CN103152350B - Trusted network access method and system for protecting terminal configuration privacy - Google Patents


Info

Publication number
CN103152350B
Authority
CN
China
Prior art keywords
terminal
platform
network
access
service
Legal status
Expired - Fee Related
Application number
CN201310082307.6A
Other languages
Chinese (zh)
Other versions
CN103152350A (en)
Inventor
赵世军
初晓博
张倩颖
秦宇
冯伟
Current Assignee
Institute of Software of CAS
Original Assignee
Institute of Software of CAS
Application filed by Institute of Software of CAS

Landscapes

  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a trusted network access method and system that protect terminal configuration privacy. The trusted network access system consists of the following entities: access terminal, policy enforcement point, policy decision point and network service. The method is: 1) the access terminal obtains a platform identity and then accesses the network, establishing a secure channel; an access terminal without a platform identity must first apply for one; 2) the access terminal performs platform security policy attestation and platform identity verification through the policy enforcement point; 3) the access terminal accesses the network service and, after attestation succeeds, accesses the network. A terminal security attribute attestation service is provided for network services, protecting the configuration privacy of the terminal platform.

Description

Trusted network access method and system for protecting terminal configuration privacy
Technical field
The present invention relates to trusted network access methods, and in particular to trusted network access systems that require protection of terminal configuration privacy; it belongs to the field of information security technology.
Background technology
With the spread of network technology and applications such as e-commerce, business transactions such as online shopping are becoming more and more common, and the security threats to networks and terminal computers are growing explosively, in particular network-propagated viruses and Trojans, while security vulnerabilities in mainstream terminal computing platforms emerge endlessly. Traditional security solutions (firewalls, antivirus software and so on) have been developed for many years, but their ability to control the spread of malicious code in the network is still insufficient, so viruses, worms and Trojan programs cause large losses every year and even large numbers of enterprise security incidents, with huge economic impact. Traditional security solutions alone therefore cannot solve the problems brought by malicious code. In response, the Internet industry has proposed network access control technologies that combine the security state of the terminal with network access; at present the dominant solutions are Cisco's Network Admission Control and Microsoft's Network Access Protection. However, because of intellectual property issues, the industry's network access control schemes generally suffer from poor compatibility and poor extensibility, which imposes unnecessary financial burdens on users.
To address this problem, the Trusted Computing Group proposed an open network access control scheme, Trusted Network Connect, and published a complete set of specifications including an architecture specification, component interoperability interface specifications and supporting technical specifications. Trusted network access builds on existing network control technologies such as the 802.1X framework, virtual private network (VPN) IPsec and the Transport Layer Security (TLS) protocol; before a terminal accesses the network, its platform identity and platform configuration are authenticated, ensuring the legitimacy of the access terminal's identity and security state. Technically, trusted network access is a way of extending the trust of trusted computing to the network; it aims to establish a trustworthy network environment and is a method of actively defending against network harm.
Since the Trusted Computing Group published the Trusted Network Connect architecture, many research institutions have begun implementing it, and several open-source projects now support the architecture.
The Trust@FHH research group at the Fachhochschule Hannover (Hannover University of Applied Sciences, Germany) is a member of the Trusted Network Connect working group, and the open-source project TNC@FHH that it leads implements the architecture. In the integrity evaluation layer of the access platform, TNC@FHH enforces user-defined access control to prevent the leakage of the user's confidential configuration information, achieving a certain degree of protection of platform configuration information. However, it makes no improvements in integrity information management or in isolation (quarantine) domains.
The open-source project libTNC aims to build an operating-system-independent open-source trusted network access system; it already supports Windows, several Unix-like operating systems and Mac OS X, but it implements only part of the trusted network access framework and makes no improvements to TNC's shortcomings.
Some other projects, such as Open1X, an open-source cross-platform 802.1X client supported by the OpenSEA Alliance, and strongSwan, an IPsec implementation for Linux operating systems, merely provide support for trusted network access at the network access layer.
In addition, the products of many enterprises have begun to support the Trusted Network Connect architecture; in particular, several products of Juniper Networks have passed the certification of the international Trusted Computing Group. Domestically, companies such as Huawei, Topsec (Tianrongxin) and Qingda Anke have successively released their own network access control schemes based on trusted network access.
The Trusted Network Connect architecture uses the traditional binary attestation scheme of trusted computing, but traditional binary attestation has the following disadvantages. First, integrity management is complicated: the verifier is usually the service provider in an Internet application, and the service provider must record the platform configurations of all attesters, including all kinds of software and every version of each, which is a heavy administrative burden for the service provider. Second, the scheme reveals the user's platform configuration information: the service provider obtains the complete configuration of the terminal, which gives it the opportunity to profile user information. Finally, the scheme can lead to software discrimination, for example an access policy of the service provider that requires the client to install, or forbids it from installing, a particular piece of software. All of the above disadvantages are introduced into trusted network access when the binary attestation scheme is used.
Summary of the invention
To address the inability of current trusted network access solutions to protect terminal configuration privacy, the present invention proposes a trusted network access method based on attribute attestation, which can protect the configuration information of user terminals and reduce the integrity management load of Internet network service providers. The access method of the present invention divides the network components into four main parts: access terminal, policy enforcement point, policy decision point and network service provider. The access terminal is any terminal requesting network access and is required to have a TPM/TCM chip. The policy enforcement point is the network equipment that enforces the access decision and generally includes switches, routers, wireless APs and the like. The policy decision point provides services such as platform identity management and platform security policy attestation. The platform identity management service is responsible for managing the platform identities of access terminals, and the platform security policy attestation service provides attestation of platform security attributes and issuance of security attribute certificates. The network service provider is any online network service on the Internet, such as a web service or a mail service.
The trusted network access method for protecting terminal configuration privacy is described in detail below:
1) The access terminal obtains a platform identity; a terminal without a platform identity must first apply for one from the platform identity management service of the policy decision point;
2) The terminal platform accesses the network. The policy decision point passes the platform identity and the platform integrity of the access terminal to the platform identity management service and the platform security policy attestation service respectively for verification. The platform identity management service verifies the legitimacy of the platform identity. The platform security policy attestation service maps the platform integrity data to the security attributes the platform possesses and issues a security attribute certificate to the terminal. After the platform identity and the platform security policy have been verified, the policy decision point makes an access decision based on both results, notifies the policy enforcement point to enforce the decision, and sends the security certificate and the access decision to the access terminal;
3) The terminal accesses the network service. The network service requests the platform identity, the security attribute certificate and the configuration information of specific software from the access terminal; the access terminal signs its own security attribute certificate and the integrity information of the specific software with its platform identity and sends them to the network service, which verifies the platform identity, the security attribute certificate and the integrity information of the specific software respectively; if verification succeeds, the terminal is allowed access. A terminal that fails verification must change its platform configuration so that it meets the requirements of the network service before applying for access again.
The method by which the terminal obtains a platform identity is:
A. The access terminal and the platform identity management service negotiate a platform identity through a platform identity application protocol supported by the TPM/TCM chip, such as the PrivacyCA or DAA protocol;
The method by which the terminal accesses the network is:
A. The terminal boots according to the trusted boot sequence and, after booting, sends a network access request to the policy decision point;
B. The policy decision point establishes a secure channel with the terminal over the communication channel provided by the network equipment; all subsequent communication between the policy decision point and the terminal takes place within this secure channel;
C. The policy decision point sends a platform identity attestation request and a platform integrity attestation request to the terminal;
D. According to the platform integrity attestation request of the policy decision point, the terminal calls the corresponding integrity collector component to perform integrity collection, signs the collected integrity data list with the platform identity key, and sends it to the policy decision point;
E. The policy decision point calls the platform identity management service to verify the platform identity key signature sent by the terminal; after verification succeeds, it passes the integrity data list to the platform security policy attestation service for platform security policy attestation;
F. The platform security policy attestation service maps the platform integrity data list to the corresponding security attribute according to its attribute attestation method, and signs this security attribute together with the platform identity certificate with the signing key of the platform security policy attestation service to form the security attribute certificate;
G. The policy decision point makes an access decision according to the results of the platform identity management service and the platform security policy attestation service;
H. The policy decision point notifies the policy enforcement point to enforce the access decision, and sends the access result and the security attribute certificate to the access terminal;
I. The access terminal extends the security attribute certificate into the security chip.
The method by which the terminal boots trustworthily is:
a. After the terminal powers up, starting from the static core root of trust for measurement (CRTM), the platform successively loads, measures and runs the trusted boot program BootLoader, the operating system kernel and the system security software, and extends the measurement results into the security chip.
The attribute attestation method is:
a. The terminal sends the measurement values of the BootLoader, the operating system and the system security software, together with the platform identity key signature, to the policy decision point;
b. The policy decision point passes the signature to the platform identity management service for verification; after it is verified, the terminal integrity information is passed to the platform security policy attestation service for verification. The platform security policy attestation service uses its own integrity-to-security-attribute mapping method to determine the highest-level security attribute the terminal satisfies, and then signs this security attribute together with the platform identity certificate as the access terminal's security attribute certificate.
The integrity-to-security-attribute mapping method is:
A. Security attributes are labelled with symbols as follows:
Symbol P1 labels the security attribute: the platform possesses a legitimate security chip;
P2 labels the security attribute: the measurement value of the terminal's trusted boot program equals the measurement value of a normal trusted boot program;
P3-v1 to P3-vm label the security attributes: the measurement value of the operating system matches the measurement value of an operating system of a certain type or version;
P4-v1 to P4-vn label the security attributes: the measurement value of the terminal security software matches the measurement value of a system security software of a certain version;
P5 labels the security attribute: the running environment of the terminal platform is trustworthy.
B. The terminal has already passed platform identity signature authentication, so security attribute P1 is satisfied: the platform possesses a legitimate security chip;
C. On the basis of security attribute P1, check whether the terminal integrity satisfies P2; if so, it is derived that the terminal's trusted boot program meets the security requirement, and the platform is marked as reaching security attribute level P2;
D. On the basis of security attribute P2, check whether the terminal integrity satisfies any one of P3-v1 to P3-vm; if so, it is derived that the terminal's operating system meets the security requirement, and the platform is marked as reaching security attribute level P3;
E. On the basis of security attribute P3, check whether the terminal integrity satisfies any one of P4-v1 to P4-vn; if so, it is derived that the terminal's security software meets the security requirement, and the platform is marked as reaching security attribute level P4.
The method by which the terminal accesses the network service is:
A. A terminal that has passed verification and accessed the network sends an access request to the network service;
B. The network service requests the security attribute and the configuration information of some specific software from the access terminal, and chooses a challenge random number;
C. The access terminal measures the specific software into the security chip, then signs the challenge random number, the security attribute certificate and the software specified by the network service with the platform identity key, and sends them to the network service;
D. The network service checks the security attribute and the specific software configuration of the access terminal; if they pass, the terminal is allowed to access its service; if not, the terminal is not allowed to access its service and must make a new request.
A security chip, TCM or TPM, is bound in the terminal.
The present invention also proposes a trusted network access system for protecting terminal configuration privacy. The trusted network access system consists of the following entities: access terminal, policy enforcement point, policy decision point and network service;
The access terminal corresponds to the terminal platform accessing the network and includes a network access engine, a terminal network access service and integrity collector components;
The network access engine is responsible for the underlying network communication for different network environments;
The terminal network access service is responsible for the registration and management of the platform identity, the forwarding of platform integrity messages and the management of the integrity collector components;
An integrity collector component is responsible for collecting the integrity data of one aspect of the terminal, and a terminal may have several integrity collector components;
The policy enforcement point is responsible for enforcing specific access policies and includes multiple network access devices;
The policy decision point consists of the platform identity management service and the platform security policy attestation service; the platform identity management service is responsible for functions such as issuing, authenticating and revoking platform identities, and the platform security policy attestation service is responsible for authenticating platform security attributes and issuing security attribute certificates;
The network service provides the specific network services offered by the various network service providers on the Internet.
The beneficial effects of the present invention are:
The current Trusted Network Connect architecture uses the traditional binary attestation method of the trusted computing field, which has problems such as exposing platform configuration information and complicating the integrity management of network services. The network access method proposed by the present invention uses an attribute attestation method that protects platform configuration information: 1) a terminal security attribute attestation service is provided for network services, so the terminal platform need only provide the security attributes of its own platform to network services; 2) the configuration privacy of the terminal platform is protected, while the platform integrity management burden of network service providers is also reduced; 3) the access method of the present invention also supports network services that require a specific software configuration for access.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of the system in one embodiment of the trusted network access method for protecting terminal configuration privacy of the present invention;
Fig. 2 is a schematic flow diagram of the method by which a terminal accesses the network in one embodiment of the trusted network access method for protecting terminal configuration privacy of the present invention;
Fig. 3 is a schematic flow diagram of the method by which an access terminal accesses a network service in one embodiment of the trusted network access method for protecting terminal configuration privacy of the present invention.
Embodiment
The technical scheme in the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings. It should be understood that the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by persons skilled in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
As shown in Fig. 1, the method of the present invention consists of the following entities: access terminal, policy enforcement point, policy decision point and network service. The access terminal corresponds to the terminal platform accessing the network. The policy enforcement point is responsible for enforcing specific access policies. The policy decision point consists of the platform identity management service and the platform security policy attestation service; the platform identity management service is responsible for functions such as issuing, authenticating and revoking platform identities, and the platform security policy attestation service is responsible for authenticating platform security policies and issuing security attribute certificates. The network service corresponds to the specific network services provided by the various network service providers on the Internet, such as social networking sites and scientific paper service platforms.
The access terminal system specifically includes a network access engine, a terminal network access service and integrity collector components. The network access engine is responsible for the underlying network communication for different network environments (such as WLAN, Ethernet and VPN), and takes the concrete form of a VPN client or an 802.1X client; the terminal network access service is responsible for the registration and management of the platform identity, the forwarding of platform integrity messages and the management of integrity collector components; an integrity collector component is responsible for collecting the integrity data of one aspect of the terminal, a terminal may have several integrity collector components, and they are typically provided by the network service provider.
The policy enforcement point is embodied in network access devices such as switches, security network equipment and wireless access points.
The trusted network access method for protecting terminal configuration privacy of the present invention comprises the following steps:
1) The access terminal boots the platform through trusted boot:
1. After power-up, the static core root of trust for measurement (CRTM) on the platform loads and measures the trusted boot program BootLoader, extends the measurement value into PCR4, and then hands control to the BootLoader;
2. The BootLoader loads and measures the operating system kernel, extends the measurement value into PCR8, and then hands control to the operating system;
3. The operating system loads and measures the system security software, extends the measurement value into PCR9, and the system starts.
2) The access terminal obtains a platform identity from the platform identity management service:
1. The access terminal initiates a platform identity registration request, through the network access engine, to the platform identity management service of the policy decision point;
2. The policy decision point and the network access engine establish a secure channel through the TLS handshake protocol, and all subsequent messages are forwarded within this secure channel;
3. The platform identity management service and the access terminal run the PrivacyCA or DAA protocol and finally issue a platform identity certificate to the access terminal.
2) The terminal accesses the network. Fig. 2 is a schematic flow diagram of terminal network access in one embodiment of the trusted network access method for protecting terminal configuration privacy of the present invention:
1. The access terminal sends a network access request to the policy decision point through the network access engine;
2. The policy decision point and the network access engine establish a secure channel through the TLS handshake protocol, and all subsequent messages are protected by this secure channel;
3. The platform identity management service and the platform security policy attestation service in the policy decision point send a platform identity authentication request and a platform security policy authentication request respectively, together with a challenge random number Nonce;
4. The terminal network access service in the access terminal uses the platform identity key AIK or PIK to sign the integrity data in PCR4, PCR8 and PCR9 of the TPM or TCM together with the Nonce, and sends the platform identity certificate, the AIK or PIK signature and the platform integrity data to the policy decision point;
5. The policy decision point sends the platform certificate and the platform identity signature to the platform identity management service for verification; after verification succeeds, the platform identity management service passes the platform identity signature and the platform integrity data to the platform security policy attestation service for verification;
6. The platform security policy attestation service completes the platform integrity-to-security-attribute mapping according to the following mapping rules:
6-1. Symbol P1 labels the security attribute: the platform possesses a legitimate TPM or TCM; P2 labels the security attribute: the measurement value in PCR4 equals the measurement value of a normal trusted boot program; P3 labels the security attribute: the operating system has been measured into PCR8; P4-v1 to P4-vm label the security attributes: the value of PCR4 matches the operating system measurement value of a certain version; P5 labels the security attribute: the system security software has been measured into PCR9; P6-v1 to P6-vn label the security attributes: the value of PCR9 matches the system security software measurement value of a certain version; P7 labels the security attribute: the running environment of the terminal platform is trustworthy. The terminal has already passed AIK or PIK signature authentication, so it satisfies security attribute P1;
6-2. On the basis that security attribute P1 is satisfied, if the terminal integrity satisfies P2, it is derived that the terminal integrity satisfies security attribute P3;
6-3. Check whether the terminal integrity satisfies any one of P4-v1 to P4-vm; if so, it is derived that the terminal integrity satisfies security attribute P5;
6-4. Check whether the terminal integrity satisfies any one of P6-v1 to P6-vn; if so, it is derived that the terminal integrity satisfies security attribute P7.
7. The platform security policy attestation service signs the terminal's highest security attribute with its own signing key as the terminal's security attribute certificate, makes an access decision according to the platform identity and security attribute authentication results, and finally notifies the policy enforcement point to enforce the access decision and sends the security attribute certificate to the access terminal;
8. The access terminal extends the security attribute certificate into PCR10 of the security chip.
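The mapping rules of steps 6-1 to 6-4 carried through in code, as an added example that is not the patent's own code: it takes the PCR4, PCR8 and PCR9 values quoted by the terminal and derives the chain of satisfied attributes and the single highest level that is signed in step 7. It assumes SHA-256 PCR values, a constructed known-good measurement database, and that the operating system measurement is compared against PCR8 and the security software against PCR9, following the boot sequence in step 1).

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good measurement database of the platform security policy
# attestation service. P2 is the one accepted boot program; P4-v*/P6-v* are the
# accepted operating-system and security-software versions (all constructed).
KNOWN_GOOD = {
    "P2": sha256_hex(b"bootloader-v1"),
    "P4": {
        "P4-v1": sha256_hex(b"os-kernel-3.10"),
        "P4-v2": sha256_hex(b"os-kernel-3.12"),
    },
    "P6": {
        "P6-v1": sha256_hex(b"secsw-2.0"),
        "P6-v2": sha256_hex(b"secsw-2.1"),
    },
}


def _match_version(versions: dict, pcr_value) -> str:
    """Return the label (e.g. 'P4-v2') whose digest equals the PCR value, else None."""
    return next((label for label, digest in versions.items() if digest == pcr_value), None)


def map_attributes(pcrs: dict, identity_ok: bool, db: dict = KNOWN_GOOD) -> list:
    """Derive the ordered chain of satisfied attributes P1..P7.

    pcrs maps 'PCR4', 'PCR8', 'PCR9' to hex digests as quoted by the terminal;
    identity_ok is the result of the AIK/PIK signature check (step 5).
    Each level is derived only on the basis of the previous one, so the chain
    stops at the first level that is not satisfied.
    """
    satisfied = []
    if not identity_ok:
        return satisfied                       # no legitimate TPM/TCM: not even P1
    satisfied.append("P1")
    if pcrs.get("PCR4") != db["P2"]:
        return satisfied                       # boot program differs from the accepted one
    satisfied += ["P2", "P3"]                  # 6-2: P2 holds, so P3 is derived
    os_label = _match_version(db["P4"], pcrs.get("PCR8"))
    if os_label is None:
        return satisfied                       # unknown operating-system version
    satisfied += [os_label, "P5"]              # 6-3
    sw_label = _match_version(db["P6"], pcrs.get("PCR9"))
    if sw_label is None:
        return satisfied                       # unknown security-software version
    satisfied += [sw_label, "P7"]              # 6-4: running environment trustworthy
    return satisfied


def highest_attribute(pcrs: dict, identity_ok: bool, db: dict = KNOWN_GOOD) -> str:
    """The single level written into the security attribute certificate (step 7).

    Because P5 and P7 are always derived from a version match, the highest
    level never names a version: the certificate reveals 'P7', not which
    operating system or security software the terminal runs.
    """
    chain = map_attributes(pcrs, identity_ok, db)
    return chain[-1] if chain else "NONE"
```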
3) The terminal accesses the network service. Fig. 3 is a schematic flow diagram of an access terminal accessing a network service in one embodiment of the trusted network access method for protecting terminal configuration privacy of the present invention; the terminal accesses the network service as follows:
1. The access terminal sends an access request to the network service provider;
2. The network service provider sends the access terminal an authentication request for the platform identity, the platform security policy and the specific software configuration information, together with a challenge random number Nonce;
3. The access terminal forwards the specific software configuration information authentication request to the corresponding integrity collector component, which collects the integrity information of the corresponding software and extends it into PCR11; the access terminal then uses the platform identity key to sign the platform security policy certificate and the specific software configuration measurement values stored in PCR10 and PCR11 of the security chip together with the network service provider's challenge random number Nonce, and finally sends the platform identity certificate and this signature to the network service provider;
4. The network service provider verifies the platform identity signature, the platform security policy and the configuration information of the specific software; if the access requirements are met, the terminal is allowed to access the service.
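The phase 3 exchange of steps 1 to 4 above, with both sides' messages, as an added example that is not the patent's own code. It assumes constructed keys, certificates and software images, and stands in HMAC-SHA256 for the AIK/PIK signature and for the attestation service's signing key so that it runs offline; a real deployment verifies a TPM/TCM quote against the platform identity certificate and the attestation service's certificate.

```python
import hashlib
import hmac
import os

PCR_ZERO = bytes(32)
AIK_KEY = b"constructed-stand-in-for-the-AIK/PIK"             # terminal side
ATTEST_SERVICE_KEY = b"constructed-stand-in-for-PSPAS-key"    # certificate issuer
LEVELS = ["P1", "P2", "P3", "P5", "P7"]   # certificate levels, increasing order


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM/TCM-style extend: PCR_new = H(PCR_old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def issue_attribute_cert(level: str, platform_id: bytes) -> bytes:
    """Step 7 of phase 2: the attestation service signs (level, platform identity)."""
    body = level.encode() + b"|" + platform_id
    return body + b"|" + sign(ATTEST_SERVICE_KEY, body)


class Terminal:
    def __init__(self, platform_id: bytes, attr_cert: bytes):
        self.platform_id = platform_id
        self.attr_cert = attr_cert
        self.pcr10 = pcr_extend(PCR_ZERO, attr_cert)   # step 8 of phase 2
        self.pcr11 = PCR_ZERO

    def measure_software(self, image: bytes):
        # Step 3: the integrity collector measures the requested software into PCR11.
        self.pcr11 = pcr_extend(self.pcr11, hashlib.sha256(image).digest())

    def respond(self, nonce: bytes) -> dict:
        # The platform identity signature binds PCR10, PCR11 and the service's Nonce.
        quoted = self.pcr10 + self.pcr11 + nonce
        return {"platform_id": self.platform_id, "attr_cert": self.attr_cert,
                "pcr10": self.pcr10, "pcr11": self.pcr11, "nonce": nonce,
                "sig": sign(AIK_KEY, quoted)}


class NetworkService:
    def __init__(self, min_level: str, required_software: bytes):
        self.min_level = min_level
        # Only the one requested software measurement is known to the service.
        self.expected_pcr11 = pcr_extend(PCR_ZERO, hashlib.sha256(required_software).digest())
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)            # step 2: fresh challenge per request
        self.outstanding.add(nonce)
        return nonce

    def verify(self, r: dict) -> tuple:
        """Step 4: returns (allowed, reason)."""
        if r["nonce"] not in self.outstanding:
            return False, "unknown or reused nonce"
        self.outstanding.discard(r["nonce"])          # single use: blocks replay
        quoted = r["pcr10"] + r["pcr11"] + r["nonce"]
        if not hmac.compare_digest(sign(AIK_KEY, quoted), r["sig"]):
            return False, "platform identity signature invalid"
        level, pid, cert_sig = r["attr_cert"].split(b"|", 2)
        if not hmac.compare_digest(sign(ATTEST_SERVICE_KEY, level + b"|" + pid), cert_sig):
            return False, "security attribute certificate not issued by attestation service"
        if pid != r["platform_id"]:
            return False, "certificate bound to a different platform identity"
        if r["pcr10"] != pcr_extend(PCR_ZERO, r["attr_cert"]):
            return False, "PCR10 does not contain the presented certificate"
        if level.decode() not in LEVELS or LEVELS.index(level.decode()) < LEVELS.index(self.min_level):
            return False, "security attribute level too low"
        if r["pcr11"] != self.expected_pcr11:
            return False, "specific software configuration mismatch"
        return True, "access allowed"
```

The service learns only the certificate level and whether the one requested software matches, not the rest of the platform configuration, and the single-use nonce means a captured response cannot be presented again.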

Claims (9)

1. A trusted network access method for protecting terminal configuration privacy, in which the components in the network are divided into an access terminal, a policy enforcement point, a policy decision point and a network service provider, comprising the steps of:
1) the access terminal obtains a platform identity and then accesses the network, establishing a secure channel; an access terminal without a platform identity must apply for one;
the access terminal accessing the network after obtaining the platform identity comprises:
A. the access terminal boots according to the trusted boot sequence and, after booting, sends a network access request to the policy decision point;
B. the policy decision point establishes a secure channel with the terminal over the communication channel provided by the network equipment, after which all communication between the policy decision point and the terminal takes place within this secure channel;
C. the policy decision point sends a platform identity attestation request and a platform integrity attestation request to the terminal;
D. according to the platform integrity attestation request of the policy decision point, the access terminal calls the corresponding integrity collector component to perform integrity collection, signs the collected integrity data list with the platform identity key, and sends it to the policy decision point;
E. the policy decision point calls the platform identity management service to verify the platform identity key signature sent by the terminal; after verification succeeds, it passes the integrity data list to the platform security policy attestation service for platform security policy attestation;
F. the platform security policy attestation service maps the platform integrity data list to the corresponding security attribute according to the attribute attestation method, and signs this security attribute together with the platform identity certificate with the signing key of the platform security policy attestation service as the security attribute certificate;
G. the policy decision point makes an access decision according to the results of the platform identity management service and the platform security policy attestation service;
H. the policy decision point notifies the policy enforcement point to enforce the access decision, and sends the access result and the security attribute certificate to the access terminal;
I. the access terminal extends the security attribute certificate into the security chip;
2) the access terminal performs platform security policy attestation and platform identity verification through the policy enforcement point;
2-1) after the access terminal accesses the network, the policy decision point sends the platform identity and platform integrity of the terminal to the platform service for verification, and the platform service feeds back the authentication result for the verified platform identity and integrity and issues a security attribute certificate;
2-2) after the platform identity and platform integrity are verified, the policy decision point makes an access decision according to the results, notifies the policy enforcement point to enforce the decision, and notifies the access terminal of the security attribute certificate and the access decision;
3) the access terminal accesses the network service and, after attestation succeeds, accesses the network;
3-1) the network service requests the platform identity, the security attribute certificate and the specific software configuration information of the access terminal;
3-2) the access terminal signs its own security attribute certificate and the integrity information of the specific software with the platform identity and sends them to the network service;
3-2) the network service verifies the platform identity, the security attribute certificate and the integrity information of the specific software respectively; if verification succeeds, the terminal is allowed access.
2. The trusted network access method protecting terminal configuration privacy as claimed in claim 1, characterized in that the attribute proof method is:
I. The access terminal sends the measurements of the BootLoader, the operating system and the system security software, together with the platform identity key signature over them, to the policy decision point;
II. The policy decision point hands the signature to the platform identity management service for verification; after verification succeeds, it hands the terminal integrity information to the platform security policy proof service for verification. The platform security policy proof service uses its own integrity-to-security-attribute mapping method to determine the highest security attribute level the terminal satisfies, and then signs this security attribute together with the platform identity certificate as the security attribute certificate of the access terminal.
3. The trusted network access method protecting terminal configuration privacy as claimed in claim 2, characterized in that the integrity-to-security-attribute mapping method is:
A. Security attributes are marked with symbols as follows:
P1 marks the security attribute: the platform possesses a legitimate security chip;
P2 marks the security attribute: the measurement of the terminal's trusted boot program equals the measurement of the genuine trusted boot program;
P3-v1 to P3-vm mark security attributes respectively: the measurement of the operating system matches the measurement of an operating system of a certain type or version;
P4-v1 to P4-vn mark security attributes respectively: the measurement of the terminal security software matches the measurement of a certain version of the system security software;
P5 marks the security attribute: the running environment of the terminal platform is trusted;
B. The terminal has already passed platform identity signature authentication, so it satisfies security attribute P1, i.e. the platform possesses a legitimate security chip;
C. On the basis of security attribute P1, check whether the terminal integrity satisfies P2; if it does, it is derived that the terminal's trusted boot program meets the security requirement, and the platform is marked as reaching security attribute level P2;
D. On the basis of security attribute P2, check whether the terminal integrity satisfies any one of P3-v1 to P3-vm; if it does, it is derived that the terminal's operating system meets the security requirement, and the platform is marked as reaching security attribute level P3;
E. On the basis of security attribute P3, check whether the terminal integrity satisfies any one of P4-v1 to P4-vn; if it does, it is derived that the terminal's security software meets the security requirement, and the platform is marked as reaching security attribute level P4.
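The following Python example is added here to illustrate claims 2 and 3; it is not code from the patent or its authors. It implements the stepwise mapping of claim 3 (each level is only checked on the basis of the previous one, and the first failing level stops the climb) and the certificate issuance of claim 2 step II. The reference digests, the certificate names and the use of HMAC-SHA256 as a stand-in for the proof service's signing key are constructed assumptions; a deployment would use real image digests and the chip-backed signing keys.

```python
import hashlib
import hmac
from typing import Dict, Optional, Set


def _ref(label: str) -> str:
    """Constructed reference measurement: SHA-256 of a label standing in for a real image digest."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed reference database of the platform security policy proof service (assumption):
# one genuine boot program (P2), two accepted OS versions (P3-v1, P3-v2) and two accepted
# security software versions (P4-v1, P4-v2).
REFERENCE: Dict[str, Set[str]] = {
    "P2": {_ref("bootloader-1.0")},
    "P3": {_ref("os-kernel-5.4"), _ref("os-kernel-5.10")},
    "P4": {_ref("endpoint-security-2.1"), _ref("endpoint-security-2.2")},
}


def map_integrity_to_attribute(integrity: Dict[str, str], identity_verified: bool,
                               reference: Dict[str, Set[str]] = REFERENCE) -> Optional[str]:
    """Stepwise mapping of claim 3; returns the highest level reached, or None without a verified identity."""
    if not identity_verified:
        return None                      # P1 presupposes a verified platform identity signature (step B)
    if integrity.get("bootloader") not in reference["P2"]:
        return "P1"                      # legitimate chip, but the boot program is not the genuine one
    if integrity.get("os") not in reference["P3"]:
        return "P2"                      # none of P3-v1..P3-vm matched, so P4 is never examined
    if integrity.get("security_software") not in reference["P4"]:
        return "P3"
    return "P4"


def issue_attribute_certificate(level: str, platform_identity_cert: str, policy_key: bytes) -> Dict[str, str]:
    """Bind the derived level to the platform identity certificate and sign (claim 2 step II).

    HMAC stands in for the proof service's signature (assumption). Note that the certificate carries
    the level only, never the measurement values it was derived from."""
    payload = f"{platform_identity_cert}|{level}".encode()
    return {
        "platform_identity": platform_identity_cert,
        "security_attribute": level,
        "signature": hmac.new(policy_key, payload, hashlib.sha256).hexdigest(),
    }


def verify_attribute_certificate(cert: Dict[str, str], policy_key: bytes) -> bool:
    """Relying-party check that the certificate was issued by the proof service and not altered."""
    payload = f"{cert['platform_identity']}|{cert['security_attribute']}".encode()
    expected = hmac.new(policy_key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["signature"])


def sample_integrity(bootloader: str, os_label: str, security_sw: str) -> Dict[str, str]:
    """Constructed integrity data list as step I of claim 2 would deliver it (digests only)."""
    return {"bootloader": _ref(bootloader), "os": _ref(os_label), "security_software": _ref(security_sw)}


if __name__ == "__main__":
    key = b"policy-proof-service-demo-key"      # constructed key
    integrity = sample_integrity("bootloader-1.0", "os-kernel-5.10", "endpoint-security-2.1")
    level = map_integrity_to_attribute(integrity, identity_verified=True)
    cert = issue_attribute_certificate(level, "AIK-cert-terminal-42", key)
    print(level, verify_attribute_certificate(cert, key), cert)
```

A terminal running the second accepted kernel and the first accepted security software package reaches P4, while a terminal with an unknown kernel stops at P2 even if its security software would have matched. The certificate a network service later receives contains only the identity certificate and the level, which is the configuration-privacy property of the title: the service learns that the platform satisfies the policy without learning which operating system or security software version it runs.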
4. The trusted network access method protecting terminal configuration privacy as claimed in claim 1, characterized in that the method by which the terminal accesses the network service is:
A. The terminal that has passed verification and accessed the network sends an access request to the network service;
B. The network service requests the security attribute of the access terminal and the configuration information of some specific software, and sends a challenge random number;
C. The access terminal measures the specific software into the security chip, then signs the challenge random number, the security attribute certificate and the measurement of the software specified by the network service with the platform identity key, and sends them to the network service;
D. The network service checks the security attribute and the specific software configuration of the access terminal; if the check passes, the terminal is allowed to access its services; if not, the terminal is not allowed to access its services and must make a new request.
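The exchange of claim 4 (and of claim 1 steps 3-1 to 3-3), written out in Python as an added example that is not part of the patent: the network service issues a fresh challenge, the terminal measures the requested software and signs challenge, security attribute certificate and measurement with its platform identity key, and the service checks each piece in turn. The identity registry, the required level, the software image and the use of HMAC-SHA256 in place of both the platform identity key signature and the proof service's certificate signature are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set, Tuple

LEVELS = ["P1", "P2", "P3", "P4", "P5"]          # ordering of the security attribute levels of claim 3


def _sign(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 stands in for an asymmetric signature (assumption); key is never sent."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def _cert_payload(cert: Dict[str, str]) -> bytes:
    return f"{cert['platform_identity']}|{cert['security_attribute']}".encode()


def _response_payload(nonce: str, cert: Dict[str, str], software_digest: str) -> bytes:
    """What the terminal signs in step C: challenge, attribute certificate, requested software measurement."""
    return b"|".join([nonce.encode(), _cert_payload(cert), cert["signature"].encode(), software_digest.encode()])


def software_measurement(image: bytes) -> str:
    """Digest of the specific software; stands in for the value extended into the security chip."""
    return hashlib.sha256(image).hexdigest()


def make_attribute_cert(platform_identity: str, level: str, policy_key: bytes) -> Dict[str, str]:
    """Security attribute certificate as the proof service issues it (identity + level, signed)."""
    cert = {"platform_identity": platform_identity, "security_attribute": level}
    cert["signature"] = _sign(policy_key, _cert_payload(cert))
    return cert


class AccessTerminal:
    def __init__(self, platform_identity: str, identity_key: bytes, attribute_cert: Dict[str, str], software_image: bytes):
        self.platform_identity, self.identity_key = platform_identity, identity_key
        self.attribute_cert, self.software_image = attribute_cert, software_image

    def respond(self, nonce: str) -> Dict[str, object]:
        digest = software_measurement(self.software_image)
        return {"platform_identity": self.platform_identity, "nonce": nonce,
                "attribute_cert": self.attribute_cert, "software_digest": digest,
                "signature": _sign(self.identity_key, _response_payload(nonce, self.attribute_cert, digest))}


class NetworkService:
    def __init__(self, policy_key: bytes, identity_keys: Dict[str, bytes], required_level: str, expected_digest: str):
        self.policy_key, self.identity_keys = policy_key, identity_keys   # registry: identity -> verification key
        self.required_level, self.expected_digest = required_level, expected_digest
        self.outstanding: Set[str] = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)              # step B: fresh, unpredictable challenge
        self.outstanding.add(nonce)
        return nonce

    def verify(self, resp: Dict[str, object]) -> Tuple[bool, str]:
        nonce = str(resp["nonce"])
        if nonce not in self.outstanding:
            return False, "challenge unknown or already used (replay)"
        self.outstanding.discard(nonce)            # each challenge is accepted at most once
        identity = str(resp["platform_identity"])
        key = self.identity_keys.get(identity)
        if key is None:
            return False, "unknown platform identity"
        cert, digest = resp["attribute_cert"], str(resp["software_digest"])
        if not hmac.compare_digest(_sign(key, _response_payload(nonce, cert, digest)), str(resp["signature"])):
            return False, "platform identity signature invalid"
        if not hmac.compare_digest(_sign(self.policy_key, _cert_payload(cert)), cert["signature"]):
            return False, "security attribute certificate not issued by policy proof service"
        if cert["platform_identity"] != identity:
            return False, "certificate bound to a different platform identity"
        if LEVELS.index(cert["security_attribute"]) < LEVELS.index(self.required_level):
            return False, "security attribute below required level"
        if digest != self.expected_digest:
            return False, "specific software configuration mismatch"
        return True, "access granted"


def run_demo() -> Tuple[bool, str]:
    """Constructed end-to-end exchange: one challenge, one signed response, one verdict."""
    policy_key, aik = b"policy-proof-service-key", b"terminal-42-identity-key"   # constructed keys
    software = b"constructed-client-agent-image-v3"
    terminal = AccessTerminal("terminal-42", aik, make_attribute_cert("terminal-42", "P4", policy_key), software)
    service = NetworkService(policy_key, {"terminal-42": aik}, "P3", software_measurement(software))
    return service.verify(terminal.respond(service.challenge()))


if __name__ == "__main__":
    print(run_demo())
```

The checks are ordered so that the cheapest rejection happens first and every later check rests on the earlier ones: the nonce proves freshness, the identity signature proves the response came from the chip holding that identity and was not altered in transit, the certificate signature proves the level was assigned by the proof service, the identity binding stops a certificate being presented by a different platform, and only then are level and software configuration compared against the service's policy. A response presented twice fails at the first check, which is why the service must remember outstanding challenges rather than accept any well-formed signature.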
5. The trusted network access method protecting terminal configuration privacy as claimed in claim 1, characterized in that the method by which the terminal obtains a platform identity is as follows:
The access terminal negotiates a platform identity with the platform identity management service through the platform identity application protocol supported by the TPM/TCM chip.
6. The trusted network access method protecting terminal configuration privacy as claimed in claim 1, characterized in that the secure channel is established as one or more of:
the 802.1X framework provided by the network equipment, a virtual private network (VPN) IPsec communication channel, and a TLS transport layer security communication channel.
7. The trusted network access method protecting terminal configuration privacy as claimed in claim 1, characterized in that the trusted startup of the access terminal is as follows:
After the terminal powers up, the platform, starting from the static core root of trust for measurement (CRTM), successively loads, measures and runs the trusted boot program BootLoader, the operating system kernel and the system security software, and extends the measurement results into the security chip.
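The measure-then-extend chain of claim 7, together with the integrity data list of claim 1 step D that a verifier later checks, as an added Python example that is not part of the patent. The register starts at zero, each component is hashed before it is run and the hash is folded into the register with the extend operation new = H(old || measurement), so the final value depends on every component and on their order. The component images, the golden reference values and the SHA-256 register width are constructed assumptions.

```python
import hashlib
from typing import Dict, List, Tuple

PCR_INITIAL = bytes(32)   # security-chip register at power-up (assumption: a SHA-256 bank, all zeros)


def measure(image: bytes) -> bytes:
    """Measurement of a component: SHA-256 of its image, taken before the component runs."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """The extend operation: new = H(old || measurement). The register can only be extended, never set."""
    return hashlib.sha256(pcr + measurement).digest()


def trusted_boot(chain: List[Tuple[str, bytes]]) -> Tuple[str, List[Tuple[str, str]]]:
    """Claim 7: from the CRTM onward, load, measure and run each component in order, extending its
    measurement into the chip before control passes to it. Returns the register and the event log
    (the integrity data list that step D signs with the platform identity key)."""
    pcr = PCR_INITIAL
    event_log: List[Tuple[str, str]] = []
    for name, image in chain:
        m = measure(image)
        pcr = extend(pcr, m)
        event_log.append((name, m.hex()))
    return pcr.hex(), event_log


def replay(event_log: List[Tuple[str, str]]) -> str:
    """Recompute the register from the log alone; used by the verifier to detect an edited log."""
    pcr = PCR_INITIAL
    for _, m_hex in event_log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    return pcr.hex()


def verify_integrity_list(pcr_hex: str, event_log: List[Tuple[str, str]], golden: Dict[str, str]) -> Tuple[bool, str]:
    """Verifier side: the log must reproduce the quoted register (otherwise it was altered after boot),
    every component must be present, and each entry must equal the golden measurement for that name."""
    if replay(event_log) != pcr_hex:
        return False, "event log does not reproduce quoted register value"
    if len(event_log) != len(golden):
        return False, "component missing from boot chain"
    for name, m_hex in event_log:
        if golden.get(name) != m_hex:
            return False, f"{name} measurement does not match reference"
    return True, "integrity verified"


# Constructed images standing in for real binaries, in the order of claim 7.
GENUINE_CHAIN: List[Tuple[str, bytes]] = [
    ("BootLoader", b"bootloader-1.0"),
    ("kernel", b"os-kernel-5.10"),
    ("security_software", b"endpoint-security-2.1"),
]
GOLDEN: Dict[str, str] = {name: measure(image).hex() for name, image in GENUINE_CHAIN}


if __name__ == "__main__":
    pcr, log = trusted_boot(GENUINE_CHAIN)
    print(pcr, verify_integrity_list(pcr, log, GOLDEN))
```

Two properties carry the security argument. A modified kernel changes the register, and because the register lives in the chip and is signed there, a terminal cannot present a clean log for a dirty boot: the log would no longer replay to the quoted value. And because extend is order-sensitive, the same three components booted in a different order yield a different register, so the verifier also learns that the chain ran in the sequence the policy expects.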
8. The trusted network access method protecting terminal configuration privacy as claimed in claim 1, characterized in that one or more security chips, TCM or TPM, are bound to the terminal.
9. A trusted network access system that protects terminal configuration privacy, characterized in that it is composed of an access terminal, a policy enforcement point, a policy decision point and a network service,
The access terminal corresponds to a terminal platform accessing the network and comprises a network access engine, a terminal network access service and integrity collection components;
The network access engine is responsible for the underlying network service in different network environments;
The terminal network access service is responsible for the registration and management of the platform identity, the forwarding of platform integrity messages, and the management of the integrity collection components;
An integrity collection component is responsible for collecting the integrity data of one aspect of the terminal; a terminal may have several integrity collection components;
The policy enforcement point is responsible for enforcing the specific access policy and includes multiple network access devices;
The policy decision point is composed of a platform identity management service and a platform security policy proof service; the platform identity management service is responsible for issuing, authenticating and revoking platform identities, and the platform security policy proof service is responsible for platform security policy authentication and for issuing security attribute certificates;
The network service may provide any specific network service offered by a network service provider on the Internet.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310082307.6A CN103152350B (en) 2013-03-14 2013-03-14 The trustable network cut-in method and system of a kind of protection terminal configuration privacy

Publications (2)

Publication Number Publication Date
CN103152350A CN103152350A (en) 2013-06-12
CN103152350B true CN103152350B (en) 2017-08-04

Family

ID=48550212

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310082307.6A Expired - Fee Related CN103152350B (en) 2013-03-14 2013-03-14 The trustable network cut-in method and system of a kind of protection terminal configuration privacy

Country Status (1)

Country Link
CN (1) CN103152350B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104270383B (en) * 2014-10-17 2018-10-26 国家电网公司 A kind of across subnetwork access control method of electric power mobile terminal
CN109426736A (en) * 2017-08-22 2019-03-05 鸿富锦精密工业(武汉)有限公司 Credible main board system
CN112104653B (en) * 2020-09-15 2023-03-14 全球能源互联网研究院有限公司 Trusted computing management method and device for charging system and storage medium
CN112422516B (en) * 2020-10-27 2022-08-16 中国南方电网有限责任公司 Trusted connection method and device based on power edge calculation and computer equipment
CN112333288B (en) * 2021-01-04 2021-04-27 三盟科技股份有限公司 Intelligent classroom data safety protection method, system and readable storage medium
CN113660249A (en) * 2021-08-11 2021-11-16 国网河北省电力有限公司营销服务中心 Trusted access system and method for power Internet of things environment

Citations (2)

Publication number Priority date Publication date Assignee Title
CN101344903A (en) * 2008-09-02 2009-01-14 中国科学院软件研究所 Multi-case dynamic remote certification method based on TPM
CN102035838A (en) * 2010-12-07 2011-04-27 中国科学院软件研究所 Trust service connecting method and trust service system based on platform identity

Non-Patent Citations (1)

Title
A trusted network access scheme based on property attestation; Zhao Shijun et al.; Journal of Wuhan University (Natural Science Edition); 2012-12-31; Vol. 58 (No. 6); Sections 2.1-2.4 *

Also Published As

Publication number Publication date
CN103152350A (en) 2013-06-12


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170804

Termination date: 20190314