CN109150290B - Satellite lightweight data transmission protection method and ground safety service system - Google Patents

Publication number: CN109150290B (application CN201811234171.5A; earlier publication CN109150290A)
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Active
Inventors: 王利明, 徐建峰, 唐鼎
Assignee (current and original): Institute of Information Engineering of CAS
Prior art keywords: user equipment, resource, satellite, information, request

Classifications

    • H04B7/18517 Transmission equipment in earth stations (space-based or airborne stations; systems using a satellite or space-based relay)
    • H04B7/18519 Operations control, administration or maintenance (satellite relay systems)
    • H04L63/06 Network security protocols for supporting key management in a packet data network
    • H04L63/08 Network security protocols for authentication of entities
    • H04L63/083 Network security protocols for authentication of entities using passwords


Abstract

The invention discloses a lightweight satellite data transmission protection method and a ground security service system. The ground security service system builds a single new resource request message from the access requests of different user equipment for the same satellite resource information, sends that request to the satellite on behalf of the many user equipment, and, through an identity-based forwarding mechanism and request aggregation, converts many requests with many responses into one request with one response. After the satellite's secure response resource information passes through the security service system, it is correctly distributed to every user equipment that requested the same resource information, and the validity of the resource information is verified. The invention addresses the high link-bandwidth overhead of satellite-to-ground information transmission and achieves lightweight protection of satellite data transmission.

Description

Satellite lightweight data transmission protection method and ground safety service system
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a lightweight satellite data transmission protection method and a ground security service system.
Background
With the continued advance of terrestrial networking and the rapid development of mobile communication networks represented by 5G, users now demand from next-generation network infrastructure ultra-high-speed transmission, ultra-large bandwidth, ultra-high reliability, seamless coverage, and access anytime and anywhere. The space-ground integrated network comprehensively integrates the space-based information network, the future Internet and the mobile communication network, interconnects space-based, air-based and land-based networks, fully meets the complex requirements of future networks, and has strong advantages for building a high-speed, mobile, secure and ubiquitous new-generation information infrastructure. However, the satellite, which is the core of the integrated network, differs greatly from existing ground network devices in spatial location, service mode, available resources, communication mode, operating environment, protocol system, and so on. In particular, the satellite-to-ground link, a typical open channel, faces security threats such as signal interception, interference and denial-of-service attacks. How to provide reasonable security protection for data transmission between satellite and ground, guaranteeing the confidentiality, integrity, availability and source authenticity of the transmitted data, is a practical problem that urgently needs solving. At the same time, the limited satellite-ground link resources make communication between satellite and ground expensive.
The differences between the space network and the traditional ground network give many traditional problems a new shape, and the satellite-ground link is more sensitive to the computational and transmission overhead of a data transmission protection scheme. Traditional ground communication protocols and security schemes have limitations, cannot well meet the strict requirements of satellite-ground data transmission services, and cannot be transplanted directly. The document "Realizing network security of satellite IP network based on PEP-IPSec" applies IPSec in the performance enhancing proxy (PEP) of a satellite IP network, forming PEP-IPSec, which on one hand improves TCP/IP performance over the satellite IP network and on the other hand greatly strengthens the network security of the satellite IP network. The document "A multimedia IP security protocol for TCP performance enhancement in wireless networks" analyzes the conflict that arises when IPSec is applied to a TCP scenario that uses a performance enhancing proxy, and proposes a multilayer IPSec model (ML-IPSec) providing layered security protection and fine-grained access control. The document "A Cross-Layer Architecture for Security Network Security: CL-IPsec" introduces CL-IPSec, a layer-extension architecture within IPSec that provides authentication and integrity services. The document "Perform-Aware Security of Unicast Communication in Hybrid software Networks" refines the key exchange protocol of the original IPSec-PEP, proposes a certificate-based multi-mode key exchange protocol, and avoids the key distribution problem. None of these schemes, however, guarantees data transmission efficiency on the resource-limited satellite-ground link while protecting security.
The IPSec protocol is widely used to protect unicast communication, which means the satellite must respond to every user request separately, giving rise to repeated responses; layered IPSec increases the transmitted data by up to three times; and IPSec and its enhanced protocols incur complex design cost and the overhead of distributing overly heavy keys.
In summary, current schemes almost never satisfy transmission security and transmission efficiency at the same time, and impose a large overhead on satellite-ground link bandwidth. The lightweight data transmission protection scheme provided by the invention greatly reduces satellite-ground link bandwidth consumption while keeping satellite-ground communication secure.
Disclosure of Invention
Problem solved by the invention: it overcomes the defects of the prior art and provides, for the resource-limited satellite-ground link, a lightweight satellite data transmission protection method and a ground security service system for satellite-ground communication, reducing the occupation of bandwidth resources while keeping communication secure.
In order to achieve the purpose, the invention adopts the following technical scheme:
the ground security service system consists of five modules: an access management module, an identity management module, a key management module, a message distribution module and a state audit module;
the access management module is implemented as follows:
(1) the ground security service system is regarded as the server side and the network equipment that intends to communicate with the satellite as the client side; the ground security service system must be able to receive information from many user equipment, so the access management module first listens on a socket and waits for user equipment to connect;
(2) after receiving a registration request, the access management module first checks the legality of the user equipment, then generates an identity identifier for the equipment and returns it to the registering user equipment;
(3) after receiving a resource access request, the access management module verifies the authenticity of the user equipment identifier and judges whether the equipment's authority permits access to the requested resource information;
the identity management module is implemented as follows:
(1) after a registration request is processed, the identity management module receives the execution result of the access management module and stores the newly created user equipment identifier, the user equipment authority and other related information, so that the data persists;
(2) when a user equipment requesting a resource is verified, the identity management module provides all information about that user equipment to the access management module;
the key management module stores the identity identifier, public key and other related information of the space satellite so that the data persists;
the message distribution module is implemented as follows:
(1) the message distribution module maintains a forwarding state table whose entries have the format <resource_i, [dev1, dev2, ..., devn]>. Such an entry indicates that, in the current state, the user equipment dev1, dev2, ..., devn have all initiated an access request for the same resource; the message distribution module stores the information in this request-aggregated form, which reduces wasted storage;
(2) on receiving a request for resource information, the message distribution module first queries whether the forwarding state table already has an entry requesting the same resource information. If the entry exists, the identity identifier of the user equipment is added to it and the request message is discarded; if no such entry exists, the message distribution module creates a new entry in the forwarding state table from the identity identifier of the user equipment and the identifier of the requested resource information, and forwards the resource information access request to the satellite;
(3) on receiving the secure response resource information from the satellite, the message distribution module first obtains the public key corresponding to that satellite from the key management module and verifies the correctness and validity of the secure response resource information, then sends it to all user equipment that requested the resource information according to the forwarding state table, and finally deletes the entry from the forwarding state table.
The state audit module operates as follows:
(1) the state audit module periodically clears inactive user equipment and releases the storage holding their information;
(2) the state audit module monitors the forwarding state table in the message distribution module in real time to protect the table against denial-of-service attacks. Specifically, when the number of forwarding state table entries increases sharply and this state persists for a period of time, a denial-of-service attack is deemed to be occurring, and an alarm mechanism is triggered immediately to locate the malicious user equipment.
The invention provides a lightweight satellite data transmission protection method that achieves efficient and secure data transmission between satellite and ground through an identity-based forwarding mechanism and request aggregation, comprising the following steps:
(1) according to the received registration request, assigning identity identifier information and authority information to each registered user equipment, to enable subsequent access control on resources;
(2) according to the identity generated during registration, aggregating the resource requests of legal user equipment, so that many unicast requests from many users for the same resource are converted into the transmission of a single request to the satellite;
(3) after receiving the resource information with attached signature issued by the satellite, first verifying the legality and security of the resource; once verification succeeds, distributing the received secure resource information to the many user equipment that requested it according to the state of request aggregation, thereby using the satellite-ground link efficiently.
The specific process is as follows:
(1) Equipment registration: the user equipment sends a registration request to the ground security service system; the access management module verifies the validity of the user equipment and generates an identity identifier and authority information for it; the identity management module stores the generated user equipment information so that the data persists; and the access management module returns the identity identifier information to the user equipment.
(2) Resource access: the access management module receives the resource request message of the user equipment and queries the identity management module as to whether the user equipment is registered and whether it has authority to access the resource information; this single step keeps unregistered or insufficiently authorized user equipment from accessing the resource information, thereby implementing access control. For a legal user equipment with sufficient authority, the resource information request is passed to the message distribution module, which first queries whether the forwarding state table already has an entry requesting the same resource information. If the entry exists, other user equipment have already requested the resource information, so the identity identifier of the user equipment is added to the entry and the request message is discarded; if no such entry exists, this user equipment is currently the first to request the resource information, so the message distribution module creates a new entry in the forwarding state table from the identity identifier of the user equipment and the identifier of the requested resource information, and forwards the resource information access request to the satellite;
after the message distribution module receives the secure response resource information signed by the satellite, it extracts the public key corresponding to that satellite from the key management module and uses it to verify the signature on the secure response resource information, which proves its integrity and source authenticity; the message distribution module looks up the forwarding state table to obtain all user equipment that requested the secure response resource information; it forwards the satellite's secure response resource information to all of them and deletes the corresponding entry from the forwarding state table, releasing its storage; after receiving the satellite's secure response resource information, each user equipment verifies its integrity and source authenticity using the public key corresponding to the satellite;
(3) System monitoring and auditing
The state audit module periodically queries the activity state of registered user equipment and promptly cleans up inactive user equipment, such as user equipment that has not communicated with the ground security service system for a long time.
The state audit module monitors the forwarding state table in the message distribution module in real time and promptly discovers denial-of-service attacks aimed at the table. Its criterion is a continued sharp increase in the number of forwarding state table entries. When a denial-of-service attack is judged to be occurring, the module immediately triggers an alarm mechanism to locate the malicious user equipment.
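The two duties of the state audit module described above (the inactive-device cleanup in the disclosure and in step (3) here, and the forwarding-table monitoring whose criterion is a sustained sharp rise in entry count) can be made concrete in a small monitor. The following is an added example, not code from the patent: a device silent for longer than a timeout is purged, and the forwarding state table is sampled so that growth above a threshold on several consecutive samples raises an alarm and names the device that opened the most entries. The thresholds, the sampling period and the constructed traffic timeline are assumptions; the table is modelled as the <resource, [dev1, dev2, ...]> dictionary the page describes, with the first device in each list being the one whose request was forwarded to the satellite.

```python
"""State audit module: inactive-device cleanup and forwarding-table DoS detection.

Added example, not the patent's code. Thresholds and the traffic timeline in
audit_example() are constructed for illustration.
"""
from collections import Counter, deque


class StateAudit:
    def __init__(self, inactivity_timeout, growth_threshold, sustain, history=32):
        self.inactivity_timeout = inactivity_timeout  # seconds of silence before purge
        self.growth_threshold = growth_threshold      # new entries per sample deemed "sharp"
        self.sustain = sustain                        # consecutive sharp samples -> alarm
        self.last_seen = {}                           # dev id -> last activity time
        self.sizes = deque(maxlen=history)            # recent entry counts
        self._sharp_run = 0

    def touch(self, dev, now):
        """Record activity of a registered device (called on every message)."""
        self.last_seen[dev] = now

    def purge_inactive(self, now, delete_record):
        """Duty (1): drop devices silent for longer than the timeout."""
        stale = [d for d, t in self.last_seen.items() if now - t > self.inactivity_timeout]
        for dev in stale:
            del self.last_seen[dev]
            delete_record(dev)      # identity management module removes the stored row
        return stale

    def sample(self, table):
        """Duty (2): record the table size and decide whether its growth is an attack."""
        size = len(table)
        growth = size - (self.sizes[-1] if self.sizes else size)
        self.sizes.append(size)
        self._sharp_run = self._sharp_run + 1 if growth >= self.growth_threshold else 0
        if self._sharp_run < self.sustain:
            return {"alarm": False, "entries": size}
        # Locate the device that caused the most entries to be opened: the first
        # device in each entry is the one whose request was forwarded to the satellite.
        openers = Counter(devs[0] for devs in table.values() if devs)
        suspect, opened = openers.most_common(1)[0]
        return {"alarm": True, "entries": size, "suspect": suspect, "opened": opened}


def audit_example():
    """Constructed timeline: two benign samples, then one device flooding new resources."""
    deleted = []
    audit = StateAudit(inactivity_timeout=600, growth_threshold=20, sustain=3)
    now = 1_000_000
    audit.touch("dev1", now - 30)      # recently active
    audit.touch("dev2", now - 5_000)   # silent for longer than the timeout
    purged = audit.purge_inactive(now, deleted.append)

    table = {}
    results = []
    table["r1"] = ["dev1"]
    results.append(audit.sample(table))
    table["r2"] = ["dev3", "dev1"]
    results.append(audit.sample(table))
    for tick in range(3):               # constructed flood: 25 fresh resources per sample
        for i in range(25):
            table[f"flood-{tick}-{i}"] = ["dev9"]
        results.append(audit.sample(table))
    return {
        "purged": purged,
        "deleted": deleted,
        "alarms": [r["alarm"] for r in results],
        "final": results[-1],
    }


if __name__ == "__main__":
    print(audit_example())
```

The alarm fires only after the growth has persisted for `sustain` samples, which is the "lasts for a period of time" condition; a single burst of legitimate requests for many distinct resources therefore does not trip it. Choosing the opener of each entry as the suspect matches the page's own rule that the first requester creates the entry, so a device that merely piggybacks on existing entries cannot be blamed for the flood.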
Compared with the prior art, the invention has the beneficial effects that:
(1) the invention realizes a ground security service system that maintains user equipment information, satellite information and resource information requests, in which a message distribution module aggregates requests and converts many requests with many responses into one request with one response;
(2) the invention provides an identity-based satellite-ground data transmission mechanism, realizes an identity-based authority management system, and, by combining this mechanism with the ground security service system, achieves a transmission mode similar to multicast;
(3) by introducing a ground security service system and an identity-based transmission mechanism into the satellite-ground transmission system, a lightweight satellite data transmission protection method is realized and satellite-ground link bandwidth consumption is greatly reduced while satellite-ground communication remains secure;
(4) the invention solves the problem of high link-bandwidth overhead in satellite-to-ground information transmission and achieves lightweight protection of satellite data transmission.
Drawings
FIG. 1 is a block diagram of the ground security service system of the invention;
FIG. 2 is a flowchart of equipment registration in the lightweight satellite data transmission protection method of the invention;
FIG. 3 is a flowchart of a resource access request in the lightweight satellite data transmission protection method of the invention;
FIG. 4 is a flowchart of secure information distribution in the lightweight satellite data transmission protection method of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in FIG. 1, the ground security service system of the invention consists of an access management module, an identity management module, a key management module, a message distribution module and a state audit module. The access management module communicates with many user equipment using a multithreaded socket communication mechanism and performs generation and authentication of user equipment identities. The identity management module stores the information of all registered user equipment in a database so that user equipment data persists. The key management module stores the satellite's identifier, public key and other related information in a database so that satellite data persists. The message distribution module aggregates the resource information requests of user equipment, requests the resource information from the satellite on their behalf, verifies the legality and security of the satellite's secure response resource information, and distributes that information to the user equipment. The ground security service system is the key part of the lightweight satellite data transmission protection scheme, and the state audit module monitors the running state of the message distribution module in real time and discovers whether the satellite is under a denial-of-service attack.
The above is explained in detail below.
The access management module communicates with many user equipment using a multithreaded socket communication mechanism and performs generation of user equipment identifiers, registration of user equipment, and verification of user equipment identity and authority.
The identity management module stores the information of all registered user equipment in a database so that user equipment data persists, and provides delete, modify and query operations to an administrator.
The key management module stores the satellite's identifier, public key and other related information in a database so that satellite data persists, and provides add, delete, modify and query operations to an administrator.
The message distribution module aggregates the resource information requests of user equipment, requests the resource information from the satellite on their behalf, verifies the legality and security of the satellite's response resource information, and distributes the response resource information to the user equipment.
The state audit module monitors the running state of the message distribution module in real time and discovers whether the forwarding state table in the message distribution module is under a denial-of-service attack.
As shown in FIG. 2, the access management module starts multithreaded socket listening and waits for registration requests from user equipment. When a user equipment has established a connection with the access management module and sent a registration request, the access management module creates a new thread to receive and process it. The access management module establishes the legality of the user equipment through password plus e-mail/mobile-phone verification, generates a user equipment identifier and returns it to the equipment. Next, the access management module assigns an authority to the user equipment and passes all its information to the identity management module, which stores it in the device table of a MySQL database for persistent storage; the structure of the device table is shown in Table 1 below:
TABLE 1 Device data table structure
Field name   Type      Length      Description
Dev_id       int       4 bytes     User equipment identifier
Dev_level    int       4 bytes     User equipment permission level
Dev_type     int       4 bytes     User equipment type
Pin          varchar   20 bytes    User equipment PIN code
Extend       varchar   200 bytes   Additional information
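The registration flow of FIG. 2 and the identifier/authority check of step (3) of the access management module can be exercised against the Table 1 schema directly. The following is an added example, not the patent's code: the device table is created in an in-memory SQLite database (the page uses MySQL), a device registers with a PIN and a contact-verification result, receives a Dev_id and a permission level, and later resource requests are authorized against the stored level. The resource-to-level mapping, the salted PBKDF2 storage of the PIN and the minimum PIN length are assumptions made for the example.

```python
"""Registration and authorization against the Table 1 device table.

Added example, not the patent's code. Resource levels, PIN hashing and the
minimum PIN length are assumptions.
"""
import hashlib
import hmac
import os
import sqlite3

# Table 1 field names and types. A salted PBKDF2 record is longer than the
# 20-byte Pin column of Table 1, so a real deployment would widen that column.
DEVICE_TABLE_DDL = """
CREATE TABLE device (
    Dev_id    INTEGER PRIMARY KEY,
    Dev_level INTEGER NOT NULL,
    Dev_type  INTEGER NOT NULL,
    Pin       VARCHAR(20) NOT NULL,
    Extend    VARCHAR(200)
)
"""

PBKDF2_ROUNDS = 50_000   # assumption; tune for the deployment


def _pin_record(pin, salt):
    """Salted PBKDF2-HMAC-SHA256 of the PIN, stored as 'salt:digest' (assumption)."""
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


class IdentityManagement:
    """Identity management module: persists user-equipment records (Table 1)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(DEVICE_TABLE_DDL)

    def store(self, level, dev_type, pin_record, extend=""):
        cur = self.db.execute(
            "INSERT INTO device (Dev_level, Dev_type, Pin, Extend) VALUES (?, ?, ?, ?)",
            (level, dev_type, pin_record, extend))
        self.db.commit()
        return cur.lastrowid          # becomes the Dev_id returned to the device

    def lookup(self, dev_id):
        return self.db.execute(
            "SELECT Dev_id, Dev_level, Dev_type, Pin FROM device WHERE Dev_id = ?",
            (dev_id,)).fetchone()

    def delete(self, dev_id):         # used by the state audit module's cleanup
        self.db.execute("DELETE FROM device WHERE Dev_id = ?", (dev_id,))
        self.db.commit()


class AccessManagement:
    """Access management module: registration, identifier check, authority check."""

    def __init__(self, identity, resource_levels):
        self.identity = identity
        self.resource_levels = resource_levels   # resource id -> required Dev_level

    def register(self, pin, contact_verified, dev_type=1, level=1):
        # Step (2): legality check (page: password plus e-mail/phone verification),
        # then an identifier is generated, stored and returned.
        if not contact_verified or len(pin) < 6:
            return None
        return self.identity.store(level, dev_type, _pin_record(pin, os.urandom(8)))

    def authenticate(self, dev_id, pin):
        """Proves that the device presenting Dev_id knows the registered PIN."""
        row = self.identity.lookup(dev_id)
        if row is None:
            return False
        salt_hex = row[3].split(":")[0]
        return hmac.compare_digest(_pin_record(pin, bytes.fromhex(salt_hex)), row[3])

    def authorize(self, dev_id, resource):
        # Step (3): the identifier must be registered and its level sufficient.
        row = self.identity.lookup(dev_id)
        required = self.resource_levels.get(resource)
        return row is not None and required is not None and row[1] >= required


def registration_example():
    """Constructed walk-through: one device registers and requests two resources."""
    access = AccessManagement(IdentityManagement(), {"r1": 1, "r2": 2})
    dev_id = access.register("483921", contact_verified=True, level=1)
    return {
        "dev_id": dev_id,
        "auth_ok": access.authenticate(dev_id, "483921"),
        "auth_bad": access.authenticate(dev_id, "000000"),
        "r1_allowed": access.authorize(dev_id, "r1"),
        "r2_allowed": access.authorize(dev_id, "r2"),
        "unknown_dev": access.authorize(99, "r1"),
        "weak_pin_rejected": access.register("12", contact_verified=True) is None,
    }


if __name__ == "__main__":
    print(registration_example())
```

Unknown resources are denied rather than allowed by default, and the PIN comparison uses a constant-time check; both are choices for the example rather than statements about the patent's implementation.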
As shown in FIG. 3, the access management module starts multithreaded socket listening and waits for resource requests from user equipment. On receiving a resource information request, it extracts the identity identifier of the user equipment from the request and queries the identity management module as to whether that user equipment exists and whether it has authority to access the resource information.
For a legal user equipment with sufficient authority, the resource information request is passed to the message distribution module, which first queries whether the forwarding state table already has an entry requesting the same resource information. The invention stores the forwarding state table in a dictionary-type data structure <key, value>, where key is the resource information identifier and value is the list of identifiers of all user equipment that requested that resource information. If the forwarding state table has such an entry, other user equipment have already requested the same resource information, so the identity identifier of the user equipment is added to the value and the resource information request is discarded; if no such entry exists, this user equipment is currently the first to request the resource information, so the message distribution module creates a new entry in the forwarding state table from the identity identifier of the user equipment and the requested resource information identifier, and forwards the access request for the resource information to the satellite;
The resource information request process is illustrated by an example. Suppose user equipment dev1 and dev2 are currently requesting resource information r1, so that the forwarding state table holds the entry <r1, [dev1, dev2]>. When the message distribution module receives a request from dev3 to access r1, it updates the entry to <r1, [dev1, dev2, dev3]> and discards the request. If the message distribution module then receives a request from dev4 to access r2, it queries the forwarding state table, finds no entry for r2, creates the new entry <r2, [dev4]>, and sends the access request for the resource information to the satellite on behalf of dev4.
As shown in FIG. 4, after receiving the secure response resource information signed by the satellite, the message distribution module extracts the public key corresponding to that satellite from the key management module and uses it to verify the secure response resource information, proving the integrity and source authenticity of the response; the message distribution module looks up the forwarding state table to obtain all user equipment that requested the secure response resource information; it forwards the satellite's secure response resource information to all of them through the access management module and deletes the corresponding entry from the forwarding state table, releasing its storage; after receiving the satellite's secure response resource information, each user equipment verifies its integrity and source authenticity using the public key corresponding to the satellite;
Continuing the example, the message distribution module receives the satellite-signed secure response resource information r1, verifies its security and validity, queries the forwarding state table to obtain the entry <r1, [dev1, dev2, dev3]>, and learns that dev1, dev2 and dev3 have all initiated access requests for r1; it therefore sends the satellite-signed r1 to dev1, dev2 and dev3 through the access management module. On receiving the satellite's secure response resource information, the three user equipment verify the integrity and source authenticity of r1 using the public key corresponding to the satellite, and the resource information access is complete. Had the three user equipment in this example accessed the same resource information by unicast, the satellite-ground link would have carried three request packets and three response packets; with the mechanism of the invention only one request packet and one response packet are needed, so the occupation of satellite-ground link bandwidth is greatly reduced and transmission efficiency improved.
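The forwarding state table of the message distribution module (steps (1) to (3) in the disclosure, FIG. 3 and FIG. 4 here) and the dev1..dev4 / r1, r2 walk-through above can be run end to end. The following is an added example, not code from the patent: only one request per resource reaches the satellite, the signed response is checked against the key management module once before fan-out to every requester, and the entry is then deleted. The patent specifies a public-key signature by the satellite verified with its stored public key; to stay within the standard library this example substitutes an HMAC-SHA256 tag produced by a simulated satellite (an assumption), so the verifying side here holds the same key, whereas with a real signature the ground system and each user equipment would hold only the satellite's public key.

```python
"""Message distribution module: request aggregation and verified fan-out.

Added example, not the patent's code. The HMAC tag stands in for the
satellite's signature (assumption); SimulatedSatellite and the payloads are
constructed for illustration.
"""
import hashlib
import hmac
from collections import defaultdict


def _tag(key, resource, payload):
    # Binds the tag to both the resource identifier and the payload.
    return hmac.new(key, resource.encode() + b"\x00" + payload, hashlib.sha256).digest()


class KeyManagement:
    """Key management module: holds each satellite's verification key."""

    def __init__(self):
        self._keys = {}

    def add_satellite(self, sat_id, key):
        self._keys[sat_id] = key

    def verify(self, sat_id, resource, payload, tag):
        key = self._keys.get(sat_id)
        return key is not None and hmac.compare_digest(_tag(key, resource, payload), tag)


class SimulatedSatellite:
    """Constructed stand-in for the satellite: answers each request with a tagged response."""

    def __init__(self, sat_id, key, resources):
        self.sat_id, self._key, self._resources = sat_id, key, resources
        self.requests_seen = []

    def handle(self, resource):
        self.requests_seen.append(resource)
        payload = self._resources[resource]
        return (self.sat_id, resource, payload, _tag(self._key, resource, payload))


class MessageDistribution:
    def __init__(self, key_mgmt, satellite):
        self.table = {}                      # forwarding state table <resource, [dev, ...]>
        self.key_mgmt = key_mgmt
        self.satellite = satellite
        self.pending = []                    # satellite responses awaiting distribution
        self.delivered = defaultdict(list)   # dev -> resources handed to access management

    def request(self, dev, resource):
        """Steps (1)-(2): join an existing entry, or open one and forward to the satellite."""
        if resource in self.table:
            if dev not in self.table[resource]:
                self.table[resource].append(dev)
            return "aggregated"
        self.table[resource] = [dev]
        self.pending.append(self.satellite.handle(resource))   # one uplink per resource
        return "forwarded"

    def distribute(self, response):
        """Step (3): verify once, fan out to every requester, delete the entry."""
        sat_id, resource, payload, tag = response
        if not self.key_mgmt.verify(sat_id, resource, payload, tag):
            return []       # entry kept, so the genuine response can still be served
        devs = self.table.pop(resource, [])
        for dev in devs:    # each device re-verifies on its side, as the page describes
            self.delivered[dev].append(resource)
        return devs


def aggregation_example():
    """The page's walk-through: dev1..dev3 request r1, dev4 requests r2."""
    key = b"constructed-satellite-key"
    key_mgmt = KeyManagement()
    key_mgmt.add_satellite("sat1", key)
    satellite = SimulatedSatellite("sat1", key, {"r1": b"telemetry-1", "r2": b"telemetry-2"})
    md = MessageDistribution(key_mgmt, satellite)

    outcomes = [md.request(d, "r1") for d in ("dev1", "dev2", "dev3")]
    outcomes.append(md.request("dev4", "r2"))
    table_before = {r: list(d) for r, d in md.table.items()}

    sat_id, res, payload, tag = md.pending[0]           # a tampered copy must be rejected
    rejected = md.distribute((sat_id, res, payload + b"!", tag))
    fanout = {resp[1]: md.distribute(resp) for resp in md.pending}
    return {
        "outcomes": outcomes,
        "uplink_requests": list(satellite.requests_seen),
        "table_before": table_before,
        "rejected": rejected,
        "fanout": fanout,
        "table_after": dict(md.table),
        "delivered": dict(md.delivered),
        # link packets for r1: unicast = 3 requests + 3 responses; aggregated = 1 + 1
        "r1_packets_unicast": 2 * len(fanout["r1"]),
        "r1_packets_aggregated": 2,
    }


if __name__ == "__main__":
    print(aggregation_example())
```

A response that fails verification leaves the entry in place rather than deleting it, so an injected or corrupted downlink frame cannot silently cancel pending requests; the audit module's growth check is what bounds how long an entry may linger.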
The above examples are provided only for the purpose of describing the present invention, and are not intended to limit the scope of the present invention. The scope of the invention is defined by the appended claims. Various equivalent substitutions and modifications can be made without departing from the spirit and principles of the invention, and are intended to be within the scope of the invention.

Claims (6)

1. A satellite lightweight data transmission protection method, characterized in that efficient and secure data transmission between satellite and ground is achieved through an identity-based forwarding mechanism and request aggregation, the method comprising the following steps:
(1) according to the received registration request, assigning identity identification information and authority information to each registered user equipment, so that subsequent access control on resources can be performed;
(2) according to the identity generated in the registration process, aggregating the resource requests of legitimate user equipment, so that a plurality of unicast requests from a plurality of users for the same resource are converted into a single request sent to the satellite;
(3) after receiving the resource information with attached signature information issued by the satellite, first verifying the legality and security of the resource; once the resource response is confirmed correct, distributing the received secure resource information to the plurality of user equipment that requested it, according to the state of resource request aggregation, so that the satellite-ground link is used efficiently;
the specific process is as follows:
(1) equipment registration: the user equipment initiates a registration request to the ground security service system; the access management module verifies the validity of the user equipment and generates an identity identifier and authority information for it; the identity management module stores the generated identity identifier and authority information of the user equipment so that the user equipment data is persisted; the access management module returns the identity identification information to the user equipment;
(2) resource access: the access management module receives the resource request message from the user equipment and queries the identity management module as to whether the user equipment is registered and whether it has authority to access the resource information; this single step prevents unregistered user equipment, or user equipment with insufficient authority, from accessing the resource information, thereby realizing access control; for legitimate user equipment with sufficient authority, the resource information request is passed to the message distribution module, which first queries whether the forwarding state table already contains an entry requesting the same resource information; if such an entry exists, other user equipment has already requested the resource information, so the identity of the user equipment is added directly to that entry and the request message is discarded; if it does not exist, the user equipment is currently the first to request the resource information, so the message distribution module creates a new entry in the forwarding state table from the identity of the user equipment and the identifier of the requested resource information and forwards the resource information access request to the satellite;
after the message distribution module receives the security response resource information signed by the satellite, it retrieves the public key corresponding to the satellite from the key management module and uses that key to verify the signature of the security response resource information, proving its integrity and source authenticity; the message distribution module looks up the forwarding state table to obtain all user equipment that requested the security response resource information; the message distribution module forwards the satellite's security response resource information to all user equipment that requested the resource information and deletes the corresponding entry from the forwarding state table, releasing its storage; after receiving the satellite's security response resource information, the user equipment verifies its integrity and source authenticity using the public key corresponding to the satellite;
(3) system monitoring and auditing: the state auditing module periodically queries the active state of registered user equipment and promptly removes inactive user equipment, such as user equipment that has not communicated with the ground security service system for a long time;
the state auditing module monitors the forwarding state table in the message distribution module in real time to detect denial of service attacks against the forwarding state table; its criterion is that the forwarding state table entries keep increasing rapidly, and when it judges that a denial of service attack is occurring, the module immediately triggers an alarm mechanism to locate the malicious user equipment.
2. A ground security service system, characterized in that it comprises an access management module, an identity management module, a key management module, a message distribution module and a state audit module, wherein:
the access management module serves as the entry point of the ground security service system; it preprocesses messages before they enter the other modules and implements the generation of user equipment identity identifiers, the registration of user equipment, and the verification of user equipment identity and authority;
the identity management module stores the result of the access management module's processing of user equipment registration requests, that is, the information of all registered user equipment is written to a database so that the equipment information is persisted, and delete, modify and query operations are provided to an administrator; the user equipment information comprises the user equipment identifier, the user equipment type, the user equipment authority and a PIN code; in addition, the module provides the other modules with an interface for verifying user equipment authority;
the key management module stores satellite information in a database so that the data of the satellites in the controlled space is persisted, and provides add, delete, modify and query operations to an administrator; the satellite information comprises the satellite identity, public key and satellite type; in addition, the module provides a satellite public key query interface for the other modules;
the message distribution module aggregates the requests of a plurality of user equipment for a resource through a forwarding state table and sends a single request to the satellite on behalf of the users; after receiving the satellite's resource response information it verifies the legality of the signature on that information through the interface exposed by the key management module, so as to ensure the security of the resource response information, and finally obtains all user equipment that requested the resource response information and passes the resource response information to the access management module for distribution;
the state auditing module detects in real time whether the forwarding state table in the message distribution module is under denial of service attack, specifically by judging whether the forwarding state table is continuously and rapidly growing; in addition, the module periodically removes inactive user equipment to release the storage resources of the identity management module, by detecting user equipment that has not communicated with the satellite for a set period of time and marking it as inactive.
3. The ground security service system according to claim 2, wherein: in the access management module, a multithreaded Socket communication mechanism allows a plurality of user equipment to communicate with the access management module simultaneously; after a connection with a user equipment is successfully established, a new thread is created to independently handle identity identifier generation, user registration, user identity verification, authority authentication and subsequent resource response information transmission for that user equipment.
4. The ground security service system according to claim 2, wherein: in the message distribution module, a dictionary is used to maintain the forwarding state table, and each entry stored in the forwarding state table has the format < resource i, [ dev1, dev2, ..., dev n ] >, where resource i is a resource identifier and dev1, dev2, ..., dev n are the identifiers of all user equipment requesting resource i.
5. The ground security service system according to claim 2, wherein: the resource request aggregation in the message distribution module proceeds as follows: after receiving a resource access request, first query whether the forwarding state table has an entry requesting the same resource; if the entry exists, add the identity of the user equipment currently requesting the resource directly to that entry and discard the received resource access request message; if it does not exist, create a forwarding state table entry and forward the resource access request to the satellite.
6. The ground security service system according to claim 2, wherein: the data distribution in the message distribution module proceeds as follows: after receiving the satellite's resource response information, ensure its security by verifying the correctness of its signature, then send the satellite's secure response information to all user equipment that requested the resource response information according to the forwarding state table, and delete the corresponding entry from the forwarding state table.
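As an added illustration (not code from the patent), the following Python sketch of the message distribution module replays the r1 / dev1 to dev3 scenario from the description and claims 4 to 6, and adds the forwarding-state-table growth check of step (3) in claim 1. The class and function names, the injected `verify` and send callbacks, the keyed-hash stand-in for the satellite's signature, and the window/threshold growth criterion are all assumptions; the patent specifies neither the signature algorithm nor an exact definition of "continuously and rapidly increasing".

```python
import hashlib
import hmac
from collections import Counter, deque


class MessageDistributionModule:
    # Forwarding state table {resource_id: [dev_id, ...]} (claim 4). The page names no
    # signature algorithm, so `verify(resource_id, payload, sig) -> bool` is injected.
    def __init__(self, verify, send_to_satellite, send_to_device):
        self.table = {}
        self.verify, self.to_sat, self.to_dev = verify, send_to_satellite, send_to_device
        self.creations = deque()  # (time, dev_id) per new entry, for the state audit

    def handle_request(self, dev_id, resource_id, now):
        # Request aggregation (claim 5): only the first requester reaches the satellite.
        if resource_id in self.table:
            if dev_id not in self.table[resource_id]:
                self.table[resource_id].append(dev_id)
            return False  # duplicate discarded: no extra satellite-ground traffic
        self.table[resource_id] = [dev_id]
        self.creations.append((now, dev_id))
        self.to_sat(resource_id)
        return True

    def handle_response(self, resource_id, payload, signature):
        # Data distribution (claim 6): verify satellite signature, fan out, delete entry.
        if not self.verify(resource_id, payload, signature):
            return []  # assumption: a bad signature is dropped and the entry is kept
        devices = self.table.pop(resource_id, [])
        for dev in devices:
            self.to_dev(dev, resource_id, payload, signature)
        return devices

    def audit_growth(self, now, window, threshold):
        # State audit (assumed criterion): alarm when entries created within `window`
        # exceed `threshold`, and name the device that created most of them.
        while self.creations and self.creations[0][0] < now - window:
            self.creations.popleft()
        if len(self.creations) <= threshold:
            return False, None
        return True, Counter(d for _, d in self.creations).most_common(1)[0][0]


SAT_KEY = b"constructed-satellite-key"  # keyed-hash stand-in for the satellite signature

def sat_sign(resource_id, payload):
    return hmac.new(SAT_KEY, resource_id.encode() + payload, hashlib.sha256).digest()

def sat_verify(resource_id, payload, signature):
    return hmac.compare_digest(sat_sign(resource_id, payload), signature)

def run_example():
    # Replays the page's r1 / dev1..dev3 scenario, plus a forged response (constructed).
    uplink, downlink = [], []
    mdm = MessageDistributionModule(sat_verify, uplink.append, lambda dev, rid, *_: downlink.append((dev, rid)))
    forwarded = [mdm.handle_request(d, "r1", now=0.0) for d in ("dev1", "dev2", "dev3")]
    rejected = mdm.handle_response("r1", b"fake", b"\x00" * 32)
    served = mdm.handle_response("r1", b"telemetry", sat_sign("r1", b"telemetry"))
    return {"uplink": uplink, "forwarded": forwarded, "rejected": rejected,
            "served": served, "downlink": downlink, "table_after": dict(mdm.table)}

def run_audit_example(window=1.0, threshold=50):
    # Ten entries over 100 s is normal; 200 entries from one device in 0.2 s is not.
    mdm = MessageDistributionModule(sat_verify, lambda rid: None, lambda *_: None)
    for i in range(10): mdm.handle_request("dev1", f"normal{i}", now=i * 10.0)
    quiet = mdm.audit_growth(now=100.0, window=window, threshold=threshold)
    for i in range(200): mdm.handle_request("bad-dev", f"flood{i}", now=100.0 + i * 0.001)
    return quiet, mdm.audit_growth(now=100.2, window=window, threshold=threshold)
```

Only one request crosses the satellite-ground link for the three devices, the forged response is never distributed, and the burst of new entries from a single device raises the alarm that names it.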
CN201811234171.5A 2018-10-23 2018-10-23 Satellite lightweight data transmission protection method and ground safety service system Active CN109150290B (en)

Publications (2)

Publication Number Publication Date
CN109150290A CN109150290A (en) 2019-01-04
CN109150290B true CN109150290B (en) 2020-09-15


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant