CN115865606A - A distributed network construction method under zero trust - Google Patents

A distributed network construction method under zero trust Download PDF

Info

Publication number
CN115865606A
CN115865606A CN202211556084.8A CN202211556084A CN115865606A CN 115865606 A CN115865606 A CN 115865606A CN 202211556084 A CN202211556084 A CN 202211556084A CN 115865606 A CN115865606 A CN 115865606A
Authority
CN
China
Prior art keywords
trust
customer
center
message
pep
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202211556084.8A
Other languages
Chinese (zh)
Other versions
CN115865606B (en
Inventor
何金
张琛馨
李烁
范柏翔
龚亚强
殷博
林永峰
程凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
State Grid Tianjin Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Tianjin Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Tianjin Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Tianjin Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, State Grid Tianjin Electric Power Co Ltd, Information and Telecommunication Branch of State Grid Tianjin Electric Power Co Ltd filed Critical State Grid Corp of China SGCC
Priority to CN202211556084.8A priority Critical patent/CN115865606B/en
Publication of CN115865606A publication Critical patent/CN115865606A/en
Application granted granted Critical
Publication of CN115865606B publication Critical patent/CN115865606B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Computer And Data Communications (AREA)

Abstract

本发明涉及一种零信任框架下分布式网络构建方法,包括以下步骤:步骤1、新客户接入时和代理中心建立连接;步骤2、客户向代理发起订阅消息进行主题订阅;步骤3、客户根据步骤2所订阅的主题进行消息发布。本发明能够在很大程度上提高分布式体系的安全性。

Figure 202211556084

The invention relates to a method for constructing a distributed network under a zero-trust framework, comprising the following steps: step 1, establishing a connection with an agent center when a new client accesses; step 2, the client initiates a subscription message to the agent for topic subscription; step 3, the client Publish messages according to the topics subscribed in step 2. The invention can greatly improve the security of the distributed system.

Figure 202211556084

Description

一种零信任下的分布式网络构建方法A distributed network construction method under zero trust

技术领域technical field

本发明属于信息通信技术领域,涉及一种分布式网络构建方法,尤其是一种零信任下的分布式网络构建方法。The invention belongs to the technical field of information communication, and relates to a distributed network construction method, in particular to a distributed network construction method under zero trust.

背景技术Background technique

如今信息技术日新月异,开放共享成为时代的主流,云计算、分布式计算等开放式计算环境的出现,标志着信息系统逐渐从单域、封闭式向跨域、协作式的方向发展。大数据环境下网络信息资源的繁杂性,使得信息资源和隐私数据的保护更加困难,传统的访问控制模型已无法实现复杂网络环境下隐私信息的保护和机密数据的安全交互,亟需细粒度、灵活性高的访问控制模型,因此基于属性的访问控制模型(ABAC)应运而生。基于属性的访问控制模型能够以细粒度的方式适应复杂网络环境,同时利用属性描述用户和资源,使得自身在灵活性和可扩展性方面有足够的优势,在大型的分布式环境中能够保证匿名访问的安全性。Nowadays, information technology is changing with each passing day, and open sharing has become the mainstream of the times. The emergence of open computing environments such as cloud computing and distributed computing marks the gradual development of information systems from single-domain and closed to cross-domain and collaborative. The complexity of network information resources in the big data environment makes the protection of information resources and private data more difficult. The traditional access control model has been unable to realize the protection of private information and the secure interaction of confidential data in a complex network environment. There is an urgent need for fine-grained, A flexible access control model, so the attribute-based access control model (ABAC) came into being. The attribute-based access control model can adapt to complex network environments in a fine-grained manner, and at the same time use attributes to describe users and resources, so that it has sufficient advantages in flexibility and scalability, and can guarantee anonymity in large-scale distributed environments Security of Access.

针对传统的网络安全模型无法满足内网安全需求,基于零信任的网络安全模型应运而生。对任一访问网络的主体,包括发起访问的人员、发起访问的设备以及被访问的应用,在每次访问时都默认为不可信状态,需要通过持续的身份验证以及访问授权来构建动态访问的信任。这是零信任网络安全模型的核心思想,其本质是以访问主体的身份为中心来进行访问控制。In view of the fact that the traditional network security model cannot meet the security needs of the intranet, a network security model based on zero trust came into being. For any subject that accesses the network, including the person who initiates the access, the device that initiates the access, and the application that is accessed, it is in an untrusted state by default every time it visits, and it is necessary to build a dynamic access system through continuous identity verification and access authorization. trust. This is the core idea of the zero-trust network security model, and its essence is to control access based on the identity of the access subject.

零信任网络和动态访问控制技术的结合是当下物联网安全的研究热点,也是新的发展方向。现有分布式网络安全防护技术因存在“终端(设备)-应用(行为)-用户(角色)”安全认证不足、终端网络访问行为安全监控不足和终端访问控制精细度与动态适应度不足等问题,面临非法终端接入、合法终端被利用攻击和终端非授权恶意访问等安全隐患。The combination of zero-trust network and dynamic access control technology is the current research hotspot of IoT security, and it is also a new development direction. The existing distributed network security protection technology has problems such as insufficient security authentication of "terminal (equipment)-application (behavior)-user (role)", insufficient security monitoring of terminal network access behavior, insufficient fineness and dynamic adaptability of terminal access control, etc. , facing security risks such as illegal terminal access, legitimate terminal attacks, and unauthorized malicious terminal access.

经检索,未发现与本发明相同或相似的已公开的专利文献。After searching, no published patent documents identical or similar to the present invention have been found.

发明内容Contents of the invention

本发明的目的在于克服现有技术的不足,提出一种设计合理、高灵活性和安全可靠的零信任下的分布式网络构建方法,能够在很大程度上提高分布式体系的安全性。The purpose of the present invention is to overcome the deficiencies of the prior art, and propose a method for building a distributed network under zero trust with reasonable design, high flexibility, safety and reliability, which can greatly improve the security of the distributed system.

本发明解决其现实问题是采取以下技术方案实现的:The present invention solves its practical problems and is realized by taking the following technical solutions:

一种零信任框架下分布式网络构建方法,包括以下步骤:A method for constructing a distributed network under a zero-trust framework, comprising the following steps:

步骤1、新客户接入时和代理中心建立连接;Step 1. Establish a connection with the agency center when a new customer accesses;

步骤2、客户向代理发起订阅消息进行主题订阅;Step 2. The client initiates a subscription message to the agent for topic subscription;

步骤3、客户根据步骤2所订阅的主题进行消息发布。Step 3. The client publishes the message according to the topic subscribed in step 2.

而且,所述步骤1的具体步骤包括:And, the concrete steps of described step 1 include:

(1)新客户向信任评估模块的认证中心提出认证申请,认证中心查询新客户是否存在于现有的黑白名单:①若存在于黑名单,则拒绝返回证书②若存在于白名单,则返回带有主体属性的证书,具有初始信任值③若不存在于白名单上,同样返回带有主体属性的证书,不具有初始信任值;(1) The new customer applies for certification to the certification center of the trust evaluation module, and the certification center queries whether the new customer exists in the existing black and white list: ① If it exists in the black list, refuse to return the certificate ② If it exists in the white list, return A certificate with a subject attribute has an initial trust value ③ If it does not exist on the whitelist, a certificate with a subject attribute will also be returned without an initial trust value;

(2)新客户向代理中心发起连接请求并附带有证书,由策略执行点PEP截获该请求,PEP首先将客户信息转交信任评估模块的信任评估中心,由信任评估中心计算该客户当前信任值;(2) A new customer initiates a connection request to the agency center with a certificate attached, and the request is intercepted by the policy enforcement point PEP. The PEP first transfers the customer information to the trust evaluation center of the trust evaluation module, and the trust evaluation center calculates the current trust value of the customer;

(3)获取客户信任值后,PEP依据信任阈值判断是否允许本次连接请求;若信任值满足,则向代理转发连接请求,同时向认证中心更新名单;(3) After obtaining the trust value of the client, PEP judges whether to allow the connection request according to the trust threshold; if the trust value is satisfied, it forwards the connection request to the agent and updates the list to the authentication center at the same time;

(4)代理中心成功与客户建立连接后,反馈连接确认信息,该消息同样由PEP截获,再次进行信任评估,此次信任评估将对客户和代理中心同时进行,而后转发连接确认信息。(4) After the agency center successfully establishes a connection with the customer, it will feed back the connection confirmation message, which is also intercepted by the PEP, and the trust evaluation will be performed again.

而且,所述步骤2的具体步骤包括:And, the concrete steps of described step 2 include:

(1)客户向代理发起订阅消息,由PEP截获,首先转交信任评估中心对当前客户进行信任评估,若信任等级低于该主题订阅所需信任阈值则直接拒绝本次申请,并更新黑名单;(1) The customer initiates a subscription message to the agent, which is intercepted by the PEP, and first transferred to the trust assessment center to conduct a trust assessment for the current customer. If the trust level is lower than the trust threshold required for the topic subscription, the application will be directly rejected and the blacklist will be updated;

(2)PEP向访问控制模块中的策略决策点PDP提供客户的当前信任值,信任度将作为一项重要的主体属性参与授权过程,PDP依据各项属性信息以及客户信任值在策略管理点PAP处查找满足的访问控制策略,若拒绝请求则向客户返回拒绝消息,若允许则向代理转发订阅消息;(2) PEP provides the customer's current trust value to the policy decision point PDP in the access control module, and the trust degree will participate in the authorization process as an important subject attribute. Find the satisfied access control policy at the location, if the request is rejected, a rejection message will be returned to the client, and if the request is allowed, the subscription message will be forwarded to the agent;

(3)代理接受订阅请求,向客户转发订阅成功/失败消息,同样由PEP截获并转交信任评估中心,对代理中心和客户进行信任评估并更新信任名单。(3) The agent accepts the subscription request and forwards the subscription success/failure message to the customer, which is also intercepted by the PEP and forwarded to the trust evaluation center, which conducts trust evaluation on the agent center and the customer and updates the trust list.

而且,所述步骤3的具体步骤包括:And, the specific steps of described step 3 include:

(1)客户向代理中心依主题发布消息,由PEP截获,首先转交信任评估中心对当前客户进行信任评估,若信任值过低则直接拒绝本次发布,并更新黑名单;(1) The customer releases a message to the agency center according to the topic, which is intercepted by PEP and first transferred to the trust evaluation center to conduct a trust evaluation for the current customer. If the trust value is too low, the release will be directly rejected and the blacklist will be updated;

(2)PEP向PDP提供客户的当前信任值,PDP依据各项属性信息以及客户信任值在PAP处查找满足的访问控制策略,若拒绝发布则向客户返回拒绝消息,若允许则向代理中心转发发布消息;(2) PEP provides the current trust value of the customer to the PDP, and the PDP searches for the satisfied access control policy at the PAP according to various attribute information and the customer trust value. If it refuses to publish, it returns a rejection message to the customer, and if it is allowed, it forwards it to the agency center make an announcement;

(3)代理中心接收客户发布信息,向信任评估中心查询最新信任名单,依据信任值向符合该主题信任等级的订阅客户转发主题消息,若客户信任值未达到接受消息所需的信任阈值,则向该客户发送消息拒发通知,告知该客户有此主题的未收到消息并附明原因;(3) The agency center receives the information released by the customer, queries the latest trust list from the trust evaluation center, and forwards the topic message to the subscribing customers who meet the trust level of the topic according to the trust value. If the customer trust value does not reach the trust threshold required for accepting the message, then Send a message refusal notification to the customer, informing the customer that there is an unreceived message on this topic and specifying the reason;

(4)代理中心向发布客户反馈发布成功/失败信息,同样由PEP截获并转交信任评估中心,对代理和客户进行信任评估并更新信任名单。(4) The agency center feedbacks the release success/failure information to the issuing customer, which is also intercepted by the PEP and forwarded to the trust evaluation center to conduct trust evaluation on the agent and customer and update the trust list.

本发明的优点和有益效果:Advantages and beneficial effects of the present invention:

1、本发明提出了一种零信任框架下分布式网络构建方法,包括:客户、代理中心、访问控制模块和信任评估模块;客户和代理中心是订阅/发布模式中的基本组件,客户既是消息的发布者也是消息的订阅者,代理负责接受客户请求,管理消息的订阅和发布。本发明在传统订阅/发布模式的框架下加入访问控制模块和信任评估模块,利用ABAC模型细粒度,高灵活性的优势,结合动态持续信任评估,在很大程度上提高分布式体系的安全性。1. The present invention proposes a distributed network construction method under a zero-trust framework, including: a client, an agent center, an access control module, and a trust evaluation module; the client and the agent center are basic components in the subscription/publishing mode, and the client is both a message The publisher of the message is also the subscriber of the message, and the broker is responsible for accepting client requests and managing the subscription and publishing of messages. The present invention adds an access control module and a trust evaluation module under the framework of the traditional subscription/publishing mode, utilizes the fine-grained and high-flexibility advantages of the ABAC model, and combines dynamic and continuous trust evaluation to greatly improve the security of the distributed system .

2、本发明将ABAC访问控制模型和持续信任评估进行结合,提出一种零信任框架下,基于订阅/发布模式的分布式网络构建方法。利用ABAC模型细粒度,高灵活性的特点,满足分布式网络中动态访问的安全需求,致力于弥补现有分布式物联网的安全空缺,具有一定可行性。2. The present invention combines the ABAC access control model with continuous trust assessment, and proposes a distributed network construction method based on a subscription/publishing model under a zero-trust framework. It is feasible to make use of the fine-grained and high-flexibility features of the ABAC model to meet the security requirements of dynamic access in distributed networks and to make up for the security gaps in the existing distributed Internet of Things.

附图说明Description of drawings

图1是本发明的步骤1的新客户接入时和代理中心建立连接的处理流程框图;Fig. 1 is the block diagram of the processing flow that connects with agent center when the new client of step 1 of the present invention connects;

图2是本发明的步骤2的客户向代理发起订阅消息进行主题订阅的处理流程框图;Fig. 2 is the block diagram of the processing flow of the client initiating a subscription message to the agent in step 2 of the present invention to subscribe to a topic;

图3是本发明客户进行消息发布的处理流程框图;Fig. 3 is a block diagram of the processing flow of message release by the client of the present invention;

图4是ABAC模型对用户行为进行授权流程的框图;Fig. 4 is a block diagram of the authorization process of user behavior by the ABAC model;

图5是信任评估模块中信任评估中心(PEC)对用户进行信任评估的框图。Fig. 5 is a block diagram of a trust evaluation performed by a trust evaluation center (PEC) on a user in the trust evaluation module.

具体实施方式Detailed ways

以下结合附图对本发明实施例作进一步详述:Embodiments of the present invention are described in further detail below in conjunction with the accompanying drawings:

一种零信任框架下分布式网络构建方法,如图1至图3所示,包括以下步骤:A method for building a distributed network under a zero-trust framework, as shown in Figures 1 to 3, comprising the following steps:

步骤1、新客户接入时和代理中心建立连接;Step 1. Establish a connection with the agency center when a new customer accesses;

所述步骤1的具体步骤包括:The concrete steps of described step 1 include:

(1)新客户向信任评估模块的认证中心提出认证申请,认证中心查询新客户是否存在于现有的黑白名单:①若存在于黑名单,则拒绝返回证书②若存在于白名单,则返回带有主体属性的证书,具有初始信任值③若不存在于白名单上,同样返回带有主体属性的证书,不具有初始信任值;(1) The new customer applies for certification to the certification center of the trust evaluation module, and the certification center queries whether the new customer exists in the existing black and white list: ① If it exists in the black list, refuse to return the certificate ② If it exists in the white list, return A certificate with a subject attribute has an initial trust value ③ If it does not exist on the whitelist, a certificate with a subject attribute will also be returned without an initial trust value;

(2)新客户向代理中心发起连接请求并附带有证书,由策略执行点(PolicyEnforcementPoint,PEP)截获该请求,PEP首先将客户信息转交信任评估模块的信任评估中心,由信任评估中心计算该客户当前信任值;(2) A new customer initiates a connection request to the agency center with a certificate attached, and the request is intercepted by the Policy Enforcement Point (PEP). The PEP first transfers the customer information to the trust assessment center of the trust assessment module, and the trust assessment center calculates the current trust value;

信任评估中心可与访问控制模块中的策略决策点PDP和策略信息点PIP进行联动,收集用户的交互记录并量化为综合信任值;The trust evaluation center can be linked with the policy decision point PDP and policy information point PIP in the access control module to collect user interaction records and quantify them into comprehensive trust values;

(3)获取客户信任值后,PEP依据信任阈值判断是否允许本次连接请求;若信任值满足,则向代理转发连接请求,同时向认证中心更新名单。(3) After obtaining the client's trust value, PEP judges whether to allow the connection request according to the trust threshold; if the trust value is satisfied, it forwards the connection request to the agent and updates the list to the authentication center.

(4)代理中心成功与客户建立连接后,反馈连接确认信息,该消息同样由PEP截获,再次进行信任评估,此次信任评估将对客户和代理中心(通常具有较高信任值)同时进行,而后转发连接确认信息。(4) After the agency center successfully establishes a connection with the customer, it will feed back the connection confirmation message, which is also intercepted by the PEP, and the trust evaluation will be performed again. Then forward the connection confirmation information.

将代理作为信任评估对象之一能有效避免不可信代理带来的安全隐患,很大程度上提高了该分布式系统的安全性。Taking the agent as one of the objects of trust evaluation can effectively avoid the security risks brought by untrusted agents, and greatly improve the security of the distributed system.

在本实施例中,新客户接入时需要和代理中心建立连接,建立连接前需要向认证中心申请认证,获取证书后方可提出连接申请,此时申请由PEP截获并转交信任评估中心,对新客户进行信任评估,然后转发代理进行连接建立。代理反馈建立成功/失败信息,由PEP转发并对代理和客户再次进行信任评估。In this embodiment, when a new client accesses, a connection needs to be established with the agency center. Before the connection is established, an application for authentication to the authentication center is required, and a connection application can only be made after obtaining the certificate. At this time, the application is intercepted by the PEP and forwarded to the trust evaluation center. The client does the trust evaluation, and the forward proxy does the connection establishment. The agent feedbacks the establishment success/failure information, which is forwarded by the PEP and conducts trust evaluation on the agent and the client again.

步骤2、客户向代理发起订阅消息进行主题订阅;Step 2. The client initiates a subscription message to the agent for topic subscription;

客户接收消息前需要进行主题订阅,订阅消息由客户向代理发起;The client needs to subscribe to the topic before receiving the message, and the subscription message is initiated by the client to the agent;

所述步骤2的具体步骤包括:The concrete steps of described step 2 include:

(1)客户向代理发起订阅消息,由PEP截获,首先转交信任评估中心对当前客户进行信任评估,若信任等级低于该主题订阅所需信任阈值则直接拒绝本次申请,并更新黑名单;无需进行后续授权过程,减少访问控制带来的开销;(1) The customer initiates a subscription message to the agent, which is intercepted by the PEP, and first transferred to the trust assessment center to conduct a trust assessment for the current customer. If the trust level is lower than the trust threshold required for the topic subscription, the application will be directly rejected and the blacklist will be updated; No subsequent authorization process is required, reducing the overhead caused by access control;

(2)PEP向访问控制模块中的策略决策点(PolicyDecisionPoint,PDP)提供客户的当前信任值,信任度将作为一项重要的主体属性参与授权过程,PDP依据各项属性信息以及客户信任值在策略管理点(PolicyAdministrationPoint,PAP)处查找满足的访问控制策略,若拒绝请求则向客户返回拒绝消息,若允许则向代理转发订阅消息。(2) PEP provides the current trust value of the customer to the policy decision point (PolicyDecisionPoint, PDP) in the access control module, and the trust degree will participate in the authorization process as an important subject attribute. The policy administration point (PolicyAdministrationPoint , PAP) looks for the satisfied access control policy, if the request is rejected, it will return a rejection message to the client, and if it is allowed, it will forward the subscription message to the agent.

由于本发明中不存在客户主体直接申请访问资源客体的过程,所以本发明对访问控制过程作出一定的改动,其访问控制策略制定和实施将基于主题进行。其中主题以树状形式存在,访问控制策略依据主题树创建,管理员可对每一主题分配与其匹配的访问权限,授权过程依据该主题下的权限、约束以及策略进行;Since there is no process in which the client subject directly applies for access to resource objects in the present invention, the present invention makes some changes to the access control process, and its access control policy formulation and implementation will be based on themes. Topics exist in a tree form, and access control policies are created based on the topic tree. Administrators can assign matching access rights to each topic, and the authorization process is based on the permissions, constraints, and policies under the topic;

(3)代理接受订阅请求,向客户转发订阅成功/失败消息,同样由PEP截获并转交信任评估中心,对代理中心和客户进行信任评估并更新信任名单。(3) The agent accepts the subscription request and forwards the subscription success/failure message to the customer, which is also intercepted by the PEP and forwarded to the trust evaluation center, which conducts trust evaluation on the agent center and the customer and updates the trust list.

在本实施例中,取消订阅的过程与订阅申请过程相似,故不在赘述。In this embodiment, the process of unsubscribing is similar to the process of applying for subscription, so details are not repeated here.

在本实施例中,客户接收消息前需要进行主题订阅,订阅消息由客户向代理发起,由PEP截获,首先转交信任评估中心对当前客户进行信任评估,PEP向PDP提供客户的当前信任值,PDP依据各项属性信息以及客户信任值在策略管理点处查找满足的访问控制策略;代理接受订阅请求,向客户转发订阅成功/失败消息,同样由PEP截获并转交信任评估中心,对代理和客户进行信任评估并更新信任名单。In this embodiment, the client needs to subscribe to the topic before receiving the message. The subscription message is initiated by the client to the agent and intercepted by the PEP. Find the satisfied access control policy at the policy management point based on various attribute information and customer trust values; the proxy accepts the subscription request and forwards the subscription success/failure message to the customer, which is also intercepted by PEP and forwarded to the trust evaluation center for the proxy and customer. Trust evaluation and update trust list.

步骤3、客户根据步骤2所订阅的主题进行消息发布Step 3. The client publishes the message according to the topic subscribed in step 2

所述步骤3的具体步骤包括:The concrete steps of described step 3 include:

(1)客户向代理中心依主题发布消息,由PEP截获,首先转交信任评估中心对当前客户进行信任评估,若信任值过低则直接拒绝本次发布,并更新黑名单;(1) The customer releases a message to the agency center according to the topic, which is intercepted by PEP and first transferred to the trust evaluation center to conduct a trust evaluation for the current customer. If the trust value is too low, the release will be directly rejected and the blacklist will be updated;

(2)PEP向PDP提供客户的当前信任值,PDP依据各项属性信息以及客户信任值在PAP处查找满足的访问控制策略,若拒绝发布则向客户返回拒绝消息,若允许则向代理中心转发发布消息。(2) PEP provides the current trust value of the customer to the PDP, and the PDP searches for the satisfied access control policy at the PAP according to various attribute information and the customer trust value. If it refuses to publish, it returns a rejection message to the customer, and if it is allowed, it forwards it to the agency center make an announcement.

由于分布式系统的动态性,每一次消息的订阅/发布都需要进行授权,在一次行为结束后,该用户的当前权限作废,下一次进行同样同为时(如再一次发布相同主题信息)需要重新授权;Due to the dynamic nature of the distributed system, each message subscription/publishing needs to be authorized. After the end of a behavior, the user's current permissions will be invalidated, and the next time the same behavior (such as publishing the same topic information again) needs to be done. reauthorization;

(3)代理中心接收客户发布信息,向信任评估中心查询最新信任名单,依据信任值向符合该主题信任等级的订阅客户转发主题消息,若客户信任值未达到接受消息所需的信任阈值,则向该客户发送消息拒发通知,告知该客户有此主题的未收到消息并附明原因;(3) The agency center receives the information released by the customer, queries the latest trust list from the trust evaluation center, and forwards the topic message to the subscribing customers who meet the trust level of the topic according to the trust value. If the customer trust value does not reach the trust threshold required for accepting the message, then Send a message refusal notification to the customer, informing the customer that there is an unreceived message on this topic and specifying the reason;

(4)代理中心向发布客户反馈发布成功/失败信息,同样由PEP截获并转交信任评估中心,对代理和客户进行信任评估并更新信任名单。(4) The agency center feedbacks the release success/failure information to the issuing customer, which is also intercepted by the PEP and forwarded to the trust evaluation center to conduct trust evaluation on the agent and customer and update the trust list.

在本实施例中,客户可依据主题进行消息发布,传统的订阅发布模式下,代理接收客户所发布的消息后,依订阅名单直接发送订阅了该主题的客户,这种做法不符合零信任的思想。在本模型中,将对消息的发布增加限制,不仅客户进行消息发布需要进行信任评估和访问控制决策,代理进行消息转发时也需要获取客户信任值,对符合信任要求的客户进行相应的消息转发。In this embodiment, customers can publish messages based on topics. In the traditional subscription publishing mode, after receiving the messages published by customers, the agent directly sends the customers who have subscribed to the topic according to the subscription list. This approach does not conform to the principle of zero trust. Thought. In this model, restrictions will be added to the release of messages. Not only do customers need to conduct trust evaluation and access control decisions when publishing messages, but agents also need to obtain customer trust values when forwarding messages, and forward corresponding messages to customers that meet the trust requirements. .

在本实施例中,还包括访问控制模块,对用户行为进行动态授权;In this embodiment, an access control module is also included to dynamically authorize user behavior;

所述访问控制模块的功能和作用如下:The functions and effects of the access control module are as follows:

本发明中访问控制部分采用基于属性的访问控制模型(AttributeBasedAccessControl,ABAC)并进行改进。ABAC是一种根据主体和对象的指定属性、环境条件以及根据这些属性和条件指定的一组策略,实现对受保护资源的访问控制权限匹配的访问控制方法。由于本发明中不存在客户主体直接申请访问资源客体的过程,所以本发明对ABAC模型作出一定的改动,其访问控制策略制定和实施将基于主题进行。主题以树状形式存在,访问控制策略依据主题树创建,管理员可对每一主题分配与其匹配的访问权限,授权过程依据该主题下的权限、约束以及策略进行。In the access control part of the present invention, an attribute-based access control model (AttributeBasedAccessControl, ABAC) is adopted and improved. ABAC is an access control method that matches the access control rights to protected resources according to the specified attributes of subjects and objects, environmental conditions, and a set of policies specified according to these attributes and conditions. Since there is no process in which the client subject directly applies for accessing resource objects in the present invention, the present invention makes certain changes to the ABAC model, and its access control policy formulation and implementation will be based on topics. Topics exist in a tree form, and access control policies are created based on the topic tree. Administrators can assign matching access rights to each topic, and the authorization process is based on the permissions, constraints, and policies under the topic.

可扩展访问控制标记语言(XACML)是一种用XML语言来为信息访问表达访问控制策略的OASIS规范,可以支持复杂、细粒度规则的访问控制策略语言,可以用于实现ABAC授权模型。模型包括5个主要部分:a)策略执行点(PEP):通过发出决策请求和强制执行授权决策来执行访问控制的系统实体;b)策略决策点(PDP):依据访问控制策略以及其他属性信息进行访问控制决策的实体;c)策略管理点(PAP):系统中产生和维护安全策略的实体;d)策略信息点(PIP):获取主体、环境和资源的属性信息的实体,如果PEP发起的请求中缺少某些属性,会由PIP找并反馈给PDP做决策;e)上下文处理器(Context Processor):将外部请求转化为XACML请求,以及将XACML响应转化为外部响应,并根据属性服务对XACML请求(响应)进行数字化处理。Extensible Access Control Markup Language (XACML) is an OASIS specification that uses XML language to express access control policies for information access. It can support complex and fine-grained access control policy languages, and can be used to implement the ABAC authorization model. The model includes 5 main parts: a) Policy Enforcement Point (PEP): a system entity that enforces access control by issuing decision requests and enforcing authorization decisions; b) Policy Decision Point (PDP): based on access control policies and other attribute information The entity that makes access control decisions; c) Policy Administration Point (PAP): the entity that generates and maintains security policies in the system; d) Policy Information Point (PIP): the entity that obtains the attribute information of subjects, environments and resources, if PEP initiates Some attributes are missing in the request, which will be found by PIP and fed back to PDP for decision-making; e) Context Processor (Context Processor): convert external requests into XACML requests, and convert XACML responses into external responses, and serve according to attributes Digitizes XACML requests (responses).

访问控制模型框图如图4所示,此内容非本发明研究内容,故不作详细阐述。The block diagram of the access control model is shown in Figure 4, which is not the research content of the present invention, so it will not be described in detail.

在本实施例中,还包括信任评估模块,对用户行为进行持续信任评估。In this embodiment, a trust assessment module is also included to perform continuous trust assessment on user behavior.

所述信任评估模块说明如下:The description of the trust evaluation module is as follows:

信任评估模块分为认证授权中心(CAC)和信任评估中心(PEC)两部分,负责管理网络中的信任体系,TEC的基本框架如图5所示。CAC中存放有客户黑白名单,负责证书发放,TEC在负责网络系统中任意对等实体间信任度的评估,TEC与模型中的认证授权中心CAC、策略决策点PDP等模块联动,收集实体间访问交互的历史记录,并量化为信任综合能力,利用对等实体相似度、惩罚机制、信任衰减等计算直接信任度、间接信任度和推荐信任度,并将结果反馈给访问控制模块中策略决策点PDP进行下一步的操作,信任度将作为一项重要的主体属性参与授权过程。The trust evaluation module is divided into two parts: the certification authorization center (CAC) and the trust evaluation center (PEC), which are responsible for managing the trust system in the network. The basic framework of the TEC is shown in Figure 5. CAC stores black and white lists of customers and is responsible for issuing certificates. TEC is responsible for evaluating the trust degree between any peer entities in the network system. TEC is linked with modules such as the authentication authorization center CAC and policy decision point PDP in the model to collect access between entities. Interaction historical records, quantified as trust comprehensive ability, using peer entity similarity, penalty mechanism, trust decay, etc. to calculate direct trust, indirect trust and recommended trust, and feedback the results to the policy decision point in the access control module In the next step of the PDP operation, the trust degree will participate in the authorization process as an important subject attribute.

通常访问控制策略不会频繁变化,但主体信任度是动态变化的,多次异常行为会导致主体信任度锐减甚至进入黑名单,这在一定程度上减少了访问控制所带来的开销,因为信任度不合格的用户的部分行为会直接被拒绝,而无需要后续授权过程。并且主题树具有层级划分,信任等级制度适用于该模型,不同主题下的订阅、发布和接收等行为对应不同的信任阈值,易于实现。Usually, the access control policy does not change frequently, but the trust degree of the subject changes dynamically. Multiple abnormal behaviors will cause the trust degree of the subject to drop sharply or even enter the blacklist, which reduces the overhead brought by access control to a certain extent, because Some behaviors of users with unqualified trust will be directly rejected without subsequent authorization process. In addition, the topic tree has a hierarchical division, and the trust hierarchy is applicable to this model. Subscription, publication, and reception under different topics correspond to different trust thresholds, which is easy to implement.

此外,代理(Broker)也作为信任评估对象之一,这能有效避免不可信代理带来的安全隐患,很大程度上提高了该分布式系统的安全性。In addition, the agent (Broker) is also one of the trust evaluation objects, which can effectively avoid the security risks brought by untrusted agents and greatly improve the security of the distributed system.

本领域内的技术人员应明白,本申请的实施例可提供为方法、系统、或计算机程序产品。因此,本申请可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本申请可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art should understand that the embodiments of the present application may be provided as methods, systems, or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

本申请是参照根据本申请实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the present application. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and a combination of procedures and/or blocks in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor of other programmable data processing equipment to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a An apparatus for realizing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions The device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby The instructions provide steps for implementing the functions specified in the flow chart or blocks of the flowchart and/or the block or blocks of the block diagrams.

Claims (4)

1.一种零信任框架下分布式网络构建方法,其特征在于:包括以下步骤:1. A distributed network construction method under a zero-trust framework, characterized in that: comprising the following steps: 步骤1、新客户接入时和代理中心建立连接;Step 1. Establish a connection with the agency center when a new customer accesses; 步骤2、客户向代理发起订阅消息进行主题订阅;Step 2. The client initiates a subscription message to the agent for topic subscription; 步骤3、客户根据步骤2所订阅的主题进行消息发布。Step 3. The client publishes the message according to the topic subscribed in step 2. 2.根据权利要求1所述的一种零信任框架下分布式网络构建方法,其特征在于:所述步骤1的具体步骤包括:2. The distributed network construction method under a zero-trust framework according to claim 1, characterized in that: the specific steps of the step 1 include: (1)新客户向信任评估模块的认证中心提出认证申请,认证中心查询新客户是否存在于现有的黑白名单:①若存在于黑名单,则拒绝返回证书②若存在于白名单,则返回带有主体属性的证书,具有初始信任值③若不存在于白名单上,同样返回带有主体属性的证书,不具有初始信任值;(1) The new customer applies for certification to the certification center of the trust evaluation module, and the certification center queries whether the new customer exists in the existing black and white list: ① If it exists in the black list, refuse to return the certificate ② If it exists in the white list, return A certificate with a subject attribute has an initial trust value ③ If it does not exist on the whitelist, a certificate with a subject attribute will also be returned without an initial trust value; (2)新客户向代理中心发起连接请求并附带有证书,由策略执行点PEP截获该请求,PEP首先将客户信息转交信任评估模块的信任评估中心,由信任评估中心计算该客户当前信任值;(2) A new customer initiates a connection request to the agency center with a certificate attached, and the request is intercepted by the policy enforcement point PEP. The PEP first transfers the customer information to the trust evaluation center of the trust evaluation module, and the trust evaluation center calculates the current trust value of the customer; (3)获取客户信任值后,PEP依据信任阈值判断是否允许本次连接请求;若信任值满足,则向代理转发连接请求,同时向认证中心更新名单;(3) After obtaining the trust value of the client, PEP judges whether to allow the connection request according to the trust threshold; if the trust value is satisfied, it forwards the connection request to the agent and updates the list to the authentication center at the same time; (4)代理中心成功与客户建立连接后,反馈连接确认信息,该消息同样由PEP截获,再次进行信任评估,此次信任评估将对客户和代理中心同时进行,而后转发连接确认信息。(4) After the agency center successfully establishes a connection with the customer, it will feed back the connection confirmation message, which is also intercepted by the PEP, and the trust evaluation will be performed again. 3.根据权利要求1所述的一种零信任框架下分布式网络构建方法,其特征在于:所述步骤2的具体步骤包括:3. The distributed network construction method under a zero-trust framework according to claim 1, characterized in that: the specific steps of the step 2 include: (1)客户向代理发起订阅消息,由PEP截获,首先转交信任评估中心对当前客户进行信任评估,若信任等级低于该主题订阅所需信任阈值则直接拒绝本次申请,并更新黑名单;(1) The customer initiates a subscription message to the agent, which is intercepted by the PEP, and first transferred to the trust assessment center to conduct a trust assessment for the current customer. If the trust level is lower than the trust threshold required for the topic subscription, the application will be directly rejected and the blacklist will be updated; (2)PEP向访问控制模块中的策略决策点PDP提供客户的当前信任值,信任度将作为一项重要的主体属性参与授权过程,PDP依据各项属性信息以及客户信任值在策略管理点PAP处查找满足的访问控制策略,若拒绝请求则向客户返回拒绝消息,若允许则向代理转发订阅消息;(2) PEP provides the customer's current trust value to the policy decision point PDP in the access control module, and the trust degree will participate in the authorization process as an important subject attribute. Find the satisfied access control policy at the location, if the request is rejected, a rejection message will be returned to the client, and if the request is allowed, the subscription message will be forwarded to the proxy; (3)代理接受订阅请求,向客户转发订阅成功/失败消息,同样由PEP截获并转交信任评估中心,对代理中心和客户进行信任评估并更新信任名单。(3) The agent accepts the subscription request and forwards the subscription success/failure message to the customer, which is also intercepted by the PEP and forwarded to the trust evaluation center, which conducts trust evaluation on the agent center and the customer and updates the trust list. 4.根据权利要求1所述的一种零信任框架下分布式网络构建方法,其特征在于:所述步骤3的具体步骤包括:4. The method for constructing a distributed network under a zero-trust framework according to claim 1, wherein the specific steps of step 3 include: (1)客户向代理中心依主题发布消息,由PEP截获,首先转交信任评估中心对当前客户进行信任评估,若信任值过低则直接拒绝本次发布,并更新黑名单;(1) The customer releases a message to the agency center according to the topic, which is intercepted by PEP and first transferred to the trust evaluation center to conduct a trust evaluation for the current customer. If the trust value is too low, the release will be directly rejected and the blacklist will be updated; (2)PEP向PDP提供客户的当前信任值,PDP依据各项属性信息以及客户信任值在PAP处查找满足的访问控制策略,若拒绝发布则向客户返回拒绝消息,若允许则向代理中心转发发布消息;(2) PEP provides the current trust value of the customer to the PDP, and the PDP searches for the satisfied access control policy at the PAP according to various attribute information and the customer trust value. If it refuses to publish, it returns a rejection message to the customer, and if it is allowed, it forwards it to the agency center make an announcement; (3)代理中心接收客户发布信息,向信任评估中心查询最新信任名单,依据信任值向符合该主题信任等级的订阅客户转发主题消息,若客户信任值未达到接受消息所需的信任阈值,则向该客户发送消息拒发通知,告知该客户有此主题的未收到消息并附明原因;(3) The agency center receives the information released by the customer, queries the latest trust list from the trust evaluation center, and forwards the topic message to the subscribing customers who meet the trust level of the topic according to the trust value. If the customer trust value does not reach the trust threshold required for accepting the message, then Send a message refusal notification to the customer, informing the customer that there is an unreceived message on this topic and specifying the reason; (4)代理中心向发布客户反馈发布成功/失败信息,同样由PEP截获并转交信任评估中心,对代理和客户进行信任评估并更新信任名单。(4) The agency center feedbacks the release success/failure information to the issuing customer, which is also intercepted by the PEP and forwarded to the trust evaluation center to conduct trust evaluation on the agent and customer and update the trust list.
CN202211556084.8A 2022-12-06 2022-12-06 A distributed network construction method under zero trust Active CN115865606B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211556084.8A CN115865606B (en) 2022-12-06 2022-12-06 A distributed network construction method under zero trust

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211556084.8A CN115865606B (en) 2022-12-06 2022-12-06 A distributed network construction method under zero trust

Publications (2)

Publication Number Publication Date
CN115865606A true CN115865606A (en) 2023-03-28
CN115865606B CN115865606B (en) 2025-02-28

Family

ID=85670239

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211556084.8A Active CN115865606B (en) 2022-12-06 2022-12-06 A distributed network construction method under zero trust

Country Status (1)

Country Link
CN (1) CN115865606B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101848236A (en) * 2010-05-06 2010-09-29 北京邮电大学 Real-time data distribution system with distributed network architecture and working method thereof
WO2016048129A2 (en) * 2014-09-26 2016-03-31 Mimos Berhad A system and method for authenticating a user based on user behaviour and environmental factors
US10958662B1 (en) * 2019-01-24 2021-03-23 Fyde, Inc. Access proxy platform
CN112653679A (en) * 2020-12-14 2021-04-13 北京指掌易科技有限公司 Dynamic identity authentication method, device, server and storage medium
CN113051602A (en) * 2021-01-22 2021-06-29 东南大学 Database fine-grained access control method based on zero trust architecture
CN114070600A (en) * 2021-11-11 2022-02-18 上海电气集团数字科技有限公司 Industrial Internet field identity access control method based on zero trust model
WO2022177876A1 (en) * 2021-02-16 2022-08-25 Bastionzero, Inc. Zero trust authentication

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101848236A (en) * 2010-05-06 2010-09-29 北京邮电大学 Real-time data distribution system with distributed network architecture and working method thereof
WO2016048129A2 (en) * 2014-09-26 2016-03-31 Mimos Berhad A system and method for authenticating a user based on user behaviour and environmental factors
US10958662B1 (en) * 2019-01-24 2021-03-23 Fyde, Inc. Access proxy platform
CN112653679A (en) * 2020-12-14 2021-04-13 北京指掌易科技有限公司 Dynamic identity authentication method, device, server and storage medium
CN113051602A (en) * 2021-01-22 2021-06-29 东南大学 Database fine-grained access control method based on zero trust architecture
WO2022177876A1 (en) * 2021-02-16 2022-08-25 Bastionzero, Inc. Zero trust authentication
CN114070600A (en) * 2021-11-11 2022-02-18 上海电气集团数字科技有限公司 Industrial Internet field identity access control method based on zero trust model

Also Published As

Publication number Publication date
CN115865606B (en) 2025-02-28

Similar Documents

Publication Publication Date Title
Zhang et al. A survey on access control in fog computing
CN111488595B (en) Method for realizing authority control and related equipment
AU2015240467B2 (en) Method for authentication and assuring compliance of devices accessing external services
CN112422532A (en) Business communication method, system, device and electronic equipment
US20070143408A1 (en) Enterprise to enterprise instant messaging
WO2019215040A1 (en) Telecom node control via blockchain
CN103532981A (en) Identity escrow and authentication cloud resource access control system and method for multiple tenants
CN112688927A (en) Block chain-based distributed access control method
Li et al. Zero trust in edge computing environment: a blockchain based practical scheme
CN106685955B (en) A security authentication method for video surveillance platform based on Radius
CN116956247B (en) Information processing system based on BIM
Salman et al. Multi-level security for the 5G/IoT ubiquitous network
JP2008003879A (en) Group participation management method, system, and program
CN102972005B (en) Pay authentication method
CN117290861A (en) Intelligent fire control resource access control system and method based on attributes
CN103069767B (en) Consigning authentication method
Zhu et al. Microthingschain: blockchain-based controlled data sharing platform in multi-domain iot
Olson et al. Federating trust: network orchestration for cross-boundary zero trust
CN108199866B (en) A social network system with strong privacy protection
KR20100060130A (en) System for protecting private information and method thereof
CN116260656B (en) Main body trusted authentication method and system in zero trust network based on blockchain
Tao et al. The research on dynamic self-adaptive network security model based on mobile agent
CN115865606A (en) A distributed network construction method under zero trust
Huang et al. A method for trusted usage control over digital contents based on cloud computing
CN116405183A (en) A blockchain-based UCON cross-domain data access control method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant