CN107846279A - Safety block interconnection architecture system and implementation method - Google Patents

Safety block interconnection architecture system and implementation method

Info

Publication number
CN107846279A
CN107846279A
Authority
CN
China
Prior art keywords
credible
module
safety block
request
metric
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201711072942.0A
Other languages
Chinese (zh)
Other versions
CN107846279B (en)
Inventor
陶源
李明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Third Research Institute of the Ministry of Public Security
Original Assignee
Third Research Institute of the Ministry of Public Security
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
2017-11-04
Publication date
2018-03-27
Application filed by Third Research Institute of the Ministry of Public Security
Priority to CN201711072942.0A
Publication of CN107846279A
Application granted
Publication of CN107846279B
Active legal status
Anticipated expiration

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution involving a central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information involving passwords or one-time passwords
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a safety block (security protection component) interconnection architecture system and implementation method. The scheme is realised by a key distribution module, a trusted measurement module and a trusted transmission module. The key distribution module serves as the trusted authentication base: it supports host certificate requests and issuance, and receives and handles trusted identity verification requests. The trusted measurement module receives trusted measurement requests from security protection components and sends the measurement request to the key distribution module; on a successful measurement result it forwards the connection request to the trusted transmission module, and on a failed measurement result it terminates the communication. The trusted transmission module receives trusted transmission requests from security protection components and performs key negotiation and key exchange. The invention uses trusted computing technology to guarantee the trustworthiness of the communicating components, and channel integrity protection to make the connection between components trusted.

Description

Safety block (security protection component) interconnection architecture system and implementation method
Technical field
The present invention relates to network security technology, and in particular to the interconnection architecture of security protection components.
Background technology
In the traditional communication mode, for inter-process communication the connection initiator sends a connection request, the recipient processes the received request, and once the connection procedure succeeds a channel is established and communication takes place.
Take the TCP three-way handshake as an example. The so-called three-way handshake means that, to establish one TCP connection, the client and the server must send three packets in total to confirm that the connection has been set up. In socket programming the process is triggered by the client calling connect(); as shown in Fig. 1, the whole flow is as follows:
(1) First handshake: the client sets the SYN flag to 1, generates a random value seq=J, sends the packet to the server, and enters the SYN_SENT state, waiting for the server's confirmation.
(2) Second handshake: on receiving the packet, the server learns from SYN=1 that the client is requesting a connection. It sets both SYN and ACK to 1, sets ack=J+1, generates a random value seq=K, sends the packet to the client to confirm the connection request, and enters the SYN_RCVD state.
(3) Third handshake: on receiving the confirmation, the client checks that ack is J+1 and ACK is 1. If so, it sets ACK to 1 and ack=K+1 and sends the packet to the server. The server checks that ack is K+1 and ACK is 1; if so, the connection is successfully established, client and server both enter the ESTABLISHED state, the three-way handshake is complete, and data can start to flow between them.
Two security problems exist in this conventional mode: 1. the identities of the communicating parties, client and server, may be impersonated; 2. the communication process is easy to intercept and eavesdrop on, and the communicated information may even be maliciously tampered with.
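The three steps above as a small state machine, added here as an example and not part of the patent text. Only the SYN/ACK flags and the seq/ack arithmetic are modelled (no network I/O); the segment layout as a dict and the class names are this example's own. It makes the background section's first point concrete: the checks that establish the connection are ack == J+1 and ack == K+1, and nothing in them identifies either party.

```python
import secrets

MOD = 2 ** 32  # sequence numbers wrap at 32 bits


def isn() -> int:
    """Initial sequence number: the random J and K of the description."""
    return secrets.randbelow(MOD)


class Client:
    def __init__(self):
        self.state, self.seq = "CLOSED", None

    def syn(self) -> dict:
        # First handshake: SYN=1, seq=J, enter SYN_SENT.
        self.seq, self.state = isn(), "SYN_SENT"
        return {"SYN": 1, "ACK": 0, "seq": self.seq}

    def ack(self, seg: dict):
        # Third handshake: accept only SYN=1, ACK=1, ack=J+1; reply ack=K+1.
        if self.state != "SYN_SENT":
            return None
        if not (seg["SYN"] == 1 and seg["ACK"] == 1 and seg["ack"] == (self.seq + 1) % MOD):
            self.state = "CLOSED"
            return None
        self.state = "ESTABLISHED"
        return {"SYN": 0, "ACK": 1, "seq": (self.seq + 1) % MOD, "ack": (seg["seq"] + 1) % MOD}


class Server:
    def __init__(self):
        self.state, self.seq = "LISTEN", None

    def syn_ack(self, seg: dict):
        # Second handshake: on SYN=1 reply SYN=1, ACK=1, ack=J+1, seq=K, enter SYN_RCVD.
        if self.state != "LISTEN" or seg["SYN"] != 1:
            return None
        self.seq, self.state = isn(), "SYN_RCVD"
        return {"SYN": 1, "ACK": 1, "seq": self.seq, "ack": (seg["seq"] + 1) % MOD}

    def ack(self, seg: dict) -> bool:
        # Server side of the third handshake: ACK=1 and ack=K+1 establish the connection.
        if self.state != "SYN_RCVD":
            return False
        ok = seg["ACK"] == 1 and seg["ack"] == (self.seq + 1) % MOD
        self.state = "ESTABLISHED" if ok else "LISTEN"
        return ok


def handshake(client: Client, server: Server) -> bool:
    """Drive the three steps; True when both ends reach ESTABLISHED.
    Nothing here identifies either party: any host that can observe J and K
    (or sit in the path) can complete or take over this exchange."""
    s1 = client.syn()
    s2 = server.syn_ack(s1)
    s3 = client.ack(s2) if s2 else None
    return s3 is not None and server.ack(s3)
```

Feeding the client a SYN/ACK whose ack is not J+1 drops it back to CLOSED, which is the only protection the handshake offers; that is the gap the rest of the patent fills with identity measurement before the connection.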
Summary of the invention
Given the security problems of the existing communication mode, a new secure communication mode is needed.
The object of the invention is therefore to provide a security protection component interconnection architecture system and implementation method that structure the communication connections between security protection components.
To achieve this object, the security protection component interconnection architecture system provided by the invention comprises:
a key distribution module which, as the trusted authentication base, supports host certificate requests and issuance and receives and handles trusted identity verification requests;
a trusted measurement module, which receives trusted measurement requests from security protection components, sends the measurement request to the key distribution module, forwards the connection request to the trusted transmission module on a successful measurement result, and terminates the communication on a failed measurement result;
a trusted transmission module, which receives trusted transmission requests from security protection components and performs key negotiation and key exchange.
Further, the system also includes an information interception module, which intercepts the connection request and redirects it to the trusted measurement module.
Further, the information interception module is a hook module.
To achieve the same object, the implementation method provided by the invention performs trusted identity measurement of both communicating parties before the connection between security protection components is set up, and establishes a trusted channel between the security protection components after the trusted measurement passes.
Further, the implementation method includes:
intercepting the communication connection request between the security protection components acting as the two communicating parties;
the trusted measurement module of each party measuring the trustworthiness of the peer communicating host;
after the trusted measurement passes, the trusted transmission modules of the two parties negotiating and receiving the connection key;
establishing an encrypted communication channel between the two parties.
Further, the implementation method also includes the step of the security protection components acting as the communicating parties registering with the key distribution module, and the key distribution module issuing identity certificates to them.
Further, the trusted measurement module measuring the trustworthiness of the peer communicating host includes:
after the trusted measurement module obtains the identity measurement request, it actively initiates a request to the key distribution module;
the key distribution module obtains the certificate information of the security protection components of both communicating parties and performs identity measurement; after the measurement passes, it returns the verification result to the trusted measurement module.
The invention uses trusted computing technology to guarantee the trustworthiness of the communicating components, and channel integrity protection to make the connections between components trusted.
The invention supports trusted verification of security protection components and trusted connection and communication: it builds a trust-base verification platform as the secure trust foundation of the trusted technology, and builds the key distribution module, the trusted measurement support module and the trusted transmission support module to support component registration, trusted measurement and trusted connection functions.
Furthermore, the scheme fully embodies the generality of the security mechanism: by transforming the communication process and guiding it into the modules of this scheme, trusted identity of the communicating subjects and integrity protection of the communication process are achieved.
Brief description of the drawings
The invention is further described below with reference to the drawings and specific embodiments.
Fig. 1 is a schematic flow diagram of the TCP three-way handshake;
Fig. 2 is the system architecture diagram of the security protection component interconnection architecture system in the example of the invention;
Fig. 3 is the communication flow diagram of the security protection component interconnection architecture in the example of the invention.
Embodiments
To make the technical means, inventive features, objects and advantages of the invention easy to understand, the invention is further explained below with reference to specific illustrations.
According to the description of security protection component interconnection architecture in GB/T 25070 (Information security technology: Technical requirements of security design for information system classified protection), the technical focus is: 1. the parties mutually verify each other's trustworthiness through a trusted verification mechanism; 2. the connection between security protection components is guaranteed to be trusted.
Resource devices communicate in many ways: TCP connections, UDP, HTTP, FTP and so on. Whatever the mode, the subject of the communication is a program, process or service. This example treats the communicating program or process as the security protection component and structures the connections between such components.
Accordingly, to realise the security protection component interconnection architecture, this example uses trusted computing technology to verify the trustworthiness of both communicating parties and builds the corresponding security protection component interconnection architecture system.
Referring to Fig. 2, the security protection component interconnection architecture system 100 built in this example is formed mainly by three core modules working together: key distribution module 110, trusted measurement module 120 and trusted transmission module 130.
Key distribution module 110: as the trusted authentication base, this module supports host certificate request and issuance, and receives and handles trusted identity verification requests.
Trusted measurement module 120: runs on the corresponding host. It receives trusted measurement requests from the security protection components on that host and sends the measurement request to the key distribution module; on a successful measurement result it forwards the connection request to trusted transmission module 130, and on a failed measurement result it terminates the communication.
Trusted transmission module 130: runs on the corresponding host and cooperates with trusted measurement module 120. It receives trusted transmission requests from security protection components and performs key negotiation and key exchange.
On this basis, the system further introduces information interception module 140, which runs on the host and cooperates with trusted measurement module 120 and trusted transmission module 130. It intercepts the corresponding connection request and redirects it to trusted measurement module 120 on the host, so that the identity of the communicating security protection components is measured before the connection is set up.
Specifically, if the host on which information interception module 140 resides is the initiator of the connection request, the module directly intercepts the connection request initiated by the security protection component; if that host is the recipient of the connection request, the module directly intercepts the connection request received by the security protection component.
Information interception module 140 can be realised by a corresponding hook module.
The basic process by which the security protection component interconnection architecture system 100 built in this way realises the interconnection architecture is as follows:
(1) The information interception module of the requesting initiator intercepts the communication connection request initiated by the security protection component and passes it to the trusted measurement module.
(2) The information interception module of the request recipient intercepts the communication connection request received by the security protection component and passes it to the trusted measurement module.
(3) On receiving the connection request, the trusted measurement modules of both parties send a measurement request to the key distribution module, which completes the trusted identity measurement of both parties. On a successful measurement result the connection request is forwarded to the trusted transmission module; on a failed measurement result the communication is terminated.
(4) After the trusted measurement passes, the trusted transmission modules of both parties negotiate and receive the connection key.
(5) An encrypted communication channel is established between the parties based on the connection key negotiated by the two trusted transmission modules.
Thus, based on the security protection component interconnection architecture system, trusted identity measurement of both communicating parties is performed before the connection between security protection components is set up, and a trusted channel is established between the components after the measurement passes.
The scheme is illustrated below with a concrete application example.
Taking Windows as an example, a hook is a key point of the Windows message-handling mechanism. By installing various hooks, an application can set up subroutines that monitor the message traffic in the system and process certain messages before they reach the target window procedure. There are many kinds of hook, each able to intercept and handle the corresponding messages: a keyboard hook intercepts keyboard messages, a mouse hook intercepts mouse messages, a shell hook intercepts the messages for starting and closing applications, and a journal-record hook monitors and records input events. (A practitioner's caveat: these SetWindowsHookEx-style hooks see window messages and input events, not Winsock calls; to intercept connect() itself, the interception point has to be at the socket API or in the network stack, for example a function hook on the Winsock calls or a filtering driver.)
This example uses hooks and similar mechanisms to build the corresponding information interception module that transforms the connection procedure, and combines it with the key distribution module, trusted measurement module and trusted transmission module to achieve trusted identity measurement of the communicating security protection components and communication integrity protection before the connection is set up, realising the final security protection component interconnection architecture (as shown in Fig. 2).
Accordingly, before operation the security protection components that act as communicating parties must first register with the key distribution module, and the key distribution module issues a corresponding identity certificate to each registered component.
Referring to Figs. 2 and 3, the flow in which this example carries out structured interconnected communication between security protection components is as follows:
When security protection component 1 on host A initiates a connection request, the request is captured by the hook on host A, and the component on host A asks the trusted measurement module to issue an identity measurement request for the communicating security protection component. After the trusted measurement module obtains the identity measurement request, it actively initiates a request to the key distribution module. When security protection component 2 on host B receives the connection request, the received request is captured by the hook on host B, and the component on host B asks its trusted measurement module to issue an identity measurement request; after the trusted measurement module obtains the identity measurement request, it actively initiates a request to the key distribution module.
The key distribution module obtains the certificate information of the security protection components of both parties and performs identity measurement. If the measurement passes, it returns the verification result to the trusted measurement module of each host and the trusted measurement process ends. If the measurement does not pass, the identity of the communicating security protection component is untrusted, the connection is forbidden and the connection procedure ends.
After the measurement process ends, the second procedure, communication encryption, begins: the requesting trusted transmission module and the target trusted transmission module perform key negotiation, and once the key is agreed a trusted connection channel is finally established between security protection component 1 and security protection component 2, realising communication integrity protection.
Through the above procedure, mutual verification of each party's trustworthiness through the trusted verification mechanism is finally achieved, and at the same time the connection between security protection components is guaranteed to be trusted.
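A runnable model of the five-step basic process and of the host A / host B flow just described, added here as an example; it is not the patent's code and the patent specifies no algorithms. Everything concrete is this example's assumption: the identity certificate is an HMAC over (host, component name, SHA-256 of the component's code) under a key only the key distribution module holds, standing in for a real signature; identity measurement recomputes that binding against the code actually presented; the connection key is transported by the key distribution module wrapped under each host's registration key (the KDC key-transport variant in the page's classifications, chosen here because it needs only the standard library); and the trusted channel is an HKDF-SHA256 keystream with a per-frame counter and an HMAC tag, encrypt-then-MAC. A production build would use X.509 certificates and an authenticated key agreement such as TLS rather than this construction. `hooked_connect` is the hook plus trusted measurement module: it runs before the real connect() and refuses the connection unless the key distribution module measures both parties.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract, then expand; length <= 255 * 32."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Component:
    """A security protection component: a process on a host (assumed layout)."""
    host: str
    name: str
    code: bytes            # program image; its SHA-256 is the measurement
    cert: bytes = b""      # identity certificate issued at registration
    host_key: bytes = b""  # registration key shared between host and KDC


class KeyDistributionModule:
    """Module 110: registration, certificate issue, identity measurement, key
    transport. Certificates are HMACs under a KDC-only key (assumption)."""

    def __init__(self):
        self._sign_key = secrets.token_bytes(32)
        self._host_keys = {}

    def _body(self, c: Component) -> bytes:
        return c.host.encode() + b"|" + c.name.encode() + b"|" + hashlib.sha256(c.code).digest()

    def register(self, c: Component) -> None:
        c.cert = self._body(c) + mac(self._sign_key, self._body(c))
        c.host_key = self._host_keys.setdefault(c.host, secrets.token_bytes(32))

    def _measure(self, c: Component) -> bool:
        # The certificate must be ours and bind host, name and the code running now.
        body = self._body(c)
        return hmac.compare_digest(c.cert, body + mac(self._sign_key, body))

    def measure_and_issue(self, a: Component, b: Component):
        """{host: wrapped session key} if both parties measure trusted, else None."""
        if not (self._measure(a) and self._measure(b)):
            return None
        sk, out = secrets.token_bytes(32), {}
        for c in (a, b):  # key transport: wrap sk under each host's registration key
            nonce = secrets.token_bytes(16)
            ct = xor(sk, hkdf(c.host_key, nonce, b"wrap", 32))
            out[c.host] = nonce + ct + mac(c.host_key, nonce + ct)
        return out


class TrustedTransmissionModule:
    """Module 130 at one end: unwrap the key; frames are ctr || ct || tag."""

    def __init__(self, me: Component, peer: Component, wrapped: bytes):
        nonce, ct, tag = wrapped[:16], wrapped[16:48], wrapped[48:]
        if not hmac.compare_digest(tag, mac(me.host_key, nonce + ct)):
            raise ValueError("wrapped session key failed integrity check")
        sk = xor(ct, hkdf(me.host_key, nonce, b"wrap", 32))
        # Direction-specific keys: A->B and B->A never share keystream.
        self._tx = hkdf(sk, b"", f"{me.host}/{me.name}>{peer.host}/{peer.name}".encode(), 32)
        self._rx = hkdf(sk, b"", f"{peer.host}/{peer.name}>{me.host}/{me.name}".encode(), 32)
        self._tx_ctr = self._rx_ctr = 0

    def send(self, msg: bytes) -> bytes:
        ctr, self._tx_ctr = self._tx_ctr.to_bytes(8, "big"), self._tx_ctr + 1
        ct = xor(msg, hkdf(self._tx, ctr, b"enc", len(msg)))
        return ctr + ct + mac(self._tx, ctr + ct)

    def recv(self, frame: bytes) -> bytes:
        ctr, ct, tag = frame[:8], frame[8:-32], frame[-32:]
        if (not hmac.compare_digest(tag, mac(self._rx, ctr + ct))
                or int.from_bytes(ctr, "big") != self._rx_ctr):
            raise ValueError("channel integrity check failed (tampered or replayed)")
        self._rx_ctr += 1
        return xor(ct, hkdf(self._rx, ctr, b"enc", len(ct)))


def hooked_connect(kdc: KeyDistributionModule, initiator: Component, responder: Component):
    """Hook (140) plus trusted measurement module (120): measure before connect()."""
    wrapped = kdc.measure_and_issue(initiator, responder)
    if wrapped is None:
        raise PermissionError("identity measurement failed; connection refused")
    return (TrustedTransmissionModule(initiator, responder, wrapped[initiator.host]),
            TrustedTransmissionModule(responder, initiator, wrapped[responder.host]))
```

Usage follows the flow in the text: create two `Component` objects (constructed sample values such as `Component("hostA", "component1", b"ids-agent v1.0")`), pass each to `KeyDistributionModule.register`, then call `hooked_connect(kdc, a, b)` and exchange frames with `send`/`recv`. A component whose code changed after registration, or one presenting another component's certificate, fails `_measure` and never reaches the key step; a frame with one flipped bit or a replayed counter is rejected by `recv` before any plaintext is returned, which is the channel integrity protection the text refers to.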
The basic principles, main features and advantages of the invention have been shown and described above. Those skilled in the art should understand that the invention is not limited to the above embodiments; the embodiments and the description only illustrate the principle of the invention, and various changes and improvements are possible without departing from its spirit and scope, all of which fall within the claimed scope of the invention. The claimed scope is defined by the appended claims and their equivalents.

Claims (7)

1. A safety block (security protection component) interconnection architecture system, characterised in that it comprises:
a key distribution module which, as the trusted authentication base, supports host certificate requests and issuance and receives and handles trusted identity verification requests;
a trusted measurement module for receiving trusted measurement requests from security protection components, sending the measurement request to the key distribution module, forwarding the connection request to the trusted transmission module on receiving a successful measurement result, and terminating the communication on receiving a failed measurement result;
a trusted transmission module for receiving trusted transmission requests from security protection components and performing key negotiation and key exchange.
2. The security protection component interconnection architecture system according to claim 1, characterised in that the system further comprises an information interception module, which intercepts the connection request and redirects it to the trusted measurement module.
3. The security protection component interconnection architecture system according to claim 2, characterised in that the information interception module is a hook module.
4. A safety block (security protection component) interconnection architecture implementation method, characterised in that, before the connection between security protection components is set up, trusted identity measurement is performed on both communicating parties, and a trusted channel is established between the security protection components after the trusted measurement passes.
5. The implementation method according to claim 4, characterised in that the implementation method includes:
intercepting the communication connection request between the security protection components acting as the two communicating parties;
the trusted measurement module of each party measuring the trustworthiness of the peer communicating host;
after the trusted measurement passes, the trusted transmission modules of the two parties negotiating and receiving the connection key;
establishing an encrypted communication channel between the two parties.
6. The implementation method according to claim 5, characterised in that the implementation method further includes the step of the security protection components acting as the communicating parties registering with the key distribution module, and the key distribution module issuing identity certificates to the security protection components.
7. The implementation method according to claim 6, characterised in that the trusted measurement module measuring the trustworthiness of the peer communicating host includes:
after the trusted measurement module obtains the identity measurement request, it actively initiates a request to the key distribution module;
the key distribution module obtains the certificate information of the security protection components of both communicating parties and performs identity measurement; after the measurement passes, it returns the verification result to the trusted measurement module.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711072942.0A CN107846279B (en) 2017-11-04 2017-11-04 Security protection component interconnection structured system and implementation method

Publications (2)

Publication Number Publication Date
CN107846279A true CN107846279A (en) 2018-03-27
CN107846279B CN107846279B (en) 2021-08-27

Family

ID=61681315

Country Status (1)

Country Link
CN (1) CN107846279B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101951388A (en) * 2010-10-14 2011-01-19 中国电子科技集团公司第三十研究所 Remote attestation method in credible computing environment
CN106411524A (en) * 2016-08-31 2017-02-15 广州世安信息技术有限公司 Bluetooth-based trusted computing method of mobile terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant