CN101383823B - Network resource access control method in reliable access - Google Patents

Network resource access control method in reliable access

Info

Publication number: CN101383823B
Authority: CN (China)
Prior art keywords: terminal, key, resource, resource owner, access server
Legal status: Expired - Fee Related
Application number: CN2008101557286A
Other languages: Chinese (zh)
Other versions: CN101383823A (en)
Inventors: 万长胜, 胡爱群
Current assignee: Southeast University
Original assignee: Southeast University
Application filed by Southeast University; priority to CN2008101557286A; publication of CN101383823A; application granted; publication of CN101383823B; legal status: Expired - Fee Related; anticipated expiration.

Abstract

The invention relates to a network resource access control method for trusted access and belongs to the field of network communication. The method comprises the following steps, performed by a trusted access server: system initialization, key material distribution and resource access control. System initialization comprises randomly creating an elliptic curve with the SEA algorithm and randomly selecting a point $G$ on the curve as the first base point. Key material distribution comprises key distribution to the resource owners $s_t$ and key distribution to the terminals $m_{t'}$. Resource access control comprises: when a terminal $m_{t'}$ accesses a resource owner $s_t$, it signs the request message with the private key $k_{t' \to t}$; when the resource owner $s_t$ receives the request, it verifies the terminal $m_{t'}$ using the public key $G_{s_t}$ and the second base point $G_{m_{t' \to t}}$. Only by passing this check can the terminal $m_{t'}$ prove that it holds the private key $k_{t' \to t}$ and is therefore a terminal authorized by the trusted access server. The invention effectively reduces the space a resource owner needs to store terminal information and at the same time reduces the computational cost of verification.

Description

Network resource access control method in trusted access
Technical field
The present invention relates to a network resource access control method, and in particular to a network resource access control method in trusted access; it belongs to the field of network communication.
Background
In recent years, as access technologies of all kinds have spread, the number of network users has grown explosively. According to statistics from the China Internet Association, by the end of 2006 the number of Chinese netizens had reached 130 million, with an annual growth rate of 30%. The growth in users has also greatly increased the likelihood of the network coming under attack: hackers spread viruses over computer networks, steal credit card numbers and exploit vulnerabilities in cyberspace for commercial gain, giving rise to a large volume of network crime. According to figures published by China's public security authorities, nearly 30,000 network security crimes were handled in China in 2005, causing direct economic losses of about 1 billion yuan. The "Panda Burning Incense" virus at the end of 2006 swept across the whole Internet within a short time and caused economic losses of more than one hundred million yuan to China.
The key to solving the network security problem is how to effectively control access by unauthorized users, so network operators have adopted various access authentication techniques to restrict the access of terminal nodes. The IETF NEA working group, however, holds that traditional access authentication alone is not enough, because malware may exploit an infected but legitimate terminal to attack the network. Several trusted access security technologies have therefore appeared. Their main idea is to start from the terminal: hosts joining the network are checked for security according to a policy set by the administrator, and insecure hosts are automatically refused access until they comply with the network's security policy. Representative technologies currently include Cisco's Network Admission Control (NAC), Microsoft's Network Access Protection (NAP) and the Trusted Network Connect technology of the TNC group. The basic idea of all of these is to measure and assess the integrity of the terminal, apply access control on the basis of that assessment, and restrict the terminal's access to specific resources.
The primary objective of trusted access is access control over terminals. Access control is usually realized in one of two ways. In the first, a shared key is configured between the accessed network resource and the terminal; the two sides authenticate each other with the shared key and access is granted or denied according to the result. This requires terminal information to be configured on the network access equipment, so when the network is large the key distribution workload is very heavy and the storage required for keys is correspondingly large. In the second, which is based on digital certificates, only terminal users who can present a digital certificate may access a particular network resource; however, the certificate has to be verified, which adds latency to access control, and transmitting the certificate consumes additional bandwidth.
Summary of the invention
To solve the storage and verification-cost problems that existing trusted access control technologies face in large-scale networks, the present invention proposes a network resource access control method for trusted access.
The network resource access control method in trusted access is characterized by comprising the following steps:
Step 1: the trusted access server performs system initialization as follows:
(1) randomly create an elliptic curve $y^2 = x^3 + ax + b \pmod p$ with the SEA algorithm and compute its order, the first prime number $n$;
(2) choose a point $G$ on the elliptic curve as the first base point, as follows:
A. randomly select a second prime number $G_x$ and set $x = G_x$;
B. solve the equation $y^2 = x^3 + ax + b \pmod p$ for the corresponding $y$; the first base point is then $G = \langle x, y \rangle$;
where $p$ is an odd prime, $F_p$ is the finite field used by the SEA algorithm, and the coefficients $a, b \in F_p$.
Step 2: key material distribution, comprising key distribution to the resource owners $s_t$ and key distribution to the terminals $m_{t'}$:
(1) key distribution to resource owner $s_t$ comprises the following steps:
A. for each resource owner $s_t \in S$, the trusted access server randomly picks an integer $s_t \in Z_n$ for that resource owner;
B. compute the public key $G_{s_t} = s_t G = G + \dots + G$ ($s_t$ terms);
C. the trusted access server keeps the chosen integer $s_t$ as private information and distributes the public key $G_{s_t}$ to the corresponding resource owner $s_t$;
(2) key distribution to terminal $m_{t'}$: for each terminal $m_{t'} \in M$, the trusted access server determines, according to the terminal's trust level, the set of resources $S' \subseteq S$ that it may access, and for each resource owner $s_t$ in $S'$ performs the following operations:
A. generate a random number $m_{t' \to t} \in Z_n$; since $n$ is prime, $\gcd(m_{t' \to t}, n) = 1$, so $m_{t' \to t}^{-1} \bmod n$ exists and can be computed with the extended Euclidean algorithm;
B. compute the second base point $G_{m_{t' \to t}} = (m_{t' \to t}^{-1} \bmod n)\, G$;
C. compute the private key $k_{t' \to t} = m_{t' \to t} \cdot s_t \bmod n$;
D. distribute the computed key material $(G_{m_{t' \to t}}, k_{t' \to t})$ to terminal $m_{t'}$;
where $S$ is the set of all resources, $Z_n$ is the set of positive integers less than $n$, and $M$ is the set of terminals.
Step 3: resource access control comprises the following steps:
(1) when terminal $m_{t'}$ needs to access resource owner $s_t$, it places the second base point $G_{m_{t' \to t}}$ and the current computer time in a request message, signs the request with the private key $k_{t' \to t}$ and sends it to resource owner $s_t$;
(2) after receiving the request message from terminal $m_{t'}$, resource owner $s_t$ verifies the terminal using the public key $G_{s_t}$ and the second base point $G_{m_{t' \to t}}$; only a terminal $m_{t'}$ that passes verification can prove that it holds the private key $k_{t' \to t}$.
The private key $k_{t' \to t}$ is exactly the key that the trusted access server distributed to the terminal.
Description of drawings
The present invention is a network resource access control method in trusted access. The trusted access server distributes one piece of key material to each resource owner and, according to the trust level of each terminal, temporarily generates for it an access token for the corresponding resource. Because each resource owner needs to keep only one piece of key material to verify the tokens of all terminals, in large-scale network communication this method effectively reduces the space a resource owner needs to store terminal information and at the same time reduces the computational cost of verification.
Fig. 1: access control model for network resources. In the figure, "resource owner 1" denotes the resource owner labelled 1, and so on up to "resource owner t", the resource owner labelled t; "terminal 1" denotes the terminal labelled 1, and so on up to "terminal t'", the terminal labelled t'.
Embodiment
As shown in the access control model of Fig. 1, the trusted access server is the security centre of the whole system and the network entity trusted by both resource owners and terminals; it is responsible for managing and distributing security material.
To realize this method, a security association must be established between the trusted access server and every resource owner and terminal; the trusted access server distributes key material to resource owners and terminals under the protection of these security associations. It distributes one piece of key material to each resource owner and, according to the trust level of a terminal, temporarily generates for that terminal an access token for the corresponding resource; only a terminal holding a legitimate token can access that resource.
The present invention proposes a network resource access control method in trusted access whose main steps are: the trusted access server performs system initialization, key material distribution and resource access control. System initialization consists of two steps: randomly creating an elliptic curve with the SEA algorithm and randomly choosing a point $G$ on the curve as base point. Key material distribution consists of two steps: key distribution to resource owner $s_t$ and key distribution to terminal $m_{t'}$. Resource access control consists of two steps: when terminal $m_{t'}$ accesses resource owner $s_t$ it signs the request message with the private key $k_{t' \to t}$, and when resource owner $s_t$ receives the request it verifies terminal $m_{t'}$ using the public key $G_{s_t}$ and the base point $G_{m_{t' \to t}}$. Only a terminal $m_{t'}$ that passes verification can prove that it holds the private key $k_{t' \to t}$ and is thus a terminal authorized by the trusted access server. This achieves the goal of effectively reducing the space a resource owner needs to store terminal information while reducing the computational cost of verification.
The method comprises the following detailed steps:
Step 1: the trusted access server performs system initialization as follows:
(1) randomly create an elliptic curve $y^2 = x^3 + ax + b \pmod p$ with the SEA algorithm and compute its order, the first prime number $n$;
(2) choose a point $G$ on the elliptic curve as the first base point, as follows:
A. randomly select a second prime number $G_x$ and set $x = G_x$;
B. solve the equation $y^2 = x^3 + ax + b \pmod p$ for the corresponding $y$; the first base point is then $G = \langle x, y \rangle$;
where $p$ is an odd prime, $F_p$ is the finite field used by the SEA algorithm, and the coefficients $a, b \in F_p$.
Step 2: key material distribution, comprising key distribution to the resource owners $s_t$ and key distribution to the terminals $m_{t'}$:
(1) key distribution to resource owner $s_t$ comprises the following steps:
A. for each resource owner $s_t \in S$, the trusted access server randomly picks an integer $s_t \in Z_n$ for that resource owner;
B. compute the public key $G_{s_t} = s_t G$; since multiplication on the elliptic curve is carried out by repeated addition, the public key is $G_{s_t} = G + \dots + G$ ($s_t$ terms);
C. the trusted access server keeps the chosen integer $s_t$ as private information and distributes the public key $G_{s_t}$ to the corresponding resource owner $s_t$;
(2) key distribution to terminal $m_{t'}$: for each terminal $m_{t'} \in M$, the trusted access server determines, according to the terminal's trust level, the set of resources $S' \subseteq S$ that it may access, and for each resource owner $s_t$ in $S'$ performs the following operations:
A. generate a random number $m_{t' \to t} \in Z_n$; since $n$ is prime, $\gcd(m_{t' \to t}, n) = 1$ (that is, the greatest common divisor of the first prime $n$ and the random number $m_{t' \to t}$ is 1), so $m_{t' \to t}^{-1} \bmod n$ exists and can be computed with the extended Euclidean algorithm;
B. compute the second base point $G_{m_{t' \to t}} = (m_{t' \to t}^{-1} \bmod n)\, G$;
C. compute the private key $k_{t' \to t} = m_{t' \to t} \cdot s_t \bmod n$;
D. distribute the computed key material $(G_{m_{t' \to t}}, k_{t' \to t})$ to terminal $m_{t'}$;
where $S$ is the set of all resources, $Z_n$ is the set of positive integers less than $n$, and $M$ is the set of terminals.
Since the public key satisfies $G_{s_t} = s_t G = (m_{t' \to t} \cdot s_t \bmod n)(m_{t' \to t}^{-1} \bmod n)\, G = k_{t' \to t}\, G_{m_{t' \to t}}$, the private key $k_{t' \to t}$ and the public key $G_{s_t}$ form, relative to the base point $G_{m_{t' \to t}}$, the public/private key pair that terminal $m_{t'}$ uses when accessing resource owner $s_t$.
Step 3: resource access control comprises the following steps:
(1) when terminal $m_{t'}$ needs to access resource owner $s_t$, it places the second base point $G_{m_{t' \to t}}$ and the current computer time in a request message, signs the request with the private key $k_{t' \to t}$ and sends it to resource owner $s_t$;
(2) after receiving the request message from terminal $m_{t'}$, resource owner $s_t$ verifies the terminal using the public key $G_{s_t}$ and the second base point $G_{m_{t' \to t}}$; only a terminal $m_{t'}$ that passes verification can prove that it holds the private key $k_{t' \to t}$.
The private key $k_{t' \to t}$ is the key that the trusted access server distributed to the terminal; other nodes cannot obtain $k_{t' \to t}$ and therefore cannot produce signatures with it. Consequently every terminal that passes verification is a terminal authorized by the trusted access server.
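The three steps above, worked through end to end as an added example that is not part of the patent. It assumes the fixed standard curve secp256k1 in place of the SEA-generated random curve, and, because the patent does not fix a signature algorithm, a Schnorr-style signature over the second base point $G_{m_{t' \to t}}$ with SHA-256 as the hash; the class and function names are the example's own.

```python
import hashlib
import secrets

# Step 1 (system initialisation). The patent generates a random curve with SEA; this
# example substitutes the fixed standard curve secp256k1 so it runs offline (assumption).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F   # field prime p
A, B = 0, 7                                                               # y^2 = x^3 + Ax + B
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # prime order n
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,   # first base point
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # Q + (-Q)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Scalar multiplication k*pt (the patent's G + ... + G) by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

class TrustedAccessServer:
    """Step 2: key material distribution. The secret s_t never leaves the server."""
    def __init__(self):
        self.owner_secret = {}
    def enrol_owner(self, t):
        s_t = 1 + secrets.randbelow(N - 1)            # random s_t in Z_n
        self.owner_secret[t] = s_t
        return ec_mul(s_t, G)                          # public key G_{s_t}, given to owner t
    def issue_token(self, t):
        """Key material (G_{m_{t'->t}}, k_{t'->t}) for one terminal to reach owner t."""
        m = 1 + secrets.randbelow(N - 1)              # random m_{t'->t} in Z_n
        G_m = ec_mul(pow(m, -1, N), G)                 # second base point; inverse exists, n prime
        k = m * self.owner_secret[t] % N               # private key k_{t'->t} = m * s_t mod n
        return G_m, k

def hash_to_scalar(*parts):
    data = "|".join(repr(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def terminal_request(G_m, k, timestamp):
    """Step 3(1): request carries G_m and the time; signed with k over base G_m (Schnorr-style)."""
    r = 1 + secrets.randbelow(N - 1)
    R = ec_mul(r, G_m)
    e = hash_to_scalar(G_m, timestamp, R)
    return {"base": G_m, "time": timestamp, "sig": (R, (r + e * k) % N)}

def owner_verify(G_s, request):
    """Step 3(2): owner needs only G_{s_t}; checks s*G_m == R + e*G_{s_t}, true as k*G_m = s_t*G."""
    G_m, timestamp, (R, s) = request["base"], request["time"], request["sig"]
    e = hash_to_scalar(G_m, timestamp, R)
    return ec_mul(s, G_m) == ec_add(R, ec_mul(e, G_s))

def demo():
    tas = TrustedAccessServer()
    G_s1, G_s2 = tas.enrol_owner("owner-1"), tas.enrol_owner("owner-2")
    (G_m, k), (G_m2, k2) = tas.issue_token("owner-1"), tas.issue_token("owner-2")
    assert ec_mul(k, G_m) == G_s1                      # k_{t'->t} * G_m recovers G_{s_t}
    req = terminal_request(G_m, k, 1_700_000_000)      # constructed request time
    return (owner_verify(G_s1, req),                                        # genuine: True
            owner_verify(G_s1, dict(req, time=req["time"] + 1)),            # tampered time: False
            owner_verify(G_s1, terminal_request(G_m2, k2, 1_700_000_000)))  # other owner's token: False
```

The point of the construction shows in owner_verify: the owner checks every terminal with nothing but its own public key, and a token issued for a different owner is rejected because $k \cdot G_m$ then equals that other owner's public key.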

Claims (1)

1. A network resource access control method in trusted access, characterized by comprising the following steps:
Step 1: the trusted access server performs system initialization as follows:
(1) randomly create an elliptic curve $y^2 = x^3 + ax + b \pmod p$ with the SEA algorithm and compute its order, the first prime number $n$;
(2) choose a point $G$ on the elliptic curve as the first base point, as follows:
A. randomly select a second prime number $G_x$ and set $x = G_x$;
B. solve the equation $y^2 = x^3 + ax + b \pmod p$ for the corresponding $y$; the first base point is then $G = \langle x, y \rangle$;
where $p$ is an odd prime, $F_p$ is the finite field used by the SEA algorithm, and the coefficients $a, b \in F_p$.
Step 2: key material distribution, comprising key distribution to the resource owners $s_t$ and key distribution to the terminals $m_{t'}$:
(1) key distribution to resource owner $s_t$ comprises the following steps:
A. for each resource owner $s_t \in S$, the trusted access server randomly picks an integer $s_t \in Z_n$ for that resource owner;
B. compute the public key $G_{s_t} = s_t G = G + \dots + G$ ($s_t$ terms);
C. the trusted access server keeps the chosen integer $s_t$ as private information and distributes the public key $G_{s_t}$ to the corresponding resource owner $s_t$;
(2) key distribution to terminal $m_{t'}$: for each terminal $m_{t'} \in M$, the trusted access server determines, according to the terminal's trust level, the set of resources $S' \subseteq S$ that it may access, and for each resource owner $s_t$ in $S'$ performs the following operations:
A. generate a random number $m_{t' \to t} \in Z_n$; since $n$ is prime, $\gcd(m_{t' \to t}, n) = 1$, so $m_{t' \to t}^{-1} \bmod n$ exists and can be computed with the extended Euclidean algorithm;
B. compute the second base point $G_{m_{t' \to t}} = (m_{t' \to t}^{-1} \bmod n)\, G$;
C. compute the private key $k_{t' \to t} = m_{t' \to t} \cdot s_t \bmod n$;
D. distribute the computed key material $(G_{m_{t' \to t}}, k_{t' \to t})$ to terminal $m_{t'}$;
where $S$ is the set of all resources, $Z_n$ is the set of positive integers less than $n$, and $M$ is the set of terminals.
Step 3: resource access control comprises the following steps:
(1) when terminal $m_{t'}$ needs to access resource owner $s_t$, it places the second base point $G_{m_{t' \to t}}$ and the current computer time in a request message, signs the request with the private key $k_{t' \to t}$ and sends it to resource owner $s_t$;
(2) after receiving the request message from terminal $m_{t'}$, resource owner $s_t$ verifies the terminal using the public key $G_{s_t}$ and the second base point $G_{m_{t' \to t}}$; only a terminal $m_{t'}$ that passes verification can prove that it holds the private key $k_{t' \to t}$.
The private key $k_{t' \to t}$ is exactly the key that the trusted access server distributed to the terminal.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101557286A CN101383823B (en) 2008-10-08 2008-10-08 Network resource access control method in reliable access

Publications (2)

Publication Number Publication Date
CN101383823A CN101383823A (en) 2009-03-11
CN101383823B true CN101383823B (en) 2011-03-23

Family

ID=40463445

Country Status (1)

Country Link
CN (1) CN101383823B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102984256B (en) * 2012-11-28 2015-07-15 中国科学院计算技术研究所 Processing method and system for metadata based on authorization manner
CN104052721A (en) * 2013-03-15 2014-09-17 南京理工大学常熟研究院有限公司 Multi-internet integrated video security access system
CN106385593B (en) * 2016-09-14 2019-05-17 武汉斗鱼网络科技有限公司 The statistical method and system of live streaming number are watched while based on elliptic curve
CN114124944A (en) * 2020-08-27 2022-03-01 阿里巴巴集团控股有限公司 Data processing method and device of hybrid cloud and electronic equipment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1599316A (en) * 2004-09-17 2005-03-23 叶润国 Asymmetic identification scheme and long-distance access safety protocol
CN101079891A (en) * 2007-06-15 2007-11-28 清华大学 Wireless switching network re-authentication method based on wireless LAN secure standard WAPI
CN101136928A (en) * 2007-10-19 2008-03-05 北京工业大学 Reliable network access framework
CN101232378A (en) * 2007-12-29 2008-07-30 西安西电捷通无线网络通信有限公司 Authentication accessing method of wireless multi-hop network


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110323

Termination date: 20131008