CN107846279A - Security protection component interconnection structuring system and implementation method - Google Patents
- Publication number
- CN107846279A (application CN201711072942.0A)
- Authority
- CN
- China
- Prior art keywords
- trusted
- module
- security protection component
- request
- measurement
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0863—Generation of secret information involving passwords or one-time passwords
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a security protection component interconnection structuring system and implementation method. The scheme is implemented by a key distribution module, a trusted measurement module and a trusted transport module. The key distribution module serves as the trusted authentication base: it supports host certificate requests and issuance, and receives and handles trusted identity verification requests. The trusted measurement module receives trusted measurement requests from security protection components and forwards the measurement request to the key distribution module; on a successful measurement result it forwards the connection request to the trusted transport module, and on a failed measurement result it terminates the communication. The trusted transport module receives trusted transport requests from security protection components, negotiates the key and performs the key exchange. The invention uses trusted computing technology to ensure that the communicating components are trustworthy, and uses channel integrity protection to make the connection between components trustworthy.
Description
Technical field
The present invention relates to network security technology, and in particular to technology for structuring the interconnection of security protection components.
Background technology
In the conventional communication model for inter-process communication, the connection initiator sends a connection request, the recipient processes and accepts the request, and once the connection procedure succeeds a channel is established and communication begins.

Take the TCP three-way handshake as an example. Establishing a TCP connection requires the client and server to exchange three packets in total to confirm the connection. In socket programming this process is triggered by the client calling connect(). As shown in Fig. 1, the whole flow is as follows:

(1) First handshake: the Client sets the SYN flag to 1, picks a random initial sequence number seq=J, sends the packet to the Server and enters the SYN_SENT state, waiting for the Server's confirmation.

(2) Second handshake: on receiving the packet the Server learns from SYN=1 that the Client wants to establish a connection. It sets both SYN and ACK to 1, sets ack=J+1, picks its own random seq=K, sends the packet to the Client to confirm the connection request, and enters the SYN_RCVD state.

(3) Third handshake: on receiving the confirmation the Client checks that ack equals J+1 and that ACK is 1. If so, it sets ACK to 1 and ack=K+1 and sends the packet to the Server. The Server checks that ack equals K+1 and that ACK is 1; if so, the connection is established, both Client and Server enter the ESTABLISHED state, the three-way handshake is complete, and data can be transmitted between Client and Server.

The conventional communication model has two security problems: 1. the identities of the communicating principals, Client and Server, can be spoofed; 2. the communication is easily intercepted and eavesdropped on, and the transmitted information can even be tampered with maliciously.
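The handshake described above, modelled in Python as an added example that is not part of the patent (the Segment and Endpoint types and the function names are assumed for illustration). Both sides' messages pass through the three steps with the ack arithmetic checked exactly as described, and the last function shows the first of the two problems stated: the handshake carries no proof of identity, so a third party that has seen the SYN and SYN+ACK can complete it in the Client's place.

```python
from dataclasses import dataclass
import secrets

MOD32 = 2**32  # sequence and acknowledgement numbers are 32-bit


@dataclass
class Segment:
    """The header fields of a TCP segment that the handshake depends on (constructed model)."""
    syn: bool
    ack_flag: bool
    seq: int
    ack: int = 0


@dataclass
class Endpoint:
    name: str
    state: str = "CLOSED"
    isn: int = 0       # own initial sequence number: J for the Client, K for the Server
    peer_isn: int = 0  # peer's initial sequence number, learned from its SYN


def client_syn(client: Endpoint) -> Segment:
    """Handshake 1: SYN with a random seq=J; the Client enters SYN_SENT."""
    client.isn = secrets.randbelow(MOD32)
    client.state = "SYN_SENT"
    return Segment(syn=True, ack_flag=False, seq=client.isn)


def server_synack(server: Endpoint, syn: Segment) -> Segment:
    """Handshake 2: SYN+ACK with ack=J+1 and a random seq=K; the Server enters SYN_RCVD."""
    if not syn.syn or syn.ack_flag:
        raise ValueError("expected a SYN")
    server.peer_isn = syn.seq
    server.isn = secrets.randbelow(MOD32)
    server.state = "SYN_RCVD"
    return Segment(syn=True, ack_flag=True, seq=server.isn, ack=(syn.seq + 1) % MOD32)


def client_ack(client: Endpoint, synack: Segment) -> Segment:
    """Handshake 3 (Client side): check ACK=1 and ack==J+1, then answer with ack=K+1."""
    if client.state != "SYN_SENT" or not (synack.syn and synack.ack_flag):
        raise ValueError("expected a SYN+ACK while in SYN_SENT")
    if synack.ack != (client.isn + 1) % MOD32:
        raise ValueError("ack does not acknowledge our SYN")
    client.peer_isn = synack.seq
    client.state = "ESTABLISHED"
    return Segment(syn=False, ack_flag=True, seq=(client.isn + 1) % MOD32, ack=(synack.seq + 1) % MOD32)


def server_establish(server: Endpoint, ack: Segment) -> None:
    """Handshake 3 (Server side): check ACK=1 and ack==K+1, then enter ESTABLISHED."""
    if server.state != "SYN_RCVD" or ack.syn or not ack.ack_flag:
        raise ValueError("expected a bare ACK while in SYN_RCVD")
    if ack.ack != (server.isn + 1) % MOD32:
        raise ValueError("ack does not acknowledge our SYN")
    server.state = "ESTABLISHED"


def three_way_handshake() -> tuple:
    """The full exchange between an honest Client and Server."""
    client, server = Endpoint("Client"), Endpoint("Server")
    synack = server_synack(server, client_syn(client))
    server_establish(server, client_ack(client, synack))
    return client, server


def server_rejects_bad_ack() -> bool:
    """Only the acknowledgement arithmetic is checked: an ACK whose ack is not K+1 is refused."""
    client, server = Endpoint("Client"), Endpoint("Server")
    synack = server_synack(server, client_syn(client))
    bad = Segment(syn=False, ack_flag=True, seq=(client.isn + 1) % MOD32, ack=(synack.seq + 2) % MOD32)
    try:
        server_establish(server, bad)
    except ValueError:
        return server.state == "SYN_RCVD"
    return False


def third_party_completes_handshake() -> bool:
    """The first weakness named in the text: the handshake carries no proof of identity. Anyone
    who observed the SYN and the SYN+ACK (and so knows J and K) can finish it in the Client's place."""
    client, server = Endpoint("Client"), Endpoint("Server")
    syn = client_syn(client)
    synack = server_synack(server, syn)              # both segments observed on the wire
    forged = Segment(syn=False, ack_flag=True, seq=(syn.seq + 1) % MOD32, ack=(synack.seq + 1) % MOD32)
    server_establish(server, forged)                 # the Server cannot tell this from the Client's ACK
    return server.state == "ESTABLISHED" and client.state == "SYN_SENT"
```

The model checks what the text says the endpoints check and nothing more; that is the point. The sequence numbers defend against stale segments, not against a peer that is not who it claims to be, which is the gap the modules described below are meant to close.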
Summary of the invention
Given the security problems of existing communication modes, a new secure communication scheme is needed.
The object of the present invention is therefore to provide a security protection component interconnection structuring system and implementation method that structures the communication connections between security protection components.
To achieve the above object, the security protection component interconnection structuring system provided by the invention includes:
a key distribution module, which serves as the trusted authentication base, supports host certificate requests and issuance, and receives and handles trusted identity verification requests;
a trusted measurement module, which receives trusted measurement requests from security protection components, forwards the measurement request to the key distribution module, forwards the connection request to the trusted transport module on receiving a successful measurement result, and terminates the communication on receiving a failed measurement result;
a trusted transport module, which receives trusted transport requests from security protection components, negotiates the key and performs the key exchange.
Further, the system also includes an information interception module, which intercepts the connection request and redirects it to the trusted measurement module.
Further, the information interception module is a hook module.
To achieve the above object, the security protection component interconnection structuring implementation method provided by the invention performs a trusted measurement of the identities of both communicating parties before the connection between security protection components is established, and establishes a trusted channel between the security protection components after the trusted measurement passes.
Further, the implementation method includes:
intercepting the communication connection request between the security protection components acting as the two communicating parties;
the trusted measurement modules of both parties measuring the trustworthiness of the peer communication host;
the trusted transport modules of both parties negotiating and receiving the connection key after the trusted measurement passes;
establishing an encrypted communication channel between the two parties.
Further, the implementation method also includes the step of the security protection components acting as the communicating parties registering with the key distribution module, and the key distribution module issuing an identity certificate to each security protection component.
Further, the trusted measurement module measuring the trustworthiness of the peer communication host includes:
after the trusted measurement module obtains the identity measurement request, it actively sends a request to the key distribution module;
the key distribution module obtains the certificate information of the security protection components of both communicating parties and performs the identity measurement, and after the measurement passes it returns the verification result to the trusted measurement module.
The present invention uses trusted computing technology to ensure that the communicating components are trustworthy, and uses channel integrity protection to make the connections between components trustworthy.
The invention supports trust verification of security protection components and trusted connection communication. It builds a trust verification platform as the trust foundation of the trusted technology, and builds the key distribution module, the trusted measurement support module and the trusted transport support module to support component registration, trusted measurement and trusted connection communication.
Furthermore, the scheme fully embodies the generality of the security mechanism: by transforming the communication process and routing it through the modules of this scheme, it makes the identities of the communicating principals trustworthy and protects the integrity of the communication process.
Brief description of the drawings
The present invention is further illustrated below with reference to the drawings and specific embodiments.
Fig. 1 is a schematic flow diagram of the TCP three-way handshake;
Fig. 2 is the system architecture diagram of the security protection component interconnection structuring system in the embodiment;
Fig. 3 is the communication flow diagram of security protection component interconnection structuring in the embodiment.
Detailed description of the embodiments
To make the technical means, inventive features, objects and advantages of the present invention easy to understand, the invention is further explained below with reference to specific illustrations.
According to the description of security protection component interconnection structuring in GB/T 25070 (technical requirements for the security design of information system classified protection), the technical focus is: 1. the two parties mutually verify each other's trustworthiness through a trust verification mechanism; 2. a trusted connection between security protection components is guaranteed.
Resource devices communicate in many ways: over TCP connections, UDP, HTTP, FTP and so on. Whatever the communication mode, the communicating principal is a program, process or service. This embodiment treats the communicating program or process as the security protection component and structures the connections between security protection components.
Accordingly, to structure the interconnection of security protection components, this embodiment uses trusted computing technology to verify the trustworthiness of both communicating parties and builds the corresponding security protection component interconnection structuring system.
Referring to Fig. 2, the security protection component interconnection structuring system 100 of this embodiment is formed mainly by three core modules working together: a key distribution module 110, a trusted measurement module 120 and a trusted transport module 130.
Key distribution module 110: as the trusted authentication base, this module supports host certificate requests and issuance, and receives and handles trusted identity verification requests.
Trusted measurement module 120: it runs on the corresponding host and receives trusted measurement requests from the security protection components on that host. It forwards the measurement request to the key distribution module, forwards the connection request to the trusted transport module 130 on receiving a successful measurement result, and terminates the communication on receiving a failed measurement result.
Trusted transport module 130: it runs on the corresponding host and works together with the trusted measurement module 120. It receives trusted transport requests from security protection components, negotiates the key and performs the key exchange.
On this basis, the system further introduces an information interception module 140. The information interception module 140 runs on the host and works together with the trusted measurement module 120 and the trusted transport module 130; it intercepts the relevant connection request and redirects it to the trusted measurement module 120 on the host, so that the identity of the communicating security protection component is measured for trustworthiness before the connection is established.
Specifically, if the host where the information interception module 140 resides is the connection initiator, the information interception module 140 directly intercepts the connection request initiated by the security protection component; if that host is the connection recipient, the information interception module 140 directly intercepts the connection request received by the security protection component.
The information interception module 140 can be implemented by a corresponding hook module.
The basic process by which the security protection component interconnection structuring system 100 built in this way structures the interconnection of security protection components is as follows:
(1) The information interception module on the requesting host intercepts the communication connection request initiated by the security protection component and passes it to the trusted measurement module.
(2) The information interception module on the receiving host intercepts the communication connection request received by the security protection component and passes it to the trusted measurement module.
(3) After receiving the connection request, the trusted measurement modules of both parties send a measurement request to the key distribution module, which completes the trusted measurement of the identities of both communicating parties. On receiving a successful measurement result the trusted measurement module forwards the connection request to the trusted transport module; on receiving a failed measurement result it terminates the communication.
(4) After the trusted measurement passes, the trusted transport modules of both parties negotiate and receive the connection key.
(5) Based on the connection key negotiated by the two trusted transport modules, an encrypted communication channel is established between the two parties.
Thus, based on the security protection component interconnection structuring system, the identities of both communicating parties can be measured for trustworthiness before the connection between security protection components is established, and a trusted channel is established between the security protection components after the trusted measurement passes.
The scheme is illustrated below with a concrete application example.
Taking Windows as an example, hooks are a key part of the Windows message handling mechanism. By installing various hooks, an application can set up a corresponding subroutine to monitor message traffic in the system and pre-process those messages before they reach the target window procedure. There are many kinds of hooks, each of which can intercept and handle the corresponding messages: a keyboard hook intercepts keyboard messages, a mouse hook intercepts mouse messages, a shell hook intercepts messages about starting and closing applications, and a JournalRecord hook can monitor and record input events.
This example uses hooks and similar mechanisms to build the information interception module that transforms the communication connection process, and combines it with the key distribution module, the trusted measurement module and the trusted transport module so that, before the connection is established, the identities of the communicating security protection components are measured for trustworthiness and the communication is integrity-protected, realizing the final security protection component interconnection structuring (as shown in Fig. 2).
Accordingly, before operation, the security protection components acting as the communicating parties must first register with the key distribution module, and the key distribution module issues a corresponding identity certificate to each registered security protection component.
Referring to Figs. 2 and 3, the flow by which this example carries out structured communication between security protection components is as follows:
When communication security protection component 1 on host A initiates a connection request, the connection request is captured by the hook on host A, and the security protection component on host A asks the trusted measurement module to issue an identity measurement request for the communicating security protection component. After the trusted measurement module obtains the identity measurement request, it actively sends a request to the key distribution module. When communication security protection component 2 on host B receives the connection request, the received connection request is captured by the hook on host B, and the security protection component on host B asks the trusted measurement module to issue an identity measurement request; after the trusted measurement module obtains the identity measurement request, it actively sends a request to the key distribution module.
The key distribution module obtains the certificate information of the security protection components of both communicating parties and performs the identity measurement. If the measurement passes, it returns the verification result to the trusted measurement module of the respective host and the trusted measurement process ends. If the measurement fails, the identity of the communicating security protection component is untrusted, the connection is forbidden, and the connection process ends.
After the measurement process ends, the second process, communication encryption, begins: the requesting trusted transport module and the target trusted transport module perform key agreement, and once the key has been agreed a trusted connection channel is finally established between communication security protection component 1 and communication security protection component 2, realizing communication integrity protection.
Through the above process, the two parties mutually verify each other's trustworthiness through the trust verification mechanism, and at the same time a trusted connection between the security protection components is ensured.
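The five-step basic process and the host A/host B flow above, worked through as an added Python model. This is illustrative code written for this page, not the patent's implementation or any product's, and it fills in choices the patent leaves open: the key distribution module signs certificates with an HMAC key of its own and measures both certificates on request; the trusted transport modules derive the connection key by Diffie-Hellman over the RFC 7919 ffdhe2048 group, using the static public values bound into the certificates at registration; the channel is integrity-protected with sequence-numbered HMAC tags; and the hook is modelled as the one function every connection request must pass through. All class, function and identifier names are invented for the example.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal, getcontext

# Finite-field DH group for the key agreement: RFC 7919 ffdhe2048, rebuilt here from the
# defining formula in the RFC: p = 2^2048 - 2^1984 + (floor(2^1918 * e) + 560316) * 2^64 - 1.
getcontext().prec = 700
P = 2**2048 - 2**1984 + (int(Decimal(2**1918) * Decimal(1).exp()) + 560316) * 2**64 - 1
G = 2


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin, used by the key distribution module to validate the group it publishes."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class KeyDistributionModule:
    """Trusted authentication base: registers components, issues certificates, measures identities."""
    def __init__(self):
        if not (is_probable_prime(P) and is_probable_prime((P - 1) // 2)):
            raise ValueError("DH group is not a safe prime")
        self._sign_key = secrets.token_bytes(32)  # assumed: the module's certificate-signing secret
        self._registry = {}                        # component id -> certificate issued at registration
        self._revoked = set()

    def _sig(self, cid: str, host: str, pub: int) -> bytes:
        return hmac.new(self._sign_key, f"{cid}|{host}|{pub:x}".encode(), hashlib.sha256).digest()

    def register(self, cid: str, host: str, pub: int) -> dict:
        """Registration step: bind (component, host, public DH value) into an identity certificate."""
        if not 1 < pub < P - 1:
            raise ValueError("public value outside the group")
        cert = {"id": cid, "host": host, "pub": pub, "sig": self._sig(cid, host, pub)}
        self._registry[cid] = cert
        return cert

    def measure(self, cert_a: dict, cert_b: dict) -> bool:
        """Identity measurement: each certificate must be one this module issued, unmodified and unrevoked."""
        for c in (cert_a, cert_b):
            if c is None or c["id"] not in self._registry or c["id"] in self._revoked:
                return False
            if not hmac.compare_digest(c["sig"], self._sig(c["id"], c["host"], c["pub"])):
                return False
        return True


class SecurityComponent:
    """A communicating program or process, holding a static DH key pair bound to its certificate."""
    def __init__(self, cid: str, host: str):
        self.id, self.host, self.cert, self.key = cid, host, None, None
        self._priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self._priv, P)

    def trusted_transport(self, peer_cert: dict, transcript: bytes) -> bytes:
        """Trusted transport module: connection key from the static-static DH secret and the transcript."""
        shared = pow(peer_cert["pub"], self._priv, P)
        self.key = hashlib.sha256(b"connection-key|" + shared.to_bytes(256, "big") + transcript).digest()
        return self.key


def hooked_connect(kdm: KeyDistributionModule, initiator: SecurityComponent,
                   recipient: SecurityComponent) -> bool:
    """Information interception module: the hook on each host routes the intercepted connection
    request through trusted measurement; failure terminates it, success hands over to transport."""
    if not (kdm.measure(initiator.cert, recipient.cert)        # measurement requested on host A
            and kdm.measure(recipient.cert, initiator.cert)):  # measurement requested on host B
        return False
    transcript = f"{initiator.id}->{recipient.id}".encode()
    initiator.trusted_transport(recipient.cert, transcript)
    recipient.trusted_transport(initiator.cert, transcript)
    return True


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Channel integrity protection: sequence-numbered HMAC-SHA256 tag prepended to the payload."""
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest() + payload


def verify(key: bytes, seq: int, msg: bytes):
    """Returns the payload if the tag is valid for this sequence number, otherwise None."""
    tag, payload = msg[:32], msg[32:]
    expected = hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def run_scenario() -> dict:
    """Constructed scenario: two registered components connect; an impostor presenting a forged
    certificate for a registered identity is refused; tampered and replayed messages are rejected."""
    kdm = KeyDistributionModule()
    a, b = SecurityComponent("component-1", "host-A"), SecurityComponent("component-2", "host-B")
    a.cert, b.cert = kdm.register(a.id, a.host, a.pub), kdm.register(b.id, b.host, b.pub)
    connected = hooked_connect(kdm, a, b)
    msg = protect(a.key, 1, b"policy-update")
    impostor = SecurityComponent("component-1", "host-X")   # claims component-1's identity
    impostor.cert = {"id": "component-1", "host": "host-X", "pub": impostor.pub, "sig": b"\0" * 32}
    return {
        "connected": connected,
        "keys_match": a.key == b.key,
        "accepted": verify(b.key, 1, msg),
        "tampered": verify(b.key, 1, msg[:32] + b"policy-uPdate"),
        "replayed": verify(b.key, 2, msg),
        "impostor_refused": hooked_connect(kdm, impostor, b) is False and impostor.key is None,
    }
```

Calling run_scenario() exercises the whole path: registration, interception, measurement at the key distribution module, key agreement, and a protected exchange, plus the failure branch in which measurement fails and no key is ever negotiated. Two points a practitioner would change before deploying something like this: static-static DH authenticates both ends (only the holder of a certified private key reaches the same key) but gives no forward secrecy, so the transport modules should also contribute ephemeral values signed under the certificate; and the HMAC tag protects integrity only, so the "encrypted channel" of step (5) needs an AEAD keyed from the same derivation.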
The basic principles, main features and advantages of the present invention have been shown and described above. Those skilled in the art should understand that the invention is not limited to the above embodiments; the embodiments and the description merely illustrate the principles of the invention, and various changes and improvements may be made without departing from its spirit and scope, all of which fall within the claimed scope of protection. The claimed scope of the invention is defined by the appended claims and their equivalents.
Claims (7)
1. A security protection component interconnection structuring system, characterized in that it includes:
a key distribution module, which serves as the trusted authentication base, supports host certificate requests and issuance, and receives and handles trusted identity verification requests;
a trusted measurement module, which receives trusted measurement requests from security protection components, forwards the measurement request to the key distribution module, forwards the connection request to the trusted transport module on receiving a successful measurement result, and terminates the communication on receiving a failed measurement result;
a trusted transport module, which receives trusted transport requests from security protection components, negotiates the key and performs the key exchange.
2. The security protection component interconnection structuring system according to claim 1, characterized in that the system also includes an information interception module, which intercepts the connection request and redirects it to the trusted measurement module.
3. The security protection component interconnection structuring system according to claim 2, characterized in that the information interception module is a hook module.
4. A security protection component interconnection structuring implementation method, characterized in that, before the connection between security protection components is established, the identities of both communicating parties are measured for trustworthiness, and a trusted channel is established between the security protection components after the trusted measurement passes.
5. The security protection component interconnection structuring implementation method according to claim 4, characterized in that the implementation method includes:
intercepting the communication connection request between the security protection components acting as the two communicating parties;
the trusted measurement modules of both parties measuring the trustworthiness of the peer communication host;
the trusted transport modules of both parties negotiating and receiving the connection key after the trusted measurement passes;
establishing an encrypted communication channel between the two parties.
6. The security protection component interconnection structuring implementation method according to claim 5, characterized in that the implementation method also includes the step of the security protection components acting as the communicating parties registering with the key distribution module, and the key distribution module issuing an identity certificate to each security protection component.
7. The security protection component interconnection structuring implementation method according to claim 6, characterized in that the trusted measurement module measuring the trustworthiness of the peer communication host includes:
after the trusted measurement module obtains the identity measurement request, actively sending a request to the key distribution module;
the key distribution module obtaining the certificate information of the security protection components of both communicating parties, performing the identity measurement, and after the measurement passes returning the verification result to the trusted measurement module.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711072942.0A CN107846279B (en) | 2017-11-04 | 2017-11-04 | Security protection component interconnection structured system and implementation method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107846279A true CN107846279A (en) | 2018-03-27 |
CN107846279B CN107846279B (en) | 2021-08-27 |
Family
ID=61681315
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711072942.0A Active CN107846279B (en) | 2017-11-04 | 2017-11-04 | Security protection component interconnection structured system and implementation method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107846279B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101951388A (en) * | 2010-10-14 | 2011-01-19 | 中国电子科技集团公司第三十研究所 | Remote attestation method in credible computing environment |
CN106411524A (en) * | 2016-08-31 | 2017-02-15 | 广州世安信息技术有限公司 | Bluetooth-based trusted computing method of mobile terminal |
Also Published As
Publication number | Publication date |
---|---|
CN107846279B (en) | 2021-08-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||