CN105939353B - Safety management and information feedback system based on GDOI protocol - Google Patents

Publication number: CN105939353B
Authority: CN (China)
Application number: CN201610405991.0A
Other versions: CN105939353A
Original language: Chinese (zh)
Inventors: 朱云, 李元骅, 张晓囡
Assignee (current and original): Beijing Shudun Information Technology Co ltd
Legal status: Active

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/065: Network architectures or network communication protocols for network security, for supporting key management in a packet data network, for group communications
    • H04L 41/0631: Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L 63/06: Network architectures or network communication protocols for network security, for supporting key management in a packet data network
    • H04L 63/062: Network architectures or network communication protocols for network security, for supporting key management in a packet data network, for key distribution, e.g. centrally by trusted party
    • H04L 63/08: Network architectures or network communication protocols for network security, for authentication of entities
    • H04L 63/20: Network architectures or network communication protocols for network security, for managing network security; network security policies in general


Abstract

The invention provides a large-scale network security management system based on the GDOI protocol. It collects, classifies and manages asset information; manages and controls the encryption equipment and key management equipment associated with the assets; manages the configuration information of the key management equipment and the encryption equipment; configures group policies for them; and checks their state information. The system can maintain the assets and their encryption equipment, monitor and check them at any time, and take remedial measures immediately when a problem occurs. It provides a group encryption deployment model consisting of a key management server and Group Members (GM) and a whole-network negotiation mechanism (Group SA), uses the Group SA to encrypt and decrypt traffic between nodes, and thereby provides secure communication between any IP nodes.

Description

Safety management and information feedback system based on GDOI protocol
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a system for security management and information feedback based on a GDOI protocol.
Background
The global internet has become indispensable in people's work and life, but the threat to network information security is worsening year by year. The well-known PRISM incident of 2013 showed that the existing network architecture, built around switches and routers, is very easy to monitor. A great deal of information leaks through switches and routers, which sounded an alarm for all network users.
Large enterprises or government departments whose networks are interconnected on a global scale usually adopt the network topology shown in fig. 1. The whole network is divided into three layers. The group ring network platform consists of several data centers; multiple 10G networks form a ring among the data centers, and the platform provides application service access, data aggregation and similar services for the whole group. The regional center platform consists of several regional centers; each regional center aggregates the data of the regional companies in its region and provides data channels to the group ring network. The regional company platform consists of the local area networks or metropolitan area networks of the regional companies and carries the network access of the regional companies' basic applications. To make mutual addressing and data exchange between objects in the network convenient, the standard TCP/IP protocol transmits in plaintext on the channel, so a large amount of data is transmitted without any security protection; because of the routing mechanism of the network, no national borders exist in the virtual space of the network, and data transmitted between different regions and countries can be arbitrarily intercepted, reassembled and restored to the original information, causing data leakage. More dangerous still, most of the switches and routers used in China are foreign brands, and even these are designed around foreign core chips, so data on the domestic transmission network can be monitored by foreign organizations. Therefore, to ensure the secure transmission of information in the network, a large number of independently developed network switching devices, data encryption devices, key management devices, security management devices and the like must be used in the system interconnection.
The system comprises a security management device (security management center), an encryption device and a key management device. The security management device controls the encryption device and the key management device centrally, manages their configuration information, configures their group policies, checks their state information, discovers problematic assets, encryption devices or key management devices in time, and alarms and corrects them. Distributed computing, voice, video and other services in the internet need to operate among branches at any time and any place, and the traditional Hub-Spoke and point-to-point IPSec tunnel solutions cannot meet these requirements. The GDOI (Group Domain of interworking) protocol provides a group encryption deployment model consisting of a key management server and Group Members (GM) together with a whole-network negotiation mechanism (Group SA); the Group SA is used to encrypt and decrypt traffic among nodes, which makes secure IP communication between any nodes possible. Therefore, the development of a large-scale network security management center under the GDOI protocol has important theoretical and practical significance.
Disclosure of Invention
In order to solve the problems above, the invention provides a safety management and information feedback system based on the GDOI protocol, which comprises an encryption device for encrypting asset device information, a control device for controlling and managing the encryption device, and a security management and feedback regulation device for the encrypted asset devices;
furthermore, the system comprises a high-speed encryption module, a key management center, a key management control terminal, a security management center and an information feedback management center, wherein the high-speed encryption module is used for encrypting the key;
the high-speed encryption module is used for providing a double-channel encryption method for asset equipment information and encryption equipment;
the key management center is used for carrying out local identity authentication, encryption protection of data storage, and identity key management for the whole-network encryption equipment;
the key management control terminal is used for inputting key information and distributing the identity public key of the key management center in an off-line state;
the security management center is used for describing, defining, classifying and registering the asset equipment and setting the function configuration and the function information of the encryption equipment and the key management center which are associated with the asset equipment;
the information feedback management center is used for monitoring the real-time states of the asset equipment and the encryption equipment and carrying out safety management and feedback regulation according to the monitoring condition;
furthermore, the encryption module comprises a first processing channel, a second processing channel and a shared module, wherein the first processing channel and the second processing channel are respectively provided with an independent user information input interface, a management information input interface and an identity authentication interface, the shared module receives key information and verification information input by a user through the user information input interface, the shared module receives operation information of an administrator through the management information input interface, and the shared module receives verification information of the administrator through the identity authentication interface;
furthermore, the shared module comprises a control center unit, an editing integration unit, a flash memory unit and a configuration interface, and the first processing channel and the second processing channel respectively comprise a data processing unit, a data cache unit, a verification unit, a micro control unit and an expansion unit, wherein the data processing unit, the data cache unit, the verification unit, the micro control unit and the expansion unit are respectively connected with the first processing channel and the second processing channel;
the control center unit is used for processing the configuration operation command of the manager received through the management information input interface;
the editing and integrating unit is used for converting all operation commands in the control center unit into digital information through logic editing and digital integration;
the flash memory unit is used for caching key information and verification information;
the data processing unit includes a block symmetric cryptographic operation that encrypts data with the SM4 algorithm and a hash cryptographic operation that hashes the encrypted data with the SM3 algorithm;
the micro control unit receives the operation information of the administrator through the management information input interface and that of the user through the user information input interface, and sends the operation information to the control center unit through the data processing unit;
further, the key management center comprises an equipment management module, an algorithm processing module, a key management module, a communication processing module, a local state monitoring module and an integrated management module, wherein the equipment management module comprises a remote state inquiry and monitoring unit, a group policy processing unit and an identity key management unit; the key management module comprises a noise code processing unit, a local key data storage protection unit, a Session Encryption Key (SEK) management unit, a group policy Key Encryption Key (KEK) management unit and a group policy transmission encryption working key (TEK) management unit; the communication processing module comprises a security management communication interface unit, a GDOI protocol processing unit and a multicast communication processing unit; and the integrated management module comprises a key management center management unit and a log maintenance unit;
furthermore, the state monitoring module comprises a flow information acquisition unit, a flow statistic analysis unit, a flow information display unit and an abnormal flow alarm unit;
further, the equipment management module is used for the management, state monitoring, identity key management and group cipher policy maintenance of the whole-network encryption equipment; the algorithm processing module performs key information calculation for the encryption equipment with the SM2, SM3 and SM4 algorithms; the key management module is connected with the algorithm processing module and, using the SM2, SM3 and SM4 algorithms of the algorithm processing module, performs storage protection of local key data and maintenance and management of the whole-network session encryption keys, group policy key encryption keys and group policy transmission encryption working keys; the communication processing module implements the communication connections between the key management module and the key management control terminal, between the equipment management module and the key management control terminal, and between the key management module and the equipment management module, provides a uniform GDOI protocol interface to the outside, and distributes keys using the GDOI protocol; the local state monitoring module collects the running states of the equipment management module, the algorithm processing module, the key management module, the integrated management module and the communication processing module, checks the integrity of key data and triggers an alarm in an abnormal state; the integrated management module manages and maintains the equipment management module, the algorithm processing module, the key management module, the communication processing module and the local state monitoring module through a WEB interface and records operation information, state information and maintenance information as logs;
the remote state query and monitoring unit collects and monitors the running states of the encryption equipment;
the group policy processing unit maintains group policy information, including adding and deleting encryption equipment members of a group policy;
the identity key management unit comprises an encryption key and an authentication key: the encryption key is used for the initial installation and injection of key parameters of the encryption equipment, and the authentication key is used for local identity authentication when the encryption equipment is started;
the noise code processing unit acquires noise data from a physical noise source and performs randomness testing on it;
the local key data storage protection unit performs local identity authentication with the authentication key of the identity key management unit, obtains a storage protection key and protects locally stored sensitive information;
the Session Encryption Key (SEK) management unit performs IKE exchanges with the encryption equipment to maintain and manage the SEK keys among the whole-network encryption equipment;
the group policy Key Encryption Key (KEK) management unit updates and manages the whole-network KEK key according to the group policy state held by the equipment management module;
the group policy transmission encryption working key (TEK) management unit maintains and manages TEK key data according to the group policy state and the key update period;
the security management communication interface unit parses and processes the communication protocol between the key management module and the equipment management module, collects group policy information, and reports command parsing results and information to the equipment management module;
the GDOI protocol processing unit implements the communication connection between the key management control terminal and key management, and establishes and maintains the IKE SA, KEK SA and TEK SA according to the GDOI protocol;
the multicast communication processing unit implements the communication connection between the equipment management module and the key management control terminal and multicasts and distributes the TEK key;
the key management center management unit performs parameter configuration and operation management of the various units of the key management center through a WEB interface;
the log maintenance unit collects the operation information, state information and maintenance information of the various units of the key management center and forms log records for retrieval and query;
further, the key management control terminal is a key management console comprising an identity card information input module and a public key distribution module;
further, the security management center comprises an asset management module and a configuration management module, wherein the asset management module comprises an asset information acquisition unit, an asset information management unit, a responsible person information management unit and an asset topology management unit, and the configuration management module comprises a group information management unit, a group member information management unit, a group policy management unit and an encryption equipment state monitoring unit;
the system comprises an asset information acquisition unit, a data processing unit and a data processing unit, wherein the asset information acquisition unit is used for completing acquisition and entry of asset data and establishment of an asset model in cooperation with a manager, and the acquisition and entry of the asset data comprises automatic acquisition and manual entry;
the asset information management unit is used for assisting an administrator to complete asset information display and realizing asset query, asset information modification and asset deletion according to different attributes;
the system comprises a responsible person information management unit, a management unit and a management unit, wherein the responsible person information management unit is used for establishing, maintaining and managing responsible person information of the asset, and the responsible person is a manager who needs to be responsible for the asset;
the asset topology management unit is used for acquiring and establishing an asset network topology map and regularly maintaining asset network topology map information, and performing real-time display and asset topology interactive management on the asset topology map;
the group information management unit is used for assisting an administrator to acquire parameters of key management equipment of assets in the group encryption network;
the group member information management unit is used for assisting an administrator to acquire the information of the encryption equipment of the asset from the perspective of a group member;
the group policy management unit is used for issuing group policy instructions to the key management center in the key management system; the key management center executes the group policy and at the same time issues the group policy instruction to the specified group members, so that the cryptographic system completes the task of updating its organizational structure or cryptographic parameters according to the network administrator's instruction, the group members being encryption equipment;
the encryption equipment state monitoring unit is used for monitoring the running states of the key management center and the group members;
further, the information feedback management center comprises a state monitoring module, a statistical analysis module and a system management module, wherein the state monitoring module comprises a flow information acquisition unit, a flow statistical analysis unit, a flow information display unit and an abnormal flow alarm unit, and the statistical analysis module comprises a performance alarm management unit, a fault alarm management unit, a comprehensive correlation analysis unit and a safety risk alarm unit;
the state monitoring module helps the network administrator to keep track of the various communication flows in the backbone network and their scale in real time through flow analysis, and finds and locates abnormal flows in time;
the statistical analysis module is connected with the state monitoring module and carries out safety statistical analysis according to the data information returned by the state monitoring module;
the system management module is used for managing administrators and administrator roles and for storing logs of system login operations;
furthermore, the flow information acquisition unit obtains flow information from network equipment through standard interfaces to the mainstream flow collection methods in the industry and applies a degree of formatting for further statistical analysis;
the flow statistical analysis unit performs deep analysis and detection on the collected classified data with the DFI statistical analysis method;
the flow information display unit presents the results of the flow statistical analysis unit to the network administrator in a suitable display form, including charts of various periods and types, to assist daily flow monitoring work;
the abnormal flow alarm unit reports suspicious abnormal flows found during flow statistical analysis to the network administrator so that the administrator can learn of them and take treatment measures in time;
the performance alarm management unit collects abnormal events related to the performance of network equipment in the network equipment unit and provides them to the safety risk alarm unit for alarming;
the fault alarm management unit collects network equipment fault events in the network equipment unit and provides them to the safety risk alarm unit for alarming;
the comprehensive correlation analysis unit obtains suspicious risk events through SYSLOG and SNMP, an aggregation engine merges and processes the suspicious risk events, a correlation analysis engine comprehensively analyzes them, and the analysis result is finally reported to the safety risk alarm unit;
the safety risk alarm unit mainly alarms in time on the safety risk prompts and analysis reports generated by the performance alarm management unit, the fault alarm management unit and the comprehensive correlation analysis unit, and informs the related network managers and responsible persons so that the risks can be investigated in time;
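The aggregation engine, correlation analysis engine and safety risk alarm path described above, as an added example that is not part of the patent: it parses constructed RFC 3164 style syslog lines, collapses repeated events into one record with a count, fires two per-device correlation rules inside a 60 second window, escalates any key management center fault, and routes each finding to the responsible person from a constructed asset table. The host names, categories, rules and registry are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed RFC 3164 style syslog lines from a key management center (kmc), two
# encryption devices (enc) and a core router; none of them come from the patent.
SAMPLE_SYSLOG = """\
<163>Jun 12 10:00:01 kmc-01 gdoi: rekey of group ring-1 failed: KEK SA not established
<164>Jun 12 10:00:05 enc-12 dpu: channel 1 load 19.6 Gbps exceeds 95% of capacity
<164>Jun 12 10:00:07 enc-12 dpu: channel 1 load 19.9 Gbps exceeds 95% of capacity
<163>Jun 12 10:00:09 enc-12 ssx: signature verification failed for peer 10.0.0.5
<164>Jun 12 10:00:11 rtr-core-3 snmptrap: linkDown GigabitEthernet0/1
<163>Jun 12 10:00:40 rtr-core-3 netstream: abnormal flow 10.0.0.5 -> 10.9.9.9 at 3.2 Gbps
<166>Jun 12 10:05:00 enc-07 dpu: channel 2 load 4.1 Gbps
"""

# Constructed asset registry: what the responsible person information management unit holds.
RESPONSIBLE = {"kmc-01": "key-admin", "enc-12": "ops-east", "rtr-core-3": "netops", "enc-07": "ops-west"}

SYSLOG_RE = re.compile(r"<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+?): (.*)")
# Message keywords that map a line to the alarm category the feedback center tracks.
CATEGORIES = (("abnormal flow", "abnormal_flow"), ("exceeds", "performance"),
              ("failed", "fault"), ("linkDown", "fault"))


def parse(line):
    """Split one syslog line; returns None for unparsable or purely informational lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri, ts, host, proc, msg = m.groups()
    category = next((c for k, c in CATEGORIES if k in msg), None)
    if category is None:
        return None
    return {"severity": int(pri) & 7, "ts": datetime.strptime(ts, "%b %d %H:%M:%S"),
            "host": host, "proc": proc, "msg": msg, "category": category}


def aggregate(events):
    """Aggregation engine: repeats of one event (numbers masked) collapse into one record with a count."""
    merged = {}
    for e in events:
        key = (e["host"], e["category"], re.sub(r"\d+(\.\d+)?", "#", e["msg"]))
        if key in merged:
            merged[key]["count"] += 1
            merged[key]["last"] = e["ts"]
        else:
            merged[key] = dict(e, count=1, first=e["ts"], last=e["ts"])
    return list(merged.values())


# Correlation rules: categories that must co-occur on one device, the level, and the finding.
RULES = (
    ({"performance", "fault"}, "high",
     "overload coincides with a fault on the same device; the fault is the likely cause"),
    ({"fault", "abnormal_flow"}, "high",
     "abnormal flow follows a fault on the same device; check for misrouting or tampering"),
)


def correlate(events, window_s=60):
    """Correlation analysis engine: a rule fires when all its categories occur within the window."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    risks = []
    for host, evs in by_host.items():
        cats = {e["category"] for e in evs}
        notify = RESPONSIBLE.get(host, "unassigned")
        for needed, level, finding in RULES:
            if not needed <= cats:
                continue
            sel = [e for e in evs if e["category"] in needed]
            span = (max(e["last"] for e in sel) - min(e["first"] for e in sel)).total_seconds()
            if span <= window_s:
                risks.append({"host": host, "level": level, "finding": finding,
                              "evidence": [e["msg"] for e in sel], "notify": notify})
        if host.startswith("kmc") and "fault" in cats:  # a key management center fault hits every group member
            risks.append({"host": host, "level": "critical", "notify": notify,
                          "finding": "key management center fault; group rekey at risk",
                          "evidence": [e["msg"] for e in evs if e["category"] == "fault"]})
    return risks


def run(text=SAMPLE_SYSLOG):
    """Whole pipeline: parse -> aggregate -> correlate; returns (aggregated events, risk reports)."""
    events = [e for e in (parse(line) for line in text.splitlines()) if e]
    agg = aggregate(events)
    return agg, correlate(agg)
```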
The invention has the following beneficial effects:
1) through an innovative encryption module structure, the high-speed encryption module supports encryption and decryption of 40Gbps service data, has a clear functional division and excellent service processing performance, and can provide extended customized functions for the user;
2) through a group encryption deployment model consisting of a key management server and Group Members (GM), a whole-network negotiation mechanism (Group SA) uses the Group SA to encrypt and decrypt traffic among nodes, and secure communication is provided for any IP node;
3) the system can maintain the assets and their encryption equipment and monitor and check them at any time; it supports acquiring backbone link flows from routers and switches in real time through NETSTREAM, SPAN and SNMP, displays and monitors the flow condition of the whole network in real time, and can take remedial measures immediately when a problem occurs.
Drawings
FIG. 1 is a diagram of the hardware architecture of the encryption module of the present invention;
FIG. 2 is a flow chart of the encryption module firmware of the present invention;
FIG. 3 is a flow chart of the cryptographic module administrator authentication of the present invention;
FIG. 4 is a flow chart of the operator identity verification for the encryption module of the present invention;
FIG. 5 is a flow chart of the encryption module KP1 and device identity key generation and storage according to the present invention;
FIG. 6 is a flowchart of the general ARM firmware software of the encryption module of the present invention;
FIG. 7 is a diagram of a key management center and a key management control terminal hardware according to the present invention;
FIG. 8 is a schematic topology diagram of a large-scale worldwide interconnect network according to the background art of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. On the contrary, the invention is intended to cover alternatives, modifications, equivalents and alternatives which may be included within the spirit and scope of the invention as defined by the appended claims. Furthermore, in the following detailed description of the present invention, certain specific details are set forth in order to provide a better understanding of the present invention. It will be apparent to one skilled in the art that the present invention may be practiced without these specific details.
The invention is further described with reference to the following figures and specific examples, which are not intended to be limiting. The following are preferred examples of the present invention:
As shown in the figures, the invention provides a management system for a safety management and information feedback system based on the GDOI protocol, which comprises an asset management module, a configuration management module, a state monitoring module, a statistical analysis module and a system management module.
The encryption module comprises a first processing channel, a second processing channel and a shared module, the first processing channel and the second processing channel respectively and independently process encryption services, the shared module is simultaneously connected with the first processing channel and the second processing channel, and the shared module is used for inputting and controlling information of the first processing channel and the second processing channel.
The first processing channel and the second processing channel are respectively provided with an independent user information input interface, a management information input interface, an identity authentication interface, a data processing unit, a data cache unit, a verification unit, a micro control unit and an expansion unit.
The shared module comprises a control center unit, an editing integrated unit, a flash memory unit and a configuration interface, wherein the control center unit, the editing integrated unit, the flash memory unit and the configuration interface are sequentially connected, and the control center unit, the editing integrated unit and the flash memory unit are all connected with the first processing channel and the second processing channel.
The control center unit is used for processing the configuration operation commands of management personnel received through the management information input interface; the editing integration unit converts all the operation commands in the control center unit into digital information through logic editing and digital integration and sends the digital information to the data processing unit; the data processing unit can process 20Gbps service data; and the flash memory unit caches the key information and verification information received through the control center unit from the verification unit and the authentication interface.
The control center unit is connected with the user information input interface through the data processing unit, and the user information input interface sends the user's key information to the control center unit. The management information input interface, the micro control unit, the data processing unit and the control center unit are connected in sequence; the management information input interface sends the administrator's operation instructions and authentication information to the control center unit, and if authentication succeeds the micro control unit can directly input the administrator's operation instructions. The identity authentication interface is connected with the control center unit and sends the identity authentication information of the administrator and the user to the control center unit for authentication. The data cache unit is connected with the control center unit and stores part of the key information and authentication information. The expansion unit is used for connecting external equipment. The data processing unit comprises a block symmetric cipher operation and a hash cipher operation: the block cipher operation encrypts data with the SM4 algorithm, and the hash cipher operation hashes the encrypted data with the SM3 algorithm. The verification unit provides digital signatures and verification of digital signatures. The control center unit is an ARM microcontroller, the editing integration unit is a CPLD, the flash memory unit is a 128 Mb FLASH memory, the data processing unit is a DPU, the data cache unit is a 1 MB SRAM data cache, the verification unit is an SSX1408 security chip, the micro control unit is an Ethernet PHY, and the expansion unit is used for connecting user-defined encryption equipment.
The key management center is a 2U server. The server comprises an X86 architecture main board, a dedicated PCI-E cipher card, a storage component, a network card, an identity card driver, an identity card reader/writer and a power supply. The key management center is arranged on the X86 architecture main board; a USB-KEY configured on the main board is used for local identity authentication when the system starts, for encryption protection of data storage, and for identity key management of the cryptographic devices of the whole network. The key management center is connected to the key management control terminal, which is used for registering the identity cards of the cipher machines used in the whole network and for distributing the identity public key of the key management center in an off-line state.
The key management center comprises an equipment management module, an algorithm processing module, a key management module, a communication processing module, a local state monitoring module and a management module.
The equipment management module carries out the management, state monitoring and maintenance of the group cipher policy of all cryptographic devices in the whole network and manages the whole-network identity keys; it comprises a remote state inquiry and monitoring unit, a group policy processing unit and an identity key management unit.
The remote state inquiry and monitoring unit collects and monitors the running state of the cryptographic devices; if an abnormality occurs it is reported to the equipment management module in time, and the equipment management module maintains and manages the device in the abnormal state. The group policy processing unit maintains the group policy information and supports adding and deleting cryptographic device members of a group policy; the whole network supports at most 10000 group policy entries, and each group policy supports at most 1000 members. The identity key management unit comprises an encryption key and an authentication key: the encryption key is used for the initial installation and injection of the key parameters of a cryptographic device, and the authentication key implements local identity authentication when the cryptographic device starts.
The algorithm processing module uses the SM2, SM3 and SM4 algorithms to compute key information for the cryptographic devices, and supports the registration and authentication of at most 200 cryptographic devices.
The key management module comprises a noise code processing unit, a local key data storage protection unit, a Session Encryption Key (SEK) management unit, a group policy Key Encryption Key (KEK) management unit and a group policy transmission encryption working key (TEK) management unit. The noise code processing unit acquires noise data from a physical noise source and performs randomness detection on it, ensuring the randomness of the key currently being generated. The local key data storage protection unit performs local identity authentication through the authentication key of the identity key management unit, obtains a storage protection key, and protects locally stored sensitive information. The SEK management unit performs an IKE exchange with each cryptographic device, maintains and manages the SEK shared between itself and every cryptographic device in the whole network, and uses it to protect the transmission of KEK data. The KEK management unit updates and manages the whole-network KEK according to the group policy state, and uses it to protect the transmission of TEK data. The TEK management unit manages the TEK key data according to the group policy state and the key update period, and uses it to protect the transmission of the group policy data.
The algorithm processing module is connected to the key management module and, through the SM2, SM3 and SM4 algorithms, implements the storage protection of local key data and the maintenance and management of the whole-network session encryption key, group policy key encryption key and group policy transmission encryption working key.
The communication processing module comprises a security management communication interface unit, a GDOI protocol processing unit and a multicast communication processing unit. It implements the communication connections between the key management module and the key management control terminal, between the equipment management module and the key management control terminal, and between the key management module and the equipment management module; it exposes a single GDOI protocol interface to the outside, and key distribution is carried out with the GDOI protocol. The security management communication interface unit parses and processes the communication protocol between the key management module and the equipment management module, collects group policy information, parses the commands of the equipment management module and reports information. The GDOI protocol processing unit implements the communication connection between the key management control terminal and the key management module, and establishes and maintains the IKE SA, the KEK SA and the TEK SA according to the GDOI protocol. The multicast communication processing unit implements the communication connection between the equipment management module and the key management control terminal and distributes the TEK key by multicast.
The local state monitoring module collects the running state of each unit, checks the integrity of the key data and triggers an alarm in an abnormal state.
The management module comprises a key management center management unit and a log maintenance unit. The key management center management unit performs parameter configuration and operation management of the key management center through a WEB-based management and maintenance function, and the log maintenance unit collects the operation, state and maintenance information produced while the key management center runs, forms log records, and makes them easy to retrieve and query.
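The SEK/KEK/TEK hierarchy and the multicast TEK rekey described in the key management and communication processing paragraphs above, as an added example that is not part of the patent: a small Python model of a key server that wraps the group KEK for each member under that member's SEK (unicast), multicasts the TEK wrapped under the KEK, renews the TEK when the update period elapses, and rotates the KEK when a member is deleted from the group policy. HMAC-SHA256 stands in for the SM3/SM4 primitives, and the class names, the join/leave flow and the enforcement of the 10000-group and 1000-member limits are assumptions about how such a server behaves.

```python
"""SEK -> KEK -> TEK hierarchy of the key management center, simplified model.
HMAC-SHA256 stands in for SM3/SM4 (assumption); added illustration only."""
import hashlib
import hmac
import os

MAX_GROUPS, MAX_MEMBERS = 10000, 1000   # limits given in the description


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC wrap of a key <= 32 bytes (SM4 stand-in): nonce || ct || tag."""
    assert len(plaintext) <= 32
    nonce = os.urandom(16)
    stream = hmac.new(key, b"wrap" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a stale or wrong KEK is rejected, never decrypted."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("rekey message rejected: wrong key or tampered data")
    stream = hmac.new(key, b"wrap" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class Group:
    """Group policy state: KEK, current TEK and its issue time, members' SEKs."""
    def __init__(self):
        self.kek, self.tek, self.tek_issued, self.members = os.urandom(32), os.urandom(32), 0.0, {}


class KeyServer:
    """KEK and TEK management units of the key management center (KMC)."""
    def __init__(self, tek_lifetime: float = 3600.0):
        self.groups, self.tek_lifetime = {}, tek_lifetime   # update period, seconds

    def create_group(self, gid: str) -> None:
        if len(self.groups) >= MAX_GROUPS:
            raise ValueError("group policy limit reached")
        self.groups[gid] = Group()

    def add_member(self, gid: str, mid: str, sek: bytes) -> bytes:
        """Register a member; return the group KEK wrapped under its SEK (unicast)."""
        g = self.groups[gid]
        if len(g.members) >= MAX_MEMBERS:
            raise ValueError("group member limit reached")
        g.members[mid] = sek
        return wrap(sek, g.kek)

    def rekey_tek(self, gid: str, now: float, force: bool = False):
        """Multicast rekey: fresh TEK under the KEK once the update period elapsed."""
        g = self.groups[gid]
        if not force and now - g.tek_issued < self.tek_lifetime:
            return None
        g.tek, g.tek_issued = os.urandom(32), now
        return wrap(g.kek, g.tek)

    def remove_member(self, gid: str, mid: str, now: float):
        """Delete a member, rotate the KEK for the rest and force a TEK rekey."""
        g = self.groups[gid]
        del g.members[mid]
        g.kek = os.urandom(32)
        return {m: wrap(sek, g.kek) for m, sek in g.members.items()}, self.rekey_tek(gid, now, True)


class Member:
    """A cryptographic device holding its SEK, the group KEK and the current TEK."""
    def __init__(self, sek: bytes):
        self.sek, self.kek, self.tek = sek, None, None

    def receive_kek(self, blob: bytes) -> None:
        self.kek = unwrap(self.sek, blob)

    def receive_tek(self, blob: bytes) -> None:
        self.tek = unwrap(self.kek, blob)


def demo() -> dict:
    """Join, periodic rekey and leave for two devices; returns what was observed."""
    ks = KeyServer(tek_lifetime=600)
    ks.create_group("backbone")
    a, b = Member(os.urandom(32)), Member(os.urandom(32))   # SEKs as if from IKE
    a.receive_kek(ks.add_member("backbone", "dev-A", a.sek))
    b.receive_kek(ks.add_member("backbone", "dev-B", b.sek))
    first = ks.rekey_tek("backbone", now=0.0, force=True)
    for m in (a, b):
        m.receive_tek(first)
    same_first = a.tek == b.tek
    early = ks.rekey_tek("backbone", now=100.0)      # inside the period: nothing sent
    periodic = ks.rekey_tek("backbone", now=700.0)   # period elapsed: new TEK
    for m in (a, b):
        m.receive_tek(periodic)
    unicast, after_leave = ks.remove_member("backbone", "dev-B", now=700.0)
    a.receive_kek(unicast["dev-A"])
    a.receive_tek(after_leave)
    try:
        b.receive_tek(after_leave)                   # dev-B only holds the old KEK
        b_rejected = False
    except ValueError:
        b_rejected = True
    current = ks.groups["backbone"].tek
    return {"same_first_tek": same_first, "early_rekey_suppressed": early is None,
            "a_has_current_tek": a.tek == current, "b_rejected": b_rejected,
            "b_has_current_tek": b.tek == current}
```

The point to take from `demo()` is that removing a member must rotate the KEK, otherwise the next multicast TEK rekey is still readable by the device that was deleted.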
The key management control terminal comprises an identity card information input module and a public key distribution module, and is a key management console.
The security management center comprises an asset management module, a configuration management module and a system management module.
The asset management module is mainly used for describing and defining information assets and for classifying and registering them according to the basic situation of the organization; asset management is one of the cores of the system and the basis on which all other security operation and maintenance work is carried out. The asset management module comprises an asset information acquisition unit, an asset information management unit, a responsible person information management unit and an asset topology management unit. The asset information acquisition unit works with the administrator to acquire and enter the asset data and to build the asset model, in either an automatic acquisition mode or a manual entry mode. The asset information management unit assists the administrator with displaying asset information and implements asset query, asset information modification and asset deletion according to different attributes. The responsible person information management unit establishes, maintains and manages the information of the person responsible for an asset; the responsible person is mainly the manager who is accountable for that asset. The asset topology management unit acquires and builds the asset topology map, maintains it periodically, displays it in real time and supports interactive management of it.
The configuration management module sets the function configuration and function information of the assets. It assists the network manager with key information monitoring, the management of key network equipment, the maintenance of key cipher parameters (encryption algorithms and parameters), and the formulation, issuing and revocation of the group cipher policy of the backbone encrypted communication network. The configuration management module comprises a group information management unit, a group member information management unit, a group policy management unit and a cryptographic device state monitoring unit. The group information management unit assists the administrator in obtaining the details of all or some of the encryption group parameters in the group encryption network. The group member information management unit mainly assists the administrator in obtaining and understanding the corresponding key information from the perspective of the group members. The group policy management unit assists the network administrator in issuing a group policy instruction to the group key server (KMC) through the interface provided by the security management center; the KMC executes the group policy and at the same time issues the instruction to the designated group members, so that the cryptographic system updates its organizational structure or cipher parameters as instructed by the network administrator. The cryptographic device state monitoring unit monitors the running states of the key management center (KMC) and of the group members. The key management center KMC is the key management device; the group members are encryption devices, namely the high-speed encryption modules, which can be embedded directly into existing core switches and routers and carry all cipher-related security services and functions. Each encryption module is divided into two independent channels, left and right, and each channel can process 20 Gbps of service data. Each channel provides an independent service interface, management interface and authentication interface, while both channels share one configuration interface. The encryption module is completely independently researched and developed.
The internal hardware of the 40G encryption module is divided into three parts: the channel 0 data processing part, the channel 1 data processing part, and the part shared by the two channels. The data processing part of channel 0/1 consists of a data processing unit, an Ethernet PHY, a data cache SRAM, a security chip and an expansion module; the shared part consists of a CPLD, an ARM microcontroller and a FLASH memory. The key management device is the key management center, which consists of 4 core modules: the equipment management module, the algorithm processing and key management module, the communication processing module, and the local state monitoring and management module. The identity authentication and network access control management of the cipher machines, the management of the various keys in the whole network and the on-line dynamic key distribution function are implemented through a securely customized Linux system kernel, dedicated drivers, and the cipher service and management modules.
The information feedback management center comprises a state monitoring module, a statistical analysis module and a system management module. The state monitoring module helps the network administrator to keep track, in real time, of the various communication flows in the backbone network and their scale through an accurate and efficient flow analysis function, and to find and locate abnormal flows in time. It comprises a flow information acquisition unit, a flow statistical analysis unit, a flow information display unit and an abnormal flow alarm unit. The flow information acquisition unit interfaces with the mainstream flow standards used in the industry to collect flow information data from the network equipment, and applies a certain amount of formatting to prepare it for further statistical analysis. The flow statistical analysis unit carries out deep analysis and detection on the collected, classified data using the DFI statistical analysis method. The flow information display unit presents the results of the flow statistical analysis unit to the network administrator in a suitable form, including charts of various periods and types, and assists the network administrator in daily flow monitoring. The abnormal flow alarm unit reports the suspicious abnormal flows found during statistical analysis to the network administrator in a suitable way, so that the administrator learns of them and takes treatment measures in time.
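The acquisition, statistics and alarm steps of the state monitoring module described above, as an added example that is not part of the patent: flow records are parsed from a NetFlow-like export, reduced to per-source features per time window (flow count, bytes, distinct destinations, average packet size, a small DFI-style feature set), and each window is compared with that source's earlier windows using a z-score; the last window of the constructed data holds a burst of tiny flows to many new hosts and is the one that is reported. The export format, window size, feature set and thresholds are constructed assumptions, not the patent's.

```python
"""Per-source flow statistics (a DFI-style feature set) with baseline comparison,
a simplified model of the state monitoring module.  Added illustration; the flow
export and thresholds are constructed."""
import csv
import io
import statistics
from collections import defaultdict

WINDOW = 60          # seconds per statistics window (assumption)
MIN_BASELINE = 3     # earlier windows needed before a source is judged
Z_LIMIT = 3.0        # |z-score| at or above this is reported

# Constructed NetFlow-like export, one record per flow (proto 6 = TCP, 17 = UDP).
FLOW_EXPORT = """ts,src,dst,proto,packets,bytes
0,10.0.0.5,10.1.0.1,6,40,48000
0,10.0.0.5,10.1.0.2,6,35,42000
0,10.0.0.9,10.1.0.1,17,10,1200
60,10.0.0.5,10.1.0.1,6,42,50400
60,10.0.0.5,10.1.0.3,6,38,45600
120,10.0.0.5,10.1.0.2,6,41,49200
120,10.0.0.5,10.1.0.1,6,36,43200
120,10.0.0.9,10.1.0.2,17,12,1400
180,10.0.0.5,10.1.0.1,6,39,46800
180,10.0.0.5,10.1.0.2,6,37,44400
"""
# Constructed burst in the last window: 12 one-packet flows to 12 new hosts.
FLOW_EXPORT += "".join(f"240,10.0.0.5,10.1.0.{10 + i},6,1,60\n" for i in range(12))


def collect(export: str) -> list:
    """Acquisition step: parse the export into typed records."""
    return [{"ts": int(r["ts"]), "src": r["src"], "dst": r["dst"],
             "packets": int(r["packets"]), "bytes": int(r["bytes"])}
            for r in csv.DictReader(io.StringIO(export))]


def features(records: list) -> dict:
    """Statistics step: flow-level features per (window, source)."""
    acc = defaultdict(lambda: {"flows": 0, "bytes": 0, "packets": 0, "dsts": set()})
    for r in records:
        f = acc[(r["ts"] // WINDOW, r["src"])]
        f["flows"] += 1
        f["bytes"] += r["bytes"]
        f["packets"] += r["packets"]
        f["dsts"].add(r["dst"])
    return {k: {"flows": f["flows"], "bytes": f["bytes"], "dst_count": len(f["dsts"]),
                "avg_pkt": f["bytes"] / f["packets"]} for k, f in acc.items()}


def zscore(value: float, history: list) -> float:
    """z-score with a floor on the spread so a constant baseline still works."""
    mean = statistics.fmean(history)
    spread = statistics.stdev(history) if len(history) > 1 else 0.0
    return (value - mean) / max(spread, 0.05 * abs(mean), 1e-9)


def detect(feats: dict) -> list:
    """Alarm step: judge each window against the same source's earlier windows."""
    by_src = defaultdict(list)
    for (w, src), f in sorted(feats.items()):
        by_src[src].append((w, f))
    alarms = []
    for src, series in by_src.items():
        for i, (w, f) in enumerate(series):
            history = [h for _, h in series[:i]]
            if len(history) < MIN_BASELINE:
                continue                         # baseline not established yet
            scores = {name: zscore(f[name], [h[name] for h in history]) for name in f}
            hits = {n: round(z, 1) for n, z in scores.items() if abs(z) >= Z_LIMIT}
            if hits:
                alarms.append({"window_start": w * WINDOW, "src": src,
                               "deviations": hits, "features": f})
    return alarms


def run() -> list:
    """Whole pipeline over the constructed export."""
    return detect(features(collect(FLOW_EXPORT)))
```

Source 10.0.0.9 never reaches `MIN_BASELINE` windows and is therefore never judged, which is the deliberate behaviour: a baseline built from one or two windows would produce noise rather than alarms.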
The statistical analysis module is connected to the state monitoring module and carries out security statistical analysis on the data returned by the state monitoring module: it collects the security events related to operation risks in the network equipment, analyzes the security operation risks that may exist in the network, raises alarms, and assists the network administrator in locating and troubleshooting equipment operation risks so that the whole network runs stably. The statistical analysis module comprises a performance alarm management unit, a fault alarm management unit, a comprehensive correlation analysis unit and a security risk alarm unit. The performance alarm management unit collects abnormal events related to the performance of the network equipment in the network equipment unit and passes them to the security risk alarm unit for alarming. The fault alarm management unit collects network equipment fault events in the network equipment unit and passes them to the security risk alarm unit for alarming. The comprehensive correlation analysis unit obtains suspicious risk events via SYSLOG and SNMP, merges and processes them with an aggregation engine, analyzes them with a correlation analysis engine, and finally notifies the analysis result to the security risk alarm unit.
The security risk alarm unit is mainly used for raising timely alarms on the security risk prompts and analysis reports generated by the performance alarm management unit, the fault alarm management unit and the comprehensive correlation analysis unit, and for informing the relevant network managers and responsible persons so that the risks are checked in time. The system management module monitors the information of the managers and their roles and stores the logs of login and operations on the system.
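The collect, aggregate, correlate and alarm chain of the statistical analysis module described above, as an added example that is not the patent's code: performance and fault events are normalised from constructed SYSLOG lines and SNMP-style trap records, an aggregation step merges repeats of the same message from one device, and a correlation step applies two constructed rules (a message that keeps recurring, and a performance alarm followed by a fault on the same device) to produce the entries a security risk alarm unit would raise. The log format, trap fields, rule set and thresholds are assumptions.

```python
"""Event aggregation and correlation for the statistical analysis module,
simplified.  Added illustration; log lines, trap records and rules are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed syslog lines (priority field omitted) from two network devices.
SYSLOG_LINES = [
    "Jun 10 10:00:05 core-sw1 PERF: cpu utilization 97% exceeds threshold",
    "Jun 10 10:00:35 core-sw1 PERF: cpu utilization 98% exceeds threshold",
    "Jun 10 10:01:05 core-sw1 PERF: cpu utilization 99% exceeds threshold",
    "Jun 10 10:02:10 core-sw1 FAULT: interface Gi1/0/1 changed state to down",
    "Jun 10 10:03:00 edge-r2 FAULT: power supply 2 failed",
    "Jun 10 10:20:00 edge-r2 PERF: memory utilization 91% exceeds threshold",
]
# Constructed SNMP trap records, already decoded into fields; the second is a
# duplicate delivery of the first.
SNMP_TRAPS = [
    {"ts": "Jun 10 10:02:12", "device": "core-sw1", "kind": "FAULT", "text": "linkDown Gi1/0/1"},
    {"ts": "Jun 10 10:02:12", "device": "core-sw1", "kind": "FAULT", "text": "linkDown Gi1/0/1"},
]
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<device>\S+) (?P<kind>PERF|FAULT): (?P<text>.+)$")


@dataclass
class Event:
    ts: int          # seconds since midnight (all constructed data is on one day)
    device: str
    kind: str        # PERF (performance alarm) or FAULT (fault alarm)
    text: str
    count: int = 1   # how many raw events were merged into this one


def to_seconds(ts: str) -> int:
    h, m, s = ts.split()[2].split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)


def collect(lines, traps) -> list:
    """Normalise SYSLOG lines and SNMP trap records into Event objects."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:                                  # unparseable lines are skipped
            events.append(Event(to_seconds(m["ts"]), m["device"], m["kind"], m["text"]))
    for t in traps:
        events.append(Event(to_seconds(t["ts"]), t["device"], t["kind"], t["text"]))
    return events


def aggregate(events, window: int = 300) -> list:
    """Aggregation engine: merge repeats of the same message (digits ignored)
    from the same device within `window` seconds into one counted event."""
    heads, merged = {}, []
    for e in sorted(events, key=lambda e: e.ts):
        key = (e.device, e.kind, re.sub(r"\d+", "#", e.text))
        head = heads.get(key)
        if head is not None and e.ts - head.ts <= window:
            head.count += 1
        else:
            heads[key] = e
            merged.append(e)
    return merged


def correlate(events, window: int = 300, repeat_limit: int = 3) -> list:
    """Correlation engine: two rules that turn events into security risk alarms."""
    alarms, by_dev = [], defaultdict(list)
    for e in events:
        by_dev[e.device].append(e)
        if e.count >= repeat_limit:            # rule 1: the same event keeps recurring
            alarms.append({"device": e.device, "risk": "repeated event",
                           "evidence": f"{e.count}x {e.text}"})
    for dev, evs in by_dev.items():            # rule 2: performance alarm then a fault
        pairs = [(p, f) for p in evs if p.kind == "PERF"
                 for f in evs if f.kind == "FAULT" and 0 <= f.ts - p.ts <= window]
        if pairs:
            p, f = min(pairs, key=lambda pf: pf[1].ts - pf[0].ts)
            alarms.append({"device": dev, "risk": "performance then fault",
                           "evidence": f"{p.text} -> {f.text} after {f.ts - p.ts}s"})
    return alarms


def run() -> list:
    """Whole pipeline over the constructed inputs."""
    return correlate(aggregate(collect(SYSLOG_LINES, SNMP_TRAPS)))
```

Note that edge-r2 produces no alarm: its fault precedes the performance event by 17 minutes, outside the correlation window, so the two are left as separate events for the administrator rather than joined into a risk.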
The above-described embodiment is only one of the preferred embodiments of the present invention, and general changes and substitutions by those skilled in the art within the technical scope of the present invention are included in the protection scope of the present invention.

Claims (8)

1. A safety management and information feedback system based on the GDOI protocol, characterized in that the system comprises a high-speed encryption module, a key management center, a key management control terminal, a security management center and an information feedback management center, wherein asset device information is encrypted by an encryption device, the encryption device is controlled and managed, and the asset device encrypted by the encryption device is subjected to security management and feedback regulation, wherein:
the high-speed encryption module is used for providing a double-channel encryption method for asset equipment information and encryption equipment;
the key management center is used for local identity authentication, encryption protection of data storage and identity key management of the encryption equipment of the whole network;
the key management control terminal is used for inputting key information and for distributing the identity public key of the key management center in an off-line state;
the security management center is used for describing, defining, classifying and registering the asset equipment and setting the function configuration and the function information of the encryption equipment and the key management center which are associated with the asset equipment;
the information feedback management center is used for monitoring the real-time states of the asset equipment and the encryption equipment and carrying out safety management and feedback regulation according to the monitoring condition;
the encryption module comprises a first processing channel, a second processing channel and a shared module, wherein the first processing channel and the second processing channel are each provided with an independent user information input interface, management information input interface and identity authentication interface; the shared module receives the key information and verification information input by a user through the user information input interface, receives the operation information of a manager through the management information input interface, and receives the verification information of the manager through the identity authentication interface.
2. The system of claim 1, wherein the shared module comprises a control center unit, an editing integration unit, a flash memory unit and a configuration interface, and the first processing channel and the second processing channel each further comprise a data processing unit, a data cache unit, a verification unit, a micro control unit and an expansion unit, wherein:
the control center unit is used for processing the configuration operation command of the manager received through the management information input interface;
the editing and integrating unit is used for converting all operation commands in the control center unit into digital information through logic editing and digital integration;
the flash memory unit is used for caching key information and verification information;
the data processing unit comprises a block symmetric cipher operation that encrypts data with the SM4 algorithm and a hash cipher operation that hashes the encrypted data with the SM3 algorithm;
the micro control unit receives the operation information of a user and of a manager through the user information input interface and the management information input interface, and sends the operation information to the control center unit through the data processing unit.
3. The system of claim 2, wherein the key management center comprises an equipment management module, an algorithm processing module, a key management module, a communication processing module, a local state monitoring module and an integrated management module; the equipment management module comprises a remote state inquiry and monitoring unit, a group policy processing unit and an identity key management unit; the key management module comprises a noise code processing unit, a local key data storage protection unit, a Session Encryption Key (SEK) management unit, a group policy Key Encryption Key (KEK) management unit and a group policy transmission encryption working key (TEK) management unit; the communication processing module comprises a security management communication interface unit, a GDOI protocol processing unit and a multicast communication processing unit; and the integrated management module comprises a key management center management unit and a log maintenance unit.
4. The system of claim 3, wherein the equipment management module is used for the management, state monitoring, identity key management and group cipher policy maintenance of the whole-network encryption equipment; the algorithm processing module computes key information for the encryption equipment through the SM2, SM3 and SM4 algorithms; the key management module is connected to the algorithm processing module and, through the SM2, SM3 and SM4 algorithms of the algorithm processing module, protects the storage of local key data and maintains and manages the whole-network session encryption key, group policy key encryption key and group policy transmission encryption working key; the communication processing module implements the communication connections between the key management module and the key management control terminal, between the equipment management module and the key management control terminal, and between the key management module and the equipment management module, provides a unified GDOI protocol interface to the outside, and distributes keys using the GDOI protocol; the local state monitoring module collects the running states of the equipment management module, the algorithm processing module, the key management module, the integrated management module and the communication processing module, checks the integrity of key data and triggers an alarm in an abnormal state; the integrated management module manages and maintains the equipment management module, the algorithm processing module, the key management module, the communication processing module and the local state monitoring module in a WEB mode and forms logs of the operation information, state information and maintenance information records; the remote state inquiry and monitoring unit collects and monitors the running state of the encryption equipment; the group policy processing unit maintains the group policy information, including adding and deleting encryption equipment members of a group policy; the identity key management unit comprises a secret key and an authentication key, the secret key being used for the initial installation and injection of key parameters of the encryption equipment and the authentication key for local identity authentication when the encryption equipment starts; the noise code processing unit acquires noise data from a physical noise source and performs randomness detection on it; the local key data storage protection unit performs local identity authentication through the authentication key of the identity key management unit, obtains a storage protection key and protects locally stored sensitive information; the Session Encryption Key (SEK) management unit performs an IKE exchange with the encryption equipment to maintain and manage the SEK keys shared with the whole-network encryption equipment; the group policy Key Encryption Key (KEK) management unit updates and manages the whole-network KEK keys according to the group policy state held by the equipment management module; the group policy transmission encryption working key (TEK) management unit updates and manages the whole-network TEK keys according to the group policy state and the key update period; the security management communication interface unit parses and processes the communication protocols of the key management module and the equipment management module, parses the commands of the equipment management module and reports information; the GDOI protocol processing unit implements the communication connection between the key management control terminal and the key management module and establishes and maintains the IKE SA; the multicast communication processing unit implements the communication connection between the equipment management module and the key management control terminal and distributes the TEK keys by multicast; the key management center management unit carries out parameter configuration and operation management of the various units of the key management center in a WEB mode; and the log maintenance unit collects the operation information, state information and maintenance information of the various units of the key management center and forms log records for retrieval and query.
5. The system of claim 4, wherein the key management control terminal comprises an identity card information input module and a public key distribution module, and the key management control terminal is a key management console.
6. The system of claim 5, wherein the security management center comprises an asset management module and a configuration management module, the asset management module comprises an asset information acquisition unit, an asset information management unit, a responsible person information management unit and an asset topology management unit, and the configuration management module comprises a group information management unit, a group member information management unit, a group policy management unit and an encryption device state monitoring unit, wherein:
the asset information acquisition unit is used for completing the acquisition and entry of asset data and the establishment of an asset model in cooperation with a manager, and the acquisition and entry of the asset data comprises automatic acquisition and manual entry;
the asset information management unit is used for assisting an administrator to complete asset information display and realizing asset query, asset information modification and asset deletion according to different attributes;
the system comprises a responsible person information management unit, a management unit and a management unit, wherein the responsible person information management unit is used for establishing, maintaining and managing responsible person information of the asset, and the responsible person is a manager who needs to be responsible for the asset;
the asset topology management unit is used for acquiring and establishing an asset network topology map and regularly maintaining asset network topology map information, and performing real-time display and asset topology interactive management on the asset topology map;
the group information management unit is used for assisting an administrator to acquire parameters of key management equipment of assets in the group encryption network;
the group member information management unit is used for assisting an administrator to acquire the information of the encryption equipment of the asset from the perspective of a group member;
the group policy management unit is used for issuing a group policy instruction to a key management center in the key management system, and the key management center executes a group policy and simultaneously issues the group policy instruction to a specified group member, so that the cryptographic system completes the task of cryptographic system organization structure or cryptographic parameter updating according to the instruction of a network administrator, wherein the group member is encryption equipment;
and the encryption equipment state monitoring unit is used for monitoring the running states of the key management center and the group members.
7. The system of claim 6, wherein the information feedback management center comprises a state monitoring module, a statistical analysis module and a system management module, wherein the state monitoring module comprises a flow information acquisition unit, a flow statistical analysis unit, a flow information display unit and an abnormal flow alarm unit, and the statistical analysis module comprises a performance alarm management unit, a fault alarm management unit, a comprehensive association analysis unit and a safety risk alarm unit, wherein:
the state monitoring module helps a network administrator to master various communication flows and scales thereof in a backbone network in real time through flow analysis, and finds abnormal flows in time and positions the abnormal flows;
the statistical analysis module is connected with the state monitoring module and carries out safety statistical analysis according to the data information returned by the state monitoring module;
and the system management module is used for monitoring the information of the administrator and the administrator role and storing the log of the operation of logging in the system.
8. The system of claim 7, wherein the traffic information collecting unit obtains traffic data from the network devices by interfacing with the mainstream flow standards in the industry and formats the data for further statistical analysis; the flow statistic analysis unit performs deep analysis and detection on the collected, classified data using a DFI statistical analysis method; the flow information display unit presents the results of the flow statistic analysis unit to the network administrator in a suitable display mode, including charts of various periods and types, to assist the network administrator's daily traffic monitoring work; the abnormal flow alarm unit reports suspicious abnormal traffic found during statistical analysis to the network administrator so that it can be recognized and handled in time; the performance alarm management unit collects abnormal events related to the performance of the network devices in the network device unit and provides them to the safety risk alarm unit for alarming; the fault alarm management unit collects network device fault events in the network device unit and provides them to the safety risk alarm unit for alarming; the comprehensive correlation analysis unit obtains suspicious risk events by SYSLOG and SNMP, the aggregation engine merges and processes the suspicious risk events, and the correlation analysis engine comprehensively analyzes the suspicious risk events and reports the analysis result to the safety risk alarm unit; and the safety risk alarm unit mainly raises timely alarms on the safety risk prompts and analysis reports generated by the performance alarm management unit, the fault alarm management unit and the comprehensive correlation analysis unit, and notifies the related network managers and responsible persons so that the risks can be investigated in time.
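As an added illustration of the alarm pipeline described in claim 8 (example code written for this page, not the patented system's implementation): constructed SYSLOG lines and SNMP traps are classified into fault and performance events, merged by an aggregation step, and correlated per device into safety risk alarm levels. The device names, message formats and keyword rules are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input; the message formats are assumptions, not the patent's.
SYSLOG_LINES = [
    "Jun 10 10:00:01 sw-core-1 LINK-3-UPDOWN: Interface Gi1/0/1 changed state to down",
    "Jun 10 10:00:03 sw-core-1 LINK-3-UPDOWN: Interface Gi1/0/1 changed state to down",
    "Jun 10 10:00:09 sw-core-1 SYS-1-CPURISING: Threshold: Total CPU 95%",
    "Jun 10 10:01:00 sw-edge-7 SYS-6-LOGIN: User admin logged in from console",
]
SNMP_TRAPS = [("sw-edge-7", "linkDown"), ("sw-core-1", "linkDown")]  # (device, trap)

SYSLOG_RE = re.compile(r"^\S+ \d+ [\d:]+ (?P<device>\S+) (?P<msg>.*)$")
# Fault alarm management unit vs. performance alarm management unit, by keyword.
RULES = {"fault": ("Interface", "linkDown"), "performance": ("CPU",)}

def classify(text):
    """Return 'fault', 'performance' or None for one SYSLOG message or SNMP trap."""
    for kind, needles in RULES.items():
        if any(n in text for n in needles):
            return kind
    return None

def collect(syslog_lines, snmp_traps):
    """Comprehensive correlation analysis unit input: events from SYSLOG and SNMP."""
    events = []
    for line in syslog_lines:
        m = SYSLOG_RE.match(line)
        kind = classify(m["msg"]) if m else None
        if kind:  # unclassified lines (e.g. a normal login) are not risk events
            events.append({"device": m["device"], "kind": kind, "source": "syslog"})
    for device, trap in snmp_traps:
        kind = classify(trap)
        if kind:
            events.append({"device": device, "kind": kind, "source": "snmp"})
    return events

def aggregate(events):
    """Aggregation engine: merge repeats of the same (device, kind) into one count."""
    merged = defaultdict(int)
    for e in events:
        merged[(e["device"], e["kind"])] += 1
    return dict(merged)

def correlate(merged):
    """Correlation engine: fault plus performance on one device is 'high', else 'alarm'."""
    kinds = defaultdict(set)
    for device, kind in merged:
        kinds[device].add(kind)
    return {d: "high" if k == {"fault", "performance"} else "alarm" for d, k in kinds.items()}
```

The result of `correlate(aggregate(collect(SYSLOG_LINES, SNMP_TRAPS)))` is what the safety risk alarm unit would report per device.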

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610405991.0A CN105939353B (en) 2016-06-10 2016-06-10 Safety management and information feedback system based on GDOI protocol

Publications (2)

Publication Number Publication Date
CN105939353A CN105939353A (en) 2016-09-14
CN105939353B true CN105939353B (en) 2022-03-25

Family

ID=57152663

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610405991.0A Active CN105939353B (en) 2016-06-10 2016-06-10 Safety management and information feedback system based on GDOI protocol

Country Status (1)

Country Link
CN (1) CN105939353B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111818517B (en) * 2020-06-16 2022-02-11 郑州信大捷安信息技术股份有限公司 Multi-channel secure communication module, communication system and method
CN113958377B (en) * 2020-07-03 2023-04-07 东方电气股份有限公司 Real-time online monitoring system and method for network security of steam turbine
CN114640880B (en) * 2020-11-30 2023-06-30 腾讯科技(深圳)有限公司 Account login control method, device and medium
CN114244900B (en) * 2021-12-14 2023-10-20 乾讯信息技术(无锡)有限公司 VPN cipher machine remote safety management method based on unstable channel connection

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101150404A (en) * 2006-09-21 2008-03-26 国际商业机器公司 System and method for managing and generating device cipher key used for cipher communication
CN101212489A (en) * 2006-12-27 2008-07-02 财团法人工业技术研究院 Asset management monitoring method and switching device for asset management monitoring
CN101420686A (en) * 2008-11-28 2009-04-29 重庆邮电大学 Industrial wireless network security communication implementation method based on cipher key
CN103310278A (en) * 2013-06-17 2013-09-18 广东华大集成技术有限责任公司 Ticket application system based on cryptographic algorithm, ticket purchasing method and ticket management method
CN104038481A (en) * 2014-05-22 2014-09-10 国家电网公司 Communication method of power asset management master station system and RFID (radio frequency identification device) terminal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Qiu Bin; Meng Dexin; Wang Zhida. Implementation scheme of an asset management data terminal based on the Android mobile phone platform. Software Guide (软件导刊), 2015, pp. 92-94. *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 100000 901, Floor 9, Building 7, Yard 8, Auto Museum East Road, Fengtai District, Beijing

Patentee after: BEIJING SHUDUN INFORMATION TECHNOLOGY CO.,LTD.

Address before: Room 101-502, 5 / F, building 10, courtyard 3, fengxiu Middle Road, Haidian District, Beijing 100083

Patentee before: BEIJING SHUDUN INFORMATION TECHNOLOGY CO.,LTD.