problems, such as access control at the multicast center, the trustworthiness of the multicast center, and dynamic group membership management.
In addition, multicast traffic, like unicast traffic, crosses the "public" internet. In particular, when valuable data is to be carried over IP multicast, mechanisms must be deployed to control access to the data so that it is not intercepted by others in transit. A commonly used method is data encryption: data is encrypted at the source, and the decryption key is obtained by the receivers of the specific multicast group. Thus, although IP multicast traffic can be intercepted by anyone like other internet traffic, data captured in transit is unusable without the decryption key. However, current multicast key management methods are mostly built on unicast techniques, and multicast key management involves many end systems, so its complexity far exceeds that of unicast key management; multicast key management is therefore not yet mature.
Multicast communication may also face a variety of attacks, such as: impersonating a legitimate multicast sender to send data; impersonating a legitimate multicast receiver to receive data; eavesdropping on and forging multicast data; denial-of-service attacks against multicast routers and multicast users; and repudiation of having sent or received data.
In short, although solutions to the multicast security problem exist, such as the Nortel framework and SRM (Secure Reliable Multicast), the existing solutions all have shortcomings to varying degrees, and secure multicast remains a technical difficulty.
Summary of the invention
In view of the above, the object of the present invention is to provide a secure multicast management system and method applied to computer network multicast environments, so as to realize secure multicast communication.
To achieve the above object, the invention adopts the following technical solution: a secure multicast management system composed of five interconnected parts: a user subsystem, an authentication center subsystem, a PKI center subsystem, a client subsystem and a monitoring subsystem;
The user subsystem configures the multicast environment and initializes the communicating parties: it generates a public/private key pair and the authentication/authorization file for each communication member and each subsystem administrator, generates a communication group key for each multicast group in the system, and grants the corresponding permissions to communication members;
The authentication center subsystem manages, updates and distributes the communication keys used in multicast information transmission;
The PKI center subsystem stores the client public keys sent by the authentication center, receives public key requests from clients, and sends the corresponding client public keys;
The client subsystem encrypts, decrypts and signs the information sent by multicast users and, together with the PKI center subsystem, performs source authentication of multicast information;
The monitoring subsystem collects and records in real time the data of the communicating parties during multicast communication, monitors communication conditions and network resources, and displays the state of the communicating parties in a timely manner.
The client subsystem consists of three modules: client authentication request, secure transmission and source authentication;
The client authentication request module performs two-way authentication with the PKI center subsystem and obtains the client's authorization information;
The secure transmission module encrypts, signs and transmits multicast information;
The source authentication module performs source authentication on received multicast information using the sender's public key provided by the PKI center subsystem, verifying whether the information was sent by its claimed sender.
To achieve the above object, the invention adopts a secure multicast management method comprising the following steps:
A. Before multicast communication, initialize the parties to the multicast communication and configure the multicast environment;
Generate a public/private key pair for each communication member of the system, create the authentication/authorization file, generate the communication keys, and assign permissions to each communication member;
B. During multicast communication, update/distribute the multicast communication keys for the communicating parties; collect and record the data of the communicating parties in real time, monitor communication conditions and network resources, discover abnormal situations promptly and handle them accordingly;
C. Encrypt and sign the information sent by multicast users;
D. Decrypt and source-authenticate the multicast information a user receives, so that each group member can verify whether received multicast information was sent by its claimed sender;
E. If the multicast information was sent by its claimed sender, carry out normal data transmission; if not, filter out that data.
Step A is performed by the user subsystem and comprises the following steps:
a. After the user subsystem starts, it receives the information entered by the administrator;
b. Using the password entered by the administrator, it reads the administrator's public/private key from the locally stored public/private key pair file;
c. It performs the action corresponding to the type of operation the administrator wants to carry out;
That is, the administrator can, as required, create a new user for the system or assign a group key and permissions to a specified user.
To create a new user, the subsystem first generates the user's public/private key pair and reads the user's ID from the generated public/private key pair file; it then receives the user information and the user's authentication password, generates a hash value from the entered authentication password, and stores it in the system's authentication/authorization file as the user's authentication credential;
To authorize a registered user, the subsystem assigns the corresponding group key and permissions to the specified user. The group key can be produced in three ways: manual entry, copying another user's group key, or random generation. User permissions fall into five kinds:
● Send only: can only send multicast information, not receive it;
● Receive only: can only receive multicast information, not send it;
● Send and receive: can both send and receive multicast information;
● PKI center: the user is authorized as the administrator of the PKI center;
● Monitoring center: the user is authorized as the administrator of the monitoring center;
The user's group key and permission information are stored in the system's authentication/authorization file;
d. The user subsystem distributes the generated user public/private keys and ID numbers to each user and, at the same time, sends the system authentication and authorization data to the authentication center;
e. Determine whether the administrator's operations are finished; if so, end; if not, return to step c.
In step B, updating/distributing the multicast communication keys for the communicating parties is performed by the authentication center subsystem and comprises the following steps:
a. After the authentication center subsystem starts, it first performs initialization;
b. It then handles three kinds of requests and one timer operation; its workflow is:
(1) Authentication request, raised by a multicast client when joining a multicast group: after accepting the group key request from the multicast client, the authentication center subsystem first verifies the multicast client's identity, then, according to the system's authorization information (such as the right to send or receive multicast information), sends the client's group key and the corresponding authorization information to the multicast client. The authentication center subsystem sends the user's public key to the PKI center subsystem. Finally, the authentication center subsystem sends the multicast member's authentication and authorization details to the monitoring center, such as the member's user name, permissions, time of joining the multicast group, IP address, and the multicast group address it applied to join;
(2) Authorization change request: this request is sent by the group monitoring center, according to certain rules, when it discovers an abnormal situation. The authentication center subsystem updates the authorization information of the user concerned according to the instruction received and sends an update notification to that user so that the change takes effect;
(3) Management request: this request is sent by the multicast group administrator and facilitates the administrator's management of the multicast communication system. The administrator can send instructions to view or change information such as current user authorizations and group keys; if the administrator changes a user's authorization information, the authentication center subsystem sends an update notification to that user so that the change takes effect;
(4) Timer operation: used to update the group key of the multicast group. At regular intervals the authentication center subsystem generates a new group key and notifies multicast users to re-authenticate and update the group key. On the one hand this refreshes the group key used by the multicast group and keeps communication secure; on the other hand, because users who have left the multicast group will not update, it lets the administrator determine the current multicast membership;
c. End.
Steps C and D are performed by the client subsystem, which consists of three modules: authentication request, secure transmission and source authentication;
The authentication request module performs two-way authentication with the PKI center and obtains the client's authorization information; it comprises the following steps:
(1) Receive the user information and send the authentication information and the user's public key information to the authentication center;
(2) Receive the authorization information and pass it to the secure transmission module;
The client authentication request module plays two roles at once: a client of the authentication center subsystem, and the key provider for the secure transmission module. Through the interaction between the client authentication request module and the authentication center subsystem, a client program that authenticates successfully obtains the transmission key of the particular multicast group it applied for, which is used to encrypt and decrypt multicast data;
The secure transmission module implements encryption/decryption and transmission of multicast information; it comprises the following steps:
(1) Transport multicast information accurately and efficiently;
(2) Encrypt and decrypt the transmitted multicast information to guarantee its confidentiality and integrity;
The source authentication module performs source authentication on received multicast information, verifying whether the information received was sent by its claimed sender; it comprises the following steps:
(1) Sign the multicast information being sent;
(2) Perform source authentication on the multicast information received.
Step F is performed by the monitoring subsystem and comprises the following steps:
(1) After the monitoring subsystem starts, it first performs initialization;
(2) It determines the type of operation to be processed:
(a) If it is a user instruction, accept the user's instruction, display the corresponding information according to the instruction, and end; if not, go to the next check;
(b) Check whether it is authentication/authorization information, which is sent by the authentication center subsystem. If so, receive it, perform statistical analysis on the received user authentication/authorization information, and write it to the log; where control is needed, generate control information according to predetermined rules, send it to the authentication center subsystem, and end. If it is not authentication/authorization information, go to the next check;
(c) Check whether it is authentication multicast information. If so, the monitoring subsystem joins each multicast group as needed, requests the corresponding group key and authorization from the authentication center subsystem, then listens to the multicast information, performs statistical analysis and writes to the log; when an abnormal situation occurs, it generates control information according to predetermined rules, sends it to the authentication center subsystem, and ends. If it is not authentication multicast information, go to the next step;
(d) Timer operation: update the displayed system status, such as the online status of group members and the rate at which group members send data;
(3) End.
The beneficial effects of the invention are:
1. The monitoring subsystem and the authentication center subsystem provide real-time monitoring and effective management of multicast groups and can effectively detect abnormal information in a multicast group.
2. The content of multicast communication is verified and signed, which prevents illegal tampering and guarantees the integrity of multicast information, thereby effectively defending against common attacks such as spoofing, unauthorized generation, forgery and packet tampering.
3. During multicast communication the content is encrypted, and several symmetric encryption algorithms can be selected, which guarantees the confidentiality of multicast information and strengthens the system's resistance to attack.
4. The monitoring subsystem can perform statistical analysis on the information in the communication process and, according to predetermined rules, generate linkage control information to make the necessary response.
5. When authenticating a client, the authentication center subsystem provides control functions such as restricting the IP address the user uses and restricting the user's send or receive permissions; the monitoring subsystem, working in linkage with the authentication center subsystem, restricts the behavior of multicast members.
Description of drawings
Fig. 1 is a schematic diagram of the system structure of the secure multicast management system of the invention
Fig. 2 is a flow chart of secure multicast management as realized by the invention
Fig. 3 is a workflow diagram of the user subsystem of the invention
Fig. 4 is a workflow diagram of the authentication center subsystem of the invention
Fig. 5 is a workflow diagram of the PKI center subsystem of the invention
Fig. 6 is a workflow diagram of the client subsystem of the invention
Fig. 7 is a workflow diagram of the monitoring subsystem of the invention
Embodiment
The invention is described in further detail below with reference to the drawings and embodiments.
The invention acts as the manager of multicast communication. Before multicast communication, it configures the multicast environment and initializes the communicating parties; when multicast users communicate, it first authenticates and authorizes the multicast members; during multicast communication, the information sent by multicast users is encrypted and signed, and the multicast information a user receives is decrypted and source-authenticated; the multicast communication process is also monitored and analyzed in real time. As shown in Fig. 1, the secure multicast communication system that manages multicast communication and realizes secure multicast consists of five parts: the user subsystem, the authentication center subsystem, the PKI center subsystem, the client subsystem and the monitoring subsystem. The client subsystem in turn consists of three modules: client authentication request, secure transmission and source authentication. The relationships between the parts are shown in Fig. 1.
The user subsystem mainly configures the multicast environment and initializes the communicating parties, for example: it generates a public/private key pair and the authentication/authorization file for each communication member and each subsystem administrator, generates a communication key for each multicast group in the system, and grants the corresponding permissions to communication members. The authentication center subsystem manages and updates the communication keys used during multicast information transmission. The client subsystem encrypts, decrypts and signs the information sent by multicast users and, together with the PKI center subsystem, performs source authentication of multicast information. The PKI center subsystem is mainly used to store the client public keys sent by the authentication center, to receive public key requests from clients, and to send the corresponding client public keys. The monitoring subsystem mainly collects and records in real time the data of the communicating parties during multicast communication, monitors communication conditions and network resources, and displays the state of the communicating parties in a timely manner.
Fig. 2 is a flow chart of secure multicast management as realized by the secure multicast management system of the invention. As shown in the figure, the method by which the invention realizes secure multicast management comprises the following steps:
1. Before multicast communication, initialize the parties to the multicast communication and configure the multicast environment;
Generate a public/private key pair for each communication member of the system, create the authentication/authorization file, generate the communication keys, and assign permissions to each communication member;
2. During multicast communication, update/distribute the multicast communication keys for the communicating parties; collect and record the data of the communicating parties in real time, monitor communication conditions and network resources, discover abnormal situations promptly and handle them accordingly;
3. Encrypt and sign the information sent by multicast users;
4. Decrypt and source-authenticate the multicast information a user receives, so that each group member can verify whether received multicast information was sent by its claimed sender;
5. If the multicast information was sent by its claimed sender, carry out normal data transmission; if not, filter out that data.
The process by which the invention realizes secure multicast is as follows:
First, the user subsystem initializes the system: it generates a public/private key pair for each user of the system, generates the communication keys, and assigns send and/or receive permissions to each communication member. Then, after the public/private key pairs have been distributed to each communication member and each subsystem administrator, the communication members can begin communicating.
During communication, each communication member first authenticates with the authentication center and obtains the corresponding group communication key; the member encrypts and signs multicast information before sending it. When a communication member receives multicast data, it decrypts the data and performs source authentication to determine whether the data was sent by its claimed sender, and obtains the content of the multicast information, completing the communication process.
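The send and receive path just described, as an added example in Go; it is not code from the patent or from any implementation of it. It shows why holding the group key alone does not let a member pass as another sender. AES-256-GCM and Ed25519 are assumptions (the patent names no algorithms), as are the `Packet` layout, the in-memory `Directory` standing in for the PKI center, and the receiver-side permission check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Entry is what a receiver can look up about a member (constructed layout).
type Entry struct {
	Pub     ed25519.PublicKey
	CanSend bool // false models the "receive only" permission
}

// Directory is a hypothetical in-memory stand-in for the PKI center.
type Directory map[string]Entry

// Packet is a constructed wire format, not one defined by the patent.
type Packet struct {
	SenderID                     string
	Nonce, Ciphertext, Signature []byte
}

var (
	ErrBadSource     = errors.New("source authentication failed")
	ErrNotAuthorized = errors.New("sender has no send permission")
	ErrDecrypt       = errors.New("decryption failed: wrong or stale group key")
)

// randomBytes returns n bytes from the OS CSPRNG (group keys, seeds, nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback without entropy
	}
	return b
}

// Register creates a member key pair and publishes the public half in dir.
func Register(dir Directory, id string, canSend bool) ed25519.PrivateKey {
	priv := ed25519.NewKeyFromSeed(randomBytes(ed25519.SeedSize))
	dir[id] = Entry{Pub: priv.Public().(ed25519.PublicKey), CanSend: canSend}
	return priv
}

func newGCM(groupKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(groupKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// signedPart is the byte string covered by the signature: nonce || ciphertext.
func signedPart(p *Packet) []byte {
	return append(append([]byte{}, p.Nonce...), p.Ciphertext...)
}

// Seal encrypts msg under the group key, then signs with the sender's private key.
func Seal(groupKey []byte, id string, priv ed25519.PrivateKey, msg []byte) (*Packet, error) {
	gcm, err := newGCM(groupKey)
	if err != nil {
		return nil, err
	}
	p := &Packet{SenderID: id, Nonce: randomBytes(gcm.NonceSize())}
	p.Ciphertext = gcm.Seal(nil, p.Nonce, msg, []byte(id)) // sender ID bound as AAD
	p.Signature = ed25519.Sign(priv, signedPart(p))
	return p, nil
}

// Open authenticates the source, checks permission, then decrypts; an error means "filter out".
func Open(groupKey []byte, dir Directory, p *Packet) ([]byte, error) {
	e, ok := dir[p.SenderID]
	if !ok || !ed25519.Verify(e.Pub, signedPart(p), p.Signature) {
		return nil, ErrBadSource
	}
	if !e.CanSend {
		return nil, ErrNotAuthorized
	}
	gcm, err := newGCM(groupKey)
	if err != nil || len(p.Nonce) != gcm.NonceSize() {
		return nil, ErrDecrypt
	}
	if pt, err := gcm.Open(nil, p.Nonce, p.Ciphertext, []byte(p.SenderID)); err == nil {
		return pt, nil
	}
	return nil, ErrDecrypt
}

func main() {
	dir, key := Directory{}, randomBytes(32)
	pkt, _ := Seal(key, "alice", Register(dir, "alice", true), []byte("quote 42.10"))
	pt, err := Open(key, dir, pkt)
	fmt.Printf("%q %v\n", pt, err) // genuine packet is accepted
	Register(dir, "bob", true)
	pkt.SenderID = "bob"                // same bytes, different claimed sender
	fmt.Println(Open(key, dir, pkt)) // rejected: signature does not match bob's key
}
```

A packet sealed under a group key that has since been replaced by the authentication center's timed update passes the signature check but fails with `ErrDecrypt`, which is how a member that did not re-authenticate drops out of the group.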
Meanwhile, during multicast communication the monitoring subsystem monitors user logins, such as the user's login time and the IP address at login. It also joins each multicast group as a special communication member, receives multicast data, and decrypts and source-authenticates the data it receives in order to monitor the multicast communication, recording the sending time, sender, etc. of multicast data. For abnormal conditions, such as failure to decrypt transmitted multicast information or a multicast member sending information beyond its permissions, it generates, as needed, the corresponding action information (such as notifying group members to re-authenticate, changing a group member's permissions, or removing a member from the multicast group) and sends it to the authentication center.
The function and workflow of each subsystem are introduced below to describe the invention further.
(1) User subsystem
The user subsystem mainly performs step 1 of the secure multicast management method above. Before multicast communication, the user subsystem generates a public/private key pair, the authentication/authorization file, etc. for each communication member and each subsystem administrator; it also generates a communication key for each multicast group in the system and grants communication members the corresponding permissions, such as send and/or receive permission.
The workflow of the user subsystem is shown in Fig. 3:
1. After the user subsystem starts, it receives the information entered by the administrator;
2. Using the password entered by the administrator, it reads the administrator's public/private key from the locally stored public/private key pair file;
3. It performs the action corresponding to the type of operation the administrator wants to carry out;
That is, the administrator can, as required, create a new user for the system or assign a group key and permissions to a specified user.
To create a new user, the subsystem first generates the user's public/private key pair and reads the user's ID from the generated public/private key pair file; it then receives the user information, the user's authentication password and similar content, generates a hash value from the entered authentication password, and stores it in the system's authentication/authorization file as the user's authentication credential;
To authorize a registered user, the subsystem assigns the corresponding key and permissions to the specified user. The key can be produced in three ways: manual entry, copying another user's group key, or random generation. User permissions fall into five kinds:
● Send only: can only send multicast information, not receive it;
● Receive only: can only receive multicast information, not send it;
● Send and receive: can both send and receive multicast information;
● PKI center: the user is authorized as the administrator of the PKI center;
● Monitoring center: the user is authorized as the administrator of the monitoring center;
The user's group key and permission information are stored in the system's authentication/authorization file;
4. The user subsystem distributes the generated user public/private keys and ID numbers to each user and, at the same time, sends the system authentication and authorization data to the authentication center;
5. End.
The user public/private key pair file generated by the user subsystem holds the user's ID number and public and private keys and must be distributed to each user in a secure manner (e.g. manually); the generated system authentication and authorization data must likewise be delivered to the authentication center in a secure manner.
(2) Authentication center subsystem
The authentication center subsystem is mainly used to manage and update the communication keys used in multicast information transmission. It mainly performs the following functions:
1. Receive the user's authentication information; if authentication passes, encrypt the authorization information with the received client public key and send it to the client authentication request module.
2. Send the client public key and authorization information to the PKI center.
3. Decide whether to resend the authorization information according to the linkage control information received.
4. Send user authentication and authorization information to the multicast monitoring subsystem, including the user name, login time, IP address at login, the multicast group address joined, and the user's send/receive permissions.
As shown in Fig. 4, after the authentication center subsystem starts, it first performs initialization and then handles three kinds of requests and one timer message; its workflow is:
1. Authentication request, raised by a multicast client when joining a multicast group: after accepting the key request from the multicast client, the authentication center subsystem first verifies the multicast client's identity, then, according to the system's authorization information (such as the right to send or receive multicast information), sends the client's group key and the corresponding authorization information to the multicast client. The authentication center subsystem then sends the user's public key to the PKI center subsystem. Finally, the authentication center subsystem sends the multicast member's authentication and authorization details to the monitoring center, such as the member's user name, permissions, time of joining the multicast group, IP address, and the multicast group address it applied to join.
2. Authorization change request: this request is sent by the group monitoring center, according to certain rules, when it discovers an abnormal situation. The authentication center subsystem updates the authorization information of the user concerned according to the instruction received and sends an update notification to that user so that the change takes effect.
3. Management request: this request is sent by the multicast group administrator, mainly to facilitate the administrator's management of the multicast communication system. The administrator can send instructions to view or change information such as current user authorizations and group keys; if the administrator changes a user's authorization information, the authentication center subsystem sends an update notification to that user so that the change takes effect.
4. Timer: the timer is mainly used to update the key of the multicast group. After a period of time, the authentication center generates a new group key and notifies multicast users to re-authenticate and update the group key. On the one hand this refreshes the group key used by the multicast group and keeps communication secure; on the other hand, because users who have left the multicast group will not update, it lets the administrator determine the current multicast membership.
(3) PKI center subsystem
The PKI center is mainly used to store the client public keys sent by the authentication center, to receive public key requests from clients, and to send the corresponding client public keys. The workflow of the PKI center subsystem is shown in Figure 5: after the subsystem starts, it first performs initialization, then authenticates with the authentication center subsystem, and then handles two types of request:
1. Public key update request: receive and store the client public key sent by the authentication center so that it can be provided to other users.
2. Public key request: receive a public key request sent by a user, look up the corresponding public key and send it to the user.
(4) Client subsystem
The client subsystem is embedded, as a dynamic link library, in the multicast communication part of the user's application. When the user sends or receives a message over multicast, the client subsystem is triggered to perform mutual identity authentication with the authentication center and obtain multicast communication authorization. The client subsystem then uses the communication key obtained to encrypt or decrypt the message and to sign it or authenticate its source. After the authentication center has authenticated the client subsystem, it sends the client's public key to the PKI center; the public keys the client subsystem needs during source authentication are then obtained from the PKI center. The workflow of the client subsystem is shown in Figure 6: after initialization, the client subsystem determines the category of the information it is monitoring:
1. Multicast group information: this request is made when a multicast client joins a multicast group to communicate. After accepting the client's request, the client subsystem first authenticates with the authentication center subsystem and obtains the corresponding group key and authorization. Then, according to the group authorization and group key, it encrypts and signs multicast information to be sent, and decrypts and source-authenticates multicast information received, in order to determine the source of the received group information.
2. Group key update notification: this notification is sent by the authentication center subsystem. On receiving it, the client subsystem authenticates with the authentication center subsystem and obtains the new group key and group authorization.
The client subsystem consists of three modules, authentication request, secure transmission and source authentication, which carry out the operations above. The authentication request module is mainly used to perform mutual authentication with the PKI center and obtain the client's authorization information. Its specific functions are:
1. Receive user information, and send authentication information and the user's public key information to the authentication center;
2. Receive authorization information and pass it to the secure transmission module. The client authentication request module therefore plays two roles at once: it is a client of the authentication center subsystem, and it is the key supplier for the secure transmission module. Through the interaction between the client authentication request module and the authentication center subsystem, a client program that authenticates successfully obtains the transmission key of the particular multicast group it applied for, which it uses to encrypt and decrypt multicast data.
The secure transmission module mainly implements the encryption, decryption and transmission of multicast information. Its specific functions are:
1. Transmit multicast information accurately and effectively.
2. Encrypt and decrypt the multicast information transmitted, to guarantee the confidentiality and integrity of the multicast information. At the current stage, three symmetric-key encryption algorithms are provided: DES, RC5 and IDEA. When encrypting, the information to be transmitted is encrypted with the algorithm and key specified in the authorization information; when decrypting, the information received is decrypted with the algorithm and key specified in the authorization information.
The source authentication module allows the claimed sender of received multicast information to be verified, providing non-repudiation of the information. Its specific functions and implementation are:
1. Sign the multicast information sent. That is, generate a digest of the information to be transmitted using the MD5 algorithm, then encrypt the digest with the RSA algorithm using the user's own private key to produce the user's signature information, and transmit it together with the information the user wants to send.
2. Source-authenticate the multicast information received. That is, according to the sender claimed by the received multicast information, request that user's public key from the PKI center subsystem, and use the public key the PKI center provides to decrypt, with the RSA algorithm, the user's signature information in the multicast information. If signature verification succeeds, the information received was sent by its claimed sender; if it does not, the information is forged and source authentication fails.
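The send and receive paths of the client subsystem described above, as an added Go example that is not code from the patent: every member shares the group key, so only the per-sender RSA signature distinguishes one member from another. The packet layout, the 2048-bit key size, PKCS#1 v1.5 padding, DES in CBC mode, and signing over the ciphertext (so that source authentication can run before decryption) are assumptions; the user IDs, key and payload are constructed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
)

// Packet is a hypothetical wire format; the page does not define one.
type Packet struct {
	Sender    string // claimed sender ID
	IV, Body  []byte // DES-CBC IV and ciphertext
	Signature []byte // RSA signature over MD5(IV || Body)
}

// KeyCenter stands in for the PKI center subsystem: user ID -> public key.
type KeyCenter map[string]*rsa.PublicKey

var (
	ErrUnknownSender = errors.New("PKI center has no key for claimed sender")
	ErrSourceAuth    = errors.New("source authentication failed")
	ErrDecrypt       = errors.New("decryption failed")
)

// NewKey generates a member key pair (2048 bits is an assumption).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// digest is the MD5 summary of what is actually put on the wire.
func digest(p *Packet) []byte {
	d := md5.Sum(append(append([]byte{}, p.IV...), p.Body...))
	return d[:]
}

// Send encrypts msg under the shared group key, then signs with the sender's private key.
func Send(sender string, priv *rsa.PrivateKey, groupKey, msg []byte) (*Packet, error) {
	block, err := des.NewCipher(groupKey)
	if err != nil {
		return nil, err
	}
	n := des.BlockSize - len(msg)%des.BlockSize // padding length, 1..8
	body := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body, body)
	p := &Packet{Sender: sender, IV: iv, Body: body}
	p.Signature, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.MD5, digest(p))
	return p, err
}

// Receive looks up the claimed sender's public key, verifies the signature
// (source authentication) and only then decrypts with the group key.
func Receive(p *Packet, center KeyCenter, groupKey []byte) ([]byte, error) {
	pub, ok := center[p.Sender]
	if !ok {
		return nil, ErrUnknownSender
	}
	if rsa.VerifyPKCS1v15(pub, crypto.MD5, digest(p), p.Signature) != nil {
		return nil, ErrSourceAuth
	}
	block, err := des.NewCipher(groupKey)
	if err != nil || len(p.IV) != des.BlockSize || len(p.Body) == 0 || len(p.Body)%des.BlockSize != 0 {
		return nil, ErrDecrypt
	}
	out := make([]byte, len(p.Body))
	cipher.NewCBCDecrypter(block, p.IV).CryptBlocks(out, p.Body)
	n := int(out[len(out)-1])
	if n == 0 || n > des.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrDecrypt
	}
	return out[:len(out)-n], nil
}

func main() {
	a, b := NewKey(), NewKey()
	center := KeyCenter{"userA": &a.PublicKey, "userB": &b.PublicKey}
	groupKey := []byte("grpkey01") // constructed 8-byte DES key
	p, _ := Send("userA", a, groupKey, []byte("constructed payload"))
	msg, err := Receive(p, center, groupKey)
	fmt.Printf("%q %v\n", msg, err)
	forged, _ := Send("userA", b, groupKey, []byte("constructed payload"))
	_, err = Receive(forged, center, groupKey)
	fmt.Println(err)
}
```

MD5 and DES appear only because the page names them; both are considered broken today, and the same structure works unchanged with SHA-256 and AES.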
When the user first starts an application that uses the client subsystem, the application must call the client identity authentication initialization routine of secure transmission and supply the user name/password string and the authentication password of the communication member's public key cryptosystem, in order to obtain the client's public/private key and identity identifier. Apart from this, the authentication request, authentication, communication authorization and secure transmission processes during communication are transparent to the user.
(5) Monitoring subsystem
Based on the user authentication and authorization information provided by the authentication and authorization center and on the multicast data flows in the secure multicast system, the monitoring subsystem provides the information below to the multicast control module. Based on the multicast information provided and on a given control policy, the action to be taken is determined and passed to the authentication center or the system administrator, thereby achieving control of the whole multicast. Its specific functions are:
1. Compile the user authentication and authorization information received into a multicast information table. User login information includes: user ID, IP address, login time, and send/receive permissions. Authorization information includes: creation and cancellation of multicast groups, members joining and leaving, and so on.
2. Analyze the multicast statistics received and form a multicast statistics table. These are analyzed together with the login error information in the user authorization information to form linked control information, which is sent to the authentication center. Abnormal multicast information that is found, such as source authentication failing or decryption being abnormal, is reported to the multicast control module. The user authentication and authorization status is passed to the multicast log module. The subsystem displays abnormal source analysis results, decryption anomalies, data traffic statistics, read/write privilege violations and group status information. When decryption fails, the read/write permissions are inconsistent with the information sent, or the IP and user binding is inconsistent, it informs the authentication center to revoke the multicast member's permissions.
3. Display the various information analyzed.
4. Write user login information, multicast information and linked control information to the log.
The workflow of the monitoring subsystem is shown in Figure 7: after the monitoring subsystem starts, it first performs initialization and then handles three types of information and one timer message:
1. User instruction: accept the user's instruction and display the corresponding information according to the instruction.
2. Authentication and authorization information: this information is sent by the authentication center subsystem. The monitoring subsystem performs statistical analysis on the user authentication and authorization information received and logs it; where control is needed, it generates control information according to predetermined rules and sends it to the authentication center subsystem.
3. Multicast information: as required, the monitoring subsystem joins each multicast group, requests the corresponding group key and authorization from the authentication center subsystem, then listens to the multicast information, performs statistical analysis and logs it. When it detects an abnormal situation, it generates control information according to predetermined rules and sends it to the authentication center subsystem. The abnormal situations the system currently handles, and the corresponding control information, are as follows:
a) Source authentication fails: display this abnormal information and write it to the log.
b) Source authentication succeeds but decrypting the multicast information fails: display this abnormal information and write it to the log. At the same time, send control information to the authentication center subsystem to notify this user to authenticate again and obtain authorization.
c) Source authentication and decryption of the multicast information both succeed, but this user has no send permission: display this abnormal information and write it to the log. At the same time, send control information to the authentication center subsystem to revoke this user's authorization.
d) The IP address used at user authentication differs from the one used when sending multicast: display this abnormal information and write it to the log. At the same time, send control information to the authentication center subsystem to notify this user to authenticate again and obtain authorization.
4. Timer: the timer is mainly used to refresh the displayed system status, such as which group members are online, the rate at which group members send data, and so on.
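The four abnormal situations a) to d) above and their control actions, as an added Go example that is not code from the patent. The type names, the evaluation order (the page's own listing order), and the treatment of a sender with no authentication record as having no send permission are assumptions; the users and addresses are constructed.

```go
package main

import "fmt"

type Permission int

const (
	SendOnly Permission = iota
	ReceiveOnly
	SendReceive
)

type Action string

const (
	LogOnly Action = "log-only"
	Reauth  Action = "re-authenticate"
	Revoke  Action = "revoke"
)

// Session is the record the authentication center reports for one user.
type Session struct {
	LoginIP string
	Perm    Permission
}

// Observation describes one intercepted multicast packet.
type Observation struct {
	Sender, SrcIP           string
	SourceAuthOK, DecryptOK bool
}

// Control is a message for the authentication center subsystem.
type Control struct {
	User   string
	Action Action
	Reason string
}

type Monitor struct {
	Sessions map[string]Session
	Sent     map[string]int // per-sender count of normal packets
	Log      []string
}

func NewMonitor(s map[string]Session) *Monitor {
	return &Monitor{Sessions: s, Sent: map[string]int{}}
}

// Handle classifies one packet; ok is true when nothing abnormal was found.
func (m *Monitor) Handle(o Observation) (c Control, ok bool) {
	s, known := m.Sessions[o.Sender]
	c = Control{User: o.Sender}
	switch {
	case !o.SourceAuthOK:
		// (a) The sender ID is unproven, so nothing is done to that user:
		// acting here would let a forger get a real member revoked.
		c.Action, c.Reason = LogOnly, "source authentication failed"
	case !o.DecryptOK: // (b)
		c.Action, c.Reason = Reauth, "decryption failed"
	case !known || s.Perm == ReceiveOnly: // (c)
		c.Action, c.Reason = Revoke, "no send permission"
	case s.LoginIP != o.SrcIP: // (d)
		c.Action, c.Reason = Reauth, "source IP differs from login IP"
	default:
		m.Sent[o.Sender]++
		return c, true
	}
	m.Log = append(m.Log, fmt.Sprintf("%s from %s: %s -> %s", o.Sender, o.SrcIP, c.Reason, c.Action))
	return c, false
}

// Controls returns only the messages that must go to the authentication center.
func (m *Monitor) Controls(obs []Observation) []Control {
	var out []Control
	for _, o := range obs {
		if c, ok := m.Handle(o); !ok && c.Action != LogOnly {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	m := NewMonitor(map[string]Session{
		"userA": {LoginIP: "192.0.2.5", Perm: SendReceive},
		"userB": {LoginIP: "192.0.2.6", Perm: ReceiveOnly},
	})
	obs := []Observation{ // constructed sample traffic
		{"userA", "192.0.2.5", true, true},
		{"userA", "192.0.2.9", false, true},
		{"userB", "192.0.2.6", true, true},
	}
	for _, c := range m.Controls(obs) {
		fmt.Println(c.User, c.Action, c.Reason)
	}
	for _, l := range m.Log {
		fmt.Println(l)
	}
}
```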
The monitoring subsystem records four types of log, whose main contents are as follows:
1. User authentication and authorization records, including the user name, login time, IP address at login, the multicast group joined, and the send/receive permissions.
2. Multicast group information, including the number of multicast groups, their members, and the permissions of each multicast group.
3. Multicast data flow information, including the sender, destination multicast group address, sending time, and the IP address of the sending host.
4. Control information, including the multicast member and the reason the permission was revoked. These contents provide a basis for later analysis and assessment.
The secure multicast management method disclosed by the invention is embedded in the multicast communication application as a dynamic link library. During communication, apart from supplying the user name/password and the authentication password of the communication member's public key cryptosystem to obtain the client's public/private key and identity identifier, the other processes, such as authentication request, authentication, communication authorization and secure transmission, are transparent to the user.
The above is only a preferred embodiment of the invention, and the scope of protection of the invention is not limited to it. Any equivalent transformation based on the technical solution of the invention falls within the scope of protection of the invention.
Claims (10)
1. A safety group broadcast management system, characterized in that: it consists of five interconnected parts, namely a user subsystem, an authentication center subsystem, a PKI center subsystem, a client subsystem and a monitoring subsystem;
The user subsystem configures the information of the multicast operating environment, initializes the communicating parties, generates a public/private key pair and an authentication and authorization file for each communication member and each subsystem administrator, generates a communication group key for each multicast group of the system, and grants the communication members their corresponding permissions;
The authentication center subsystem is used to manage, update and distribute the communication keys used in multicast information transmission;
The PKI center subsystem is used to store the client public keys sent by the authentication center, to receive public key requests from clients, and to send the corresponding client public keys;
The client subsystem encrypts, decrypts and signs the information sent by multicast users and, together with the PKI center subsystem, performs source authentication of multicast information;
The monitoring subsystem collects and records in real time the data of the communicating parties during multicast communication, monitors the communication status and network resources, and displays the state of the communicating parties in a timely manner.
2. The safety group broadcast management system according to claim 1, characterized in that: the client subsystem consists of three modules, namely client authentication request, secure transmission and source authentication;
The client authentication request module is used to perform mutual authentication with the PKI center subsystem and obtain the client's authorization information;
The secure transmission module encrypts, signs and transmits multicast information;
The source authentication module performs source authentication on the multicast information received, using the sender's public key provided by the PKI center subsystem, and verifies whether the information was sent by its claimed sender.
3. A secure multicast management method, characterized in that the method comprises the following steps:
A. Before multicast communication, initialize the parties to the multicast communication and configure the multicast operating environment;
Generate a public/private key pair and an authentication and authorization file for each communication member of the system, generate the keys used in communication, and assign authorization permissions to each communication member;
B. During multicast communication, update/distribute the multicast communication key for the communicating parties;
C. Encrypt and sign the information sent by multicast users;
D. Decrypt and source-authenticate the multicast information a user receives, so that each group member can verify whether the multicast information received was sent by its claimed sender;
E. If the multicast information was sent by its claimed sender, data transmission proceeds normally; if not, that group of data is filtered out;
F. During multicast communication, collect and record the data of the communicating parties in real time, monitor the communication status and network resources, and detect and handle abnormal situations in a timely manner.
4. The secure multicast management method according to claim 3, characterized in that: step A is performed by the user subsystem and comprises the following steps:
a. After the user subsystem starts, receive the information entered by the administrator;
b. According to the password entered by the administrator, read the administrator's public/private key from the locally stored public/private key pair file;
c. Carry out the action corresponding to the type of operation the administrator wants to perform;
That is, the administrator can, as required, create new users for the system or assign group keys and permissions to specified users;
When creating a new user, first generate the user's public/private key pair and read the user's ID from the generated public/private key pair file; then receive the user information and the user's authentication password, generate a hash value from the authentication password entered, and store it in the system's authentication and authorization file as the user's authentication credential;
When authorizing a registered user, assign the corresponding group key and permissions to the specified user; the group key can be generated in three ways: entered by hand, copied from another user's group key, or generated at random; user permissions are divided into five kinds:
● Send only: can only send multicast information and cannot receive it;
● Receive only: can only receive multicast information and cannot send it;
● Send and receive: can both send and receive multicast information;
● PKI center: the user is authorized as the administrator of the PKI center;
● Monitoring center: the user is authorized as the administrator of the monitoring center;
The user's group key and permission information are stored in the system's authentication and authorization file;
d. The user subsystem distributes the generated user public/private keys and ID numbers to each user and, at the same time, sends the system's authentication and authorization information to the authentication center;
e. Determine whether the administrator's operations are finished; if so, end; if not, return to step c.
5. The secure multicast management method according to claim 3, characterized in that: the updating/distribution of the multicast communication key for the communicating parties in step B is performed by the authentication center subsystem and comprises the following steps:
a. After the authentication center subsystem starts, first perform initialization;
b. Then handle three kinds of request and one timer operation, with the following workflow:
(1) Authentication request made by a multicast client when joining a multicast group: after accepting the group key request made by the multicast client, the authentication center subsystem first verifies the multicast client's identity and then, according to the system's authorization information, sends the client's group key and the corresponding authorization information to the multicast client; the authentication center subsystem sends the user's public key to the PKI center subsystem; finally, the authentication center subsystem sends the multicast member's authentication and authorization status information to the monitoring center;
(2) Authorization change request: this request is sent when the group monitoring center detects an abnormal situation; the authentication center subsystem updates the authorization information of the user concerned according to the instruction received and sends an update notification to that user so that the change takes effect;
(3) Management request: this request is sent by the multicast group administrator, to make it convenient for the administrator to manage the multicast communication system; the administrator can send instructions to view or change current user authorization and group key information; if the administrator changes a user's authorization information, the authentication center subsystem sends an update notification to that user so that the change takes effect;
(4) Timer operation: used to update the group key of the multicast group; at set intervals, the authentication center subsystem generates a new group key and notifies the multicast users to authenticate again and update the group key;
c. End.
6. The secure multicast management method according to claim 3, characterized in that: steps C and D are performed by the client subsystem; the client subsystem consists of three modules, namely authentication request, secure transmission and source authentication;
The authentication request module is used to perform mutual authentication with the PKI center and obtain the client's authorization information, and comprises the following steps:
(1) Receive user information, and send authentication information and the user's public key information to the authentication center;
(2) Receive authorization information and pass it to the secure transmission module;
The client authentication request module therefore plays two roles at once: it is a client of the authentication center subsystem, and it is the key supplier for the secure transmission module; through the interaction between the client authentication request module and the authentication center subsystem, a client program that authenticates successfully obtains the transmission key of the particular multicast group it applied for, which it uses to encrypt and decrypt multicast data;
The secure transmission module implements the encryption/decryption and transmission of multicast information, and comprises the following steps:
(1) Transmit multicast information accurately and effectively;
(2) Encrypt and decrypt the multicast information transmitted, to guarantee the confidentiality and integrity of the multicast information;
The source authentication module performs source authentication on the multicast information received and verifies whether the information received was sent by its claimed sender, and comprises the following steps:
(1) Sign the multicast information sent;
(2) Source-authenticate the multicast information received.
7. The secure multicast management method according to claim 6, characterized in that: the method of encrypting and decrypting the transmitted multicast information is: when encrypting, the information to be transmitted is encrypted with the encryption algorithm and key specified in the authorization information; when decrypting, the information received is decrypted with the encryption algorithm and key specified in the authorization information.
8. The secure multicast management method according to claim 6, characterized in that: the method of signing the multicast information sent is: generate a digest of the information to be transmitted using the MD5 algorithm, then encrypt the generated digest with the RSA algorithm using the user's own private key to produce the user's signature information, and transmit it together with the information the user wants to send.
9. The secure multicast management method according to claim 6, characterized in that: the method of source-authenticating the multicast information received is: according to the sender claimed by the received multicast information, request that user's public key from the PKI center subsystem; use the client public key provided by the PKI center to verify, with the RSA algorithm, the user's signature information in the multicast information; if signature verification succeeds, the information received was sent by its claimed sender; if it does not, the information is forged and source authentication fails.
10. The secure multicast management method according to claim 3, characterized in that: step F is performed by the monitoring subsystem and comprises the following steps:
(1) After the monitoring subsystem starts, first perform initialization;
(2) Determine the type of operation to be handled:
(a) If it is a user instruction, accept the user's instruction, display the corresponding information according to the instruction, and finish; if not, proceed to the next judgment;
(b) Determine whether it is authentication and authorization information, which is sent by the authentication center subsystem; if so, receive this authentication and authorization information, perform statistical analysis on the user authentication and authorization information received, and log it; where control is needed, generate control information according to predetermined rules, send it to the authentication center subsystem, and finish; if it is not authentication and authorization information, proceed to the next judgment;
(c) Determine whether it is authentication multicast information; if so, the monitoring subsystem, as required, joins each multicast group, requests the corresponding group key and authorization from the authentication center subsystem, then listens to the multicast information, performs statistical analysis and logs it; when an abnormal situation occurs, it generates control information according to predetermined rules, sends it to the authentication center subsystem, and finishes; if it is not authentication multicast information, proceed to the next step;
(d) Timer operation: refresh the displayed system status;
(3) End.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2004100706938A CN100454806C (en) | 2004-07-29 | 2004-07-29 | Safety group broadcast management system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1588839A CN1588839A (en) | 2005-03-02 |
CN100454806C true CN100454806C (en) | 2009-01-21 |
Family
ID=34604518
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2004100706938A Expired - Fee Related CN100454806C (en) | 2004-07-29 | 2004-07-29 | Safety group broadcast management system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100454806C (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
C17 | Cessation of patent right | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20090121 |