CN115589321A - Security context isolation policy negotiation method, device, equipment and storage medium - Google Patents
Security context isolation policy negotiation method, device, equipment and storage medium
- Publication number: CN115589321A
- Application number: CN202211242578.9A
- Authority: CN (China)
- Legal status: Withdrawn (the legal status shown by Google is an assumption, not a legal conclusion)
Classifications
Both under H04L63/00, network architectures or network communication protocols for network security (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication):
- H04L63/02: for separating internal from external traffic, e.g. firewalls
- H04L63/20: for managing network security; network security policies in general
Abstract
The disclosure provides a security context isolation policy negotiation method, a security context isolation policy negotiation device, an electronic device and a computer-readable storage medium, and relates to the technical field of mobile communication security. The method comprises the following steps: obtaining factor information of a system, such as system performance and service scenario, and generating security context isolation policies of multiple levels; when a supported service is added to the system, obtaining the security requirement information of the service and determining one or more security context isolation policies corresponding to the service; and, according to the security context isolation policies supported by the multiple service participants themselves and their candidate security context isolation policies, determining the security context isolation policy with the highest priority as the target security context isolation policy, so as to complete service security establishment. Embodiments of the disclosure can provide differentiated security context isolation capability for different services and different subdivided applications, optionally provide a policy negotiation mechanism, and allow the system to provide flexible and extensible security guarantee capability for multiple types of application services.
Description
Technical Field
The present disclosure relates to the field of mobile communication security technologies, and in particular, to a method and an apparatus for negotiating a security context isolation policy, an electronic device, and a computer-readable storage medium.
Background
When providing services for different objects, a communication system has different security requirements, which are mainly reflected in aspects of security context isolation such as whether a key is shared with other services and how often a key is refreshed.
However, in existing systems, the design of security context isolation mainly falls into two cases: in the first, all services use the same set of security context isolation mechanisms; in the second, a set of security context isolation mechanisms is customized for each service, so the authentication process is highly repetitive. The first case lacks flexibility and extensibility and makes differentiated security requirements hard to meet. The second case lengthens the time from system design to service availability while increasing the complexity of the system authentication architecture.
It is noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure and therefore may include information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
The present disclosure provides a security context isolation policy negotiation method, apparatus, electronic device and computer readable storage medium, which at least to some extent overcome the problem in the related art that the system cannot provide flexible and extensible security guarantee capability for multi-type application services.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to an aspect of the present disclosure, there is provided a security context isolation policy negotiation method, including:
when a supported service is added to the system, acquiring security requirement information of the service;
determining one or more security context isolation policies corresponding to the service according to the security requirement information;
and negotiating and determining a target security context isolation policy according to the security information of a plurality of service participants.
In one embodiment of the present disclosure, further comprising:
acquiring factor information of the system, wherein the factor information comprises: system performance, service scenario, or industry security information;
and generating a plurality of levels of security context isolation strategies according to the factor information.
In one embodiment of the present disclosure, the security information includes: a security context isolation policy and a candidate security context isolation policy supported by the service participants themselves;
the negotiating and determining a target security context isolation policy according to the security information of the plurality of service participants comprises:
determining a target security context isolation policy set according to the security information of the plurality of service participants;
obtaining the level information of one or more security context isolation policies in the target security context isolation policy set;
and determining the security context isolation policy with the highest priority as the target security context isolation policy.
In one embodiment of the present disclosure, further comprising:
the service participant performs identity authentication and key derivation according to the target security context isolation policy.
In one embodiment of the disclosure, the security context isolation policy comprises: key sharing mode and key freshness.
In one embodiment of the present disclosure, further comprising:
when the security requirement information of the service changes, re-determining one or more security context isolation policies corresponding to the service according to the changed security requirement information.
In one embodiment of the present disclosure, further comprising:
when a service request is initiated, the service request includes the candidate security context isolation policy.
In one embodiment of the present disclosure, further comprising:
when the same service request is initiated again, judging whether the security requirement information or the security information has changed;
and if so, re-acquiring the target security context isolation policy.
According to another aspect of the present disclosure, there is also provided a security context isolation policy negotiation apparatus, including:
a security requirement acquisition module, which, when a supported service is added to the system, acquires security requirement information of the service;
a service policy determining module, which determines one or more security context isolation policies corresponding to the service according to the security requirement information;
and a target policy negotiation module, which negotiates and determines a target security context isolation policy according to the security information of the plurality of service participants.
According to another aspect of the present disclosure, there is also provided an electronic device including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform any one of the security context isolation policy negotiation methods described above via execution of the executable instructions.
According to another aspect of the present disclosure, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the security context isolation policy negotiation method of any one of the above.
The security context isolation policy negotiation method, apparatus, electronic device and computer-readable storage medium provided by embodiments of the present disclosure acquire factor information of a system, such as system performance and service scenario, and generate security context isolation policies of multiple levels; when a supported service is added to the system, they acquire the security requirement information of the service and determine one or more security context isolation policies corresponding to it; and, according to the security context isolation policies supported by the multiple service participants themselves and their candidate security context isolation policies, they determine the security context isolation policy with the highest priority as the target security context isolation policy so as to complete service security establishment. They can thereby provide differentiated security context isolation capabilities for different services and different subdivided applications, optionally provide a policy negotiation mechanism, and allow the system to provide flexible and extensible security guarantee capabilities for multiple types of application services.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
FIG. 1 is a flow chart illustrating a method for negotiating security context isolation policies in an embodiment of the present disclosure;
FIG. 2 is a flow chart illustrating a method for determining a target security context isolation policy by negotiation in an embodiment of the present disclosure;
FIG. 3 is a flow chart illustrating a method for configuring and negotiating security context isolation policies according to an embodiment of the present disclosure;
FIG. 4 is a schematic diagram illustrating a root key isolation approach in an embodiment of the present disclosure;
FIG. 5 is a schematic diagram illustrating another root key isolation approach in an embodiment of the present disclosure;
FIG. 6 is a schematic diagram illustrating another root key isolation method in an embodiment of the present disclosure;
FIG. 7 is a diagram illustrating a security context isolation policy negotiation of a Ranging service in an embodiment of the present disclosure;
FIG. 8 is a diagram illustrating an apparatus for negotiating a security context isolation policy according to an embodiment of the present disclosure;
FIG. 9 is a flow diagram illustrating a method for security context isolation policy communication in an embodiment of the present disclosure;
FIG. 10 shows a block diagram of an electronic device in an embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
SideLink (direct device-to-device connection technology) provides support for broadcast, multicast and unicast communication in out-of-coverage and in-coverage scenarios.
Ranging service is a service based on the SideLink technology, newly introduced in the 3GPP R18 (The 3rd Generation Partnership Project, Release 18) phase.
V2X (vehicle-to-everything) is a communication system dedicated to connecting vehicles with their surroundings.
ProSe (Proximity Service) means that user data can be transmitted directly between terminals without transiting the network.
The present exemplary embodiment will be described in detail below with reference to the drawings and examples.
First, an embodiment of the present disclosure provides a security context isolation policy negotiation method, which may be executed by any electronic device with computing processing capability.
Fig. 1 shows a flowchart of a security context isolation policy negotiation method in an embodiment of the present disclosure, and as shown in fig. 1, the security context isolation policy negotiation method provided in the embodiment of the present disclosure includes the following steps:
S102, when a supported service is added to the system, the security requirement information of the service is obtained.
The security requirement information is requirement information for maintaining confidentiality of the service.
S104, according to the security requirement information, one or more security context isolation strategies corresponding to the service are determined.
In one embodiment, factor information of a system is obtained, and a plurality of levels of security context isolation policies are generated according to the factor information.
In one embodiment, factor information includes, but is not limited to: system performance, service scenario, or industry security information.
In one embodiment, the security context isolation policies include, but are not limited to: key sharing mode and key freshness.
For example, the same root key may be shared between services of the same type that do not require high security context isolation, while services of the same type with high security context isolation requirements need not share a root key.
For example, keys with lower freshness may be set between services of the same type that do not require high security context isolation, and keys with higher freshness between services of the same type that require higher security context isolation.
In one embodiment, when the security requirement information of the service is changed, one or more security context isolation policies corresponding to the service are determined again according to the changed security requirement information.
S106, negotiating and determining a target security context isolation policy according to the security information of the plurality of service participants.
In one embodiment, the security information includes: the service participants themselves support a security context isolation policy and a candidate security context isolation policy.
It should be noted that the candidate security context isolation policies include, but are not limited to: a security context isolation policy that is desired or preferred by the service participants.
In one embodiment, when a service request is initiated, the service request includes, but is not limited to, a candidate security context isolation policy.
In one embodiment, the service participant performs identity authentication and key derivation according to a target security context isolation policy.
In one embodiment, when the same service request is initiated again, it is judged whether the security requirement information or the security information has changed; if so, the target security context isolation policy is obtained again; if not, the target security context isolation policy already corresponding to the service is obtained directly.
In the above embodiment, multiple levels of security context isolation requirements are defined for the system along multiple dimensions, and a service may configure one or more security context isolation policies according to its security requirements. The service participants negotiate and select the security context isolation requirement for the current service according to their own security capabilities and security policies, then perform identity authentication and key derivation. Differentiated security context isolation capabilities can thus be provided for different services and different subdivided applications in the same type of scenario; optionally a policy negotiation mechanism is provided in which the service participants jointly select the security policy; the authentication process can be highly reused; and the method is suited to providing flexible, extensible and dynamically configurable security guarantee capabilities when the communication system supports multiple types of application services.
Fig. 2 is a flowchart illustrating a method for determining a target security context isolation policy negotiation in an embodiment of the present disclosure, and as shown in fig. 2, the method for determining a target security context isolation policy negotiation provided in the embodiment of the present disclosure includes the following steps:
S202, determining a target security context isolation policy set according to the security information of the plurality of service participants.
It should be noted that the security context isolation policies in the target security context isolation policy set all need to satisfy the security context isolation policy and the candidate security context isolation policy that are supported by the service participant itself.
S204, acquiring the level information of one or more security context isolation policies in the target security context isolation policy set;
S206, the security context isolation policy with the highest priority is determined as the target security context isolation policy.
It should be noted that the security context isolation policy with the highest priority may be the one with the highest security level in the target security context isolation policy set.
In the above embodiment, the service participants negotiate and select the security context isolation requirement for the current service according to their own security capabilities and security policies. Differentiated security context isolation capabilities can be provided for different services and different subdivided applications in the same type of scenario; optionally a policy negotiation mechanism is provided in which the service participants jointly select the security policy; and the authentication process can be highly reused, which saves resources.
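The selection in S202 to S206, together with the repeated-request check described under S106, as an added Python example (not code from the patent; the policy names, level numbers, participant layout and the in-memory store are constructed for illustration, and the page defines no message format):

```python
from dataclasses import dataclass, field

# One policy per row, carrying both dimensions the text names (key sharing mode
# and key freshness) plus a level. Names and numbers are constructed for this
# example; a higher level is assumed to mean stricter isolation.
@dataclass(frozen=True)
class IsolationPolicy:
    name: str
    key_sharing: str     # "service-type" | "per-service" | "per-application"
    freshness_sec: int   # longest key lifetime before a refresh is required
    level: int           # priority used in S206: the highest level wins

POLICIES = {
    "L1": IsolationPolicy("L1", "service-type", 86400, 1),
    "L2": IsolationPolicy("L2", "per-service", 3600, 2),
    "L3": IsolationPolicy("L3", "per-application", 600, 3),
}

@dataclass
class Participant:
    ident: str
    supported: frozenset   # policies advertised in the security capability
    candidates: frozenset  # desired/preferred policies carried in the service request

class NegotiationError(Exception):
    """Raised when no policy is common to every participant."""

def target_policy_set(service_policies, participants):
    """S202: every policy configured for the service that each participant
    both supports and lists as a candidate."""
    target = set(service_policies)
    for p in participants:
        target &= p.supported
        target &= p.candidates
    return target

def select_target_policy(service_policies, participants):
    """S204/S206: rank the target set by level and take the strictest policy.
    An empty set is refused outright: falling back to a policy that someone
    did not offer would be a silent downgrade."""
    target = target_policy_set(service_policies, participants)
    if not target:
        raise NegotiationError("no security context isolation policy common to all participants")
    return max(target, key=lambda name: POLICIES[name].level)

@dataclass
class SecurityContextStore:
    """Remembers the policy chosen for a service together with the inputs it
    was chosen from, so a repeated request reuses the valid context unless the
    security requirement or a participant's security information changed."""
    entries: dict = field(default_factory=dict)

    def resolve(self, service, service_policies, participants):
        fingerprint = (
            frozenset(service_policies),
            tuple((p.ident, p.supported, p.candidates)
                  for p in sorted(participants, key=lambda p: p.ident)),
        )
        cached = self.entries.get(service)
        if cached is not None and cached[0] == fingerprint:
            return cached[1], True            # existing context reused
        chosen = select_target_policy(service_policies, participants)
        self.entries[service] = (fingerprint, chosen)
        return chosen, False                  # freshly negotiated

def demo():
    """One sidelink positioning service with two participants (constructed)."""
    service, configured = "sidelink-positioning", ["L1", "L2", "L3"]
    ue_a = Participant("UE-A", frozenset({"L1", "L2", "L3"}), frozenset({"L2", "L3"}))
    ue_b = Participant("UE-B", frozenset({"L1", "L2"}), frozenset({"L1", "L2"}))
    store = SecurityContextStore()
    first = store.resolve(service, configured, [ue_a, ue_b])    # ("L2", False)
    second = store.resolve(service, configured, [ue_a, ue_b])   # ("L2", True)
    # UE-B's requirement tightens to L3 only, which it does not support itself.
    ue_b_strict = Participant("UE-B", ue_b.supported, frozenset({"L3"}))
    try:
        store.resolve(service, configured, [ue_a, ue_b_strict])
        outcome = "negotiated"
    except NegotiationError:
        outcome = "refused"
    return first, second, outcome

if __name__ == "__main__":
    print(demo())
```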
Fig. 3 is a flowchart illustrating a security context isolation policy configuration and negotiation method in an embodiment of the present disclosure, and as shown in fig. 3, the security context isolation policy configuration and negotiation method provided in the embodiment of the present disclosure includes the following steps:
S302, defining multiple levels of security context isolation policies for the system along multiple dimensions such as the service key sharing mode and key freshness.
In one embodiment, the definition of dimensions and levels may be set by taking into account a variety of factors including system design, typical service scenarios, industry security compliance, and the like.
Taking the root key sharing manner as an example, in the implementation process, root key sharing manners of different levels can be provided for different services and subdivided applications in the services.
A root key is generated after the authentication procedure is performed on the basis of the authentication vector. The same root key can be shared among services of the same type that have low security context isolation requirements. Services of the same type with higher security context isolation requirements need not share a root key: when the authentication procedure is executed, a service-specific root key is derived using user information, session parameters and security parameters specific to the service, and that root key is shared between the subdivided applications within the service. For services of the same type with higher security context isolation requirements, the root key may also not be shared among different subdivided applications, in which case application-specific information is added to the root key derivation when the authentication procedure is performed. The authentication processes in the different modes are highly similar and differ only in the key derivation.
FIG. 4 shows a schematic diagram of a root key isolation method in an embodiment of the present disclosure. As shown in FIG. 4, after an authentication procedure is performed on the basis of a first authentication vector 401, a first root key 402 is generated, and the same first root key 402 is shared among services of the same type that have low security context isolation requirements, the services of the same type including a first service A, a first service B and a first service C;
a first key A403 corresponds to the first service A, a first key B404 to the first service B, and a first key C405 to the first service C;
the first service A, the first service B and the first service C share the first root key 402.
It should be noted that the authentication vector is a five-tuple: the random challenge RAND, the expected authentication response XRES, the network authentication token AUTN, the confidentiality key CK and the integrity key IK.
It should be noted that key hierarchies typically have two or three layers; with two layers, for example, there is a root key and a work key: the root key encrypts the work key, and the work key encrypts the data.
Note that the root key cannot be stored in plain text in a configuration file, nor passed on the command line, and is generally generated from multiple pieces of key material stored in different places.
FIG. 5 is a schematic diagram illustrating another root key isolation method according to an embodiment of the disclosure, as shown in FIG. 5, after performing an authentication procedure based on a second authentication vector 501, a second root key A502, a second root key B503, and a second root key C504 are generated;
the service comprises the following steps: a second service A, a second service B, a second service C;
a second root key A502 corresponding to the second service A, a second root key B503 corresponding to the second service B, and a second root key C504 corresponding to the second service C;
the second service A subdivides a second application service A and a second application service B, the second service B subdivides a second application service C and a second application service D, and the second service C subdivides a second application service E and a second application service F;
the second application service A corresponds to a second key A505, the second application service B to a second key B506, the second application service C to a second key C507, the second application service D to a second key D508, the second application service E to a second key E509, and the second application service F to a second key F510;
the second application service A and the second application service B share a second root key A502; the second application service C and the second application service D share a second root key B503; the second application service E, the second application service F share a second root key C504.
Fig. 6 is a schematic diagram illustrating another root key isolation method in the embodiment of the present disclosure, as shown in fig. 6, after performing an authentication procedure based on a third authentication vector 601, a third root key a602, a third root key B603, and a third root key C604 are generated;
the third service subdivides a third application service A, a third application service B and a third application service C;
the third application service A corresponds to a third key A605, the third application service B to a third key B606, and the third application service C to a third key C607;
the third application service A uses the third root key A602, the third application service B uses the third root key B603, and the third application service C uses the third root key C604;
the third application service A, the third application service B and the third application service C do not share a root key.
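The three root key layouts of FIG. 4 to FIG. 6, as an added Python example (not the patent's or 3GPP's code): a labelled HMAC-SHA256 derivation stands in for the key derivation function, which the page does not specify, and the CK/IK values, service and application identifiers and session parameters are constructed.

```python
import hashlib
import hmac

def kdf(key: bytes, *inputs: bytes) -> bytes:
    """Length-prefixed, labelled HMAC-SHA256 derivation. This KDF is an
    assumption for the example; the page names no KDF and real 3GPP
    deployments use the TS 33.220 one instead."""
    msg = b"".join(len(x).to_bytes(2, "big") + x for x in inputs)
    return hmac.new(key, msg, hashlib.sha256).digest()

def root_key_after_auth(ck: bytes, ik: bytes) -> bytes:
    """The root key produced once the authentication procedure has run on the
    authentication vector; of its five components only CK and IK are secret
    key material, so only they feed the derivation."""
    return kdf(ck + ik, b"root")

def service_root_key(mode: str, base_root: bytes, service_id: bytes,
                     app_id: bytes = b"", user_info: bytes = b"",
                     session: bytes = b"", sec_param: bytes = b"") -> bytes:
    """Root key for one (service, subdivided application) under a sharing mode.
    FIG. 4 "service-type": services of one type use the root key as is.
    FIG. 5 "per-service": a service-specific root key is derived from the
        user, session and security parameters of the service; its subdivided
        applications share it.
    FIG. 6 "per-application": application-specific information is added, so
        no two subdivided applications share a root key."""
    if mode == "service-type":
        return base_root
    if mode == "per-service":
        return kdf(base_root, b"service", service_id, user_info, session, sec_param)
    if mode == "per-application":
        return kdf(base_root, b"application", service_id, app_id,
                   user_info, session, sec_param)
    raise ValueError(f"unknown key sharing mode: {mode}")

def work_key(root: bytes, service_id: bytes, app_id: bytes) -> bytes:
    """Second layer of the key hierarchy noted above: the root key protects a
    work key specific to the service and application, which protects the data."""
    return kdf(root, b"work", service_id, app_id)

def derive_layout(mode: str, base_root: bytes, layout: dict) -> dict:
    """Map (service, application) to (root key, work key) for a whole layout
    such as {b"svc-A": [b"app-A", b"app-B"], ...}. The user/session/security
    parameters are constructed stand-ins for the service-specific inputs."""
    keys = {}
    for service_id, apps in layout.items():
        for app_id in apps:
            root = service_root_key(mode, base_root, service_id, app_id,
                                    user_info=b"user-1", session=b"sess-7",
                                    sec_param=b"alg=AES-128")
            keys[(service_id, app_id)] = (root, work_key(root, service_id, app_id))
    return keys

def count_distinct_root_keys(mode: str, base_root: bytes, layout: dict) -> int:
    """How many distinct root keys the layout ends up with under a mode:
    1 for FIG. 4, one per service for FIG. 5, one per application for FIG. 6."""
    return len({root for root, _ in derive_layout(mode, base_root, layout).values()})

# Constructed CK/IK as if returned by a successful authentication run; not real key material.
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
BASE_ROOT = root_key_after_auth(CK, IK)
# Three services of one type, each with two subdivided applications (as in FIG. 5).
LAYOUT = {b"svc-A": [b"app-A", b"app-B"],
          b"svc-B": [b"app-C", b"app-D"],
          b"svc-C": [b"app-E", b"app-F"]}

if __name__ == "__main__":
    for mode in ("service-type", "per-service", "per-application"):
        print(mode, "distinct root keys:", count_distinct_root_keys(mode, BASE_ROOT, LAYOUT))
```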
S304, when the system introduces the service, the security context isolation strategy is configured, and the service can configure one or more security context isolation strategies according to the security requirement.
It should be noted that, for services with strictly unified security requirements, only one security context isolation policy may be configured, and for services with flexible and extensible security requirements, multiple security context isolation policies may be configured. Table 1 is a schematic table for security context isolation policy configuration.
Table 1 security context isolation policy configuration schematic table.
In implementation, security context isolation policies may be configured at the service level, for example for ProSe services. If multiple subdivided applications are carried on top of a service, configuring security context isolation policies at the subdivided-application level may also be considered, for example for the public safety application of ProSe services and for some other business application.
In implementation, if multiple security context isolation policies are configured for a service, the service participants can negotiate and select among them in real time, and they can base the security negotiation on multiple factors, which gives a higher degree of freedom.
In one embodiment, when the service security requirement changes, dynamic adjustment can be realized by changing the security context isolation policy configuration, and a guarantee is provided for the system to quickly respond and support.
S306, when the service request and the security establishment process are initiated, the service participants carry out security negotiation, and the security context isolation strategy aiming at the current service is negotiated and selected according to the security capability of the service participants and the candidate security context isolation strategy.
In one embodiment, during the negotiation process, the service participants indicate their own supported security context isolation policies in the security capabilities, indicate desired or preferred security context isolation policies in the service request message, and select the highest priority security context isolation policy among the service participants that each service participant supports.
S308, the service participant executes identity authentication and key derivation under the selected security context isolation strategy to complete service security establishment.
In one embodiment, the authentication flow of the service is substantially the same for different security context isolation policies, except that the input parameters for key derivation, key structure, and key security requirements are different.
In one embodiment, when the same service request is initiated a second time and the service participants do not need to change the security context policy, the existing valid security context policy is reused to the maximum extent.
The method can support industry application scenarios including, but not limited to, V2X, ProSe and Ranging.
In the above embodiment, multiple levels of security context isolation requirements are defined for the system along multiple dimensions, and a service may configure one or more security context isolation policies according to its security requirements. The service participants negotiate and select the security context isolation requirement for the current service according to their own security capabilities and security policies, then perform identity authentication and key derivation. Differentiated security context isolation capabilities can thus be provided for different services and different subdivided applications in the same type of scenario; optionally a policy negotiation mechanism is provided in which the service participants jointly select the security policy; the authentication process can be highly reused; and flexible, extensible and dynamically configurable security guarantee capabilities are provided for multiple types of applications.
Fig. 7 shows a negotiation diagram of the security context isolation policy of a Ranging service in an embodiment of the present disclosure. As shown in Fig. 7, the Ranging service includes sub-services such as device discovery, group service support and sidelink positioning, and sidelink positioning may serve multiple application scenarios such as industry, sports and entertainment.
It should be noted that for Ranging services based on the SideLink technology, a security context isolation policy different from that of the V2X and ProSe services is proposed, and the security context isolation policies of the subdivided applications within the Ranging service also differ from one another.
For Ranging services, the security context isolation policy may be configured at the sub-service level. Sub-services with control-plane attributes, such as device discovery and group service support, can be configured with a unified security context isolation policy, that is, the device discovery security policy and the group service support security policy, which are default requirements that all service participants support. The sidelink positioning sub-service can be configured with several security context isolation policies, giving a higher degree of freedom: for example, a sports security policy and an entertainment security policy, between which the service participants freely negotiate the preferred security context isolation policy; and if sidelink positioning is applied in an industrial scenario, the stricter industrial security policy I and industrial security policy II can be specified separately.
Here, the Ranging service vector 701 corresponds to a device discovery root key 702, a group service support root key 703, an industrial sidelink positioning root key 704 and a sidelink positioning root key 705;
the device discovery service corresponds to the device discovery root key 702 and a device discovery key 706;
the group service support service corresponds to the group service support root key 703 and a group service support key 707;
the industrial sidelink positioning service corresponds to the industrial sidelink positioning root key 704, an industrial sidelink positioning key I 708 and an industrial sidelink positioning key II 709;
the sidelink positioning service corresponds to the sidelink positioning root key 705, a sports sidelink positioning key 710 and an entertainment sidelink positioning key 711.
In this embodiment, flexible, extensible and dynamically configurable security guarantee capabilities are provided for Ranging services.
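As an added example (not the patent's own derivation), the following Python builds the Fig. 7 key hierarchy: a Ranging service root is expanded into the per-sub-service root keys 702 to 705, and each of those into the policy keys 706 to 711, using one shared derivation routine whose inputs differ by isolation policy (key sharing mode, freshness), as the description says. HKDF-Expand over HMAC-SHA-256, the label strings and the attributes assigned to each policy are assumptions.

```python
"""Fig. 7 key hierarchy for the Ranging service (added example, not the
patent's own derivation). One derivation routine serves every policy; only
its inputs differ with the isolation policy, as the description states.
HKDF-Expand (RFC 5869) over HMAC-SHA-256, the labels and the policy
attributes are assumptions made for this example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3) with HMAC-SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


@dataclass(frozen=True)
class IsolationPolicy:
    """Two of the isolation dimensions named in the description."""
    name: str
    pairwise: bool           # key sharing mode: True = per peer pair, False = shared
    fresh_per_session: bool  # freshness: mix a per-session nonce into the key


# Constructed policies (assumed attributes) for the sub-services in Fig. 7.
DEFAULT = IsolationPolicy("default", pairwise=False, fresh_per_session=False)
SPORTS = IsolationPolicy("sports", pairwise=False, fresh_per_session=False)
ENTERTAINMENT = IsolationPolicy("entertainment", pairwise=False, fresh_per_session=False)
INDUSTRIAL_I = IsolationPolicy("industrial_I", pairwise=True, fresh_per_session=False)
INDUSTRIAL_II = IsolationPolicy("industrial_II", pairwise=True, fresh_per_session=True)


def service_root_key(ranging_root: bytes, sub_service: str) -> bytes:
    """Level 1 of Fig. 7: Ranging service vector 701 -> per-sub-service root key."""
    return hkdf_expand(ranging_root, b"ranging-root|" + sub_service.encode())


def policy_key(root: bytes, policy: IsolationPolicy, peers: Tuple[str, ...],
               session_nonce: Optional[bytes] = None) -> bytes:
    """Level 2 of Fig. 7: sub-service root key -> policy key.

    The routine is identical for all policies; the policy only decides which
    parameters enter the derivation (key structure and freshness)."""
    info = b"policy|" + policy.name.encode()
    if policy.pairwise:
        # Pairwise sharing: bind the key to the peer pair (order-independent),
        # so each pair under this policy holds a distinct key.
        info += b"|peers|" + b",".join(p.encode() for p in sorted(peers))
    if policy.fresh_per_session:
        # Freshness requirement: a new nonce yields a new key for the same pair.
        if session_nonce is None:
            raise ValueError(f"policy {policy.name} requires a session nonce")
        info += b"|nonce|" + session_nonce
    return hkdf_expand(root, info)


def derive_ranging_keys(ranging_root: bytes, peers: Tuple[str, ...],
                        session_nonce: bytes) -> Dict[str, bytes]:
    """Build the whole Fig. 7 hierarchy for one peer pair; the numbers in the
    comments are the figure's reference numerals."""
    r_discovery = service_root_key(ranging_root, "device_discovery")                  # 702
    r_group = service_root_key(ranging_root, "group_service_support")                 # 703
    r_industrial = service_root_key(ranging_root, "industrial_sidelink_positioning")  # 704
    r_sidelink = service_root_key(ranging_root, "sidelink_positioning")               # 705
    return {
        "device_discovery": policy_key(r_discovery, DEFAULT, peers),                  # 706
        "group_service_support": policy_key(r_group, DEFAULT, peers),                 # 707
        "industrial_I": policy_key(r_industrial, INDUSTRIAL_I, peers),                # 708
        "industrial_II": policy_key(r_industrial, INDUSTRIAL_II, peers, session_nonce),  # 709
        "sports": policy_key(r_sidelink, SPORTS, peers),                              # 710
        "entertainment": policy_key(r_sidelink, ENTERTAINMENT, peers),                # 711
    }


if __name__ == "__main__":
    # Constructed sample input: a fixed service root, one peer pair, one nonce.
    keys = derive_ranging_keys(b"\x01" * 32, ("ue_a", "ue_b"), b"session-0001")
    for name, key in keys.items():
        print(f"{name:22s} {key.hex()}")
```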
Based on the same inventive concept, an embodiment of the present disclosure further provides a security context isolation policy negotiation apparatus, as in the following embodiments. Because the principle by which the apparatus embodiment solves the problem is similar to that of the method embodiment, the apparatus embodiment can be implemented by referring to the implementation of the method embodiment, and repeated details are not described again.
Fig. 8 is a schematic diagram of a security context isolation policy negotiation apparatus in an embodiment of the present disclosure. As shown in Fig. 8, the security context isolation policy negotiation apparatus 8 includes a security requirement acquisition module 801, a service policy determination module 802 and a target policy negotiation module 803;
the security requirement acquisition module 801 is configured to acquire security requirement information of a service when the system adds a support service;
the service policy determination module 802 is configured to determine one or more security context isolation policies corresponding to the service according to the security requirement information;
the target policy negotiation module 803 is configured to negotiate and determine a target security context isolation policy according to the security information of the plurality of service participants.
In the above embodiment, multiple levels of security context isolation requirements are defined for the system in multiple dimensions; a service may configure one or more security context isolation policies according to its security requirements; the service participants negotiate and select the security context isolation requirement for the current service according to their security capabilities and security policies, and then perform identity authentication and key derivation. Differentiated security context isolation capabilities can thus be provided for different services and for different subdivided applications within the same type of scene. Optionally, a policy negotiation mechanism is provided in which the service participants jointly select the security policy; the authentication process can be highly reused, and the apparatus is suitable for providing flexible, extensible and dynamically configurable security guarantee capabilities when multiple types of application services are supported.
Fig. 9 is a flowchart illustrating a security context isolation policy communication method in an embodiment of the present disclosure. As shown in Fig. 9, two service participants, service participant A and service participant B, are taken as an example, and the security context isolation policy communication method provided in the embodiment of the present disclosure includes the following steps:
S902, a service request is sent;
S904, a security context isolation policy is securely negotiated;
S906, bidirectional authentication and key derivation are carried out according to the security context isolation policy;
S908, the service request is received.
In the above embodiment, the service participants negotiate and select the security context isolation requirement for the current service according to their security capabilities and security policies, which can provide differentiated security context isolation capabilities for different services and different subdivided applications in the same type of scene; optionally, a policy negotiation mechanism is provided in which the service participants jointly select the security policy, and the authentication process can be highly reused, thereby saving resources.
As will be appreciated by one skilled in the art, aspects of the present disclosure may be embodied as a system, method or program product. Accordingly, various aspects of the present disclosure may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects, all of which may generally be referred to herein as a "circuit," "module" or "system."
An electronic device 1000 according to this embodiment of the disclosure is described below with reference to fig. 10. The electronic device 1000 shown in fig. 10 is only an example and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 10, the electronic device 1000 is embodied in the form of a general purpose computing device. The components of the electronic device 1000 may include, but are not limited to: the at least one processing unit 1010, the at least one memory unit 1020, and a bus 1030 that couples various system components including the memory unit 1020 and the processing unit 1010.
The storage unit 1020 stores program code that is executable by the processing unit 1010 to cause the processing unit 1010 to perform the steps according to the various exemplary embodiments of the present disclosure described in the "exemplary methods" section above of this specification.
For example, the processing unit 1010 may perform the following steps of the above method embodiments: when the system adds a support service, the security requirement information of the service is acquired; one or more security context isolation policies corresponding to the service are determined according to the security requirement information; and a target security context isolation policy is negotiated and determined according to the security information of the plurality of service participants.
For example, the processing unit 1010 may perform the following steps of the above method embodiments: defining a plurality of levels of security context isolation policies for the system from multiple dimensions such as the service key sharing mode and freshness; configuring a security context isolation policy when the system introduces a service, wherein the service can configure one or more security context isolation policies according to its security requirements; when a service request and a security establishment process are initiated, carrying out security negotiation between the service participants, and negotiating and selecting the security context isolation policy for the current service according to the security capabilities of the service participants and the candidate security context isolation policies; and the service participant executing identity authentication and key derivation under the selected security context isolation policy to complete the establishment of service security.
The storage unit 1020 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 10201 and/or a cache memory unit 10202, and may further include a read-only memory unit (ROM) 10203.
The memory unit 1020 may also include a program/utility 10204 having a set (at least one) of program modules 10205, such program modules 10205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which or some combination thereof may comprise an implementation of a network environment.
The electronic device 1000 may also communicate with one or more external devices 1040 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 1000, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 1000 to communicate with one or more other computing devices. Such communication may occur through input/output (I/O) interfaces 1050. Also, the electronic device 1000 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 1060. As shown, the network adapter 1060 communicates with the other modules of the electronic device 1000 over the bus 1030. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 1000, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, and may also be implemented by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, there is also provided a computer-readable storage medium, which may be a readable signal medium or a readable storage medium. Having stored thereon a program product capable of carrying out the methods of the present disclosure. In some possible embodiments, various aspects of the disclosure may also be implemented in the form of a program product comprising program code for causing a terminal device to perform the steps according to various exemplary embodiments of the disclosure described in the "exemplary methods" section above of this specification, when the program product is run on the terminal device.
For example, the program product in the embodiments of the present disclosure, when executed by a processor, implements a method comprising: when the system adds a support service, acquiring the security requirement information of the service; determining one or more security context isolation policies corresponding to the service according to the security requirement information; and negotiating and determining a target security context isolation policy according to the security information of the plurality of service participants.
For example, the program product in the embodiments of the present disclosure, when executed by a processor, implements a method comprising: defining a plurality of levels of security context isolation policies for the system from multiple dimensions such as the service key sharing mode and freshness; configuring a security context isolation policy when the system introduces a service, wherein the service can configure one or more security context isolation policies according to its security requirements; when a service request and a security establishment process are initiated, carrying out security negotiation between the service participants, and negotiating and selecting the security context isolation policy for the current service according to the security capabilities of the service participants and the candidate security context isolation policies; and the service participant executing identity authentication and key derivation under the selected security context isolation policy to complete the establishment of service security.
For example, the program product in the embodiments of the present disclosure, when executed by a processor, implements a method comprising: determining a target security context isolation policy set according to the security information of the plurality of service participants; acquiring the level information of one or more security context isolation policies in the target security context isolation policy set; and determining the security context isolation policy with the highest priority as the target security context isolation policy.
More specific examples of the computer-readable storage medium in the present disclosure may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
In the present disclosure, a computer readable storage medium may include a propagated data signal with readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Alternatively, program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
In particular implementations, program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In situations involving remote computing devices, the remote computing devices may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to external computing devices (e.g., through the internet using an internet service provider).
It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
Moreover, although the steps of the methods of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that these steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc.
Through the description of the above embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, and may also be implemented by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
Claims (11)
1. A method for negotiating a security context isolation policy, comprising:
when a system increases a support service, acquiring security requirement information of the service;
determining one or more security context isolation policies corresponding to the service according to the security requirement information;
and negotiating and determining a target security context isolation policy according to the security information of the service participants.
2. The security context isolation policy negotiation method of claim 1, further comprising:
acquiring factor information of the system, wherein the factor information comprises: system performance, service scenario or industry security information;
and generating a plurality of levels of security context isolation strategies according to the factor information.
3. The security context isolation policy negotiation method of claim 1, wherein the security information comprises: a security context isolation policy and a candidate security context isolation policy supported by the service participants themselves;
the negotiating and determining a target security context isolation policy according to the security information of the plurality of service participants comprises:
determining a target security context isolation policy set according to the security information of a plurality of the service participants;
obtaining the level information of one or more security context isolation policies in the target security context isolation policy set;
and determining the security context isolation policy with the highest priority as the target security context isolation policy.
4. The security context isolation policy negotiation method of claim 1, further comprising:
the service participant performs identity authentication and key derivation according to the target security context isolation policy.
5. The security context isolation policy negotiation method of claim 1, wherein the security context isolation policy comprises: key sharing mode and key freshness.
6. The security context isolation policy negotiation method of claim 1, further comprising:
and when the security requirement information of the service is changed, re-determining one or more security context isolation policies corresponding to the service according to the changed security requirement information.
7. The security context isolation policy negotiation method of claim 3, further comprising:
when a service request is initiated, the service request includes the candidate security context isolation policy.
8. The security context isolation policy negotiation method of claim 1, further comprising:
when the same service request is initiated again, judging whether the security requirement information or the security information has changed;
and if so, re-acquiring the target security context isolation policy.
9. An apparatus for security context isolation policy negotiation, comprising:
a security requirement acquisition module, which, when a system adds a support service, acquires security requirement information of the service;
a service policy determination module, configured to determine one or more security context isolation policies corresponding to the service according to the security requirement information;
and a target policy negotiation module, which negotiates and determines a target security context isolation policy according to the security information of the plurality of service participants.
10. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the security context isolation policy negotiation method of any one of claims 1 to 8 via execution of the executable instructions.
11. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method of security context isolation policy negotiation of any one of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211242578.9A CN115589321A (en) | 2022-10-11 | 2022-10-11 | Security context isolation policy negotiation method, device, equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115589321A true CN115589321A (en) | 2023-01-10 |
Family
ID=84779903
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115589321A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101192922A (en) * | 2006-11-17 | 2008-06-04 | 中兴通讯股份有限公司 | A method for establishing secure channel between both communication parties |
CN101483860A (en) * | 2009-01-23 | 2009-07-15 | 清华大学 | Negotiation control method based on SIP security policy grade in IMS network |
US20100063903A1 (en) * | 2008-03-10 | 2010-03-11 | Thayne Whipple | Hierarchically applied rules engine ("hare") |
CN101854625A (en) * | 2009-04-03 | 2010-10-06 | 华为技术有限公司 | Selective processing method and device of security algorithm, network entity and communication system |
CN106161378A (en) * | 2015-04-13 | 2016-11-23 | 中国移动通信集团公司 | Security service device, method and business processing device, method and system |
US9660929B1 (en) * | 2015-01-29 | 2017-05-23 | Amdocs Software Systems Limited | System, method, and computer program for segregated policy decision making in the context of network function virtualization orchestration in a communication network |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
WW01 | Invention patent application withdrawn after publication | Application publication date: 20230110 |