CN107920065A - Dynamic migration access control technology design method based on heterogeneous network - Google Patents


Info

Publication number
CN107920065A
Authority
CN
China
Prior art keywords
network
authentication
access
security
node
Prior art date
Legal status
Withdrawn
Application number
CN201711114137.XA
Other languages
Chinese (zh)
Inventor
倪伟传
王凤
邓巧茵
刘少江
万智萍
Current Assignee
Xinhua College Of Zhongshan University
Original Assignee
Xinhua College Of Zhongshan University
Priority date
Filing date
Publication date
Events
Application filed by Xinhua College Of Zhongshan University
Priority to CN201711114137.XA
Publication of CN107920065A
Current legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/105 Multiple levels of security
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L 9/3265 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving certificates, using certificate chains, trees or paths; Hierarchical trust model
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a dynamic migration access control technology design method based on a heterogeneous network, comprising the following steps: building the system architecture of a mutual trust system and judging the mobile node; establishing a secure access model of the heterogeneous mobile network; and authenticating secure access to the heterogeneous mobile network. The proposed framework consists of a client installed on the trusted user node and a security service system, so that the security service system can obtain the real-time status of the mobile node, screen the node's credibility, learn of a failure or abnormal state of the mobile node in real time, and accordingly terminate the service provided to that node. Through modelling, various secure access methods are analysed and compared in order to find a safer and more efficient access method. At the same time, the system's trust updating algorithm is optimised and the system information is updated regularly, so as to mitigate security threats in the actual operating environment.

Description

Heterogeneous network-based dynamic migration access control technology design method
Technical Field
The invention relates to the technical field of public security service, in particular to a dynamic migration access control technology design method based on a heterogeneous network.
Background
The diversification of internet services and the spread of communication technology services have driven the rapid development of mobile devices, which in turn has created a greater demand than ever for the wireless network services closely tied to those devices. Heterogeneous mobile wireless networks have diverse access modes and network types, and different networks differ greatly in implementation technology, transmission mechanism, organisation and control mechanism; the ubiquity and heterogeneity of networks also cause users to change their network home and administrative domains frequently. An access control technology for heterogeneous mobile wireless networks therefore needs to adaptively select an identity authentication mode according to the network state of the user currently requesting access and, for an authenticated user, to switch smoothly between access modes according to the user's position and service, so as to provide reliable access service support.
Compared with identity authentication through a single access network, logging in with personal account information on a mobile device through different access networks to reach the service system is more convenient, so more and more identity authentication is performed over heterogeneous mobile wireless networks. The security-critical services of a heterogeneous mobile network need strong secure access control technology as support, ensuring that security-sensitive information such as the account of the sole legitimate user is not illegally obtained by others. Today's heterogeneous mobile wireless networks offer several forms of security service, and the related security strategies built on them include encryption, authentication, access control, key management, certificate management and the like. Among these, authentication based on personal information such as an ID/password or a digital certificate is one of the most widely used authentication means for security-sensitive network services. However, personal information leaks through the user's own negligence and through illegal technical intrusion, such as the loss or theft of a smart card or the illegal tracking and collection of access information. Even though security authentication is currently implemented at both the application layer and the network layer, the application layer's security risk remains because of the dependency between the two layers, no matter how high the network layer's security level is. Since a heterogeneous network service is an interaction between a user and a service-providing system, service security rests on mutual trust between them. The user terminal can access the service-providing system through different access networks at the same time.
When the authentication information of the sole legitimate user is illegally stolen by others, the service-providing system cannot distinguish whether the accessing party is a legitimate user. With the continuing development of wireless networks, the volume of privacy-sensitive traffic such as information storage and user access carried over heterogeneous mobile networks keeps growing, and the security of the mutual trust system used for authentication between the user terminal and the service-providing system is a problem that must be solved.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method for designing a heterogeneous network based dynamic migration access control technology, aiming at the above deficiencies in the prior art.
The technical scheme adopted by the invention for solving the technical problems is as follows:
the dynamic migration access control technology design method based on the heterogeneous network comprises the following steps:
establishing a system architecture of a mutual trust system and judging a mobile node;
establishing a security access model of the heterogeneous mobile network;
and authenticating the secure access of the heterogeneous mobile network.
Further, establishing the system architecture of the mutual trust system and judging the mobile node specifically includes: the client installed on the trusted user node and the security service system judge whether the mobile node has a fault or an abnormal state by verifying the credibility of the mobile node, and if so, the service to that node is terminated.
Further, verifying the credibility of the mobile node specifically uses a first trusted authentication security formula and a second trusted authentication security formula. The first trusted authentication security formula is: a system state v is a node state satisfying the trusted verification security formula iff, for every access with allowed(s, o, a, T) = true, the following holds:
(1) when a = r: fc_c(s) ≥ fo_c(o) ∧ fc_w(o) ≥ fo_w(s) ∧ Time(trans, s) ≤ T;
(2) when a = w: fc_c(s) ≤ fo_c(o) ∧ fc_w(o) ≤ fo_w(s) ∧ Time(trans, s) ≤ T.
The second trusted authentication security formula is: the system Σ(R, D, W, V_0) is a secure system iff every node state V_0, V_1, …, V_n of the system is a safe state.
Here s is a subject set in the system, o is an object set, and A = {r, w, a, e} is the subject's requested access mode, representing read, write, append and execute respectively; the trusted state set Ts = {trust, untrusty, wtrusty} represents a trusted entity, an untrusted entity and an integrity-trusted entity respectively, corresponding to the trusted zone, the untrusted zone and the controlled zone of the TNC structure.
Further, the establishing a security access model of the heterogeneous mobile network specifically includes:
network abstraction is carried out on the safety access problem, and a theoretical model is established;
analyzing and comparing various security access methods by a modularization method;
a secure access model is obtained.
Further, the modularization method specifically comprises the following steps:
dividing the network abstraction into a user network plane abstraction layer and a context abstraction layer, where the network plane abstraction layer represents the heterogeneous network topology and the behaviour of users in the network, and the context abstraction layer transfers context; the heterogeneous network topology and user behaviour are specifically the movement of the mobile node, and the nodes involved comprise a home server, a local server and a protocol conversion gateway; when the mobile node moves locally, authentication is performed through the home server; otherwise, authentication is handled by the home server during the context transfer.
Further, the authenticating the secure access of the heterogeneous mobile network specifically includes:
the access control layer controls access, namely which users are allowed to access, when access is allowed, and from where access is allowed;
the authentication control layer controls the interaction rules of the authentication messages: the user responds to the verification requirements of the service system according to the authentication method and parameters negotiated on the basis of the service system's key mechanism;
and the authentication implementation layer completes the authentication function on the basis of the selected access and authentication control.
Further, the access modes adopted by the access control layer include a Web authentication mode and an 802.1X authentication mode.
Further, the interaction rule adopts an EAP (extensible authentication protocol) authentication framework to implement authentication between the user and the network.
Further, the access control layer further includes encrypting the identity of the user: the user's identity is used as the public key, and the mobile node computes the symmetric key non-interactively.
Further, authenticating the secure access of the heterogeneous mobile network further includes (3) updating the trust of the parameters, where the trust updating algorithm of the parameters specifically comprises the following steps:
The security threats to the network are divided into three types: warning, error and attack. Through security-scenario testing of the system in its actual operating environment, the average number of replacements of each security-analysis information parameter is obtained as q_Δ, where Δ is a placeholder that is replaced by BSD, HSD and RSD respectively to obtain the average replacement count of each index; the replacement frequency of each security degree is f_Δ:
f_Δ = q_Δ / T;
From the above equation, the total update frequency of the system is:
f = f_BSD + f_HSD + f_RSD − f_BSD · f_HSD · f_RSD
The threat frequency is denoted R_y, y = 1, 2, 3, corresponding to the three threat levels, and an attack frequency function g(f) is obtained, whose expression is as follows:
The replacement period T of the system is then calculated to satisfy:
T = 1 / f*
where f* satisfies the requirement that
f* is the update frequency of the system in the presence of the security threats, namely warnings, errors and attacks.
The invention has the beneficial effects that:
1. the invention researches the safety problem of access control of the heterogeneous mobile wireless network, and the proposed architecture consists of a client and a safety service system which are installed on a credible user node, so that the safety service system can acquire the real-time state of the mobile node, screen the credibility of the node, and know the fault or abnormal state of the mobile node in real time, thereby terminating the service provided for the node;
2. through a modeling method, a network is abstracted into two layers, one layer is a user network plane and mainly represents heterogeneous network topology and the behaviors of users in the network, particularly the motion of a mobile node; the other is an abstracted context layer which is mainly used for ensuring the security of context transfer and analyzing and comparing various security access methods so as to find out a safer and more efficient access method;
3. after a user enters the system, the security of the system is improved by adopting the 802.1X authentication mode; during authentication the identity of the user is used as the public key, which makes key management easier and removes the need for certificates for key revocation; and the node reduces communication overhead by computing the symmetric key non-interactively;
4. meanwhile, a trust updating algorithm of the system is optimized, and the information of the system is updated regularly to reduce the security threat of the actual operation in the environment.
Drawings
Fig. 1 is a flowchart of a design method of a heterogeneous network-based dynamic migration access control technology according to the present invention;
fig. 2 is a flowchart of the security access model for establishing a heterogeneous mobile network according to the present invention;
fig. 3 is a diagram of the network abstraction layer structure proposed by the present invention;
fig. 4 is a flowchart illustrating authentication of a secure access of a heterogeneous mobile network according to the present invention;
fig. 5 is a flow chart of the identity encryption mechanism according to the present invention.
Detailed Description
The following description of the embodiments of the present invention refers to the accompanying drawings and examples:
referring to fig. 1, a flow chart of a design method of a dynamic migration access control technology based on a heterogeneous network is provided in the present invention;
as shown in fig. 1, the method for designing a heterogeneous network-based dynamic migration access control technology includes the following steps:
step 101, establishing a system architecture of a mutual trust system and judging a mobile node;
step 102, establishing a security access model of a heterogeneous mobile network;
step 103, authenticating the secure access of the heterogeneous mobile network.
The security problem of access control of the heterogeneous mobile wireless network is researched, and the proposed architecture consists of a client installed on a trusted user node and a security service system, so that the security service system can acquire the real-time state of the mobile node and know the fault or abnormal state of the mobile node in real time, and can terminate providing services for the node. Various safe access methods are analyzed and compared through a modeling method, so that a safer and more efficient access method is found out. The security of the system is improved by adopting an 802.1X authentication mode; and the identity of the user is used as a public key in the authentication process, which makes key management easier and does not require a certificate to perform key revocation. The node reduces communication overhead by using a non-interactive calculation symmetric key; and optimizing a trust updating algorithm of the system to reduce the security threat of actually operating in the environment.
In step 101, establishing the system architecture of the mutual trust system and judging the mobile node specifically includes: the client installed on the trusted user node and the security service system judge whether the mobile node has a fault or an abnormal state by verifying the credibility of the mobile node, and if so, the client and the security service system terminate the service provided to that node.
The security service system manages users in real time and assigns a unique identifier to each user. The client can manage several network interfaces, establish and maintain a network link on the basis of the mutual trust system established with the security service system, and report to the security service system the network state information that keeps changing while the node moves, including the connection state and dynamic changes of the network address. The mutual trust system is the key to the design of the whole architecture: it lets the security service system obtain the real-time state of the mobile node and learn of its fault or abnormal state. If an illegal node chooses not to send state data to the security service system in order to hide its abnormal state, the mutual trust rule is broken and the security service system can stop providing services to that node.
Verifying the credibility of the mobile node specifically uses a first trusted authentication security formula and a second trusted authentication security formula. The first trusted authentication security formula is: a system state v is a node state satisfying the trusted verification security formula iff, for every access with allowed(s, o, a, T) = true, the following holds:
(1) when a = r: fc_c(s) ≥ fo_c(o) ∧ fc_w(o) ≥ fo_w(s) ∧ Time(trans, s) ≤ T;
(2) when a = w: fc_c(s) ≤ fo_c(o) ∧ fc_w(o) ≤ fo_w(s) ∧ Time(trans, s) ≤ T.
The second trusted authentication security formula is: the system Σ(R, D, W, V_0) is a secure system iff every node state V_0, V_1, …, V_n of the system is a safe state.
Here s is a subject set in the system, o is an object set, and A = {r, w, a, e} is the subject's requested access mode, representing read, write, append and execute respectively; the trusted state set Ts = {trust, untrusty, wtrusty} represents a trusted entity, an untrusted entity and an integrity-trusted entity respectively, corresponding to the trusted zone, the untrusted zone and the controlled zone of the TNC structure.
To address the security problem of access control in the heterogeneous mobile wireless network, the proposed architecture consists of a client installed on the trusted user node and a security service system, so that the security service system can obtain the real-time state of the mobile node; the credibility of the mobile node is screened with the trusted verification security formulas 1 and 2 above, so that a fault or abnormal state of the mobile node is known in real time and the service provided to that node can be stopped.
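The two trusted verification security formulas above, implemented as an added worked example that is not the patent's own code. Confidentiality levels (fc_c/fo_c), integrity levels (fc_w/fo_w) and Time(trans, s) are modelled as plain numbers on the entities and the granted access, and accesses in modes the formula does not cover (a and e) are denied; all of that is this example's assumption, not the patent's text.

```python
"""Trusted-verification security check for the mutual-trust system.

Formula 1 is evaluated per granted access allowed(s, o, a, T) = true;
formula 2 checks that every node state V0..Vn of the system is safe.
Level encoding and the time model are assumptions of this example.
"""
from dataclasses import dataclass

# Subject access modes defined on the page: A = {r, w, a, e}
READ, WRITE, APPEND, EXECUTE = "r", "w", "a", "e"


@dataclass(frozen=True)
class Entity:
    """A subject or object with its security levels (assumed integer encoding)."""
    name: str
    c: int  # confidentiality level: fc_c(s) for a subject, fo_c(o) for an object
    w: int  # integrity level:       fo_w(s) for a subject, fc_w(o) for an object


@dataclass(frozen=True)
class Access:
    """One granted access (s, o, a) held in a node state."""
    s: Entity
    o: Entity
    a: str
    trans_time: float  # Time(trans, s): seconds since s's last trust transition (assumed)


def access_is_safe(acc: Access, T: float) -> bool:
    """First trusted-authentication security formula for one access.

    read  (a = r): fc_c(s) >= fo_c(o) and fc_w(o) >= fo_w(s) and Time(trans, s) <= T
    write (a = w): fc_c(s) <= fo_c(o) and fc_w(o) <= fo_w(s) and Time(trans, s) <= T
    The page states conditions only for r and w; other modes are denied here
    (fail-closed), which is this example's choice.
    """
    if acc.trans_time > T:  # trust transition older than the bound T, any mode
        return False
    s, o = acc.s, acc.o
    if acc.a == READ:
        # no read-up on confidentiality, no read-down on integrity
        return s.c >= o.c and o.w >= s.w
    if acc.a == WRITE:
        # no write-down on confidentiality, no write-up on integrity
        return s.c <= o.c and o.w <= s.w
    return False


def state_is_safe(state: list, T: float) -> bool:
    """A node state v is safe iff every access granted in it satisfies formula 1."""
    return all(access_is_safe(acc, T) for acc in state)


def system_is_secure(states: list, T: float) -> bool:
    """Second formula: the system is secure iff every state V0..Vn is safe."""
    return all(state_is_safe(v, T) for v in states)


def unsafe_accesses(state: list, T: float) -> list:
    """What the security service system would report: accesses breaking formula 1."""
    return [acc for acc in state if not access_is_safe(acc, T)]


if __name__ == "__main__":
    # Constructed sample: one mobile node (subject) and two objects
    T = 300.0  # assumed bound on Time(trans, s), in seconds
    node = Entity("mobile-node-1", c=2, w=2)
    public_doc = Entity("public-doc", c=1, w=3)
    audit_log = Entity("audit-log", c=3, w=1)
    v0 = [Access(node, public_doc, READ, 10.0), Access(node, audit_log, WRITE, 10.0)]
    v1 = [Access(node, audit_log, READ, 10.0)]    # read-up on confidentiality: unsafe
    v2 = [Access(node, public_doc, READ, 900.0)]  # stale trust transition: unsafe
    for name, v in (("V0", v0), ("V1", v1), ("V2", v2)):
        bad = [a.o.name for a in unsafe_accesses(v, T)]
        print(name, "safe" if state_is_safe(v, T) else "UNSAFE", bad)
    print("system secure:", system_is_secure([v0, v1, v2], T))
```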
Referring to fig. 2, a flow chart of the security access model for establishing the heterogeneous mobile network according to the present invention is shown.
As shown in fig. 2, establishing a security access model of a heterogeneous mobile network specifically includes:
step 1021, performing network abstraction on the security access problem, and establishing a theoretical model;
step 1022, analyzing and comparing various security access methods by a modularization method;
and step 1023, obtaining a security access model.
In step 1022, the modularization method specifically includes:
dividing the network abstraction into a user network plane abstraction layer and a context abstraction layer; the network plane abstraction layer is used for representing heterogeneous network topology and behaviors of users in the network, and the context abstraction layer is used for transferring context.
The invention abstracts the network into two layers by a modeling method, one layer is a user network plane and mainly represents the heterogeneous network topology and the user behavior in the network, in particular the movement of a mobile node; the other is an abstracted context layer which is mainly used for ensuring the security of context transfer.
The heterogeneous network topology and the behaviour of users in the network are specifically the movement of the mobile node, and the nodes involved comprise a home server, a local server and a protocol conversion gateway; when the mobile node moves locally, authentication is performed through the home server; otherwise, authentication is handled by the home server during the context transfer.
Referring to fig. 3, the structure of the network abstraction layers according to the present invention is shown. The network is abstracted into two layers: one is the user network plane, which mainly represents the heterogeneous network topology and user behaviour in the network, particularly the movement of the mobile node; the other is the abstracted context layer, which is mainly used to ensure the security of context transfer. The figure contains several Diameter nodes, including an AAA home server (AAAH), an AAA local server (AAAL) and a protocol translation gateway. If the mobile node only moves locally, authentication through the AAAL is sufficient; otherwise, processing by the AAAH is needed during the context transfer.
Referring to fig. 4, a flowchart for authenticating a secure access of a heterogeneous mobile network is provided.
As shown in fig. 4, authenticating the secure access of the heterogeneous mobile network specifically includes:
step 1031, the access control layer controls access, that is, which users are allowed to access, when access is allowed, and from where access is allowed;
step 1032, the authentication control layer controls the interaction rules of the authentication messages: the user responds to the verification requirements of the service system according to the authentication method and parameters negotiated on the basis of the service system's key mechanism;
step 1033, the authentication implementation layer completes the authentication function based on the selected access and authentication control.
Further, the access modes adopted by the access control layer include a Web authentication mode and an 802.1X authentication mode.
The interaction rule adopts an EAP (extensible authentication protocol) authentication framework to implement authentication between the user and the network.
In the embodiment of the invention, the authentication method comprises account/password, CHAP, AKA and the like, and the authentication control and the authentication are usually combined together to complete the access authentication.
Further, the access control layer further includes encrypting the identity of the user: the user's identity is used as the public key, and the mobile node computes the symmetric key non-interactively.
As shown in fig. 5, a flow chart of the identity encryption mechanism is proposed for the present invention.
In the identity encryption mechanism, the identity of the user is used as the public key, which makes key management easier and removes the need for certificates for key revocation. The nodes reduce communication overhead by computing the symmetric key non-interactively. This way of minimising public-key cryptography (PKC) overhead is very attractive for mobile, resource-constrained heterogeneous mobile networks. Compared with the traditional encryption algorithm, the invention uses a symmetric-key cryptosystem, so that data can be effectively protected from tampering by an unauthorised attacker. Since only one key is used, and both the sender and the receiver use it to encrypt and decrypt data, the encryption key must be known to both parties in advance. The symmetric encryption algorithm has the characteristics of a public algorithm, a small amount of computation, high encryption speed and high encryption efficiency.
Further, authenticating the secure access of the heterogeneous mobile network further includes (3) updating the trust of the parameters, where the trust updating algorithm of the parameters specifically comprises the following steps:
The security threats to the network are divided into three types: warning, error and attack. Through security-scenario testing of the system in its actual operating environment, the average number of replacements of each security-analysis information parameter is obtained as q_Δ, where Δ is a placeholder that is replaced by BSD, HSD and RSD respectively to obtain the average replacement count of each index; the replacement frequency of each security degree is f_Δ:
f_Δ = q_Δ / T;
From the above equation, the total update frequency of the system is:
f = f_BSD + f_HSD + f_RSD − f_BSD · f_HSD · f_RSD
The threat frequency is denoted R_y, y = 1, 2, 3, corresponding to the three threat levels, and an attack frequency function g(f) is obtained, whose expression is as follows:
The replacement period T of the system is then calculated to satisfy:
T = 1 / f*
where f* satisfies the requirement that
f* is the update frequency of the system in the presence of the security threats, namely warnings, errors and attacks, in the three security threat environments.
The algorithm is used in the authentication stage of the system, and the failure rate of the security threat of the network to the system authentication is reduced by calculating the security degree of the system, so that the accuracy and the access success rate of the system are improved.
The invention stops providing service for the node by knowing the fault or abnormal state of the mobile node in real time; the security of the system is improved by adopting an 802.1X authentication mode in the authentication process of the system; and the trust updating algorithm of the system is optimized by combining with the actual operation test, so that the security threat of the actual operation in the environment is reduced.
Although the preferred embodiments of the present invention have been described in detail with reference to the accompanying drawings, the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the spirit of the present invention.
Many other changes and modifications can be made without departing from the spirit and scope of the invention. It is to be understood that the invention is not to be limited to the specific embodiments, but only by the scope of the appended claims.

Claims (10)

1. The dynamic migration access control technology design method based on the heterogeneous network is characterized by comprising the following steps of:
establishing a system architecture of a mutual communication system and judging a mobile node;
establishing a security access model of the heterogeneous mobile network;
and authenticating the secure access of the heterogeneous mobile network.
2. The method according to claim 1, wherein establishing a system architecture of a mutual trust system and determining the mobile node specifically includes: the client and the security service system installed on the trusted user node verify the credibility of the mobile node to judge whether it has a fault or is in an abnormal state; if so, service to that node is terminated.
3. The method for designing a mobility migration access control technology based on a heterogeneous network according to claim 2, wherein verifying the trustworthiness of the mobile node specifically uses a first trusted authentication security formula and a second trusted authentication security formula. The first trusted authentication security formula: a system state v satisfies the trusted verification security formula iff, for every node state of the system and for any allowed(s, o, a, T) = true, the following holds:
(1) when $a = r$: $fc\_c(s) \ge fo\_c(o) \wedge fc\_w(o) \ge fo\_w(s) \wedge \mathrm{Time}(trans, s) \le T$;
(2) when $a = w$: $fc\_c(s) \le fo\_c(o) \wedge fc\_w(o) \le fo\_w(s) \wedge \mathrm{Time}(trans, s) \le T$;
The second trusted authentication security formula: the system $\Sigma(R, D, W, V_0)$ is a secure system iff each of the node states $(V_0, V_1, \ldots, V_n)$ of the system is a secure state.
Wherein s is the subject set in the system, o is the object set, and A = { r, w, a, e } represents the access mode requested by the subject, namely reading, writing, appending and executing respectively; the trusted state set Ts = { trust, untrusty, wtrusty } represents a trusted entity, an untrusted entity and an integrity-trusted entity respectively, corresponding to the trusted zone, the untrusted zone and the controlled zone in the TNC structure.
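As an added illustration (not code from the patent), the following Python implements the two trusted authentication security formulas of claim 3 as a policy check over allowed (s, o, a, T) requests. The reading of fc_c/fo_c as confidentiality levels and fc_w/fo_w as integrity levels, the per-subject Time(trans, s) lookup and the sample entities are assumptions made here.

```python
# Added example, not the patent's own code: a checker for the first and second
# trusted authentication security formulas of claim 3. The mapping of the level
# functions to confidentiality/integrity levels, the Time(trans, s) semantics and
# all sample data are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Iterable, Tuple

@dataclass(frozen=True)
class Entity:
    name: str
    c: int  # assumed: fc_c(s) / fo_c(o) = confidentiality level
    w: int  # assumed: fo_w(s) / fc_w(o) = integrity level

# allowed access request (s, o, a, T): subject, object, mode, time bound
Request = Tuple[Entity, Entity, str, float]

def time_trans(s: Entity, clock: dict) -> float:
    """Time(trans, s): assumed to be the time elapsed since subject s last
    authenticated / transitioned, looked up from a per-subject clock."""
    return clock[s.name]

def request_is_secure(s: Entity, o: Entity, a: str, T: float, clock: dict) -> bool:
    """First formula: rule (1) for reads, rule (2) for writes, each with Time(trans, s) <= T."""
    if time_trans(s, clock) > T:
        return False            # stale transition: re-authentication required
    if a == "r":                # (1) fc_c(s) >= fo_c(o) and fc_w(o) >= fo_w(s)
        return s.c >= o.c and o.w >= s.w
    if a == "w":                # (2) fc_c(s) <= fo_c(o) and fc_w(o) <= fo_w(s)
        return s.c <= o.c and o.w <= s.w
    return False                # claim 3 states no rule for append / execute; deny

def state_is_secure(state: Iterable[Request], clock: dict) -> bool:
    """A node state is secure iff every allowed (s, o, a, T) satisfies the formula."""
    return all(request_is_secure(s, o, a, T, clock) for s, o, a, T in state)

def system_is_secure(states: Iterable[Iterable[Request]], clock: dict) -> bool:
    """Second formula: the system is secure iff every node state V_0..V_n is secure."""
    return all(state_is_secure(v, clock) for v in states)

# constructed sample: a high-clearance, low-integrity subject and a mid-level object
ALICE = Entity("alice", c=3, w=1)
DOC = Entity("doc", c=2, w=2)
CLOCK = {"alice": 5.0}  # 5 time units since alice last authenticated

if __name__ == "__main__":
    print(request_is_secure(ALICE, DOC, "r", 10.0, CLOCK))  # True: read down is allowed
    print(request_is_secure(ALICE, DOC, "w", 10.0, CLOCK))  # False: write down is refused
    print(system_is_secure([[(ALICE, DOC, "r", 10.0)], [(ALICE, DOC, "r", 3.0)]], CLOCK))  # False: T exceeded
```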
4. The method for designing a mobility migration access control technology based on a heterogeneous network according to claim 1, wherein the establishing a security access model of the heterogeneous mobile network specifically includes:
network abstraction is carried out on the safety access problem, and a theoretical model is established;
analyzing and comparing various security access methods by a modularization method;
a secure access model is obtained.
5. The heterogeneous network-based dynamic migration access control technology design method according to claim 3, wherein the modularization method specifically comprises:
dividing the network abstraction into a user network plane abstraction layer and a context abstraction layer; the network plane abstraction layer represents the heterogeneous network topology and the behaviour of users in the network, and the context abstraction layer transfers context; the heterogeneous network topology and user behaviour specifically concern the movement of a mobile node, and the mobile node involves a home server, a local server and a protocol conversion gateway; when the mobile node moves locally, authentication is carried out through the home server, otherwise the home server handles the authentication while the context is transferred through the context abstraction layer.
6. The method for designing a mobility migration access control technology based on a heterogeneous network according to claim 1, wherein the authenticating the secure access of the heterogeneous mobile network specifically includes:
the access control layer controls access, namely which users are allowed to access, when the access is allowed, and where the access is allowed;
the authentication control layer controls the interaction rules of the authentication messages; based on the key mechanism of the service system, the user responds to the verification requirement of the service system according to the negotiated authentication method and its parameters;
and the authentication implementation layer completes the authentication function on the basis of the selected access and authentication control.
7. The method of claim 6, wherein the access modes adopted by the access control layer include a Web authentication mode and an 802.1X authentication mode.
8. The method of claim 6, wherein the interaction rule implements authentication between the user and the network by using an EAP (extensible authentication protocol) authentication framework.
9. The method as claimed in claim 6, wherein the access control layer further encrypts the user identity, the user identity being used as the public key, and the mobile node computes a symmetric key non-interactively.
10. The method for designing a heterogeneous network based mobility migration access control technology according to claim 1, wherein authenticating the secure access of the heterogeneous mobile network further includes updating the trust of the parameters, wherein the trust update algorithm for the parameters specifically comprises the following steps:
The security threats of the network are divided into three types, namely warning, error and attack. Through security scenario tests of the system in the actual operating environment, the average replacement count of each security analysis information parameter is obtained as $q_\Delta$, where $\Delta$ is a placeholder for which BSD, HSD and RSD are substituted respectively to obtain the average replacement count of each index; the replacement frequency of each security degree is $f_\Delta$:
$f_\Delta = q_\Delta / T$;
The total update frequency of the system can be calculated from the above equation:
$f = f_{BSD} + f_{HSD} + f_{RSD} - f_{BSD} \cdot f_{HSD} \cdot f_{RSD}$
Denote the threat frequency as $R_y$, where $y = 1, 2, 3$ represents the three threat levels respectively, and obtain the attack frequency function $g(f)$, whose expression is as follows:
The replacement period $T$ of the system can then be calculated to satisfy the following equation:
$T = 1/f^*$
where $f^*$ satisfies
$f^*$ is the update frequency of the system in the presence of the security threats, namely warnings, errors and attacks.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711114137.XA CN107920065A (en) 2017-11-13 2017-11-13 Dynamic migration access control technology design method based on heterogeneous network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711114137.XA CN107920065A (en) 2017-11-13 2017-11-13 Dynamic migration access control technology design method based on heterogeneous network

Publications (1)

Publication Number Publication Date
CN107920065A true CN107920065A (en) 2018-04-17

Family

ID=61895473

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711114137.XA Withdrawn CN107920065A (en) 2017-11-13 2017-11-13 Dynamic migration access control technology design method based on heterogeneous network

Country Status (1)

Country Link
CN (1) CN107920065A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101730150A (en) * 2009-01-19 2010-06-09 中兴通讯股份有限公司 Method for controlling network resources during service flow transfer
CN101778099A (en) * 2009-12-31 2010-07-14 郑州信大捷安信息技术有限公司 Architecture accessing trusted network for tolerating untrusted components and access method thereof
CN103873449A (en) * 2012-12-18 2014-06-18 中国电信股份有限公司 Network access method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
FENG WANG, WEICHUAN NI, SHAOJIANG LIU, JIA LU, ZHIPING WAN: "Research and Design of Dynamic Migration Access Control Technology Based on Heterogeneous Network", 《ICMITE 2017》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109495889A (en) * 2018-12-20 2019-03-19 中山大学新华学院 Heterogeneous mobile network access control method based on mutual confidence-building mechanism
CN109495889B (en) * 2018-12-20 2022-01-04 中山大学新华学院 Heterogeneous mobile network access control method based on mutual trust mechanism

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20180417