CN109617875A - Secure access platform for a terminal communication network and its implementation method - Google Patents


Info

Publication number: CN109617875A
Authority: CN (China)
Prior art keywords: terminal, public access, data, access, access device
Legal status: Pending
Application number: CN201811506062.4A
Other languages: Chinese (zh)
Inventors: 许勇刚, 林亮成, 张崇超, 封保占, 杨宗跃
Current assignee: State Grid Network Technology (Beijing) Co Ltd
Original assignee: State Grid Network Technology (Beijing) Co Ltd
Application filed by State Grid Network Technology (Beijing) Co Ltd; priority to CN201811506062.4A; published as CN109617875A

Classifications

    • H04L63/0428 Network security: confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H02J13/0013
    • H04L63/061 Network security: key management in a packet data network, for key exchange, e.g. in peer-to-peer networks
    • H04L63/0823 Network security: authentication of entities using certificates
    • H04L63/10 Network security: controlling access to devices or network resources
    • H04L63/123 Applying verification of the received information: received data contents, e.g. message integrity
    • H04L63/20 Network security: managing network security; network security policies in general
    • Y04S40/20 Smart grids: information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses a secure access platform for a terminal communication network and a method for implementing it, which allow terminal devices to access the terminal communication network safely, reliably and efficiently and provide unified secure access for cross-zone services on the terminal communication access network. The secure access platform comprises: a terminal device, which generates service application data and contains a terminal security module that encrypts and decrypts the data of the access layer of the terminal communication network; a terminal communication public access device, which is responsible for establishing the secure channel and performing access control on terminals, guaranteeing the security of the access transmission and of the internal application systems being accessed; a data exchange component, a hardware device for service data parsing that parses and screens network data; and a terminal communication public access management system, which performs unified monitoring of the state of the terminal security modules, terminal communication public access devices and data exchange components.

Description

Secure access platform for a terminal communication network and its implementation method
Technical field
The invention relates to security protection for electric power terminal communication access networks and its implementation, and in particular to the principles and methods of security hardening, namely authentication, encryption and access control, applied when terminals under the 10 kV access network and the 0.4 kV access network access the service network.
Background art
The existing protection technology for terminal access networks is as follows:
The main technologies used by terminal communication access networks include EPON, industrial Ethernet, power line carrier communication and wireless communication. Because EPON uses a point-to-multipoint tree topology and transmits downstream data in broadcast mode, it is exposed to security threats such as eavesdropping, impersonation and denial of service. Against such threats, the Ministry of Information Industry issued the "Access Network Technical Requirements: EPON System Interoperability Requirements", which require the triple churning algorithm as the EPON encryption standard.
The triple churning mechanism encrypts the downstream broadcast of the OLT, and each ONU has a different encryption key, called the churning key. The churning key is the result of XOR-adding 3 bytes extracted from the ONU's upstream user data with a 3-byte random number; the actual key of triple churning is 48 bits long, giving 2^48 possible keys. Mainstream domestic EPON equipment vendors all support the triple churning algorithm, and the function is relatively easy to deploy, requiring no additional hardware.
The shortcomings of the existing terminal access network protection technology are as follows:
Triple churning cannot separate cross-zone service data; most equipment now in the network lacks the triple churning function, and equipment that has it cannot be upgraded directly by software and must be replaced.
The existing network isolation technologies are as follows:
With EPON, without adding a security module it is certainly impossible to isolate the security zones: the EPON downstream uses a point-to-multipoint physical topology, so the downstream physical signal can be monitored by other ONUs.
With Ethernet, whether the topology is star or ring, both ends of every link are point-to-point, so at the physical layer there is no EPON-style monitoring risk, and a switch does not send traffic other than broadcast packets to unrelated ports in broadcast mode.
The channel security module encrypts and decrypts the accessed data and adds a security zone identifier to the encrypted data (or a security zone identifier combined with the terminal device's uniformly planned IP network address or physical address and IP address); after decryption, forwarding is done according to the security zone identifier, which guarantees that data of different security zones cannot pass in the following situations:
(1) no matter how the VLAN configuration is tampered with, the identifiers corresponding to terminal data of different security zones do not change through the encryption and decryption process, so legitimate data is forwarded and illegitimate data is blocked;
(2) illegitimate data entering at any interface of the communication network cannot produce a correct security zone identifier through the decryption process and is blocked; illegitimate data without a legitimate mark that reaches the security module has no correct security zone identifier and is blocked after the encryption and decryption process;
data that illegitimately imitates the identifier of terminal data before the security module can be blocked in advance through the authentication system interface; the authentication policies include a policy binding address to physical port, a policy of security zone identifier uniqueness, and so on;
(3) even if illegitimate data carries a legitimate VLAN tag, it is blocked because it has no legitimate security zone identifier.
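The zone-identifier check described in the three cases above, as an added example that is not the patent's own code: a channel security module that encrypts data and binds a security zone identifier to it, and an access-device side that forwards only on a verified identifier, never on the VLAN tag. The cipher is a SHA-256 counter keystream with HMAC-SHA256, chosen for a dependency-free illustration; keys, zone identifiers and the forwarding table are constructed.

```python
import hashlib
import hmac
import os

# Constructed keys of the channel security module (a deployment would obtain
# them from the key agreement the platform performs when the tunnel is set up).
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
NONCE_LEN, TAG_LEN = 12, 32

# Forwarding table at the access device: security zone identifier -> destination
# (zone identifiers are constructed for this example).
ZONE_TABLE = {
    0x01: "production-control-zone",
    0x02: "management-information-zone",
}


def _keystream(nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream standing in for the data encryption algorithm."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(ENC_KEY + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(zone_id: int, plaintext: bytes, nonce: bytes = b"") -> bytes:
    """Security-module side: nonce || zone_id || ciphertext || tag.

    The zone identifier travels in clear but under the MAC, so the access device
    can route on it and any change to it fails verification.
    """
    nonce = nonce or os.urandom(NONCE_LEN)
    header = nonce + bytes([zone_id])
    ciphertext = _xor(plaintext, _keystream(nonce, len(plaintext)))
    tag = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def receive(frame: bytes, vlan_tag: int):
    """Access-device side. Returns (destination, plaintext) or (None, reason).

    vlan_tag is taken only to make the point explicit: the forwarding decision
    never consults it, so a tampered VLAN configuration cannot redirect data.
    """
    if len(frame) < NONCE_LEN + 1 + TAG_LEN:
        return None, "dropped: too short to carry a zone identifier and tag"
    header = frame[:NONCE_LEN + 1]
    ciphertext = frame[NONCE_LEN + 1:-TAG_LEN]
    tag = frame[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None, "dropped: no legitimate security zone identifier (MAC failed)"
    nonce, zone_id = header[:NONCE_LEN], header[NONCE_LEN]
    destination = ZONE_TABLE.get(zone_id)
    if destination is None:
        return None, f"dropped: unknown security zone {zone_id:#04x}"
    return destination, _xor(ciphertext, _keystream(nonce, len(ciphertext)))


def demo() -> list:
    """The three cases of the description, run back to back."""
    frame = protect(0x01, b"meter reading 1234")
    results = []
    # (1) VLAN tag tampered in transit: the authenticated zone identifier still decides.
    results.append(receive(frame, vlan_tag=4094))
    # (2) data injected at an interface without passing through a security module.
    results.append(receive(b"\x00" * 64, vlan_tag=100))
    # (3) legitimate VLAN tag but forged zone identifier: the MAC no longer matches.
    forged = frame[:NONCE_LEN] + bytes([0x02]) + frame[NONCE_LEN + 1:]
    results.append(receive(forged, vlan_tag=100))
    return results
```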
Summary of the invention
In view of the above deficiencies of the prior art, the technical problem solved by the invention is to provide a secure access platform for a terminal communication network and its implementation method, which allow terminal devices to access the terminal communication network safely, reliably and efficiently and provide unified secure access for cross-zone services on the terminal communication access network.
To achieve this, the secure access platform for a terminal communication network disclosed by the invention adopts the following technical scheme:
A secure access platform for a terminal communication network, where the terminal communication network comprises a master station layer, a transport layer and an access layer, and the master station layer comprises a management information zone and a production control zone, characterized in that the secure access platform comprises:
Terminal device: the terminal device generates service application data and contains a terminal security module, which encrypts and decrypts the data of the access layer of the terminal communication network;
The terminal security module establishes a secure channel with the terminal communication public access device using a secure communication protocol. The terminal security module and the terminal communication public access device negotiate the key exchange algorithm (Diffie-Hellman), the data encryption algorithm and the data integrity check algorithm, perform two-way authentication between client and server side, and determine a session key, thereby establishing the secure channel; this prevents data from being eavesdropped, tampered with, destroyed, inserted or replayed in transit and guarantees the security of data transmission;
Terminal communication public access device: the terminal communication public access device is responsible for establishing the secure channel and performing access control on terminals, guaranteeing the security of the access transmission and of the internal application systems being accessed;
The terminal communication public access device authenticates the identity of the terminal device; it controls the terminal device so that its connection to the public network is disconnected while it is connected to the intranet; more than two authentication methods are used for the identity authentication;
Data exchange component: a hardware device for service data parsing that parses and screens network data;
Terminal communication public access management system: performs unified monitoring of the state of the terminal security modules, terminal communication public access devices and data exchange components, and manages the configuration of service channel policies.
As a preferred embodiment of the above secure access platform: the terminal device is located in the access layer of the terminal communication network; the terminal communication public access device and the data exchange component are located between the transport layer and the master station layer of the terminal communication network; and the terminal communication public access management system is located in the management information zone of the master station layer.
As a preferred embodiment of the above secure access platform: the terminal security module establishes a two-way encrypted tunnel with the terminal communication public access device through a secure communication protocol, guaranteeing the security of data transmission; the terminal communication public access device authenticates the identity of terminal devices and arbitrates their access on the basis of a digital certificate system; and the data exchange component parses the data content at the master station layer boundary, per information flow, through the secure channel;
The terminal communication public access management system comprises terminal registration information management, terminal and security equipment operation monitoring management, and security behaviour audit management; it is connected to each module of the public access platform through a management interface.
The invention also discloses a method for implementing the secure access platform of a terminal communication network, which uses any of the above secure access platforms and performs the following steps:
(1) the terminal communication public access device stores, via bus communication, the basic information of the public access device itself, the access services and the access terminals into the database of the terminal communication public access management system;
(2) the terminal communication public access management system reads the content of the database, analyses it by calculation, and displays the device information and access situation of the public access platform in the form of a web page;
(3) the terminal communication public access management system, according to the interface specification provided by the State Grid IMS, summarizes the content read from the database and reports it to the IMS server;
(4) the terminal communication public access management system analyses the relevant parameters passed in by the public access device, checks the legitimacy of the access terminal's identity, and protects the access terminal from being counterfeited.
As a preferred embodiment of the above implementation method: the IMS server in step (3) is the IMS server of State Grid Corporation of China.
As a preferred embodiment of the above implementation method: the process by which a terminal device accesses the secure access platform is as follows:
S1: the terminal device accesses the wireless private network or the wired private network;
S2: the dedicated channel is successfully established;
S3: the terminal device submits its terminal certificate to the terminal communication public access device and applies for access to the public access platform;
S4: the terminal communication public access device verifies the terminal certificate and, on success, returns its server-side certificate;
S5: the terminal device verifies the server-side certificate;
S6: the terminal device requests the terminal communication public access device to verify the terminal identity;
S7: the terminal communication public access device forwards the application to the terminal communication public management system;
S8: the terminal communication public management system verifies the terminal identity;
S9: the terminal communication public management system returns the verification result to the terminal communication public access device;
S10: after successful authentication, the terminal communication public access device returns the result to the terminal device;
S11: the terminal device and the terminal communication public access device perform key agreement according to the verification result;
S12: the terminal device and the terminal communication public access device establish a secure tunnel;
S13: the terminal device sends encrypted service data to the terminal communication public access device;
S14: the terminal communication public access device decrypts the data and forwards it to the data exchange component;
S15: the data exchange component parses the plaintext data by service and sends the plaintext data that meets the service check conditions to the business system;
S16: the business system returns plaintext data to the data exchange component;
S17: the data exchange component parses the plaintext data by service and sends the plaintext data that meets the service check conditions to the terminal communication public access device;
S18: the terminal communication public access device encrypts the plaintext data and returns it to the terminal device.
The invention has the following beneficial effects:
The invention uses existing communication technology and studies key technologies of the public access platform such as optimal allocation strategies for communication resources, service isolation, data encryption and channel security protection; it deploys the public access platform at the boundary of the management zone, ensuring that the core area is safe and reliable. Secure access modules for service terminal equipment are designed according to the service types of the power distribution and consumption industry, realizing terminal-side service identification and data security protection and the splitting of services to their different partitions, so that access is unified and uploads are partitioned. A unified terminal communication public access management platform is built, providing unified service access and network resource management functions and improving the intelligent management level of the access network. The terminal communication public access management system of the invention provides functions such as the storage, display and reporting of basic information about access gateway equipment, access site services and access terminals, and terminal identity security checks.
Brief description of the drawings
Fig. 1 is an architecture diagram of the secure access platform for a terminal communication network of the invention;
Fig. 2 is an architecture diagram of a specific embodiment of the terminal communication public access management system of the invention;
Fig. 3 is an architecture diagram of a specific embodiment of the secure access platform for a terminal communication network of the invention;
Fig. 4 is the logical architecture diagram of the terminal communication public access management system of the invention.
Description of reference signs:
1 access terminal security component, 2 application system security component, 3 transmission channel security component, 4 access layer, 5 master station layer, 6 transport layer, 7 data presentation layer, 8 data analysis layer, 9 data storage layer, 10 data collection layer.
Specific embodiments
Specific embodiments of the invention are described below with reference to the drawings and examples:
Figures 1-4 illustrate a specific embodiment of the invention. As shown, in the secure access platform for a terminal communication network disclosed by the invention, the terminal communication network comprises a master station layer 5, a transport layer 6 and an access layer 4; the master station layer comprises a management information zone and a production control zone; and the secure access platform of the invention comprises:
Terminal device: the terminal device generates service application data and contains a terminal security module, which encrypts and decrypts the data of the access layer of the terminal communication network;
The terminal security module establishes a secure channel with the terminal communication public access device using a secure communication protocol. The terminal security module and the terminal communication public access device negotiate the key exchange algorithm (Diffie-Hellman), the data encryption algorithm and the data integrity check algorithm, perform two-way authentication between client and server side, and determine a session key, thereby establishing the secure channel; this prevents data from being eavesdropped, tampered with, destroyed, inserted or replayed in transit and guarantees the security of data transmission;
Terminal communication public access device: the terminal communication public access device is responsible for establishing the secure channel and performing access control on terminals, guaranteeing the security of the access transmission and of the internal application systems being accessed;
The terminal communication public access device authenticates the identity of the terminal device; it controls the terminal device so that its connection to the public network is disconnected while it is connected to the intranet; more than two authentication methods are used for the identity authentication;
Data exchange component: a hardware device for service data parsing that parses and screens network data;
Terminal communication public access management system: performs unified monitoring of the state of the terminal security modules, terminal communication public access devices and data exchange components, and manages the configuration of service channel policies.
As a preferred embodiment of the secure access platform of the invention, as shown in Fig. 3: the terminal device is located in the access layer of the terminal communication network; the terminal communication public access device and the data exchange component are located between the transport layer and the master station layer of the terminal communication network; and the terminal communication public access management system is located in the management information zone of the master station layer.
As a preferred embodiment of the secure access platform of the invention, as shown in Figs. 2, 3 and 4: the terminal security module establishes a two-way encrypted tunnel with the terminal communication public access device through a secure communication protocol, guaranteeing the security of data transmission; the terminal communication public access device authenticates the identity of terminal devices and arbitrates their access on the basis of a digital certificate system; and the data exchange component parses the data content at the master station layer boundary, per information flow, through the secure channel;
The terminal communication public access management system comprises terminal registration information management, terminal and security equipment operation monitoring management, and security behaviour audit management; it is connected to each module of the public access platform through a management interface.
The invention also discloses a method for implementing the secure access platform of a terminal communication network, which uses any of the above secure access platforms and performs the following steps:
(1) the terminal communication public access device stores, via bus communication, the basic information of the public access device itself, the access services and the access terminals into the database of the terminal communication public access management system;
(2) the terminal communication public access management system reads the content of the database, analyses it by calculation, and displays the device information and access situation of the public access platform in the form of a web page;
(3) the terminal communication public access management system, according to the interface specification provided by the State Grid IMS, summarizes the content read from the database and reports it to the IMS server;
(4) the terminal communication public access management system analyses the relevant parameters passed in by the public access device, checks the legitimacy of the access terminal's identity, and protects the access terminal from being counterfeited.
As a preferred embodiment of the above implementation method, as shown in Fig. 4: the IMS server in step (3) is the IMS server of State Grid Corporation of China.
As a preferred embodiment of the above implementation method, as shown in Fig. 3: the process by which a terminal device accesses the secure access platform is as follows:
S1: the terminal device accesses the wireless private network or the wired private network;
S2: the dedicated channel is successfully established;
S3: the terminal device submits its terminal certificate to the terminal communication public access device and applies for access to the public access platform;
S4: the terminal communication public access device verifies the terminal certificate and, on success, returns its server-side certificate;
S5: the terminal device verifies the server-side certificate;
S6: the terminal device requests the terminal communication public access device to verify the terminal identity;
S7: the terminal communication public access device forwards the application to the terminal communication public management system;
S8: the terminal communication public management system verifies the terminal identity;
S9: the terminal communication public management system returns the verification result to the terminal communication public access device;
S10: after successful authentication, the terminal communication public access device returns the result to the terminal device;
S11: the terminal device and the terminal communication public access device perform key agreement according to the verification result;
S12: the terminal device and the terminal communication public access device establish a secure tunnel;
S13: the terminal device sends encrypted service data to the terminal communication public access device;
S14: the terminal communication public access device decrypts the data and forwards it to the data exchange component;
S15: the data exchange component parses the plaintext data by service and sends the plaintext data that meets the service check conditions to the business system;
S16: the business system returns plaintext data to the data exchange component;
S17: the data exchange component parses the plaintext data by service and sends the plaintext data that meets the service check conditions to the terminal communication public access device;
S18: the terminal communication public access device encrypts the plaintext data and returns it to the terminal device.
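The access flow S3 to S12, as listed in both the summary and this embodiment, run end to end as an added example that is not the patent's code: certificate verification in both directions, the identity query against the management system's registration database from step (1) and step (4), algorithm negotiation and session-key agreement, with the tunnel granted only when every earlier step passed. Assumed stand-ins: HMAC-signed records under a constructed CA key in place of X.509 certificates, a toy Diffie-Hellman group, and constructed suite names and registry entries.

```python
import hashlib
import hmac
import secrets

# Stand-in for the digital certificate system: records signed with HMAC under a
# constructed CA key (a deployment uses X.509 certificates and real signatures).
CA_KEY = b"constructed-ca-key"

# Toy Diffie-Hellman parameters for the key agreement of S11 (illustration only;
# a deployment uses a standardised group of adequate size).
P = 2**127 - 1
G = 5

TERMINAL_SUITES = ["DH-AES-HMAC", "DH-SM4-HMAC"]   # constructed suite names
SERVER_SUITES = ["DH-SM4-HMAC", "DH-AES-HMAC"]     # access-device preference order


def issue_cert(subject: str, role: str) -> dict:
    body = f"{subject}|{role}".encode()
    return {"subject": subject, "role": role,
            "sig": hmac.new(CA_KEY, body, hashlib.sha256).hexdigest()}


def cert_valid(cert: dict, expected_role: str) -> bool:
    """Signature check plus role check: a terminal certificate is not accepted
    where the server-side certificate is expected, and vice versa."""
    body = f"{cert['subject']}|{cert['role']}".encode()
    good = hmac.new(CA_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(good, cert["sig"]) and cert["role"] == expected_role


class ManagementSystem:
    """Registration database filled in step (1) and queried in S8/S9 (step (4)).
    Applies the address/physical-port binding policy of the background section."""

    def __init__(self):
        self.registry = {}   # subject -> (address, physical port, security zone)

    def register(self, subject: str, address: str, port: str, zone: int) -> None:
        for other, (addr, prt, _) in self.registry.items():
            if (addr, prt) == (address, port) and other != subject:
                raise ValueError("address/port already bound to another terminal")
        self.registry[subject] = (address, port, zone)

    def verify_identity(self, subject: str, address: str, port: str, zone: int):
        rec = self.registry.get(subject)
        if rec is None:
            return False, "unregistered terminal"
        if rec[:2] != (address, port):
            return False, "address/port binding mismatch (possible counterfeit)"
        if rec[2] != zone:
            return False, "security zone mismatch"
        return True, "verified"


def negotiate(offered: list, supported: list):
    """S11 negotiation: the first access-device-preferred suite the terminal offers."""
    for suite in supported:
        if suite in offered:
            return suite
    return None


def session_key(priv: int, peer_pub: int, transcript: bytes) -> bytes:
    """Both sides derive the same key from the DH secret and the negotiation transcript."""
    shared = pow(peer_pub, priv, P).to_bytes(16, "big")
    return hmac.new(shared, b"session-key|" + transcript, hashlib.sha256).digest()


def access_flow(mgmt: ManagementSystem, terminal_cert: dict, server_cert: dict,
                address: str, port: str, zone: int):
    """Runs S3..S12 and returns (state, detail). The tunnel is established only
    when every earlier step succeeded, which is the control the flow enforces."""
    if not cert_valid(terminal_cert, "terminal"):          # S3/S4
        return "rejected", "S4: terminal certificate invalid"
    if not cert_valid(server_cert, "access-device"):        # S4/S5
        return "rejected", "S5: server certificate invalid"
    ok, why = mgmt.verify_identity(terminal_cert["subject"], address, port, zone)
    if not ok:                                              # S6..S10
        return "rejected", "S8: " + why
    suite = negotiate(TERMINAL_SUITES, SERVER_SUITES)       # S11
    if suite is None:
        return "rejected", "S11: no common algorithm suite"
    t_priv = secrets.randbelow(P - 2) + 1
    s_priv = secrets.randbelow(P - 2) + 1
    t_pub, s_pub = pow(G, t_priv, P), pow(G, s_priv, P)
    transcript = f"{suite}|{t_pub}|{s_pub}".encode()
    k_terminal = session_key(t_priv, s_pub, transcript)
    k_server = session_key(s_priv, t_pub, transcript)
    if not hmac.compare_digest(k_terminal, k_server):
        return "rejected", "S11: key agreement failed"
    return "tunnel", suite                                  # S12
```

To try it, register a terminal with `ManagementSystem.register(...)`, issue a terminal certificate and an access-device certificate with `issue_cert`, and call `access_flow` with the terminal's address, physical port and zone; a terminal presenting the right certificate from the wrong port is refused at S8.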
To sum up, in the present invention, channel security encryption is combined with the safe encryption certification of application, completes terminal communication access net The unified security of transregional business accesses.
Wherein:
Secure accessing platform mainly includes terminal security module, terminal communication public access device and data exchange component. Terminal security module is communicated public access device with terminal by secure communication protocols and establishes two-way encryption tunnel guarantee data biography Defeated safety reduces leaking data and is tampered risk;It is right based on digital certificate system that terminal communicates public access device Terminal identity carries out high-intensitive certification and access arbitration, it is ensured that only legal terminal could access, and realize terminal access information Safety, controllability reduce illegal terminal access risk, and by establishing between different two-way encryption tunnels realization different business Logic isolation, reduce data by unauthorized access risk, different business data exchange is in controlled area charactert;Data exchange component Data content parsing as unit of main website boundary is realized by exit passageway by information flow, and boundary is realized based on this Isolation, data exchange and the high-precision behaviour control of internal-external network can formulate stringent Approving system for different service types The customization, it can be achieved that secure transmission tunnel is spent, prevents illegally link from penetrating main website, terminal and industry is realized in the case where ensuring secured premise Business system safety, correct data exchange.
According to " comprehensive, practicability, economy, safety, otherness " principle, access net networking model, a variety of is proposed Information security integral protection system, common access platform architecture design, the design of common access platform security module of communication mode Deng solving that the access net property taken into account is poor, the problems such as resource utilization is low, multi-service enabling capabilities are insufficient.
The present invention is directed to terminal communication access net Problems Existing, using existing communication technology, studies communication resource optimization and matches The common access platforms key technologies such as strategy, business isolation, data encryption, channel security protection are set, in management great Qu boundary portion Affix one's name to common access platform, it is ensured that nucleus it is safe and reliable;Service terminal secure accessing is designed according to adapted electric industry service type Module realizes that terminal side service identification is protected with data safety, and shunting of the realization to different subregions business is accomplished to be uniformly accessed into, Subregion uploads;Unified terminal communication public access management platform is constructed, unified service access and network resource management are provided Function improves the intelligent management level of access net.
The terminal communication public access management system of the invention manages each module of the common access platform, stores terminal basic information and manages security policy. Specifically it covers terminal registration information management, operation monitoring of terminals and security equipment, and security behaviour audit management; it configures security policies for terminals and offers flexible and convenient means of security management. The management system manages all modules by connecting to the management interface of each module of the common access platform; management information is encrypted and carried over the communication network between the modules.
The terminal communication public access management system of the invention provides storage, display and reporting of the basic information of access gateway devices, access site services and access terminals, as well as terminal identity security checks.
The invention solves the following problems: secure access, by providing secure access for terminals of different services in different zones; secure transmission of business data, by protecting the confidentiality of data carried over the wired and wireless private network channels; terminal security protection, by standardising the intrinsic security protection of all kinds of service terminals; graded protection of different services, by protecting services of different security levels; isolation of services between zones, by securely isolating services of different security levels in the production zone and the management zone; and service identification, by accurately identifying different services.
The security architecture of the terminal communication network common access platform of the invention is composed of three parts: the access terminal security component 1, the transmission channel security component 3 and the application system security component 2, which together realise closed-loop secure transmission of data. The security architecture of the common access platform for the terminal communication network is shown in Figure 1.
The common access platform performs admission control of terminals through the public access device; it encrypts business data outside the network boundary through the secure encrypted tunnel established between the terminal security module and the public access device; and it achieves security isolation and security inspection of the data of each zone and each business system through the data exchange component. The technical architecture of the common access platform is shown in Figure 3. As the overall architecture in Figure 3 shows, the platform is divided into four parts:
1) Terminal device (containing the terminal security module): the terminal device generates service application data, which the terminal security module encrypts and decrypts at the application layer. The terminal security module uses a secure communication protocol to establish a secure channel with the public access device and thereby protects the transmitted data. It negotiates with the public access device the key exchange algorithm, the data encryption algorithm and the data integrity check algorithm, performs mutual authentication of client and server, agrees a session key and then establishes the secure channel, which protects data against eavesdropping, tampering, corruption, insertion and replay attacks in transit.
2) Terminal communication public access device: the public access device is one of the cores of the common access platform. It is responsible for establishing the secure channel and for access control of terminals, protecting both the access transmission and the internally accessed application systems. It also authenticates the identity of the terminal so that the terminal is trustworthy. It ensures that a terminal's public network connection is cut while the terminal is connected to the intranet, preventing a mobile terminal from bridging two networks at once ("one machine, two networks"), so that communication between terminal and intranet is as secure as the intranet itself. It offers several authentication modes for verifying user identity. For users from different security domains it controls access rights according to the corresponding rules and grants each user the least privilege, so that a terminal can only reach the internal resources that match its own role and permissions; this protects the internal application systems.
3) Data exchange component: a hardware device for parsing business data, responsible for parsing and screening network data.
4) Terminal communication public access management system: performs unified monitoring of the state of the terminal security module, the public access device and the data exchange component, and manages the configuration of service channel policies.
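The role-based access arbitration of the public access device (2) and the parsing and screening of the data exchange component (3) as they would fit together, as an added example in Python; this is not code from the patent or from State Grid. The role table, the service-to-zone routing, the one-JSON-object message format, the per-service rules and every name in the block are assumptions made for illustration. The check that a message's declared service matches the tunnel it arrived in models the separate per-service tunnels the description uses for logical isolation.

```python
"""Added example: access arbitration plus boundary screening (not the patent's code).

A terminal's certified identity is mapped to the services its role may use (least
privilege, public access device); each service runs in its own tunnel, so the data
exchange component rejects a message whose declared service differs from the
tunnel's service (logical isolation between services), then parses the plaintext,
enforces per-service rules and routes it to the business system in the right zone.
The role table, routes, message format (one JSON object) and rules are assumptions.
"""
import json

# Assumed: terminal role -> services it may use (minimum privilege for its role).
ROLE_SERVICES = {
    "meter": {"meter_reading"},
    "feeder": {"feeder_automation"},
    "charger": {"charging_pile"},
}

# Assumed: service -> (security zone of the master station, business system that owns it).
SERVICE_ROUTE = {
    "meter_reading": ("management_information_zone", "metering_system"),
    "charging_pile": ("management_information_zone", "charging_system"),
    "feeder_automation": ("production_control_zone", "distribution_automation"),
}

# Assumed per-service rules checked by the data exchange component.
SERVICE_RULES = {
    "meter_reading": {"required": {"meter_id", "kwh"}, "max_len": 512},
    "charging_pile": {"required": {"pile_id", "state"}, "max_len": 512},
    "feeder_automation": {"required": {"switch_id", "cmd"}, "max_len": 256,
                          "allowed": {"cmd": {"open", "close", "status"}}},
}


class AccessDenied(Exception):
    """Raised wherever the platform would drop the traffic instead of forwarding it."""


def arbitrate(identity, tunnel_service):
    """Public access device: admit a registered role only for a service it may use."""
    role = identity.get("role")
    if role not in ROLE_SERVICES:
        raise AccessDenied("unregistered terminal role %r" % role)
    if tunnel_service not in ROLE_SERVICES[role]:
        raise AccessDenied("role %s may not open a %s tunnel" % (role, tunnel_service))
    return SERVICE_ROUTE[tunnel_service]


def parse_service_message(plaintext):
    """Data exchange component: parse decrypted bytes into (service, fields)."""
    if len(plaintext) > 4096:
        raise AccessDenied("message too large to parse")
    try:
        msg = json.loads(plaintext)
    except ValueError:
        raise AccessDenied("payload is not a JSON object")
    if not isinstance(msg, dict) or not isinstance(msg.get("service"), str):
        raise AccessDenied("missing or invalid service field")
    return msg["service"], {k: v for k, v in msg.items() if k != "service"}


def check_rules(service, fields, raw_len):
    """Screen the parsed message against the service's rules (size, fields, values)."""
    rules = SERVICE_RULES.get(service)
    if rules is None:
        raise AccessDenied("no rules for service %s" % service)
    if raw_len > rules["max_len"]:
        raise AccessDenied("%s message exceeds %d bytes" % (service, rules["max_len"]))
    missing = rules["required"] - set(fields)
    if missing:
        raise AccessDenied("missing fields %s" % sorted(missing))
    for key, allowed in rules.get("allowed", {}).items():
        if fields.get(key) not in allowed:
            raise AccessDenied("%s=%r is not an allowed value" % (key, fields.get(key)))


def exchange(identity, tunnel_service, plaintext):
    """Path from the public access device to a business system.

    Returns (zone, business_system, fields); raises AccessDenied when any stage
    would block the traffic.
    """
    zone, system = arbitrate(identity, tunnel_service)
    service, fields = parse_service_message(plaintext)
    if service != tunnel_service:   # cross-service traffic inside a tunnel
        raise AccessDenied("message for %s carried in %s tunnel" % (service, tunnel_service))
    check_rules(service, fields, len(plaintext))
    return zone, system, fields


def blocked(identity, tunnel_service, plaintext):
    """True when exchange() would deny the traffic; useful for audit logs and tests."""
    try:
        exchange(identity, tunnel_service, plaintext)
    except AccessDenied:
        return True
    return False
```

exchange() refuses at the first stage that would drop the traffic, in the order the platform applies them: arbitration before parsing, so an unauthorised terminal never gets its payload parsed, then the tunnel/service match, then the service's own rules. A meter-role terminal is therefore denied a feeder automation tunnel outright, and a feeder terminal that sends a switching command outside the allowed set is stopped at the boundary rather than at the business system.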
The preferred embodiments of the invention have been described in detail above with reference to the drawings, but the invention is not limited to these embodiments: within the knowledge of those skilled in the art, many changes can be made without departing from the purpose of the invention, and such variations, which involve techniques well known to those skilled in the art, all fall within the scope of protection of this patent.
Many other changes and modifications can be made without departing from the spirit and scope of the invention. It should be understood that the invention is not limited to the specific embodiments; its scope is defined by the following claims.

Claims (6)

1. A secure access platform for a terminal communication network, the terminal communication network comprising a master station layer, a transport layer and an access layer, the master station layer comprising a management information zone and a production control zone, characterised in that the secure access platform comprises:
a terminal device, which generates service application data and contains a terminal security module that encrypts and decrypts the data of the access layer of the terminal communication network;
the terminal security module establishes a secure channel with the terminal communication public access device using a secure communication protocol; it negotiates with the public access device the key exchange algorithm, the data encryption algorithm and the data integrity check algorithm, performs mutual authentication of client and server, agrees a session key and establishes the secure channel, protecting data from eavesdropping, tampering, corruption, insertion and replay attacks in transit;
a terminal communication public access device, responsible for establishing the secure channel and for access control of the terminal, protecting the access transmission and the internally accessed application systems;
the public access device authenticates the identity of the terminal device; it ensures that the terminal device's connection to the public network is cut while the terminal device is connected to the intranet; and the identity authentication supports more than two authentication modes;
a data exchange component, a hardware device for parsing business data, used for parsing and screening network data;
a terminal communication public access management system, which performs unified monitoring of the state of the terminal security module, the public access device and the data exchange component, and manages the configuration of service channel policies.
2. The secure access platform of claim 1, characterised in that the terminal device is located in the access layer of the terminal communication network; the public access device and the data exchange component are located between the transport layer and the master station layer; and the public access management system is located in the management information zone of the master station layer.
3. The secure access platform of claim 1, characterised in that the terminal security module establishes a two-way encrypted tunnel with the public access device over a secure communication protocol to protect data transmission; the public access device authenticates and arbitrates access for the terminal device's identity on the basis of a digital certificate system; the data exchange component parses data content at the master station layer boundary, taking the information flow passing through the secure channel as its unit;
the public access management system comprises terminal registration information management, operation monitoring of terminals and security equipment, and security behaviour audit management; it connects to the management interface of each module of the common access platform.
4. An implementation method of the secure access platform for a terminal communication network, characterised in that, using the secure access platform of any one of claims 1 to 3, the following steps are executed:
(1) the public access device stores, via bus communication, the basic information of the public access device itself, of the access services and of the access terminals into the database of the public access management system;
(2) the public access management system reads the content of the database, analyses it by computation and displays the equipment information and access situation of the common access platform as web pages;
(3) the public access management system reads the content of the database according to the interface specification provided by the State Grid IMS and summarises and reports it to the IMS server;
(4) the public access management system analyses the parameters passed in by the public access device, checks the legitimacy of the access terminal's identity and protects access terminals from being impersonated.
5. The implementation method of claim 4, characterised in that the IMS server in step (3) is the IMS server of State Grid Corporation of China.
6. The implementation method of claim 4, characterised in that a terminal device accesses the secure access platform as follows:
S1: the terminal device connects to the wireless private network or the wired private network;
S2: a dedicated channel is successfully established;
S3: the terminal device submits its terminal certificate to the public access device and applies for access to the common access platform;
S4: the public access device verifies the terminal certificate and, on success, returns its server certificate;
S5: the terminal device verifies the server certificate;
S6: the terminal device asks the public access device to verify the terminal's identity;
S7: the public access device forwards the request to the public access management system;
S8: the public access management system verifies the terminal identity;
S9: the public access management system returns the verification result to the public access device;
S10: after successful authentication, the public access device returns the result to the terminal device;
S11: the terminal device and the public access device carry out key agreement on the basis of the verification result;
S12: the terminal device and the public access device establish the secure tunnel;
S13: the terminal device sends encrypted business data to the public access device;
S14: the public access device decrypts the data and forwards it to the data exchange component;
S15: the data exchange component parses the plaintext according to the service and sends the plaintext that satisfies the service inspection conditions to the business system;
S16: the business system returns plaintext to the data exchange component;
S17: the data exchange component parses the plaintext according to the service and sends the plaintext that satisfies the service inspection conditions to the public access device;
S18: the public access device encrypts the plaintext and returns it to the terminal device.
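The exchange S3 to S14 and S18 above, and with it the algorithm negotiation, mutual authentication, session key and replay protection that the description assigns to the terminal security module under 1), as an added example in Python; it is not the patent's or State Grid's code. Everything concrete in it is an assumption, because the patent names no algorithm: a CA object whose HMAC tag stands in for a certificate signature, triple Diffie-Hellman over RFC 3526 group 14 as the key agreement (the ephemeral-ephemeral product plus both ephemeral-static products, so each side proves it holds the private key behind its certified public value), an HMAC-SHA256 keystream with encrypt-then-MAC and per-direction keys standing in for the record cipher, a constructed REGISTERED set as the management system's registration database, and constructed JSON request and reply bodies.

```python
"""Added example (not the patent's code): the claim 6 access flow, S3-S14 and S18.

Mutual certificate verification (S3-S5), identity check against the management
system's registration database (S6-S10), key agreement (S11-S12) and an encrypted,
replay-protected tunnel (S13-S14, S18).  Key agreement is triple Diffie-Hellman over
RFC 3526 group 14: ephemeral-ephemeral plus both ephemeral-static products, so each
side proves it holds the private key behind its certified public value.  Assumed:
the CA signature is an HMAC only the CA object holds; the record cipher is an
HMAC-SHA256 keystream with encrypt-then-MAC standing in for SM4/AES-GCM.
"""
import hashlib, hmac, secrets

P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"   # RFC 3526 group 14
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
        "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
        "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
        "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
REGISTERED = {"meter-0001", "feeder-0007"}   # constructed: IDs known to the management system (S8)

def ibytes(n):
    return n.to_bytes(256, "big")

def keystream(key, seq, n):
    # Stand-in stream cipher: HMAC-SHA256 in counter mode, separate key per direction.
    return b"".join(hmac.new(key, seq + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range((n + 31) // 32))[:n]

def cert_body(cert):
    return cert["subject"].encode() + b"|" + cert["role"].encode() + b"|" + ibytes(cert["dh_pub"])

class CA:
    """Stand-in for the digital certificate system: an HMAC tag in place of a signature."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
    def issue(self, subject, role, dh_pub):
        cert = {"subject": subject, "role": role, "dh_pub": dh_pub}
        cert["tag"] = hmac.new(self._key, cert_body(cert), "sha256").digest()
        return cert
    def verify(self, cert):
        return hmac.compare_digest(cert["tag"], hmac.new(self._key, cert_body(cert), "sha256").digest())

class Party:
    """A terminal (initiator) or a public access device (responder)."""
    def __init__(self, ca, subject, role):
        self.static = secrets.randbelow(P - 2) + 1      # long-term key, bound by the certificate
        self.cert = ca.issue(subject, role, pow(G, self.static, P))
        self.eph = secrets.randbelow(P - 2) + 1         # fresh per session
        self.eph_pub = pow(G, self.eph, P)
        self.send_seq = self.recv_seq = 0
    def derive(self, peer_cert, peer_eph_pub, transcript, initiator):
        ee = pow(peer_eph_pub, self.eph, P)             # ephemeral x ephemeral
        es = pow(peer_cert["dh_pub"], self.eph, P)      # my ephemeral x peer static
        se = pow(peer_eph_pub, self.static, P)          # my static x peer ephemeral
        ts, ds = (es, se) if initiator else (se, es)    # same order on both sides
        secret = hashlib.sha256(ibytes(ee) + ibytes(ts) + ibytes(ds) + transcript).digest()
        keys = [hmac.new(secret, lbl, "sha256").digest() for lbl in (b"t2d enc", b"t2d mac", b"d2t enc", b"d2t mac")]
        self.tx, self.rx = (keys[:2], keys[2:]) if initiator else (keys[2:], keys[:2])
    def seal(self, plaintext):
        enc, mac = self.tx
        self.send_seq += 1
        seq = self.send_seq.to_bytes(8, "big")
        ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc, seq, len(plaintext))))
        return seq + ct + hmac.new(mac, seq + ct, "sha256").digest()   # encrypt-then-MAC
    def open(self, record):
        enc, mac = self.rx
        seq, ct, tag = record[:8], record[8:-32], record[-32:]
        if not hmac.compare_digest(tag, hmac.new(mac, seq + ct, "sha256").digest()):
            raise ValueError("record tampered or wrong key")
        if int.from_bytes(seq, "big") <= self.recv_seq:  # replayed (or reordered) record
            raise ValueError("replayed record")
        self.recv_seq = int.from_bytes(seq, "big")
        return bytes(c ^ k for c, k in zip(ct, keystream(enc, seq, len(ct))))

def access_flow(ca, terminal, device, request=b'{"service":"meter_reading","kwh":12.5}', reply=b'{"status":"ok"}'):
    """S3-S14 and S18; returns the plaintext seen at the device and at the terminal."""
    if not ca.verify(terminal.cert):                    # S3-S4: device verifies the terminal certificate
        raise PermissionError("terminal certificate rejected")
    if not ca.verify(device.cert):                      # S5: terminal verifies the server certificate
        raise PermissionError("server certificate rejected")
    if terminal.cert["subject"] not in REGISTERED:     # S6-S10: identity checked by the management system
        raise PermissionError("terminal identity not registered")
    transcript = hashlib.sha256(cert_body(terminal.cert) + cert_body(device.cert)
                                + ibytes(terminal.eph_pub) + ibytes(device.eph_pub)).digest()
    terminal.derive(device.cert, device.eph_pub, transcript, True)    # S11-S12: key agreement, tunnel up
    device.derive(terminal.cert, terminal.eph_pub, transcript, False)
    at_device = device.open(terminal.seal(request))    # S13-S14: decrypted for the data exchange component
    at_terminal = terminal.open(device.seal(reply))    # S18: reply encrypted back to the terminal
    return at_device, at_terminal

def refused(fn, *args):
    """True when the platform refuses fn(*args): bad certificate, unknown identity or bad record."""
    try:
        fn(*args)
        return False
    except (PermissionError, ValueError):
        return True
```

The order of checks follows the claim: certificates on both sides first, then the registration lookup, and only then key agreement, so an unregistered terminal with a valid certificate never reaches S11. Binding the transcript (both certificates and both ephemeral values) into the session secret, and keeping separate keys per direction with a strictly increasing sequence number under the MAC, is what makes the tunnel reject the replayed and tampered records that the description lists among the attacks the module must withstand.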
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811506062.4A CN109617875A (en) 2018-12-10 2018-12-10 A kind of the secure accessing platform and its implementation of terminal communication network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811506062.4A CN109617875A (en) 2018-12-10 2018-12-10 A kind of the secure accessing platform and its implementation of terminal communication network

Publications (1)

Publication Number Publication Date
CN109617875A true CN109617875A (en) 2019-04-12

Family

ID=66008896

Country Status (1)

Country Link
CN (1) CN109617875A (en)

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107733747A (en) * 2017-07-28 2018-02-23 国网江西省电力公司上饶供电分公司 Towards the common communication access system of multiple service supporting

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
廖勤武 (Liao Qinwu): 终端通信接入网公共接入平台研究 (Research on a common access platform for terminal communication access networks), 电力信息与通信技术 (Electric Power Information and Communication Technology) *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110099314A (en) * 2019-04-30 2019-08-06 广东省广播电视网络股份有限公司中山分公司 Network system and its control method based on optical fiber and coaxial cable
CN110099314B (en) * 2019-04-30 2021-08-10 广东省广播电视网络股份有限公司中山分公司 Network system based on optical fiber and coaxial cable and control method thereof
CN110430220A (en) * 2019-08-28 2019-11-08 四川省东宇信息技术有限责任公司 A kind of power transmission and transforming equipment safety access method and system
CN111510304A (en) * 2020-04-20 2020-08-07 中国人民解放军陆军勤务学院 Information transmission method, information management method, system, device and electronic equipment
CN111510304B (en) * 2020-04-20 2023-06-20 中国人民解放军陆军勤务学院 Information transmission and information management method, system and device and electronic equipment
CN111988328A (en) * 2020-08-26 2020-11-24 中国电力科学研究院有限公司 Safety guarantee method and system for acquiring terminal data of power generation unit of new energy plant station
CN112272048A (en) * 2020-10-24 2021-01-26 青岛鼎信通讯股份有限公司 Network port locking method applied to medium-voltage carrier communication equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190412