Background technology
Along with the continuous development of information-based and Internet technology and deep, safety issue in the data transmission procedure becomes increasingly conspicuous, a most frequently used technology that solves Network Transmission safety is IP layer protocol safeguard construction (IPsec, Security Architecture for IP network), IPsec provides security service at the IP layer, it makes system can select security protocol as required, and decision employed algorithm of service and placement demand are served required key to the relevant position.IPsec is used for protecting between one or more main frame and main frame, the path between security gateway and security gateway, between security gateway and main frame.And set up the IPSEC secure network, a wherein most important step is the Security Association (the SecurityAssociation) and the security strategy of configuring IPSEC.Security Association has determined to be used for the life cycle etc. of IPSEC agreement, key and key of protected data bag safety, and which type of safety measure the security strategy decision adopts to data flow.The foundation of Security Association and key management adopt dual mode to realize that a kind of mode is a manual configuration, and all information all needs manual configuration, and the Security Association of configuration (if not carrying out manual modification) exists always.Another kind of mode is automatic configuration, consults as internet key exchange (IKE, Internet Key Exchange Protocol), and Security Association all is to produce through consultation, and every Security Association all has certain life cycle.The configuration of security strategy all is to use the certain Access Control List (ACL) of manual configuration (ACL, Access Control List) rule, in conjunction with the Security Association of configuration, determines safety measure that data flow is adopted with this.Whether the configuration of Security Association and security strategy is no matter adopt ike negotiation, and Configuration Management Officer all needs to be grasped IPSEC rudimentary knowledge, and layoutprocedure is more loaded down with trivial details.
Use for small-sized secure network, be equipped with as long-range calamity, data migration etc., if adopt fire compartment wall or secure router, cost is higher, the deployment cost is bigger.A kind of solution preferably is provided in the prior art, only need original common network interface card is replaced with the IPSEC smart card, not only can solve the safety issue in the data transmission procedure, simultaneously original operation flow not produced any impact, the processing of IPSEC is transparent.Under this applied environment, the configuration of IPSEC still needs the user to participate in, and the user needs to be grasped the deployment that IPSEC rudimentary knowledge just can be finished the IPSEC smart card.
The scheme of a kind of manual configuration IPSEC Security Association of the prior art and security strategy, the user determines IPSEC Security Association and security strategy according to network environment, is configured to then on every equipment.Every Security Association and security strategy need source of configuration IP, purpose IP, source port, destination interface, SPI, security protocol, IPSEC encapsulation mode, tunnel source IP, tunnel purpose IP, key etc.If network environment changes, also need to reconfigure.In this scheme, every Security Association and policy configurations are very complicated, are formulated and configuration by the network management personnel, and mistake appears in workload greatly easily, flow of personnel, and system deployment and configuration cycle are long.Be easy to cause security breaches, have potential safety hazard.
Another implementation of the prior art is to adopt ike negotiation IPSEC Security Association mode, and the IPSEC strategy adopts the manual configuration mode.The IPSEC smart card need be supported the ike negotiation function, and the user formulates IPSEC strategy and ike negotiation rule according to network environment, thereby finishes the configuration of entire I PSEC secure network.
Adopt ike negotiation three kinds of modes to be arranged, wildcard, certificate+digital signature, rsa encryption nonce.Key Management server and authorization identifying (CA Certification Authority) server only just needs to dispose under certificate+digital signature pattern.Adopt ike negotiation, at first consult the Security Association of IKE, consult the Security Association of IPSEC afterwards.The configuration of IPSEC security strategy still needs according to network environment by user's manual configuration.The shortcoming of this scheme is, the layoutprocedure more complicated of ike negotiation, even need to dispose Key Management server and CA server, cost is higher; If adopt the wildcard mode, the complex management of key, and have the risk of divulging a secret; The IPSEC security strategy still needs manual configuration, and the layoutprocedure of IPSEC smart card is still opaque to the user, needs the user to possess the IPSEC knowledge expertise.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the invention, the technical scheme in the embodiment of the invention is clearly and completely described, obviously, described embodiment only is the present invention's part embodiment, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills belong to the scope of protection of the invention not making the every other embodiment that is obtained under the creative work prerequisite.
In the IPSEC application of IC cards, under the clear and definite situation of internodal communication, do not need to dispose fuzzy Data Stream Processing strategy, the communication of IPSEC intermediate node is point-to-point.Based on the definite situation of this peer node, the method of the configuring IPSEC security strategy that the embodiment of the invention provides and IPSEC smart card, the Security Association of IPSEC and the configuration of security strategy are simplified, automatically dispose by the IPSEC smart card, the user only needs the peer node of configuration communication, and transparent fully about the configuration detail of IPSEC.
Embodiment one
With reference to Fig. 1, the method for a kind of configuring IPSEC security strategy that the embodiment of the invention provides comprises:
S01 utilizes the key and the predetermined correspondent node information that produce at random to generate first Security Association and first security strategy;
The peer node of communicating by letter with this node can be pre-configured according to actual network environment by the user.
S02, hold consultation based on first Security Association of described generation and first security strategy and peer node, determine available Security Association and security strategy, and from described available Security Association and security strategy, select and peer node between the Security Association and the security strategy that adopt and preserve;
S03 utilizes selected Security Association and security strategy that the IPSEC security stack of protocols is configured.
The allocation plan that the embodiment of the invention provides utilizes the key and the predetermined correspondent node information that produce at random to generate Security Association and security strategy; And consult with peer node, determine the Security Association and the security strategy that adopt.Layoutprocedure is independently finished by the IPSEC smart card, greatly simplifies layoutprocedure, reduces the technical ability requirement to the user, quickens layoutprocedure.Can realize automatic configuration according to the present invention, upgrade IPSEC Security Association and security strategy automatically, improve reliability and safe, reduce the system maintenance cost.
Embodiment two
With reference to Fig. 2, a kind of configuring IPSEC Security Association that the embodiment of the invention provides and the method for security strategy comprise:
S201 utilizes the key and the predetermined correspondent node information that produce at random to generate first Security Association and first security strategy;
For configuring IPSEC Security Association and security strategy, the user need be according to the pre-configured peer node of communicating by letter with this node of actual network environment.
S202 holds consultation based on first Security Association that is generated and first security strategy and peer node, determines available Security Association and security strategy;
At first, search the negotiation packet that judges whether to receive from peer node.If receive, then second Security Association that will carry from the negotiation packet of peer node and second security strategy and first Security Association and first security strategy are compared; Determine available Security Association and security strategy according to comparison result.Further, when Security Association that selection is adopted and security strategy, can obtain the IPSEC smart card ID of local terminal and opposite end, can from available Security Association and security strategy, select Security Association and security strategy to be configured according to the IPSEC smart card ID.Particularly, the IPSEC smart card ID value of local terminal and the IPSEC smart card ID value from the negotiation packet of peer node that received are compared, select ID value bigger Security Association and the security strategy of determining final employing, and Security Association and security strategy are saved in the Security Association and security strategy table of configuration.If do not receive negotiation packet, then first Security Association and first security strategy that is generated sent to peer node, and this first Security Association and first security strategy are saved in the Security Association and security strategy table of transmission from peer node.
With reference to Fig. 3, the process that local terminal and peer node are held consultation comprises:
A 1) obtain the IPSEC smart card ID of local terminal; Utilize public key that described first Security Association and first security strategy are encrypted, the line data of going forward side by side is sealed dress, obtains first negotiation packet;
A2) IPSEC smart card ID and this first negotiation packet with local terminal sends to peer node.
A3) with described first Security Association and the first security strategy encrypting storing in Security Association that has sent and security strategy table.
B) receive second negotiation packet of peer node transmission and the IPSEC smart card ID of opposite end, this message comprises second Security Association and second security strategy that peer node generates; And in the Security Association and security strategy table that second Security Association that carries in the second received negotiation packet and second security strategy are saved in reception.
C) obtain described second Security Association and second security strategy, and described second Security Association and second security strategy and described first Security Association and first security strategy are compared; Determine available Security Association and security strategy according to comparison result.
S203, Security Association that adopts between selection and the peer node and security strategy are also preserved;
Obtain the IPSEC smart card ID of local terminal and opposite end, according to the IPSEC smart card ID from available Security Association and security strategy, select and peer node between the Security Association and the security strategy that adopt.
For example, the IPSEC smart card ID value of local terminal and the IPSEC smart card ID value of negotiation packet are compared, Security Association and final Security Association and the security strategy that adopts of security strategy conduct by the bigger IPSEC smart card correspondence of ID value, and Security Association and security strategy be saved in the Security Association and security strategy table of configuration, use for subsequent configuration.
S204 utilizes the Security Association and the security strategy of being preserved that the IPSEC security stack of protocols is configured.
From the Security Association of configuration and security strategy table, obtain Security Association and security strategy, and the IPSEC protocol stack is configured, thereby finish the automatic configuration of IPSEC Security Association and security strategy.
S205, the Security Association and the security strategy of preserving are upgraded.
The transmission of timing scan Security Association and security strategy, reception, allocation list, for Security Association that has sent and security strategy table, if life cycle finishes, then duplicate again and generate Security Association and security strategy, and the negotiation packet of alliance safe to carry and security strategy sent to peer node, negotiating about security alliance and security strategy once more.For the Security Association and the security strategy table that receive,, then directly dispose if life cycle finishes.Security Association and security strategy table for configuration then regenerate, and dispose original Security Association and security strategy again, and call Security Association and security strategy transmitter, negotiating about security alliance and security strategy again.
With reference to Fig. 4, a kind of IPSEC security strategy inking device 400 that the embodiment of the invention provides can be described as the IPSEC smart card, comprising:
Security Association and security strategy generation module 410 utilize the key and the pre-configured correspondent node information that produce at random to generate first Security Association and first security strategy;
Select module 420, hold consultation based on first Security Association that is generated and first security strategy and peer node, determine available Security Association and security strategy, from described available Security Association and security strategy, select the Security Association and the security strategy that adopt;
Particularly, can according to the IPSEC smart card ID from available Security Association and security strategy, select and peer node between the Security Association and the security strategy that adopt.
For example, the IPSEC smart card ID value of local terminal and the IPSEC smart card ID value of negotiation packet are compared, by ID value bigger Security Association and the security strategy of determining final employing, and Security Association and security strategy be saved in the Security Association and security strategy table of configuration, use for subsequent configuration.
Memory module 430 is used to preserve Security Association and the security strategy that described selection module is determined employing;
Be used to preserve and select the Security Association and the security strategy that adopt between that determine and the peer node of module 420 and the Security Association and security strategy table, the Security Association of transmission and the Security Association and the security strategy table of security strategy table and configuration that receive.
Configuration module 440 is used for determining that according to described selection module the Security Association and the security strategy that adopt are configured the IPSEC security stack of protocols.
Particularly, can the IPSEC security stack of protocols be configured from Security Association and the security strategy that memory module 440 is obtained employing.
As shown in Figure 5, a kind of selection module 420 of providing of the embodiment of the invention specifically can comprise:
Receiving element 421 is used to receive second negotiation packet that peer node sends, and described second negotiation packet comprises second Security Association and second security strategy that peer node generates;
Receive second negotiation packet that carries second Security Association and second security strategy that peer node sends; Obtain second Security Association and second security strategy; And in the Security Association and security strategy table that second Security Association that obtained and second security strategy are saved in reception.
Comparing unit 422 is used for described second Security Association and second security strategy and described first Security Association and first security strategy are compared, and obtains comparison result, to determine available Security Association and security strategy.
As shown in Figure 6, a kind of selection module 420 of providing of the embodiment of the invention can comprise:
Acquiring unit 423 is used to obtain the IPSEC smart card ID of local terminal;
Ciphering unit 424 is used to utilize public key that described first Security Association and first security strategy are encrypted, and encapsulates and obtain first negotiation packet;
Transmitting element 425 is used for the IPSEC smart card ID and first negotiation packet of local terminal are sent to peer node, to determine available Security Association and security strategy.
Transmitting element 424 takes out first Security Association and first security strategy to be sent from the Security Association that sends and security strategy table, obtain local IPSEC smart card ID again, after utilizing public secret key encryption, encapsulate and obtain first negotiation packet, and put into the negotiation packet formation, then first negotiation packet is sent.And first Security Association that will send and first security strategy are saved in the Security Association and security strategy table of transmission.
Security strategy inking device 400 also comprises:
Update module 450, the Security Association and the security strategy that are used for described memory module is preserved are upgraded.
Transmission, reception, the allocation list of update module 450 timing scan Security Associations and security strategy, for Security Association that has sent and security strategy table, if life cycle finishes, then duplicate again and generate Security Association and security strategy, and the negotiation packet of alliance safe to carry and security strategy sent to peer node, negotiating about security alliance and security strategy once more.For the Security Association and the security strategy table that receive,, then directly dispose if life cycle finishes.Security Association and security strategy table for configuration then regenerate, and dispose original Security Association and security strategy again, and call Security Association and security strategy transmitter, negotiating about security alliance and security strategy again.
In sum, the IPSEC Security Association that the embodiment of the invention provides and the allocation plan of security strategy utilize the key and the predetermined correspondent node information that produce at random to generate Security Association and security strategy; Hold consultation based on the Security Association that is generated and security strategy and peer node, determine available Security Association and security strategy.Greatly simplify layoutprocedure, the user only needs the peer node of configuration communication, reduces the technical ability requirement to the user, quickens layoutprocedure.Layoutprocedure is independently finished by the IPSEC smart card, does not need the extras support, reduces the system deployment cost.The IPSEC smart card not only on the function and also configuration go up transparently fully to operation system, reduce overhead and management cost, significantly improve the secondary system development rate.Can realize automatic configuration according to the present invention, upgrade IPSEC Security Association and security strategy automatically, improve reliability and safe, reduce the system maintenance cost.
Obviously, those skilled in the art should be understood that, above-mentioned each unit of the present invention or each step can realize with the general calculation device, they can concentrate on the single calculation element, perhaps be distributed on the network that a plurality of calculation element forms, alternatively, they can be realized with the executable program code of calculation element, thereby, they can be stored in the storage device and carry out by calculation element, perhaps they are made into each integrated circuit modules respectively, perhaps a plurality of unit in them or step are made into the single integrated circuit module and realize.Like this, the present invention is not restricted to any specific hardware and software combination.
The above is preferred embodiment of the present invention only, is not to be used to limit protection scope of the present invention.All any modifications of being done within the spirit and principles in the present invention, be equal to replacement, improvement etc., all be included in protection scope of the present invention.