CN116056043B - Secure and trusted access platform and access system integrating multiple mobile networks - Google Patents

Secure and trusted access platform and access system integrating multiple mobile networks

Info

Publication number
CN116056043B
Authority
CN
China
Prior art keywords
access
authentication request
authentication
network
request information
Prior art date
Legal status
Active
Application number
CN202211644583.2A
Other languages
Chinese (zh)
Other versions
CN116056043A (en)
Inventor
祝咏升
卢云龙
王万齐
钟章队
蔡伯根
魏长水
张骁
孙宵芳
冯源
王巍
杨轶杰
许凌瑞
Current Assignee
Beijing Jiaotong University
China Academy of Railway Sciences Corp Ltd CARS
China State Railway Group Co Ltd
Institute of Computing Technologies of CARS
Original Assignee
Beijing Jiaotong University
China Academy of Railway Sciences Corp Ltd CARS
China State Railway Group Co Ltd
Institute of Computing Technologies of CARS
Priority date
Filing date
Publication date
Application filed by Beijing Jiaotong University, China Academy of Railway Sciences Corp Ltd CARS, China State Railway Group Co Ltd and Institute of Computing Technologies of CARS
Priority to CN202211644583.2A
Publication of CN116056043A
Application granted
Publication of CN116056043B
Legal status: Active
Anticipated expiration

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04W (Wireless communication networks) > H04W 4/00 (Services specially adapted for wireless communication networks; facilities therefor) > H04W 4/30 (... for particular environments, situations or purposes) > H04W 4/40 (... for vehicles, e.g. vehicle-to-pedestrians [V2P]) > H04W 4/42 (... for mass transport vehicles, e.g. buses, trains or aircraft)
    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L 9/00 (Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols) > H04L 9/30 (Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy) > H04L 9/3006 (... underlying computational problems or public-key parameters)
    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L 9/00 (Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols) > H04L 9/32 (... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials) > H04L 9/3247 (... involving digital signatures)
    • H (Electricity) > H04 (Electric communication technique) > H04W (Wireless communication networks) > H04W 12/00 (Security arrangements; authentication; protecting privacy or anonymity) > H04W 12/06 (Authentication)
    • Y (General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests) > Y02 (Technologies or applications for mitigation or adaptation against climate change) > Y02D (Climate change mitigation technologies in information and communication technologies [ICT], i.e. information and communication technologies aiming at the reduction of their own energy use) > Y02D 30/00 (Reducing energy consumption in communication networks) > Y02D 30/70 (... in wireless communication networks)

Abstract

The invention provides a secure and trusted access platform and access system for a converged multi-mobile network. The platform comprises: an SDN ground control unit, which receives authentication request information sent by terminal equipment and forwards it, together with the collected ground equipment monitoring information, to the policy management unit and the authentication type selection unit; an SDN space control unit, which, after receiving the authentication request information sent by the terminal equipment, sends the collected space equipment monitoring information to the policy management unit; an authentication type selection unit, which judges from the received authentication request information whether the request is single-user access or multi-user concurrent access and outputs the access type; and a policy management unit, which formulates the access policy. The SDN ground control unit and the SDN space control unit also issue the access policy and the authentication request information to the ground equipment unit and the space equipment unit respectively. The platform provides a unified access scheme for multi-network access and has good security.

Description

Secure and trusted access platform and access system integrating multiple mobile networks
Technical Field
The present invention relates to the field of communications technology, and in particular to a secure and trusted access platform and access system for a converged multi-mobile network.
Background
The next-generation railway mobile communication network is accessed through several mobile networks, such as 5G, the BeiDou satellite system, WiFi 6 and space-ground integrated networks, and must satisfy the requirements and characteristics of a range of new railway application scenarios. A heterogeneous network formed by converging multiple mobile access networks is one in which two or more wireless communication systems that use different access technologies and have overlapping coverage areas are integrated so that they complement one another and meet future mobile communication service requirements. To make up for the shortcomings of any single ground network, a multi-access, large-span heterogeneous network fuses several previously isolated networks so that they complement one another and provide ground terminals with a global mobile communication network of low latency, high reliability and wide coverage. Multi-mobile access networks are still at an early stage of development and face significant network security challenges. Because the links of a multi-mobile access network are open and its nodes are dynamic and heterogeneous, the network is exposed to attack by outsiders: communication may be interrupted, data may be stolen without the user's authorization, endangering the security of communication data, and the network system may be paralyzed. In addition, the maintenance cost of a multi-mobile access network is relatively high, so a successful attack can cause great loss.
Although railway systems have their own access and authentication schemes for the different heterogeneous networks, these schemes struggle to keep up with ever-changing security attacks and risks and are difficult to manage. The existing identity authentication mode is a single one: it does not take differentiation among users into account and does not support distinguishing users of different authority levels or assigning them corresponding access rights.
Disclosure of Invention
The present invention provides a secure and trusted access platform and network access system for a converged multi-mobile network, to solve the problems in the prior art that the access authentication schemes of the different heterogeneous networks differ from one another, that security requirements are difficult to meet, and that the authentication mode is a single one.
The invention provides a secure and trusted access platform for a converged multi-mobile network, comprising: an SDN (Software Defined Network) ground control unit, an SDN space control unit, an authentication type selection unit and a policy management unit;
the SDN ground control unit is used to receive authentication request information sent by terminal equipment and to send the authentication request information and the collected ground equipment monitoring information to the policy management unit and the authentication type selection unit;
the SDN space control unit is used to send the collected space equipment monitoring information to the policy management unit after receiving the authentication request information sent by the terminal equipment;
the authentication type selection unit is used, after receiving the authentication request information, to judge from it whether the request is single-user access or multi-user concurrent access, and to output the access type;
the policy management unit is used to formulate an access policy according to the authentication request information, the ground equipment monitoring information, the space equipment monitoring information and the access type;
the SDN ground control unit is further used to obtain the access policy, issue the access policy and the authentication request information to a ground equipment unit, control the ground equipment unit to complete authentication, and return response information to the terminal equipment for authentication;
the SDN space control unit is further used to obtain the access policy, issue the access policy and the authentication request information to a space equipment unit, control the space equipment unit to complete authentication, and return response information to the terminal equipment for authentication.
According to the secure and trusted access platform for a converged multi-mobile network provided by the invention, the SDN ground control unit comprises:
a first transceiver module, used to receive the authentication request information sent by the terminal equipment and to issue the access policy;
a ground equipment monitoring module, used to monitor the state of the ground equipment unit and generate the ground equipment monitoring information;
a user controller, used to control the terminal equipment to complete authentication and access after the terminal equipment receives the response information;
and a security gateway controller, used to control the gateway to complete the interconnection of two preset networks.
According to the secure and trusted access platform for a converged multi-mobile network provided by the invention, the SDN space control unit comprises:
a second transceiver module, used to receive the authentication request information sent by the terminal equipment and to issue the access policy;
a traffic monitoring module, used to monitor the state of the traffic in each space network;
a network state monitoring module, used to monitor the state of each space network, where the state of a space network comprises its bandwidth, transmission delay and packet loss rate;
a topology monitoring module, used to detect topology changes in each space network in real time;
and a space equipment monitoring module, used to monitor the state of the space equipment unit and generate the space equipment monitoring information.
According to the secure and trusted access platform for a converged multi-mobile network provided by the invention, the policy management unit comprises:
a resource management module, used to manage the resources of the ground network and the space network and to formulate a resource management policy;
a route management module, used to formulate a routing policy according to the authentication request information, the ground equipment monitoring information, the space equipment monitoring information and the access type;
a gateway management module, used to manage the gateway and to formulate a gateway policy according to the authentication request information, the ground equipment monitoring information, the space equipment monitoring information and the access type;
and a third transceiver module, used to receive the authentication request information, the ground equipment monitoring information, the space equipment monitoring information and the access type, and also to issue the access policy, where the access policy comprises the resource management policy, the routing policy, the gateway policy and the access type.
The invention also provides a secure and trusted access system for a converged multi-mobile network, which comprises the secure and trusted access platform for a converged multi-mobile network described above and further comprises: a ground equipment unit, a space equipment unit and terminal equipment;
the ground equipment unit is used to receive the authentication request information sent by the terminal equipment, send the authentication request information to the SDN ground control unit, receive the access policy issued by the SDN ground control unit, carry out access under the control of the SDN ground control unit according to the access policy, and send response information after access is completed;
the space equipment unit is used to receive the access policy issued by the SDN space control unit, carry out access under the control of the SDN space control unit according to the access policy, and send response information after access is completed;
the terminal equipment is used to send the authentication request information, receive the response information, and, after authentication, communicate with the corresponding network for signal transmission under the control of the SDN ground control unit.
According to the secure and trusted access system for a converged multi-mobile network provided by the invention, the terminal equipment comprises a client, a WiFi module, a satellite communication module and a mobile communication module;
the client is used to send the authentication request information and to authenticate the response information;
and the WiFi module, the satellite communication module and the mobile communication module are used to connect to the corresponding network and transmit signals after the response information has been authenticated successfully.
According to the secure and trusted access system for a converged multi-mobile network provided by the invention, the client is specifically used to:
generate initial authentication request information;
obtain, from a semi-trusted third-party key generation center, a first (partial) user private key for the initial authentication request information, generated on the basis of the user identity;
generate the full user private key for the initial authentication request information on the basis of the first user private key;
generate the user public key on the basis of the full user private key;
and sign the initial authentication request information using the first user private key, the full user private key and the user public key, then send the authentication request information carrying either a single signature or an aggregate signature.
According to the secure and trusted access system for a converged multi-mobile network provided by the invention, the ground equipment unit comprises a ground authentication module and the space equipment unit comprises a space authentication module;
when the access type is single-user access, the ground authentication module and the space authentication module are each used to:
receive the authentication request information;
verify the timestamp of the authentication request information on the basis of the access policy;
if the timestamp is fresh, check the authentication request information with a single-signature verification algorithm to determine whether it is legitimate;
and, if it is legitimate, sign the response information and return it, so that the client can authenticate it.
According to the secure and trusted access system for a converged multi-mobile network provided by the invention, the ground equipment unit comprises a ground authentication module and the space equipment unit comprises a space authentication module;
when the access type is multi-user concurrent access, the ground authentication module and the space authentication module are each used to:
receive the authentication request information;
verify the aggregate signature of the authentication request information with an aggregate verification algorithm;
after verification passes, sign the response information and return it, so that the clients can authenticate it;
here the response information is broadcast, in encrypted form, to all clients whose signatures were combined in the aggregate signature.
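The client-side key and signature flow (partial key from a semi-trusted KGC, completion into a full private key, single or aggregate signature) and the authentication modules' checks (timestamp freshness, then single or aggregate verification, then a signed response) are shown below as an added, runnable example. It is not the patent's own scheme: the page gives no equations, so this uses a Schnorr-style certificateless signature over secp256k1 in which the KGC binds the user's identity and public key into the partial key, the verifier rebuilds the user's effective public key from public data without any certificate, and concurrent requests are checked with one aggregate equation. The 30-second freshness window, the message dictionary layout, the ordering in which the user chooses its public key before the KGC issues the partial key, and the identities used in the usage note are all assumptions of this example.

```python
import hashlib, secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_P, base point G of prime order N
P = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_FFFFFC2F
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
G = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)
MAX_SKEW = 30  # assumed freshness window in seconds; the patent gives no value

def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time: demo only)."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def h(*parts):
    """Hash identities, points, payloads and timestamps to a scalar mod N."""
    m = hashlib.sha256()
    for x in parts:
        m.update(repr(x).encode() + b"|")
    return int.from_bytes(m.digest(), "big") % N

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

def kgc_setup():
    """Semi-trusted KGC: master secret s and master public key Ppub = s*G."""
    s = rand_scalar()
    return s, ec_mul(s, G)

def kgc_partial_key(s, user_id, pk):
    """First (partial) private key d, bound to (ID, R, pk). Binding pk in the hash is
    what stops an attacker choosing pk' = x'G - R' - h*Ppub to cancel the KGC's part."""
    r = rand_scalar()
    R = ec_mul(r, G)
    return (r + s * h(user_id, R, pk)) % N, R

def effective_pubkey(user_id, R, pk, ppub):
    """Q = R + h(ID,R,pk)*Ppub + pk = (d + x)*G, rebuilt from public data, no certificate."""
    return ec_add(ec_add(R, ec_mul(h(user_id, R, pk), ppub)), pk)

def enroll(s, ppub, user_id):
    """Enrolment, with the user side and the KGC side folded into one call."""
    x = rand_scalar()                    # user secret, never revealed to the KGC
    pk = ec_mul(x, G)                    # user public key sent to the KGC
    d, R = kgc_partial_key(s, user_id, pk)
    assert ec_mul(d, G) == ec_add(R, ec_mul(h(user_id, R, pk), ppub))  # user checks the KGC
    sk = (d + x) % N                     # full private key
    return {"id": user_id, "R": R, "pk": pk, "sk": sk}

def signed_message(keys, msg, ts):
    """Wire format: ID, R, pk, payload, timestamp and a Schnorr-style signature (K, s)."""
    k = rand_scalar()
    K = ec_mul(k, G)
    e = h(K, keys["pk"], keys["id"], msg, ts)
    return {"id": keys["id"], "R": keys["R"], "pk": keys["pk"], "msg": msg,
            "ts": ts, "sig": (K, (k + keys["sk"] * e) % N)}

def verify_single(m, ppub, now):
    """Single-user access: timestamp freshness first, then s*G == K + e*Q."""
    if abs(now - m["ts"]) > MAX_SKEW:
        return False
    K, s = m["sig"]
    Q = effective_pubkey(m["id"], m["R"], m["pk"], ppub)
    e = h(K, m["pk"], m["id"], m["msg"], m["ts"])
    return ec_mul(s, G) == ec_add(K, ec_mul(e, Q))

def aggregate(msgs):
    """Aggregator (e.g. an on-board gateway) sums the s values of concurrent requests."""
    return sum(m["sig"][1] for m in msgs) % N

def verify_aggregate(msgs, agg, ppub, now):
    """Multi-user concurrent access: one check, agg*G == sum(K_i) + sum(e_i*Q_i)."""
    if any(abs(now - m["ts"]) > MAX_SKEW for m in msgs):
        return False
    rhs = None
    for m in msgs:
        K, _ = m["sig"]
        Q = effective_pubkey(m["id"], m["R"], m["pk"], ppub)
        rhs = ec_add(rhs, ec_add(K, ec_mul(h(K, m["pk"], m["id"], m["msg"], m["ts"]), Q)))
    return ec_mul(agg, G) == rhs
```

Usage, with constructed identities: after `s, ppub = kgc_setup()`, each terminal is enrolled once with `enroll(s, ppub, "train-0001")` and sends `signed_message(keys, "ACCESS 5G", now)`; the ground or space authentication module calls `verify_single` for one request or `verify_aggregate(reqs, aggregate(reqs), ppub, now)` for a concurrent batch, then answers with its own `signed_message`, which the client checks with `verify_single` against the same `ppub`. A practitioner would pair this with three things the page leaves implicit: a verifier-side cache of recently seen (ID, K) pairs, because the timestamp alone does not stop replay inside the skew window; a fallback to per-request verification when the aggregate check fails, since aggregate verification is all-or-nothing and cannot tell which request was bad; and a constant-time, audited elliptic-curve library in place of the textbook arithmetic here.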
The secure and trusted access system for a converged multi-mobile network provided by the invention further comprises a security situation monitoring platform, which comprises:
a network security situation sensing unit, used to sense in real time the security state of the network accessed through the secure and trusted access system for a converged multi-mobile network;
a network security situation assessment unit, used to assess the security situation of the accessed network on the basis of the security state sensed in real time;
and a network security situation prediction unit, used to predict the security situation of the accessed network within a preset future time on the basis of the security state sensed in real time.
By establishing a single secure and trusted access platform for the converged multi-mobile network, the platform and access system provided by the invention support unified access to multiple access networks, satisfy the secure access requirements of those networks and manage their resources on demand; by providing different identity authentication modes for single-user access and multi-user concurrent access, they can grant users of different grades the corresponding access rights.
Drawings
To illustrate the invention or the prior-art technical solutions more clearly, the drawings used in the embodiments or in the description of the prior art are briefly introduced below. The drawings described below show some embodiments of the invention; a person skilled in the art could obtain other drawings from them without inventive effort.
Fig. 1 is a schematic structural diagram of a secure and trusted access platform for a converged multi-mobile network according to the invention;
Fig. 2 is a second schematic structural diagram of a secure and trusted access platform for a converged multi-mobile network according to the invention;
Fig. 3 is a schematic structural diagram of a secure and trusted access system for a converged multi-mobile network according to the invention;
Fig. 4 is a second schematic structural diagram of a secure and trusted access system for a converged multi-mobile network according to the invention;
Fig. 5 is a schematic workflow diagram of the client of a secure and trusted access system for a converged multi-mobile network according to the invention;
Fig. 6 is a schematic workflow diagram of the ground authentication module and the space authentication module of a secure and trusted access system for a converged multi-mobile network according to the invention;
Fig. 7 is a second schematic workflow diagram of the ground authentication module and the space authentication module of a secure and trusted access system for a converged multi-mobile network according to the invention;
Fig. 8 is a third schematic structural diagram of a secure and trusted access system for a converged multi-mobile network according to the invention;
Fig. 9 is a schematic diagram of the network security situation assessment model of a secure and trusted access system for a converged multi-mobile network according to the invention.
Reference numerals:
10. SDN ground control unit; 20. SDN space control unit; 30. authentication type selection unit; 40. policy management unit; 101. first transceiver module; 102. ground equipment monitoring module; 103. user controller; 104. security gateway controller; 201. second transceiver module; 202. traffic monitoring module; 203. network state monitoring module; 204. topology monitoring module; 205. space equipment monitoring module; 401. third transceiver module; 402. resource management module; 403. route management module; 404. gateway management module; 50. ground equipment unit; 60. space equipment unit; 70. terminal equipment; 701. client; 702. WiFi module; 703. satellite communication module; 704. mobile communication module; 80. security situation monitoring platform; 801. network security situation sensing unit; 802. network security situation assessment unit; 803. network security situation prediction unit.
Detailed Description
To make the objects, technical solutions and advantages of the invention clearer, the technical solutions of the invention are described below clearly and completely with reference to the accompanying drawings. The described embodiments are some, not all, of the embodiments of the invention. All other embodiments that a person skilled in the art could obtain from these embodiments without inventive effort fall within the scope of the invention.
A secure and trusted access platform for a converged multi-mobile network according to the invention is described below with reference to Fig. 1 and Fig. 2. It comprises an SDN ground control unit 10, an SDN space control unit 20, an authentication type selection unit 30 and a policy management unit 40. The SDN ground control unit 10 is configured to receive authentication request information sent by the terminal equipment 70 and to send it, together with the collected ground equipment monitoring information, to the policy management unit 40 and the authentication type selection unit 30. The SDN space control unit 20 is configured to send the collected space equipment monitoring information to the policy management unit 40 after receiving the authentication request information sent by the terminal equipment 70. The authentication type selection unit 30 is configured, after receiving the authentication request information, to determine from it whether the request is single-user access or multi-user concurrent access and to output the access type. The policy management unit 40 is configured to formulate an access policy according to the authentication request information, the ground equipment monitoring information, the space equipment monitoring information and the access type. The SDN ground control unit 10 is further configured to obtain the access policy, send it together with the authentication request information to the ground equipment unit 50, control the ground equipment unit 50 to complete authentication, and return response information to the terminal equipment 70 for authentication. The SDN space control unit 20 is likewise configured to obtain the access policy, send it together with the authentication request information to the space equipment unit 60, control the space equipment unit 60 to complete authentication, and return response information to the terminal equipment 70 for authentication.
Specifically, the platform comprises an authentication layer and a control layer. The authentication layer comprises the authentication type selection unit 30 and the policy management unit 40: the authentication type selection unit 30 identifies whether an authentication request is single-user access or multi-user concurrent access, that is, it determines the access type of the requesting user, and the policy management unit 40 formulates the access policy from the state of the ground equipment and the space equipment, the access type of the authentication request, and so on. The control layer comprises the SDN ground control unit 10 and the SDN space control unit 20, which respectively monitor and manage the ground equipment and the space equipment, forward identity authentication requests, and control the ground equipment and the space equipment to carry out authentication.
The platform applies the SDN separation of control plane and data plane to the multi-access network: software definition is combined with the multi-access network to implement unified user access authentication, while the control layer centrally collects the network and entity state of the ground and space segments and controls the forwarding of authentication information.
The platform is designed so that multiple access authentication requirements, such as ordinary user access and cluster (multi-user) concurrent access, are served under one unified framework, so that access authentication can be flexibly defined and resources managed on demand. It has the following characteristics.
(1) Flexible, controllable network: a traditional space information network evolves as a set of stovepipes in which the functions of network elements are coupled to their hardware, so flexible control is hard to achieve. In this embodiment the access network is built on a software defined network (SDN), which separates control from data, and the SDN ground control unit 10 and the SDN space control unit 20 control the ground equipment and the space equipment from a global view, which makes the network flexible and controllable.
(2) Evolvable network convergence: the access network contains several heterogeneous networks (ground, railway, space and so on) that are otherwise hard to interconnect. In this embodiment the SDN-based converged network lets the policy management unit obtain real-time global information through the controllers and schedule resources reasonably, so that the heterogeneous networks are integrated, network access authentication is controlled uniformly and globally, and access modes such as 5G, WiFi and satellite networks are merged into one converged network.
(3) Customizable network security services: SDN-based access authentication can flexibly provide different access authentication services, such as single-user and multi-user concurrent authentication, according to the secure access requirements of different users, with different policies formulated for each, so that security services can be defined and customized on demand.
By establishing a single secure and trusted access platform for the converged multi-mobile network, the platform supports unified access to multiple access networks, satisfies the secure access requirements of those networks and manages their resources on demand; by providing different identity authentication modes for single-user access and multi-user concurrent access, it can grant users of different grades the corresponding access rights.
In one embodiment, as shown in Fig. 2, the SDN ground control unit 10 comprises a first transceiver module 101, a ground equipment monitoring module 102, a user controller 103 and a security gateway controller 104. The first transceiver module 101 is configured to receive the authentication request information sent by the terminal equipment 70 and to issue the access policy; the ground equipment monitoring module 102 is configured to monitor the state of the ground equipment unit 50 and generate the ground equipment monitoring information; the user controller 103 is configured to control the terminal equipment 70 to complete authentication and access after the terminal equipment 70 receives the response information; and the security gateway controller 104 is configured to control the gateway to complete the interconnection of two preset networks.
Specifically, the user controller 103 carries out the control operations related to user access authentication, the security gateway controller 104 configures and manages the gateways, the ground equipment monitoring module 102 monitors the equipment state and network state of the ground equipment, and the first transceiver module 101 forwards information. The security gateway controller 104 controls the gateway to interconnect the two preset networks and, once the networks are connected, controls the gateway so that it provides network firewall, network intrusion detection, anti-virus and similar functions.
In one embodiment, as shown in fig. 2, the SDN space control unit 20 comprises: a second transceiver module 201, a traffic monitoring module 202, a network state monitoring module 203, a topology monitoring module 204 and a space equipment monitoring module 205; the second transceiver module 201 is configured to receive the authentication request information sent by the terminal device 70 and send the access policy; the traffic monitoring module 202 is configured to monitor the state of traffic in each spatial network; the network state monitoring module 203 is configured to monitor the state of each spatial network, where the state of the spatial network includes network bandwidth, network transmission delay and network packet loss rate; the topology monitoring module 204 is configured to detect topology changes in each spatial network in real time; the space equipment monitoring module 205 is configured to monitor the status of the space equipment unit 60 and generate the space equipment monitoring information.
Specifically, the SDN space control unit 20 includes a second transceiver module 201, a traffic monitoring module 202, a network state monitoring module 203, a topology monitoring module 204 and a space device monitoring module 205. The traffic monitoring module 202 is mainly configured to monitor the traffic of a space network, which generally includes the network output data rate, data receiving rate, total network traffic and the like, so as to monitor and filter data traffic and effectively identify undesirable information within the monitoring range. The network state monitoring module 203 and the space device monitoring module 205 are mainly used to monitor the status of the space network and the status of the space devices, such as whether the network is available and whether the devices operate normally. The topology monitoring module 204 is mainly used to discover topology change information in the network in real time.
In one embodiment, as shown in fig. 2, the policy management unit 40 includes: a third transceiver module 401, a resource management module 402, a route management module 403 and a gateway management module 404; the third transceiver module 401 is configured to receive the authentication request information, the ground device monitoring information, the space device monitoring information, and the access type, and further configured to issue the access policy, where the access policy includes a resource management policy, a routing policy, a gateway policy, and an access type; the resource management module 402 is configured to manage resources of the ground network and the space network and formulate a resource management policy; the route management module 403 is configured to formulate a routing policy according to the authentication request information, the ground equipment monitoring information, the space equipment monitoring information, and the access type; the gateway management module 404 is configured to manage the gateway, and formulate a gateway policy according to the authentication request information, the ground equipment monitoring information, the space equipment monitoring information, and the access type.
Specifically, the policy management unit 40 includes a third transceiver module 401, a resource management module 402, a route management module 403 and a gateway management module 404. The third transceiver module 401 is configured to receive and issue information, for example receiving the authentication type information and authentication request information and issuing the policy information. The resource management module 402 is configured to manage the resources of the ground network and the space network and formulate the resource management policy. The resource management policy provides quality-of-service guarantees for the user terminal device 70 in the network under limited bandwidth; its basic starting point is to flexibly allocate and dynamically adjust the available resources of the wireless transmission part and of the network under conditions such as uneven distribution of network traffic and fluctuation of channel characteristics due to channel fading and interference, so as to maximise wireless spectrum utilisation, prevent network congestion, and keep the signalling load as small as possible.
The route management module 403 formulates a route policy according to the authentication request information, the ground equipment monitoring information, the space equipment monitoring information and the access type. The routing policy determines the forwarding route of the authentication request information, which is delivered in the form of network packets, i.e. the route along which the authentication request is sent to the destination address.
The gateway management module 404 is configured to formulate a gateway policy according to the authentication request information, the ground equipment monitoring information, the space equipment monitoring information, and the access type. I.e. the gateway policy is used to indicate the forwarding of information by the gateway, i.e. to indicate which networks the gateway is interconnected to complete.
The following describes, with reference to fig. 3 to fig. 9, a secure trusted access system for converged multi-mobile network provided by the present invention, as shown in fig. 3, including a secure trusted access platform for converged multi-mobile network as described in any one of the above, further including: a ground equipment unit 50, a space equipment unit 60 and a terminal equipment 70; the ground device unit 50 is configured to receive the authentication request information sent by the terminal device 70 and send the authentication request information to the SDN ground control unit 10, and further configured to receive the access policy sent by the SDN ground control unit 10, perform an access operation under the control of the SDN ground control unit 10 according to the access policy, and send response information after completing the access operation; the space equipment unit 60 is configured to receive the access policy issued by the SDN space control unit 20, perform an access operation under the control of the SDN space control unit 20 according to the access policy, and send out response information after the access operation is completed; the terminal device 70 is configured to send the authentication request information, and also configured to accept the response information, and communicate with a corresponding network for signal transmission after authentication under the control of the SDN ground control unit 10.
Specifically, the ground equipment unit 50 includes routers, gateways, switches, base stations and the like, which route data packets to their destinations over the individual networks. The gateway, also called an inter-system connector or protocol converter, is the most complex network interconnection device at the transport layer; it is used only for interconnecting two networks with different higher-layer protocols and can interconnect wide area networks and local area networks. The switch is used for: (1) learning MAC (Media Access Control) addresses: the switch learns the MAC address of the device connected to each port, maps the address to the corresponding port and stores the mapping in the MAC address table in the switch cache; if a response arrives on a new port, it learns and records the new MAC address; (2) forwarding data frames: when the destination address of a data frame has a mapping in the MAC address table, the frame is forwarded only to the port connecting the destination node rather than to all ports; when the switched network includes redundant loops, the switch uses the spanning tree protocol to avoid loop formation while still allowing backup paths to exist; (3) connecting different networks: the switch can connect networks of the same type and can also interconnect networks of different types; (4) dividing a local area network: like a bridge, the switch can divide a local area network into multiple collision domains, each with its own independent bandwidth, which greatly increases the bandwidth of the local area network.
The space equipment unit 60 includes a forwarding satellite and an access satellite, and when the access satellite is not within the area range, forwarding of authentication request information by the forwarding satellite is required, and the access satellite includes a low-orbit access satellite, a medium-orbit access satellite, a high-orbit access satellite, and the like.
It can be understood that in the multi-network access authentication process, the access of the WiFi network is authenticated by the router, the access of the mobile network is authenticated by the base station, and the satellite network is authenticated by the authentication satellite.
By establishing the secure and trusted access platform that converges multiple mobile networks, the secure and trusted access system can provide unified access for multiple access networks and meet the secure access requirements and on-demand resource management of those networks; through different identity authentication modes for single-user access and multi-user concurrent access, corresponding access authorities can be provided for users of different grades.
In one embodiment, as shown in fig. 4, the terminal device 70 includes: a client 701, a WiFi module 702, a satellite communication module 703, and a mobile communication module 704; the client 701 is configured to send out authentication request information and authenticate the response information; the WiFi module 702, the satellite communication module 703 and the mobile communication module 704 are configured to connect to a corresponding network and perform signal transmission after the response information is authenticated successfully.
Specifically, the flow of the multi-network access authentication is as follows:
The client 701 of the user issues the authentication request information; if there is no relevant forwarding flow table in the switch of the ground equipment unit 50, the switch forwards the authentication request information to the SDN ground control unit 10 and the SDN space control unit 20. After receiving the authentication request information, the SDN ground control unit 10 sends it to the authentication type selection unit 30 and the policy management unit 40, and also sends the state information of the devices in the ground equipment unit 50 to the policy management unit 40. The SDN space control unit 20, upon receiving the authentication request information, transmits the space state information, such as the traffic state, network state, topology changes and space device status, to the policy management unit 40. The policy management unit 40 formulates an access policy according to the authentication request information, the ground equipment monitoring information, the space equipment monitoring information and the access type. The policy management unit 40 sends the formulated access policy and the authentication request information to the SDN ground control unit 10 and the SDN space control unit 20, which respectively send the access policy to the ground equipment and space equipment required by the access policy and control that equipment to execute the authentication work. After the ground equipment and the space equipment complete the authentication work, response information is generated and returned to the client 701, and the authentication request information is successfully authenticated once the client 701 has authenticated the response.
Further, the authentication request information received by the access satellite may be sent to the router through the switch of the ground device, sent to the gateway through the router, and sent to the access satellite by completing the conversion from the ground protocol to the spatial protocol through the gateway. It can be understood that the response message returned by the access satellite is converted from a space protocol to a ground protocol through the gateway, then the response message is returned to the client 701 through the router and the switch, and then the client 701 performs authentication.
When the client 701 of the user sends out authentication request information and the relevant forwarding flow table already exists in the switch, this indicates that the client 701 has performed connection authentication before, and the authentication request information is forwarded according to the rules of that forwarding flow table.
In one embodiment, as shown in fig. 5, the client 701 is specifically configured to:
S501: Generate initial authentication request information.
S502: Generate the user's first private key for the initial authentication request information through a semi-trusted third party key generation center, based on the user identity.
S503: Generate the user's overall private key for the initial authentication request information based on the user's first private key.
S504: Generate the user public key based on the overall private key.
S505: Add a signature to the initial authentication request information according to the user's first private key, the user's overall private key and the user public key, and send the authentication request information with a single signature or an aggregate signature.
Specifically, the client 701 generates initial authentication request information, which is authentication request information when a signature has not been added yet. A semi-trusted third party key generation center (key generation center, KGC) of the client 701 uses the security parameter k to generate a public parameter set and a system master key by:
(1) Generate a cyclic additive group $G_1$ and a cyclic multiplicative group $G_2$, both of order $q$, and a bilinear pairing $e: G_1 \times G_1 \to G_2$.
(2) KGC generates the master key: it arbitrarily selects the master key $\lambda$, then selects two arbitrary generators $P, Q \in G_1$ and calculates the first public key $P_{pub} = \lambda P$.
(3) KGC generates three secure hash functions $H_0$, $H_1$ and $H_2$, where:
(4) KGC generates the public parameter set $params = (G_1, G_2, e, P, Q, P_{pub}, H_0, H_1)$ and keeps the master key $\lambda$ secret.
KGC uses the identity $ID_i$ of the user, the public parameter set $params$ and the master key $\lambda$ to run the partial private key generation algorithm ($Gen_{PPK}$), which generates the first private key $D_i$ for the authentication request information; the first private key is the partial private key. The specific process is:
(1) Calculate $Q_i = H_0(ID_i)$.
(2) Output the first private key $D_i = \lambda Q_i$.
By running the user key generation algorithm ($Gen_k$), the user with identity $ID_i$ arbitrarily selects a secret value $x_i$, generates the user overall private key $(x_i, D_i)$, and generates the user public key $P_i = x_i P$.
The client 701 runs the single signature algorithm (Sign) on the public parameter set $params$, the user identity $ID_i$, the initial authentication request information $M_i \in \mu$ (where the plaintext space is $\mu = \{0,1\}^*$), the user public key $P_i$ and the user overall private key $(x_i, D_i)$, and outputs the single signature $\sigma_i$ on the user's initial authentication request information $M_i$:
a) Arbitrarily select $r_i$ and calculate $R_i = r_i P$;
b) Calculate $t_i = H_1(M_i \| ID_i \| P_i \| R_i)$ and $h_i = H_2(M_i \| ID_i \| P_{pub} \| R_i)$;
c) Calculate $S_i = D_i + x_i t_i Q + (h_i x_i + r_i) P_{pub}$;
d) Output the signature $\sigma_i = (R_i, S_i)$.
Further, the user client 701 (any one of the concurrently accessing users may act as the generator of the aggregate signature) runs the aggregate algorithm (Aggregate): for the $n$ concurrently accessing users it takes the identity set $\{ID_1, ID_2, \ldots, ID_n\}$, the corresponding user public key set $\{O_1, O_2, \ldots, O_n\}$, and the $n$ different initial authentication request messages with their corresponding signatures
$\{(M_1, \sigma_1 = (R_1, S_1)), (M_2, \sigma_2 = (R_2, S_2)), \ldots, (M_n, \sigma_n = (R_n, S_n))\}$ as input, calculates and outputs the aggregate signature $\sigma = (R, S)$ on the initial authentication request messages $M_1, M_2, \ldots, M_n$, and sends the aggregate signature to the clients 701 of the other concurrent users.
In one embodiment, the surface equipment unit 50 includes a surface authentication module, and the space equipment unit 60 includes a space authentication module;
as shown in fig. 6, when the access type is single-user access, the ground authentication module and the space authentication module are respectively configured to:
s601: and receiving the authentication request information.
S602: and verifying the time stamp of the authentication request information based on the access policy.
S603: and under the condition of verifying that the time stamp is fresh, checking the authentication request information through a single verification algorithm to check whether the authentication request information is legal or not.
S604: and returning the response information when the response information is legal and signing the response information before returning so as to authenticate the client 701.
Specifically, the user (UN) arbitrarily selects $a$, calculates $Z_{UN} = aP$, generates the user's single signature $\sigma_{UN}$ by the method described in the above embodiment, and transmits the authentication request information with the single signature to the ground authentication module and the space authentication module. The authentication request information with the single signature is:
$ReqAccess, ID_{UN}, paras_{UN}, T_{UN}, Z_{UN}, \sigma_{UN}(ID_{UN}, paras_{UN}, T_{UN}, Z_{UN})$, where $T_{UN}$ is the timestamp of the authentication request information.
After the ground authentication module and the space authentication module each receive the authentication request message, they first check the timestamp $T_{UN}$; if the timestamp is not fresh, the authentication request message is discarded. If the timestamp check passes, the validity of the authentication request message is verified with the single verification algorithm (Single Verify) to judge whether it was sent by a legitimate user; if verification fails, the authentication request message is discarded. If verification passes, the ground authentication module and the space authentication module each arbitrarily select $b$, calculate $Z_{AN} = bP$ and their own signature $\sigma_{AN}$, and return a response message ResAccess carrying their own signature to the user. The response message is: $ResAccess, T_{AN}, Z_{AN}, \sigma_{AN}(T_{AN}, Z_{AN})$. In the case of multi-network access, the multiple authentication modules each perform the above processing on the received authentication request information, generate their respective signatures, and return response information for authentication by the user client 701.
The Single Verify algorithm (Single Verify) is specifically as follows:
Using the user identity $ID_i$ and the user public key $P_i$, for the single signature $\sigma_i$ on the initial authentication request message $M_i$ the verifier calculates $t_i = H_1(M_i \| ID_i \| P_i \| R_i)$, $h_i = H_2(M_i \| ID_i \| P_{pub} \| R_i)$ and $Q_i = H_0(ID_i)$, and checks the verification equation $e(P, S_i) = e(P_{pub}, Q_i + h_i P_i + R_i)\, e(Q, t_i P_i)$. If the verification equation holds, the authentication request information passes verification; otherwise it fails verification and is discarded by the verifier.
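As an added check (not part of the original text), the verification equation follows from the definition $S_i = D_i + x_i t_i Q + (h_i x_i + r_i) P_{pub}$ with $D_i = \lambda Q_i$, $P_{pub} = \lambda P$, $P_i = x_i P$ and $R_i = r_i P$, using only the bilinearity and symmetry of $e$ on $G_1 \times G_1$:

$$
\begin{aligned}
e(P, S_i) &= e\big(P,\ \lambda Q_i + x_i t_i Q + (h_i x_i + r_i)\lambda P\big) \\
&= e(\lambda P,\ Q_i)\; e(Q,\ x_i t_i P)\; e\big(\lambda P,\ h_i x_i P + r_i P\big) \\
&= e(P_{pub},\ Q_i)\; e(Q,\ t_i P_i)\; e(P_{pub},\ h_i P_i + R_i) \\
&= e(P_{pub},\ Q_i + h_i P_i + R_i)\; e(Q,\ t_i P_i).
\end{aligned}
$$

A verifier needs only $params$, $ID_i$, $P_i$ and $(R_i, S_i)$ for the right-hand side, so no secret material is required to check the signature.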
(3) After the user (UN) receives each response message, it checks the freshness of the response message's timestamp and, if the timestamp is fresh, verifies the signature $\sigma_{AN}$ using the single verification algorithm (Single Verify), thereby verifying each authentication module and completing the bidirectional authentication.
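The single-user exchange above (freshness check on $T_{UN}$, Single Verify on the request, signed ResAccess, freshness check on $T_{AN}$ and Single Verify on the response, fanned out to the ground and space modules) as an added runnable example; this is not the patent's code. The pairing-based Sign/Single Verify are stood in for by a per-identity HMAC (so, unlike the real scheme, the verifier holds a shared key), `Z_UN = aP` and `Z_AN = bP` are modelled as random tokens, and the 30-second window, user ids and keys are constructed values.

```python
"""Single-user bidirectional access authentication, modelled on the
ReqAccess / ResAccess exchange: added example, not the patent's code.

Constructed stand-ins: the pairing-based single signature and Single Verify
are replaced by an HMAC per identity, and Z_UN = aP / Z_AN = bP are random
tokens. Timestamps are passed in explicitly so the flow is deterministic.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FRESHNESS_WINDOW = 30  # seconds a timestamp is accepted as fresh (assumed)

# Constructed keys: per-user verification material (stand-in for P_i and
# (x_i, D_i)) and one key per authentication module (ground and space).
USER_KEYS = {"UN-001": b"user-001-secret"}
MODULE_KEYS = {"ground": b"ground-an-secret", "space": b"space-an-secret"}


@dataclass
class AccessRequest:
    """ReqAccess, ID_UN, paras_UN, T_UN, Z_UN, sigma_UN(ID_UN, paras_UN, T_UN, Z_UN)."""
    id_un: str
    paras_un: str
    t_un: int
    z_un: str
    sigma_un: str


@dataclass
class AccessResponse:
    """ResAccess, T_AN, Z_AN, sigma_AN(T_AN, Z_AN), tagged with the module."""
    module: str
    t_an: int
    z_an: str
    sigma_an: str


def _sign(key: bytes, *fields: str) -> str:
    """Stand-in for Sign: MAC over the ordered, delimited message fields."""
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def _verify(key: bytes, sig: str, *fields: str) -> bool:
    """Stand-in for Single Verify, using a constant-time comparison."""
    return hmac.compare_digest(_sign(key, *fields), sig)


def is_fresh(timestamp: int, now: int) -> bool:
    """Freshness check applied to T_UN on requests and T_AN on responses."""
    return abs(now - timestamp) <= FRESHNESS_WINDOW


def build_request(id_un: str, paras_un: str, now: int) -> AccessRequest:
    """User side: choose a, form Z_UN, sign (ID_UN, paras_UN, T_UN, Z_UN)."""
    z_un = secrets.token_hex(16)  # stand-in for Z_UN = aP
    sigma = _sign(USER_KEYS[id_un], id_un, paras_un, str(now), z_un)
    return AccessRequest(id_un, paras_un, now, z_un, sigma)


def handle_request(req: AccessRequest, module: str,
                   now: int) -> Tuple[str, Optional[AccessResponse]]:
    """Authentication module side: timestamp first, then the signature.

    Returns (status, response); a discarded request yields no response.
    """
    if not is_fresh(req.t_un, now):
        return "discarded_stale", None  # replayed or delayed ReqAccess
    key = USER_KEYS.get(req.id_un)
    if key is None or not _verify(key, req.sigma_un, req.id_un,
                                  req.paras_un, str(req.t_un), req.z_un):
        return "discarded_bad_signature", None  # not from a legitimate user
    z_an = secrets.token_hex(16)  # stand-in for Z_AN = bP
    sigma_an = _sign(MODULE_KEYS[module], str(now), z_an)
    return "ok", AccessResponse(module, now, z_an, sigma_an)


def verify_response(resp: AccessResponse, now: int) -> bool:
    """User side: freshness of T_AN, then Single Verify on sigma_AN."""
    if not is_fresh(resp.t_an, now):
        return False
    return _verify(MODULE_KEYS[resp.module], resp.sigma_an,
                   str(resp.t_an), resp.z_an)


def run_exchange(id_un: str, paras_un: str, now: int) -> Dict[str, str]:
    """One ReqAccess fanned out to every module, as in multi-network access."""
    req = build_request(id_un, paras_un, now)
    results = {}
    for module in MODULE_KEYS:
        status, resp = handle_request(req, module, now)
        if status == "ok":
            status = ("mutual_auth_ok" if verify_response(resp, now)
                      else "response_rejected")
        results[module] = status
    return results
```

Because the module checks freshness before the signature, a replayed request is dropped without any signature work, and the client applies the same order to each module's response.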
In one embodiment, the surface equipment unit 50 includes a surface authentication module, and the space equipment unit 60 includes a space authentication module;
as shown in fig. 7, when the access type is multi-user concurrent access, the terrestrial authentication module and the spatial authentication module are respectively configured to:
S701: and receiving the authentication request information.
S702: and verifying the aggregation signature of the authentication request information based on an aggregation verification algorithm.
S703: returning the response information after verification is passed and adding a signature to the response information before returning so as to enable the client 701 to authenticate; the response information returned is specifically the encrypted response information broadcast to all clients 701 corresponding to the aggregate signature.
Specifically, (1) each user $UN_i$ ($1 \le i \le n$) randomly selects $a_i$ and calculates $L_i$ and $Z_i$ as $L_i = a_i x_0 P$ and $Z_i = x_i(x_{i+1}P - x_{i-1}P)$. The aggregate signature $\sigma = (R, S)$ is obtained according to the aggregate signature algorithm above, and $UN_i$ transmits the authentication request information carrying the parameters $(\sigma, L_i, Z_i)$ to the ground authentication module and the space authentication module.
(2) After the ground authentication module and the space authentication module each receive the parameters transmitted by all users $UN_i$ ($1 \le i \le n$), they calculate, according to the aggregation verification algorithm (Aggregate Verify), $t_i = H_1(M_i \| ID_i \| P_i \| R_i)$, $h_i = H_2(M_i \| ID_i \| P_{pub} \| R_i)$ and $Q_i = H_0(ID_i)$, and verify the aggregate signature by the aggregation verification equation; if the equation holds, verification passes. The authentication module then arbitrarily selects a secret value, performs the corresponding calculation, computes its own signature $\sigma_0 = (R_0, S_0)$ with the single signature algorithm (Sign), and broadcasts $(\sigma_0, O_1, O_2, \ldots, O_n, Y, Z'_1, Z'_2, \ldots, Z'_n)$ to all users $UN_i$ ($1 \le i \le n$).
(3) Each user $UN_i$ ($1 \le i \le n$) verifies the legitimacy of the access point, that is, the validity of the signature $\sigma_0$, by the single verification algorithm (Single Verify). If this verification passes, the bidirectional authentication is successful.
In one embodiment, as shown in fig. 8, the system further comprises a security posture monitoring platform 80, the security posture monitoring platform 80 comprising:
a network security situation sensing unit 801, configured to sense, in real time, a security state of a network accessed by the security trusted access system of the converged multi-mobile network;
a network security situation assessment unit 802, configured to assess a security situation of the network that is accessed based on the network security state perceived in real time;
and the network security situation prediction unit 803 is configured to predict a security situation within a future preset time of the accessed network based on the network security state perceived in real time.
Specifically, the purpose of network security situation monitoring is to obtain the security situation of the current network, and predict the trend of future network security changes, which is usually achieved through collecting, processing and analyzing network security related factors. The network security situation assessment can intuitively display the current network security situation, and the network security prediction technology can predict the future network security development trend, so that support and basis are provided for the next step of taking security protection measures. The network security posture awareness model may be one of an Endsley model, a Tim Bass model, and a JDL model.
Before evaluating the network security situation, an evaluation index system needs to be established. The construction of an evaluation index system generally follows the basic principles of systematicness, approximation, layering and operability. The first-level indexes of the network security situation assessment index system established by this technical solution comprise the vulnerability, threat and stability of the network; the second-level indexes comprise the network vulnerability count level, alarm count level, TCP/UDP protocol packet proportion, subnet inflow growth rate and the like. The evidence reasoning method can handle uncertain and fuzzy information and needs only a small amount of sample data and training. The process of constructing and evaluating the evidence-reasoning-based network security situation assessment model is described in detail below.
The network security posture assessment unit 802 mainly comprises four parts (as shown in fig. 9): data acquisition, data processing, evidence reasoning and network security posture quantification. Data acquisition mainly uses the open source security information management system (OPEN SOURCE SECURITY INFORMATION MANAGEMENT, OSSIM) to collect data related to network security from the network, providing the data basis for the subsequent situation assessment. The data processing part classifies the collected data of different formats according to vulnerability, threat and stability, producing a data format for later use. The evidence reasoning part fuses the three types of data with an evidence reasoning method to obtain a description of the trust degree of the whole network, specifically: first, the combined weights of the indexes listed in the index system are obtained by calculating the subjective weight and the objective weight; then the processed data are converted into trust degrees; finally, the target trust degree of the index data for the network is calculated from the combined weights and the trust degrees. The network security situation quantification module quantifies the reasoning result, namely the target trust degree, into a specific value, so that the network security situation is described quantitatively.
The network security posture prediction unit 803 predicts using a bidirectional LSTM network security posture prediction model. The bidirectional LSTM network security situation prediction model consists, from bottom to top, of an input layer, a bidirectional LSTM layer, a fully connected layer and an output layer. The input layer is the bottom layer: the network security situation values are represented as a time series, and the first $t$ network security situation values before the current time are used as input; the bidirectional LSTM layer computes LSTM values in the forward and backward directions and outputs nonlinear feature values; the fully connected layer uses its nonlinear processing capacity to weight the nonlinear feature values output by the forward and backward directions of the bidirectional LSTM layer; the output layer outputs the predicted network security situation value.
The network security situation is predicted by using a network security situation prediction model of the bidirectional LSTM, and the method mainly comprises five main steps of model construction, training set and test set construction, super parameter determination, model training and prediction.
To construct the data set, the historical network security situation values $\{x_1, x_2, \ldots, x_N\}$ at $N$ moments are first divided so that $k$ consecutive training situation values form the input and the situation value at the next moment forms the output; the output part of the data is the training ground truth of the model, as shown in the following table:
Input                                    Output
$x_1, x_2, \ldots, x_k$                  $x_{k+1}$
$x_2, x_3, \ldots, x_{k+1}$              $x_{k+2}$
$\ldots$                                 $\ldots$
$x_{N-k}, x_{N-k+1}, \ldots, x_{N-1}$    $x_N$
The data are then processed, converting the input and output in the table into the data format required by the bidirectional LSTM, namely:
$[[[x_1],[x_2],\ldots,[x_k]],[[x_2],[x_3],\ldots,[x_{k+1}]],\ldots,[[x_{N-k}],[x_{N-k+1}],\ldots,[x_{N-1}]]]$,
where each $[[x_1],[x_2],\ldots,[x_k]]$ above is one sample. The data set of the table is thus obtained and is divided into a training set and a test set.
Before training the model, hyperparameters such as the input layer step length, the number of neuron nodes and the dropout rate are determined and optimised with a Bayesian optimisation method. During training, the data of the input part in the table above are fed into the bidirectional LSTM network security situation prediction model to obtain a predicted value; the loss function is then calculated from the predicted value and the data of the output part in the table above, namely the training ground truth, the network parameters are updated, and these steps are repeated until the model converges and the iteration ends. After training, the trained bidirectional LSTM network security situation prediction model is tested with the test set to verify its prediction performance. Once trained, the bidirectional LSTM network security situation prediction model can be used directly to predict the security situation of the network.
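The data set construction described above (the table of $k$-value windows and next-value labels, reshaped into the `[[x_1],[x_2],...,[x_k]]` sample format) as an added example; this is not the patent's code. The chronological train/test split and its ratio are assumptions, since the text fixes neither.

```python
"""Sliding-window data set construction for the bidirectional LSTM
situation predictor: added example, not the patent's code.

The N historical situation values are split into N-k samples; each sample is
k consecutive values in the nested [[x_1],[x_2],...,[x_k]] shape the model
expects, and the value at the next moment is that sample's training truth.
"""
from typing import List, Sequence, Tuple

Sample = List[List[float]]


def build_dataset(values: Sequence[float], k: int) -> Tuple[List[Sample], List[float]]:
    """Return (inputs, outputs) for the history x_1..x_N and window length k.

    inputs[j]  == [[x_{j+1}], [x_{j+2}], ..., [x_{j+k}]]   (one sample)
    outputs[j] == x_{j+k+1}                                   (training truth)
    so there are exactly N - k samples, matching the table rows above.
    """
    n = len(values)
    if k < 1 or k >= n:
        raise ValueError("window k must satisfy 1 <= k < N")
    inputs = [[[v] for v in values[j:j + k]] for j in range(n - k)]
    outputs = [values[j + k] for j in range(n - k)]
    return inputs, outputs


def split_train_test(inputs: List[Sample], outputs: List[float],
                     train_ratio: float = 0.8):
    """Chronological split (assumed): earlier windows train, later windows test.

    Keeping time order means no test label ever appears inside a training
    window, which a random shuffle of overlapping windows would allow.
    """
    cut = int(len(inputs) * train_ratio)
    return (inputs[:cut], outputs[:cut]), (inputs[cut:], outputs[cut:])
```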
The embodiments of the platform or system described above are merely illustrative: the elements illustrated as separate units may or may not be physically separate, and the elements shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (9)

1. A secure trusted access platform for converged multiple mobile networks, comprising: an SDN ground control unit, an SDN space control unit, an authentication type selection unit and a strategy management unit;
the SDN ground control unit is used for receiving authentication request information sent by terminal equipment and sending the authentication request information and acquired ground equipment monitoring information to the strategy management unit and the authentication type selection unit;
the SDN space control unit is used for sending the acquired space equipment monitoring information to the policy management unit after receiving the authentication request information sent by the terminal equipment;
the authentication type selection unit is used for judging, after receiving the authentication request information, whether single-user access or multi-user concurrent access is performed according to the received authentication request information, and outputting an access type;
the policy management unit is used for formulating an access policy according to the authentication request information, the ground equipment monitoring information, the space equipment monitoring information and the access type;
the SDN ground control unit is also used for acquiring the access strategy, transmitting the access strategy and the authentication request information to a ground equipment unit, controlling the ground equipment unit to finish authentication work and returning response information to the terminal equipment for authentication;
the SDN space control unit is also used for acquiring the access strategy, issuing the access strategy and the authentication request information to a space equipment unit, controlling the space equipment unit to finish authentication work and returning response information to the terminal equipment for authentication;
the policy management unit includes:
the resource management module is used for managing the resources of the ground network and the space network and making a resource management strategy;
the route management module is used for formulating a route strategy according to the authentication request information, the ground equipment monitoring information, the space equipment monitoring information and the access type;
The gateway management module is used for managing the gateway and making a gateway strategy according to the authentication request information, the ground equipment monitoring information, the space equipment monitoring information and the access type;
and the third transceiver module is used for receiving the authentication request information, the ground equipment monitoring information, the space equipment monitoring information and the access type, and also used for issuing the access strategy, wherein the access strategy comprises a resource management strategy, a routing strategy, a gateway strategy and the access type.
2. The secure and trusted access platform for converged multiple mobile networks of claim 1, wherein the SDN ground control unit comprises:
a first transceiver module, configured to receive the authentication request information sent by the terminal device and to issue the access policy;
a ground equipment monitoring module, configured to monitor the state of the ground equipment unit and to generate the ground equipment monitoring information;
a user controller, configured to control the terminal device to complete the authentication and access once the terminal device has received the response information;
and a security gateway controller, configured to control the gateway to interconnect two preset networks.
3. The secure and trusted access platform for converged multiple mobile networks of claim 1, wherein the SDN space control unit comprises:
a second transceiver module, configured to receive the authentication request information sent by the terminal device and to issue the access policy;
a traffic monitoring module, configured to monitor the state of the traffic in each space network;
a network state monitoring module, configured to monitor the state of each space network, the state of a space network comprising its bandwidth, transmission delay and packet loss rate;
a topology monitoring module, configured to detect topology changes in each space network in real time;
and a space equipment monitoring module, configured to monitor the state of the space equipment unit and to generate the space equipment monitoring information.
4. A secure and trusted access system for converged multiple mobile networks, comprising the secure and trusted access platform for converged multiple mobile networks of any one of claims 1 to 3, and further comprising: a ground equipment unit, a space equipment unit and a terminal device;
the ground equipment unit is configured to receive the authentication request information sent by the terminal device, send the authentication request information to the SDN ground control unit, receive the access policy issued by the SDN ground control unit, perform the access work under the control of the SDN ground control unit according to the access policy, and send the response information once the access work is complete;
the space equipment unit is configured to receive the access policy issued by the SDN space control unit, perform the access work under the control of the SDN space control unit according to the access policy, and send the response information once the access work is complete;
the terminal device is configured to send the authentication request information, receive the response information, and, after authentication, communicate with the corresponding network for signal transmission under the control of the SDN ground control unit.
5. The secure and trusted access system for converged multiple mobile networks of claim 4, wherein the terminal device comprises: a client, a WiFi module, a satellite communication module and a mobile communication module;
the client is configured to send the authentication request information and to authenticate the response information;
and the WiFi module, the satellite communication module and the mobile communication module are configured to connect to the corresponding network and transmit signals after the response information has been authenticated successfully.
6. The secure and trusted access system for converged multiple mobile networks of claim 5, wherein the client is specifically configured to:
generate initial authentication request information;
obtain, from a semi-trusted third-party key generation centre and based on the user identity, a first user private key for the initial authentication request information;
generate a full user private key for the initial authentication request information based on the first user private key;
generate a user public key based on the full user private key;
and sign the initial authentication request information using the first user private key, the full user private key and the user public key, and send the authentication request information carrying either a single signature or an aggregate signature.
7. The secure and trusted access system for converged multiple mobile networks of claim 6, wherein the ground equipment unit comprises a ground authentication module and the space equipment unit comprises a space authentication module;
when the access type is single-user access, the ground authentication module and the space authentication module are each configured to:
receive the authentication request information;
verify the timestamp of the authentication request information according to the access policy;
if the timestamp is fresh, check the authentication request information with a single-signature verification algorithm to determine whether it is legitimate;
and, if the authentication request information is legitimate, sign the response information and return it so that the client can authenticate it.
8. The secure and trusted access system for converged multiple mobile networks of claim 6, wherein the ground equipment unit comprises a ground authentication module and the space equipment unit comprises a space authentication module;
when the access type is multi-user concurrent access, the ground authentication module and the space authentication module are each configured to:
receive the authentication request information;
verify the aggregate signature of the authentication request information with an aggregate verification algorithm;
after the verification passes, sign the response information and return it so that the client can authenticate it;
wherein the response information is broadcast-encrypted to all clients covered by the aggregate signature.
9. The secure and trusted access system for converged multiple mobile networks of any one of claims 4 to 8, further comprising a security situation monitoring platform, the security situation monitoring platform comprising:
a network security situation awareness unit, configured to sense in real time the security state of the network accessed through the secure and trusted access system for converged multiple mobile networks;
a network security situation assessment unit, configured to assess the security situation of the accessed network based on the security state sensed in real time;
and a network security situation prediction unit, configured to predict the security situation of the accessed network over a preset future period based on the security state sensed in real time.
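Claims 6 to 8 state the client-side key derivation and the single/aggregate verification without naming a concrete algorithm. The following is an added illustration, not the patent's own scheme: a pairing-free, Schnorr-style certificateless signature over a toy safe-prime group, in which the semi-trusted key generation centre (KGC) supplies only an identity-bound partial key (playing the role of the "first private key"), the user adds a secret of its own to form the full private key, and the authentication module rebuilds the user's verification key from the KGC public key and the user public key with no certificate lookup. Everything here is an assumption made for the example: the names (safe_prime_group, SemiTrustedKGC, Client, aggregate, Authenticator), the 62-bit group, the request fields and the 30-second freshness window. The aggregate path is the single-signature equation with the n individual scalars summed, so one check covers a whole batch of concurrent users.

```python
import hashlib
import secrets

def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin for large odd n; these fixed bases are deterministic below 3.3e24."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(start: int = 1 << 62):
    """Toy parameters (an assumption; use a standardised group or curve in practice):
    the first safe prime p = 2q + 1 with q above `start`, and g = 4 of prime order q."""
    q = start | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

def _hash_to_scalar(q: int, *parts) -> int:
    data = "|".join(map(str, parts)).encode()      # parts[0] is a domain-separation tag
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

class SemiTrustedKGC:
    """Key generation centre: issues identity-bound partial keys, never learns user secrets."""
    def __init__(self, params):
        self.p, self.q, self.g = params
        self._s = secrets.randbelow(self.q - 1) + 1  # master secret
        self.pub = pow(self.g, self._s, self.p)

    def partial_private_key(self, identity: str):
        r = secrets.randbelow(self.q - 1) + 1
        R = pow(self.g, r, self.p)
        d = (r + self._s * _hash_to_scalar(self.q, "H1", identity, R)) % self.q
        return d, R  # d is the "first private key"; R is published inside the user public key

class Client:
    def __init__(self, identity: str, kgc: SemiTrustedKGC):
        self.identity, self.p, self.q, self.g = identity, kgc.p, kgc.q, kgc.g
        d, R = kgc.partial_private_key(identity)
        x = secrets.randbelow(self.q - 1) + 1        # user-chosen secret, unknown to the KGC
        self._sk = (d + x) % self.q                  # full private key
        self.pk = (R, pow(self.g, x, self.p))        # user public key (R, X)

    def auth_request(self, timestamp: float) -> dict:
        """Schnorr-style signature over (identity, public key, timestamp): sigma = k + h * sk."""
        k = secrets.randbelow(self.q - 1) + 1
        K = pow(self.g, k, self.p)
        h = _hash_to_scalar(self.q, "H2", self.identity, self.pk, timestamp, K)
        return {"id": self.identity, "pk": self.pk, "ts": timestamp, "K": K,
                "sigma": (k + h * self._sk) % self.q}

def aggregate(q: int, requests):
    """Multi-user concurrent access: keep every K_i, replace the n sigmas by their sum mod q."""
    stripped = [{k: v for k, v in r.items() if k != "sigma"} for r in requests]
    return stripped, sum(r["sigma"] for r in requests) % q

class Authenticator:
    """Ground or space authentication module: freshness check, then single or aggregate check."""
    def __init__(self, params, kgc_pub: int, max_skew: float = 30.0):
        self.p, self.q, self.g = params
        self.kgc_pub, self.max_skew = kgc_pub, max_skew

    def _term(self, req) -> int:
        """K_i * Y_i^h_i with Y_i = R * pub^H1(id, R) * X = g^(d + x): no certificate lookup."""
        R, X = req["pk"]
        e = _hash_to_scalar(self.q, "H1", req["id"], R)
        y = R * pow(self.kgc_pub, e, self.p) % self.p * X % self.p
        h = _hash_to_scalar(self.q, "H2", req["id"], req["pk"], req["ts"], req["K"])
        return req["K"] * pow(y, h, self.p) % self.p

    def _fresh(self, req, now: float) -> bool:
        return abs(now - req["ts"]) <= self.max_skew

    def verify_single(self, req, now: float) -> bool:
        return self._fresh(req, now) and pow(self.g, req["sigma"], self.p) == self._term(req)

    def verify_aggregate(self, reqs, sigma: int, now: float) -> bool:
        if not reqs or not all(self._fresh(r, now) for r in reqs):
            return False
        rhs = 1
        for r in reqs:
            rhs = rhs * self._term(r) % self.p
        return pow(self.g, sigma, self.p) == rhs

    def handle(self, reqs, now: float, sigma=None):
        if sigma is None and len(reqs) == 1:     # access-type selection: single vs. concurrent
            return "single", self.verify_single(reqs[0], now)
        return "multi", self.verify_aggregate(reqs, sigma, now)
```

In this example `handle` stands in for the authentication type selection unit, and a request signed under a different KGC (a rogue key generation centre, or a user who never obtained a partial key) fails verification because the verification key is rebuilt from the genuine KGC public key. Two things the example deliberately leaves out: the signature on the response and its broadcast encryption to the aggregated clients (claims 7 and 8), and replay protection inside the freshness window, which the timestamp check alone does not give; a module that must reject a replayed request within that window needs a short-lived cache keyed on (identity, timestamp).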

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211644583.2A CN116056043B (en) 2022-12-20 2022-12-20 Secure and trusted access platform and access system integrating multiple mobile networks

Publications (2)

Publication Number Publication Date
CN116056043A CN116056043A (en) 2023-05-02
CN116056043B true CN116056043B (en) 2024-02-23

Family

ID=86121449

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211644583.2A Active CN116056043B (en) 2022-12-20 2022-12-20 Secure and trusted access platform and access system integrating multiple mobile networks

Country Status (1)

Country Link
CN (1) CN116056043B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012075347A1 (en) * 2010-12-01 2012-06-07 Headwater Partners I Llc End user device that secures an association of application to service policy with an application certificate check
CN113727420A (en) * 2021-09-03 2021-11-30 重庆邮电大学 Multimode access network selection device and method
WO2022002175A1 (en) * 2020-07-01 2022-01-06 大唐移动通信设备有限公司 Dynamic authentication method and apparatus, and device and readable storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170085494A1 (en) * 2015-09-18 2017-03-23 Electronics And Telecommunications Research Institute Converged network system independent of access scheme, and method thereof

Also Published As

Publication number Publication date
CN116056043A (en) 2023-05-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant