CN112995139B - Trusted network, trusted network construction method and trusted network construction system - Google Patents


Info

Publication number
CN112995139B
Authority
CN (China)
Prior art keywords
information, trusted, trust, mapping, data
Legal status
Active
Application number
CN202110155603.9A
Other languages
Chinese (zh)
Other versions
CN112995139A (en)
Inventors
蒋文保
叶帅
Current Assignee
Beijing Information Science and Technology University
Original Assignee
Beijing Information Science and Technology University

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The invention provides a trusted network, together with a method and a system for constructing it, and solves the technical problem that existing networks cannot form trust processing efficiently. The trusted network comprises: a trust anchor, used for distributing an identity identifier to a trusted entity, forming a binding between the verification information of the trusted entity and the identity identifier, and forming a trust process by responding to a trust request with the verification information; an identifier resolution component, used for establishing a regional characteristic dynamic mapping among IP address information, public domain name information and identity identifier information, and responding to information requests according to that mapping; and an authentication component, used for carrying out the regional characteristic dynamic mapping and caching of verification information, receiving access data within its region or transmission data bound for outside the region to form a trust request, and acquiring the verification information of the trust process through the regional characteristic dynamic mapping. The function and form of the name and address resolution system in the original STiP model are separated and improved, the functional redundancy of the original system is removed, and the overall efficiency of the system is effectively improved.

Description

Trusted network, trusted network construction method and trusted network construction system
Technical Field
The invention relates to the technical field of network security, in particular to a trusted network, a construction method and a construction system of the trusted network.
Background
In the prior art, there is a secure network configuration formed by using the STiP (Secure and Trusted internet Protocol) model for security and mobility requirements. The STiP model solves network security problems such as source address spoofing, route hijacking and denial of service at the source by introducing intrinsic security mechanisms such as message signature and verification, address/identity authentication and decentralized key management, and is conducive to constructing an autonomous, controllable, safe and reliable Internet environment. The existing secure network configuration is shown in fig. 1. In fig. 1, the STiP model separates the dual functions of IP addresses, and the network structure is divided into an access network and a backbone network. The backbone network manages locations and routes data, and mainly comprises entities such as an ingress tunnel router ITR (Ingress Tunnel Router), an egress tunnel router ETR (Egress Tunnel Router), backbone routers and a name-address mapping resolution server. The access network handles terminal host access, and mainly comprises entities such as an access authentication server and the terminal hosts. The STiP model uses a globally unique secure host identifier SHI (Secure Host Identifier) to identify each end host accessing the network; the host identifier does not participate in global routing.
The secure network configuration introduces intrinsic security mechanisms such as address/identity authentication, message signature and verification, and decentralized key management. In the access network, an access authentication server verifies the authenticity of a terminal host, and a mapping server binds to the terminal host information such as its host identifier, the RLOC of the region where it is located, and a public/private key pair. The terminal host signs each message with its private key, and the access authentication server can obtain the public key bound to the source host identifier by querying the mapping server in order to authenticate data packets from the terminal host, so that the address/identity authenticity problem is fundamentally solved at the source.
In the prior secure network configuration, the access authentication server verifies the identity and data content of the sender by querying the mapping resolution server for the public key information corresponding to the sender's secure host identifier SHI (Secure Host Identifier), and the mapping resolution server carries multiple functions such as address resolution, access authentication and key management. The logical processing chain of the service functions is too long, the functional logic is not divided, and technical problems such as variable-length network identifiers (IDs), privacy protection, and the coordination and integration of real-name or anonymous verification of data packets remain to be solved. Existing secure network configurations, which lean toward theoretical models, do not improve the overall system efficiency of the secure network.
Disclosure of Invention
In view of the above problems, embodiments of the present invention provide a trusted network, a method for constructing the trusted network, and a system for constructing the trusted network, which solve the technical problem that the existing network cannot efficiently form trusted processing.
The trusted network of the embodiment of the invention comprises the following components:
the trust anchor is used for distributing an identity identifier to a trusted entity, forming a binding between the verification information of the trusted entity and the identity identifier, and forming a trust process by responding to a trust request with the verification information;
the identifier resolution component is used for establishing a regional characteristic dynamic mapping among IP address information, public domain name information and the identity identifier information, and responding to information requests according to the regional characteristic dynamic mapping;
and the authentication component is used for carrying out the regional characteristic dynamic mapping and the caching of verification information, receiving access data within its region or transmission data bound for outside the region to form a trust request, and acquiring the verification information of the trust process through the regional characteristic dynamic mapping.
The trusted network construction method of the embodiment of the invention comprises the following steps:
distributing an identity identifier to a trusted entity, forming a binding between the verification information of the trusted entity and the identity identifier, and forming a trust process by responding to a trust request with the verification information;
establishing a regional characteristic dynamic mapping among IP address information, public domain name information and the identity identifier information, and responding to information requests according to the regional characteristic dynamic mapping;
and carrying out the regional characteristic dynamic mapping and caching of verification information, receiving access data within the region or transmission data bound for outside the region to form a trust request, and acquiring the verification information of the trust process through the regional characteristic dynamic mapping.
The trusted network construction system of the embodiment of the invention comprises:
the memory is used for respectively storing the program codes of the independent processing procedures in the trusted network construction method;
and a processor for executing the program codes, respectively.
The trusted network, and the method and system for constructing it, separate and improve the functions and forms of the name and address resolution system in the original STiP model to form an independent identifier resolution component and a trust anchor, and combine the functions of the local mapping resolution server and the access authentication server into region-specific authentication components. The three cooperate to complete the main functions of the trust process for data transmission, such as name and address resolution, key management and access authentication, so that the functional redundancy of the original system is removed and the overall efficiency of the system is effectively improved.
Drawings
Fig. 1 is a schematic diagram of a trusted network model in the prior art.
Fig. 2 is a schematic diagram of a trusted network according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of a trusted network according to an embodiment of the present invention.
Fig. 4 is a flowchart of a trusted network construction method according to an embodiment of the present invention.
Detailed Description
The present invention will be further described with reference to the drawings and the detailed description below, in order to make the objects, technical solutions and advantages of the present invention more apparent. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
A trusted network according to an embodiment of the present invention is shown in fig. 2. In fig. 2, the present embodiment includes:
the trust anchor 10 is used for distributing an identity identifier to a trusted entity, forming a binding between the verification information of the trusted entity and the identity identifier, and forming a trust process by responding to a trust request with the verification information.
Those skilled in the art will appreciate that trusted entities include, but are not limited to, devices, users, services, applications or business systems that require a trusted network for data transmission. The trust process comprises registration, authentication, verification and other types or stages of trust processing for a given entity. Registration gives the trusted entity a definite identity identifier, after which effective verification can be provided according to the trust requirement, so that the other trust processes of the trusted entity can be carried out.
As will be appreciated by those skilled in the art, the trust anchor may be constructed using a decentralised trusted federation architecture to form a unified identity registration and authentication system for trusted entities across the whole network. In one embodiment of the invention the trust process may be implemented by a smart contract or a business process.
The identifier resolution component 20 is configured to establish a dynamic mapping of the area characteristics of the IP address information, the public domain name information, and the identity identifier information, and to respond to the information request according to the dynamic mapping of the area characteristics.
It will be appreciated by those skilled in the art that IP address information in the existing public network includes, but is not limited to, address coding information and geographical range information, and that public domain name information in the existing public network includes, but is not limited to, hierarchy information, domain name membership information and address information. The identity identifier information includes, but is not limited to, trusted information such as the character content of the identifier, its encoded content and its logical level. Through dynamic mapping, public network information and trusted information can be associated as needed, forming a real-time, region-specific information representation that follows the mobility of a trusted entity. The information request includes query requests and cache requests for address information and identity identifier information within the region.
The authentication component 30 is configured to carry out the regional characteristic dynamic mapping and the caching of verification information, receive access data within its region or transmission data bound for outside the region to form a trust request, and obtain the verification information of the trust process through the regional characteristic dynamic mapping.
The authentication component caches, as needed, the regional characteristic dynamic mapping of its region and the verification information used by repeated trust processes. A trust request may originate from the authentication component itself, or from a trusted entity and be formed through the authentication component. The authentication component serves as an access node and is regional: combined with the regional characteristic dynamic mapping, it can determine the approximate region of the trusted entity referred to by the source or destination address of the transmission data, which narrows the retrieval range of the verification information and improves retrieval efficiency. The regional characteristic dynamic mapping data may be associated with the region in which the authentication component is located to form a regional characteristic dynamic mapping subset.
The trusted network structure of an embodiment of the present invention is shown in fig. 3. In fig. 3, an authentication component 30 is provided at the edge of the backbone transport network and forms data connections with the trust anchor 10 and the identifier resolution component 20 respectively, in response to connection requests and trust requests of trusted entities.
The trusted network of the embodiment of the invention separates and improves the functions and forms of the name and address resolution system in the original STiP model to form an independent identifier resolution component and a trust anchor, and combines the functions of the local mapping resolution server and the access authentication server into a region-specific authentication gateway. The three cooperate to complete the main functions of the trust process for data transmission, such as name and address resolution, key management and access authentication, so that the functional redundancy of the original system is removed and the overall efficiency of the system is effectively improved.
As shown in fig. 2, in one embodiment of the present invention, the trust anchor 10 comprises:
identifier setting means 11 for forming unique identification information of the trusted entity according to the type of the trust request.
Those skilled in the art will appreciate that the trust request may come from a hardware device or a user belonging to the trusted entity, and that the trust request type may be a registration request or a verification request of the trusted entity at the trust anchor. The unique identification information comprises at least an identity identifier, and may also comprise a correspondingly allocated asymmetric key pair and correspondingly formed unique hash data. Identity identifiers may be combined with one another on the basis of an association between a device and a user. One key of the asymmetric key pair, together with the identity identifier, is granted to the requesting trusted entity.
An identifier storage means 12 for forming a storage data structure storing the formed identity identifier information.
In one embodiment of the invention, hierarchical naming may follow a domain-name style naming scheme. A high-level radix tree storage structure is used to store the identity identifiers, which effectively improves the efficiency of storing and querying massive numbers of identity identifiers and forms an associated information mapping store for them.
Verification information forming means 13 for forming an information mapping between the standard verification information of the trusted entity and the identity identifier.
The standard verification information comprises at least a hash value and public key information corresponding to the identity identifier; the hash value and the public key can each be queried from the other, and the hash value can be used to query the identity identifier. The standard verification information is used by each node to anonymously verify data packets during data transmission in the trusted network.
As shown in FIG. 2, in one embodiment of the present invention, the trust anchor 10 further comprises:
verification information adding means 14 for forming an information mapping between additional verification information of the device or user and the identity identifier.
The additional verification information includes, but is not limited to, trusted entity identity information such as biometric fingerprint information and face information. This raises the difficulty of forging a trusted entity's information and ensures the uniqueness and security of the user's trusted digital identity.
The trusted network of the embodiment of the invention can realize end-to-end anonymous verification for both communicating parties. To solve the problems of variable-length network identifiers (IDs) and privacy protection, the trusted network hashes the identity identifier to form fixed-length substitute identifier information. At the same time, the trust processes of registration, query and verification of trusted entities become more flexible and diverse, the rigid form of those processes is avoided, and users get a convenient and fast digital identity authentication experience. The loss of processing efficiency caused by storing massive numbers of network identifiers contiguously is effectively resolved, the tree depth is further reduced while the stored content is preserved without loss, and the retrieval efficiency for massive data in the system is effectively improved.
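The trust anchor described above, with its identifier setting, tree-structured identifier storage and the hash/public-key/identifier mappings that make up the standard verification information, as an added illustrative implementation; this is example code, not the patent's or the university's own, and the label trie standing in for the radix tree, the Ed25519 key pair and the SHA-256 identifier hash are assumptions, since the patent does not fix those algorithms.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Grant is what the trust anchor hands back on registration: the identity
// identifier, its fixed-length hash (the on-wire substitute for the
// variable-length identifier) and the private half of the key pair. The
// public half stays bound to the identifier inside the anchor.
type Grant struct {
	Identifier string
	Hash       string
	PrivateKey ed25519.PrivateKey
}

// node is one label of the hierarchical, domain-name style identifier tree
// (a plain label trie, assumed here in place of the patent's radix tree).
type node struct {
	children map[string]*node
	pub      ed25519.PublicKey // non-nil only on a registered leaf
}

// TrustAnchor holds the identifier tree plus the hash->identifier and
// hash->public key maps that form the "standard verification information".
type TrustAnchor struct {
	root      *node
	idByHash  map[string]string
	pubByHash map[string]ed25519.PublicKey
}

func NewTrustAnchor() *TrustAnchor {
	return &TrustAnchor{root: &node{children: map[string]*node{}},
		idByHash: map[string]string{}, pubByHash: map[string]ed25519.PublicKey{}}
}

// HashIdentifier derives the fixed-length substitute for an identifier
// (SHA-256, hex encoded; an assumption, the patent names no hash function).
func HashIdentifier(id string) string {
	sum := sha256.Sum256([]byte(id))
	return hex.EncodeToString(sum[:])
}

// Register allocates a key pair for a new identifier, stores the public key
// at the identifier's leaf and binds hash <-> identifier and hash -> public key.
func (t *TrustAnchor) Register(id string) (Grant, error) {
	n := t.root
	for _, label := range strings.Split(id, ".") {
		child, ok := n.children[label]
		if !ok {
			child = &node{children: map[string]*node{}}
			n.children[label] = child
		}
		n = child
	}
	if n.pub != nil {
		return Grant{}, errors.New("identifier already registered: " + id)
	}
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	if err != nil {
		return Grant{}, err
	}
	h := HashIdentifier(id)
	n.pub, t.idByHash[h], t.pubByHash[h] = pub, id, pub
	return Grant{Identifier: id, Hash: h, PrivateKey: priv}, nil
}

// Verify is the anonymous check: a node that sees only the hash and a
// signature can validate the packet without learning the identifier.
func (t *TrustAnchor) Verify(hash string, msg, sig []byte) bool {
	pub, ok := t.pubByHash[hash]
	return ok && ed25519.Verify(pub, msg, sig)
}

// Resolve restores the real identifier from its hash (real-name verification).
func (t *TrustAnchor) Resolve(hash string) (string, bool) {
	id, ok := t.idByHash[hash]
	return id, ok
}

// CountUnder counts registered identifiers below a hierarchical prefix such
// as "cn.bistu", showing how the tree scopes a query to one branch.
func (t *TrustAnchor) CountUnder(prefix string) int {
	n := t.root
	for _, label := range strings.Split(prefix, ".") {
		if n = n.children[label]; n == nil {
			return 0
		}
	}
	return countLeaves(n)
}

func countLeaves(n *node) int {
	c := 0
	if n.pub != nil {
		c++
	}
	for _, ch := range n.children {
		c += countLeaves(ch)
	}
	return c
}

func main() {
	anchor := NewTrustAnchor()
	g, _ := anchor.Register("cn.bistu.lab.sensor01") // constructed sample identifier
	sig := ed25519.Sign(g.PrivateKey, []byte("hello"))
	fmt.Println("hash prefix:", g.Hash[:16], "anonymous verify:", anchor.Verify(g.Hash, []byte("hello"), sig))
}
```

Verify and Resolve are deliberately separate: a relay node needs only the hash-to-public-key binding, so it can check a signature without ever being able to recover the identifier, while Resolve is the privileged path used only when real-name verification is required.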
As shown in fig. 2, in an embodiment of the present invention, the identity resolution component 20 includes:
the public domain information mapping device 21 is configured to establish a public domain mapping table of IP address information and public domain information, and form a conversion path between the IP address information and corresponding public domain information in the existing public network.
Information already present in the existing public network is fully exploited, and the planning stability of the public network is used to form mappings between geographic-dimension information such as IP address, physical address and spatial position and the geographic characteristics of that information.
The trusted information mapping device 22 is configured to establish an identification mapping table of the hash value and the identity identifier, and form a conversion path between public trusted information and other trusted information in the trusted network.
Low-information-load characteristic data in the trusted network is used as public data to establish a limited mapping to the other, more important data, so that the security of the important data is fully ensured.
The geographic dimension mapping device 23 is configured to form geographic filtering conditions between the existing public network and the trusted network, and establish dynamic mapping of the regional characteristics of the identification mapping table in the geographic space of the public domain mapping table.
The formation of the regional characteristic dynamic mapping (table) takes geographical dimensions such as addresses, space positions and the like as dividing conditions and searching conditions of massive important data in the trusted network, and realizes efficient query and regional division of massive identity identifier information by utilizing specific information dimensions of the public network.
The trusted network of the embodiment of the invention constructs a mapping table of identity identifier to hash value and a new mapping table of IP address to public domain information. By resolving these mapping relations in a complex network environment, the information corresponding to an identified object (such as its address and spatial position) can be obtained accurately and efficiently. The public domain mapping table stored in the identifier resolution component, holding IP address information against public domain information, is used to convert between IP address information and the corresponding public domain information in the existing network. The identifier resolution component also stores an identification mapping table of hash value against network identifier (ID); because the number of network IDs is huge and searching them is inefficient, the identification mapping table is partitioned by public domain (domain name and similar information) to improve search efficiency. When a data packet is transmitted anonymously through the network, the real network ID of the sender can be restored from the hash value of its network ID, achieving real-name verification. Thus, during anonymous transmission of a data packet, either anonymous or real-name verification can be carried out on the packet as required.
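The identifier resolution component of devices 21 to 23, as an added example that is not part of the patent: a public domain mapping table keyed by IP prefix, an identification mapping table of hash to identifier partitioned by region, and a lookup that uses the packet's source IP as the geographic filter so that only the selected partition is consulted first. The CIDR prefixes, region names and hash strings are constructed sample values, and the fallback scan of other partitions when an entity has moved is this example's design choice, not something the patent prescribes.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// PublicDomainEntry is one row of the public domain mapping table: an IP
// prefix of the existing public network and the public domain information
// (domain name and geographic region) it belongs to.
type PublicDomainEntry struct {
	Prefix *net.IPNet
	Domain string
	Region string
}

// IdentifierResolver holds the public domain mapping table and the
// identification mapping table, the latter partitioned by region so that a
// lookup consults only the partition the geography selects.
type IdentifierResolver struct {
	publicDomain []PublicDomainEntry
	byRegion     map[string]map[string]string // region -> hash -> identifier
}

func NewIdentifierResolver() *IdentifierResolver {
	return &IdentifierResolver{byRegion: map[string]map[string]string{}}
}

// AddPublicDomain registers an IP prefix with its domain and region.
func (r *IdentifierResolver) AddPublicDomain(cidr, domain, region string) error {
	_, prefix, err := net.ParseCIDR(cidr)
	if err != nil {
		return err
	}
	r.publicDomain = append(r.publicDomain, PublicDomainEntry{Prefix: prefix, Domain: domain, Region: region})
	return nil
}

// AddIdentifier places a hash -> identifier binding in a region's partition.
func (r *IdentifierResolver) AddIdentifier(region, hash, id string) {
	if r.byRegion[region] == nil {
		r.byRegion[region] = map[string]string{}
	}
	r.byRegion[region][hash] = id
}

// MoveIdentifier re-homes a binding when the entity moves; this is the
// synchronisation the authentication component requests after a move.
func (r *IdentifierResolver) MoveIdentifier(from, to, hash string) error {
	id, ok := r.byRegion[from][hash]
	if !ok {
		return errors.New("hash not registered in source region " + from)
	}
	delete(r.byRegion[from], hash)
	r.AddIdentifier(to, hash, id)
	return nil
}

// DomainOf converts an IP address into its public domain information.
func (r *IdentifierResolver) DomainOf(ip string) (PublicDomainEntry, bool) {
	addr := net.ParseIP(ip)
	for _, e := range r.publicDomain {
		if addr != nil && e.Prefix.Contains(addr) {
			return e, true
		}
	}
	return PublicDomainEntry{}, false
}

// Resolution reports the identifier found, the partition that answered and
// the total size of the partitions consulted on the way.
type Resolution struct {
	Identifier string
	Region     string
	Scanned    int
}

// ResolveHash uses the source IP as the geographic filter: the partition of
// that IP's region is consulted first, and only if the entity is absent
// there (for example because it moved) are the other partitions consulted.
func (r *IdentifierResolver) ResolveHash(srcIP, hash string) (Resolution, error) {
	scanned := 0
	home, ok := r.DomainOf(srcIP)
	if ok {
		scanned += len(r.byRegion[home.Region])
		if id, found := r.byRegion[home.Region][hash]; found {
			return Resolution{id, home.Region, scanned}, nil
		}
	}
	for region, part := range r.byRegion {
		if ok && region == home.Region {
			continue
		}
		scanned += len(part)
		if id, found := part[hash]; found {
			return Resolution{id, region, scanned}, nil
		}
	}
	return Resolution{Scanned: scanned}, errors.New("hash unknown: " + hash)
}

// RegionalSubset is the slice of the mapping an authentication component
// located in the given region would cache.
func (r *IdentifierResolver) RegionalSubset(region string) map[string]string {
	out := map[string]string{}
	for h, id := range r.byRegion[region] {
		out[h] = id
	}
	return out
}

func main() {
	r := NewIdentifierResolver()
	_ = r.AddPublicDomain("10.1.0.0/16", "bj.example", "cn-bj") // constructed sample rows
	r.AddIdentifier("cn-bj", "h-bj-1", "cn.bj.dev1")
	fmt.Println(r.ResolveHash("10.1.5.9", "h-bj-1"))
}
```

The Scanned field makes the efficiency argument of the text observable: a hash homed in the region that the source IP selects is found after consulting only that partition, while a moved entity costs an extra pass over the remaining partitions until MoveIdentifier has re-homed it.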
As shown in fig. 2, in one embodiment of the present invention, the authentication component 30 includes:
and the regional mapping caching device 31 is used for caching the regional characteristic dynamic mapping of the region.
The public domain mapping table and the identification mapping table of the local area can be dynamically mapped by the regional characteristics, and the identity verification of anonymity or real name can be carried out on the accessed trusted entity according to the requirements.
When the trusted entity moves, firstly, the authentication component in the area is informed to update relevant information, and the authentication component informs the identification analysis component to synchronize the dynamic mapping of the area characteristics.
The access information identifying device 32 is configured to receive access data of the trusted entity and identify data to be verified.
The data to be verified includes, but is not limited to, the identity identifiers, hash values and digital signatures of both the trusted entity and the authentication component. The trusted authority may hash the identity identifier in the message to anonymize it. Identifying the data to be verified includes interacting with the identifier resolution component to obtain the identification information of the gateway or trusted entity in the area.
The access authentication response device 33 is used for forming a trust process from the data to be verified in response to an authentication request of the trusted entity.
This device forms a trust request from the identification information and interacts with the trust anchor to form a trust process that confirms the trusted entity. The data to be verified comprises the identification information of the gateway or trusted entity in the area, obtained through interaction with the identifier resolution component.
The transmission data identification device 34 is used for identifying the data to be trusted and the data payload in the transmission data.
When gateways communicate, the data to be trusted includes, but is not limited to, the IP address information of both gateways, the identity identifiers of both gateways, the hash values of those identifiers and the digital signatures. The data to be trusted comprises the identification information of the gateway or trusted entity in the area, obtained through interaction with the identifier resolution component.
The transmission authentication response device 35 is configured to form a trust process from the data to be trusted in response to a trust request for the data payload.
This device forms a trust request from the identification information and interacts with the trust anchor to form a trust process that confirms the trusted entity.
The trusted network of the embodiment of the invention provides trusted access authentication for various kinds of trusted entities and ensures the safety and reliability of the network from the source. An entity accesses the trusted network through mutual authentication with the authentication component and thereby becomes a trusted entity, so that the authenticity and credibility of its access messages are verified within the area. Obtaining the identity information bound to the identity identifier by querying the trust anchor through the authentication component simplifies the system overhead of the trust process, and the identifier hash formed by the authentication component normalizes and hides the identifier, increasing the privacy of the identity identifier in the message. Using the regional characteristic dynamic mapping, anonymous or real-name verification of the sender's identity and data content can be carried out as required, which effectively improves verification efficiency.
The trusted network construction method according to an embodiment of the present invention is shown in fig. 4. In fig. 4, the present embodiment includes:
step 110: distributing an identity identifier to a trusted entity, forming a binding between the verification information of the trusted entity and the identity identifier, and forming a trust process by responding to a trust request with the verification information.
Step 120: establishing a regional characteristic dynamic mapping among IP address information, public domain name information and the identity identifier information, and responding to information requests according to the regional characteristic dynamic mapping.
Step 130: carrying out the regional characteristic dynamic mapping and caching of verification information, receiving access data within the region or transmission data bound for outside the region to form a trust request, and obtaining the verification information of the trust process through the regional characteristic dynamic mapping.
As shown in fig. 4, in an embodiment of the present invention, step 110 includes:
step 111: forming unique identification information of the trusted entity according to the trust request type.
Step 112: a storage data structure is formed, storing the formed identity identifier information.
Step 113: and forming an information mapping between the standard verification information of the trusted entity and the identity identifier.
As shown in fig. 4, in an embodiment of the present invention, step 110 further includes:
step 114: additional authentication information of the device or user is mapped with the identity identifier.
As shown in fig. 4, in an embodiment of the present invention, step 120 includes:
step 121: and establishing a public domain mapping table of the IP address information and the public domain information to form a conversion path between the IP address information and the corresponding public domain information in the existing public network.
Step 122: and establishing an identification mapping table of the hash value and the identity identifier to form a conversion path between public trusted information and other trusted information in the trusted network.
Step 123: and forming geographic filtering conditions between the existing public network and the trusted network, and establishing regional characteristic dynamic mapping of the identification mapping table in the geographic space of the public domain mapping table.
As shown in Fig. 4, in an embodiment of the present invention, step 130 includes:
Step 131: cache the regional characteristic dynamic mapping of the local region.
Step 132: receive access data from a trusted entity and identify the data to be verified.
Step 133: in response to the authentication request of the trusted entity, form the trust process from the data to be verified.
Step 134: identify the data to be trusted and the data load in the transmission data.
Step 135: in response to the trust request of the data load, form the trust process from the data to be trusted.
The trusted network construction system according to an embodiment of the present invention comprises:
a memory for storing the program code of each independent process in the trusted network construction method; and
a processor for executing the program code of each independent process in the trusted network construction method.
The processor may be a DSP (digital signal processor), an FPGA (field-programmable gate array), an MCU (microcontroller unit) system board, an SoC (system on a chip) system board, or a PLC (programmable logic controller) minimum system including I/O.
The anonymous/real-name verification process using the trusted network in one embodiment of the invention is as follows:
Sending end:
1. The sending terminal hashes its identity identifier, signs the data packet, and passes the signed packet to the sending-end authentication component;
2. The sending-end authentication component verifies the received packet against the corresponding information in its cache or at the trust anchor;
3. The sending-end authentication component converts the public domain name information of both parties into the corresponding IP address information using its cache or the identifier resolution component;
4. The sending-end authentication component forwards the packet to the receiving-end authentication component;
Receiving end:
5. The receiving-end authentication component performs anonymous or real-name verification of the received packet against the corresponding information in its cache, at the trust anchor, or at the identifier resolution component;
6. After verification succeeds, the receiving-end authentication component looks up the identity identifier of the receiving terminal;
7. The receiving-end authentication component delivers the packet to the receiving terminal corresponding to that identity identifier.
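As an added illustration that is not part of the patent, the following Go program puts construction steps 110 to 135 and the seven-step exchange above into one runnable process. It assumes SHA-256 as the hash operation and Ed25519 as the signature scheme (the patent names neither), folds the trust anchor, identifier resolution component and authentication components into a single in-memory structure with plain maps in place of the radix tree of claim 3, represents the geographic filter of step 123 as a region label on each entity, and reduces steps 4, 6 and 7 to a domain-name-to-address lookup. All identifiers, domain names and addresses are constructed sample values. Two things the patent leaves open are deliberately not filled in: the signed packet carries no nonce or timestamp, so a replayed packet would verify, and nothing here protects the trust anchor's own bindings.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entity is a trusted entity as the trust anchor records it; only Hash is ever placed on the wire.
type Entity struct {
	ID, Hash, Region string
	Pub              ed25519.PublicKey
}

// Network holds the trust anchor's bindings and the resolver's two mapping tables.
type Network struct {
	byID       map[string]*Entity // trust anchor: identifier -> verification information
	hashToID   map[string]string  // identification mapping table (step 122): hash -> identifier
	domainToIP map[string]string  // public domain mapping table (step 121): domain name -> IP
}

func NewNetwork() *Network {
	return &Network{map[string]*Entity{}, map[string]string{}, map[string]string{}}
}

// HashID is the hash operation of exchange step 1; SHA-256 is this example's choice.
func HashID(id string) string {
	h := sha256.Sum256([]byte(id))
	return hex.EncodeToString(h[:])
}

// Register performs steps 111-113, 121 and 122: bind a fresh Ed25519 key and the hash to the identifier.
func (n *Network) Register(id, domain, ip, region string) ed25519.PrivateKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if the OS RNG does
	e := &Entity{ID: id, Hash: HashID(id), Region: region, Pub: pub}
	n.byID[id], n.hashToID[e.Hash], n.domainToIP[domain] = e, id, ip
	return priv
}

// RegionalCache is what an authentication component holds after step 131: the
// entries the geographic filter of step 123 admits for its region, keyed by hash.
func (n *Network) RegionalCache(region string) map[string]*Entity {
	c := map[string]*Entity{}
	for _, e := range n.byID {
		if e.Region == region {
			c[e.Hash] = e
		}
	}
	return c
}

// Packet is exchange step 1's unit: sender hash, destination domain name, payload, signature over them.
type Packet struct {
	SenderHash, DstDomain string
	Payload, Sig          []byte
}

func (p Packet) signedBytes() []byte {
	return []byte(p.SenderHash + "|" + p.DstDomain + "|" + string(p.Payload))
}

func Send(priv ed25519.PrivateKey, senderID, dstDomain string, payload []byte) Packet {
	p := Packet{SenderHash: HashID(senderID), DstDomain: dstDomain, Payload: payload}
	p.Sig = ed25519.Sign(priv, p.signedBytes())
	return p
}

// Verify is exchange steps 2 and 5: regional cache first, trust anchor on a miss, then the signature.
// Anonymous mode stops there; real-name mode also maps the hash back to the identifier.
func (n *Network) Verify(cache map[string]*Entity, p Packet, realName bool) (string, error) {
	e, ok := cache[p.SenderHash]
	if !ok {
		e, ok = n.byID[n.hashToID[p.SenderHash]]
	}
	if !ok || !ed25519.Verify(e.Pub, p.signedBytes(), p.Sig) {
		return "", fmt.Errorf("rejected packet from %s", p.SenderHash)
	}
	if realName {
		return e.ID, nil
	}
	return "", nil
}

// Resolve is exchange step 3: public domain name -> IP address ("" if unknown).
func (n *Network) Resolve(domain string) string { return n.domainToIP[domain] }

func main() {
	n := NewNetwork() // constructed sample entities; addresses are documentation ranges
	alice := n.Register("cn.beijing.user.alice", "alice.example", "203.0.113.10", "beijing")
	n.Register("cn.shanghai.user.bob", "bob.example", "198.51.100.7", "shanghai")
	p := Send(alice, "cn.beijing.user.alice", "bob.example", []byte("hello"))
	_, sendErr := n.Verify(n.RegionalCache("beijing"), p, false) // sending end: anonymous
	id, recvErr := n.Verify(n.RegionalCache("shanghai"), p, true) // receiving end: cache miss, real name
	fmt.Println(sendErr, recvErr, id, "->", n.Resolve(p.DstDomain))
}
```

The two Verify calls in main are the anonymous and real-name modes of step 5: the sending end checks the signature from its own regional cache and never needs the identifier, while the receiving end misses in the Shanghai cache, falls back to the trust anchor's binding and, in real-name mode, recovers the identifier through the identification mapping table. A packet whose payload is altered after signing, or whose sender hash is not registered, is rejected at the first authentication component it reaches.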
The present invention is not limited to the above embodiments; any changes or substitutions readily conceived by those skilled in the art within the technical scope of the present invention are intended to fall within its scope. The protection scope of the present invention is therefore defined by the claims.

Claims (10)

1. A trusted network, comprising:
a trust anchor for assigning an identity identifier to a trusted entity, forming a binding between the verification information of the trusted entity and the identity identifier, and forming a trust process by responding to a trust request with the verification information;
an identifier resolution component for establishing a regional characteristic dynamic mapping of IP address information, public domain name information and the identity identifier information, and responding to an information request according to the regional characteristic dynamic mapping; and
an authentication component for performing the regional characteristic dynamic mapping and caching the verification information, receiving access data from inside the region or transmission data from outside the region to form a trust request, and obtaining the verification information for the trust process through the regional characteristic dynamic mapping;
wherein the identifier resolution component comprises:
a public domain name mapping device for establishing a public domain mapping table between IP address information and public domain name information, forming a conversion path between an IP address and the corresponding public domain name in the existing public network; and
a trusted information mapping device for establishing an identification mapping table between hash values and identity identifiers, forming a conversion path between public trusted information and other trusted information inside the trusted network.
2. The trusted network of claim 1, wherein the trust anchor comprises:
an identifier setting device for forming unique identification information of the trusted entity according to the type of trust request;
an identifier storage device for forming a storage data structure that stores the formed identity identifier information; and
a verification information forming device for forming an information mapping between the standard verification information of the trusted entity and the identity identifier, wherein the standard verification information comprises hash value information and public key information.
3. The trusted network of claim 2, wherein the identifier storage device stores the formed identity identifier information in a radix tree storage data structure formed by hierarchical naming, and the trust anchor further comprises:
an authentication information adding device for forming an information mapping between additional authentication information of the device or user and the identity identifier.
4. The trusted network of claim 1, wherein the identifier resolution component further comprises:
a geographic dimension mapping device for forming geographic filtering conditions between the existing public network and the trusted network, and establishing the regional characteristic dynamic mapping of the identification mapping table within the geographic space of the public domain mapping table.
5. The trusted network of claim 1, wherein the authentication component comprises:
a regional mapping caching device for caching the regional characteristic dynamic mapping of its region;
an access information identification device for receiving access data from the trusted entity and identifying the data to be verified;
an access authentication response device for responding to the authentication request of the trusted entity and forming the trust process from the data to be verified;
a transmission data identification device for identifying the data to be trusted and the data load in the transmission data; and
a transmission authentication response device for responding to the trust request of the data load and forming the trust process from the data to be trusted.
6. A trusted network construction method, comprising:
assigning an identity identifier to a trusted entity, forming a binding between the verification information of the trusted entity and the identity identifier, and forming a trust process by responding to a trust request with the verification information;
establishing a regional characteristic dynamic mapping of IP address information, public domain name information and the identity identifier information, and responding to an information request according to the regional characteristic dynamic mapping; and
performing the regional characteristic dynamic mapping and caching the verification information, receiving access data from inside a region or transmission data from outside the region to form a trust request, and obtaining the verification information for the trust process through the regional characteristic dynamic mapping;
wherein establishing the regional characteristic dynamic mapping of the IP address information, the public domain name information and the identity identifier information comprises:
establishing a public domain mapping table between IP address information and public domain name information, forming a conversion path between an IP address and the corresponding public domain name in the existing public network; and
establishing an identification mapping table between hash values and identity identifiers, forming a conversion path between public trusted information and other trusted information inside the trusted network.
7. The trusted network construction method of claim 6, wherein assigning an identity identifier to a trusted entity and forming a binding between the verification information of the trusted entity and the identity identifier comprises:
forming unique identification information of the trusted entity according to the type of trust request;
forming a storage data structure to store the formed identity identifier information; and
forming an information mapping between the standard verification information of the trusted entity and the identity identifier.
8. The trusted network construction method of claim 6, wherein establishing the regional characteristic dynamic mapping of the IP address information, the public domain name information and the identity identifier information further comprises:
forming geographic filtering conditions between the existing public network and the trusted network, and establishing the regional characteristic dynamic mapping of the identification mapping table within the geographic space of the public domain mapping table.
9. The trusted network construction method of claim 6, wherein receiving access data from inside the region or transmission data from outside the region to form a trust request, and obtaining the verification information for the trust process through the regional characteristic dynamic mapping, comprises:
caching the regional characteristic dynamic mapping of the region;
receiving access data from a trusted entity and identifying the data to be verified;
in response to the authentication request of the trusted entity, forming the trust process from the data to be verified;
identifying the data to be trusted and the data load in the transmission data; and
in response to the trust request of the data load, forming the trust process from the data to be trusted.
10. A trusted network construction system, comprising:
a memory for storing the program code of each independent process in the trusted network construction method of any one of claims 6 to 9; and
a processor for executing that program code.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110155603.9A CN112995139B (en) 2021-02-04 2021-02-04 Trusted network, trusted network construction method and trusted network construction system


Publications (2)

Publication Number Publication Date
CN112995139A CN112995139A (en) 2021-06-18
CN112995139B true CN112995139B (en) 2023-06-02

Family

ID=76347107


Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116963050B (en) * 2023-09-21 2023-11-28 明阳时创(北京)科技有限公司 Trusted communication method and system based on end-to-end IPv6 password identification

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102055812A (en) * 2009-11-02 2011-05-11 中兴通讯股份有限公司 Method and system for realizing identifier and locator mapping
CN102164149A (en) * 2011-05-17 2011-08-24 北京交通大学 Method for guarding against mapping cheat based on identifying separation mapping network
CN105162602A (en) * 2015-09-01 2015-12-16 中国互联网络信息中心 Trusted network identity management and verification system and method
WO2016075467A1 (en) * 2014-11-12 2016-05-19 Thales Holdings Uk Plc Network based identity federation
CN108243190A (en) * 2018-01-09 2018-07-03 北京信息科技大学 The credible management method and system of a kind of network identity



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant