CN116707807A - Distributed zero-trust micro-isolation access control method and system
- Publication number: CN116707807A (application CN202310996548.5A)
- Authority: CN (China)
- Prior art keywords: resource, access, authentication key, sdp, authorized
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0852—Quantum cryptography
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/40—Network security protocols
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Abstract
The invention discloses a distributed zero-trust micro-isolation access control method and system. The method comprises the following steps: a user side initiates a resource authorization request to a security center, so that the security center applies to the quantum key distribution network for an authentication key identifier corresponding to the authorized access resource and generates an SDP policy; the user side receives the SDP policy returned by the security center and establishes a secure channel with an SDP gateway based on the SDP policy in order to access the authorized access resource; the user side acquires the corresponding authentication key from the quantum key distribution network based on the authentication key identifier and calculates a hash value of the resource information using the authentication key; and the user side transmits the hash value and the authentication key identifier to the authorized access resource, so that the authorized access resource acquires the corresponding authentication key from the quantum key distribution network, performs identity authentication on the user terminal, and then allows the access. The invention uses identity authentication and access control means based on cryptographic technology to realize the last segment of micro-isolation in the zero-trust flow.
Description
Technical Field
The invention relates to the technical field of cryptographic applications, in particular to a distributed zero-trust micro-isolation access control method and system.
Background
Zero-trust "micro-isolation" divides an unstructured, unbounded network into many small logical segments in such a way that each segment holds only one computing resource, and all traffic entering or leaving the segment must pass through the access control device. In a network that originally has no access control capability, this creates an overall controllable zero-trust network in which each resource is logically isolated from every other resource. With this technique IT staff can define dedicated security settings for different kinds of data flows, creating specific security policies that restrict the network and application flows between the various workloads.
Zero-trust solutions generally use an SDP gateway (Software Defined Perimeter, a software-defined boundary based on the zero-trust concept) and TLS (Transport Layer Security) to identify the entity sending the access request and protect its channel, while the accessed resource performs fine-grained access control through a front-end firewall or reverse proxy. These schemes have the following disadvantages:
(1) There is a last-mile security risk: an attack surface still exists between the firewall or reverse proxy and the accessed resource.
(2) Because protection relies on access control alone, unauthorized use of the data connection remains possible after the TLS connection is terminated at the SDP gateway.
In the related art, patent application publication CN115567210a proposes a method for realizing zero-trust access with quantum key distribution. That scheme uses quantum key distribution and symmetric cryptography to enforce access control on resources protected by a zero-trust gateway. The quantum key distribution (QKD) network is used to distribute pre-shared master keys; these do not encrypt data directly but only protect the distribution of data encryption keys. A communication message from the user to the gateway carries the ciphertext of the data encryption key and the master key ID, and the message is protected with block symmetric encryption, but no special protection is applied between the gateway and the accessed resource.
Disclosure of Invention
The technical problem the invention aims to solve is how to realize the last segment of micro-isolation in the zero-trust flow.
The invention solves this technical problem by the following technical means:
In a first aspect, the present invention provides a distributed zero-trust micro-isolation access control method applied to a user terminal, where the method includes:
the user side initiates a resource authorization request to a security center so that the security center applies to the quantum key distribution network for an authentication key identifier corresponding to the authorized access resource and generates an SDP policy;
receiving the SDP policy returned by the security center, and establishing a secure channel with an SDP gateway based on the SDP policy to access the authorized access resource;
acquiring the corresponding authentication key from the quantum key distribution network based on the authentication key identifier, and calculating a hash value of the resource information using the authentication key;
and sending the hash value and the authentication key identifier to the authorized access resource, so that the authorized access resource acquires the corresponding authentication key from the quantum key distribution network, performs identity authentication on the user terminal, and then allows the access.
In a second aspect, the present invention proposes a distributed zero-trust micro-isolation access control method, applied to a security center, the method comprising:
receiving a resource authorization request sent by a user side, and generating a task ID based on the resource authorization request, where the task ID is bound to an identifier of the user side, the QKD node to which the user side belongs, an identifier of an authorized access resource and the QKD node to which the authorized access resource belongs;
for each task ID, sending an authentication key request to the QKD node to which the corresponding authorized access resource belongs, so that this QKD node sends an authentication key and its authentication key identifier to the QKD node;
and receiving the authentication key identifier returned by the QKD node to which the authorized resource belongs, generating an SDP policy based on the authentication key identifier, and sending the SDP policy to the user terminal and the SDP gateway so that the user terminal and the SDP gateway establish a channel for accessing the authorized resource based on the SDP policy.
In a third aspect, the present invention provides a distributed zero-trust micro-isolation access control method, applied to an accessed resource party, the method comprising:
intercepting, through a service mesh, a resource access request sent by a user side to an authorized access resource, where the resource access request carries a first hash value of the resource information calculated using an authentication key, together with the authentication key identifier;
acquiring the corresponding authentication key from the quantum key distribution network according to the authentication key identifier, and calculating a second hash value of the resource information based on the authentication key;
comparing the second hash value with the first hash value to perform identity authentication of the user side;
and after the identity authentication passes, transmitting access permission information to the user side.
In a fourth aspect, the present invention proposes a client on which a zero-trust proxy runs, where the zero-trust proxy is configured to execute the distributed zero-trust micro-isolation access control method according to the first aspect of the present invention.
In a fifth aspect, the present invention proposes a security center comprising:
an identity authentication module, configured to receive a resource authorization request sent by a user side and generate a task ID based on the resource authorization request, where the task ID is bound to an identifier of the user side, the QKD node to which the user side belongs, an identifier of an authorized access resource and the QKD node to which the authorized access resource belongs;
an SDP controller, configured to send, for each task ID, an authentication key request to the QKD node to which the corresponding authorized access resource belongs, so that this QKD node sends an authentication key and its authentication key identifier to the QKD node; and to receive the authentication key identifier returned by the QKD node to which the authorized access resource belongs, generate an SDP policy based on the authentication key identifier, and send the SDP policy to the user terminal and the SDP gateway so that the user terminal and the SDP gateway establish a channel for accessing the authorized resource based on the SDP policy.
In a sixth aspect, the present invention proposes an accessed resource party on which a service mesh runs, where the service mesh is configured to execute the distributed zero-trust micro-isolation access control method proposed in the third aspect of the present invention.
In a seventh aspect, the present invention provides a distributed zero-trust micro-isolation access control system, where the system includes a user side, an accessed resource side, a security center, and a quantum key distribution network, where the user side is connected to the accessed resource side via an SDP gateway, the user side, the accessed resource side, and the security center are all connected to the quantum key distribution network, and the user side is connected to the security center, where:
the user end runs a zero trust proxy and is used for initiating a resource authorization request to the security center;
the security center is configured to generate an SDP policy based on the authentication key identifier that it applied for from the quantum key distribution network for the resource authorized by the user side's resource authorization request, and to send the SDP policy to the user side and the SDP gateway, so that the user side and the SDP gateway establish a secure channel for accessing the authorized resource based on the SDP policy;
the accessed resource side runs a service mesh and is used to acquire the authentication key from the quantum key distribution network, so as to authenticate the last segment of the user side's access behavior and authorize that access to the authorized resource directly.
The invention has the advantages that:
(1) The invention realizes access control on the server of the accessed resource itself, with the access control running on the same physical device and operating system as the accessed resource, and thereby solves the last-mile security problem. Specifically, the user side accesses the authorized access resource over the secure channel with the SDP gateway, using the authentication key generated by the quantum key distribution network and keyed cryptographic hashing; the accessed resource authenticates and manages the user side's access behavior using the same authentication key and keyed cryptographic hashing; and the last segment of micro-isolation in the zero-trust flow is realized by identity authentication and access control means based on cryptographic technology. Compared with traditional zero-trust schemes, the method has advantages in access control strength and granularity, key management, service transparency and security.
(2) The QKD network distributes the data encryption key, and that key is used directly for resource access control: it not only protects and authenticates the communication message from the user to the gateway but also performs secondary authentication, by keyed hash computation, on the resource access request from the gateway to the accessed resource, so that no last-mile security problem exists.
(3) Because the service mesh is deployed alongside the accessed resource as a sidecar, there is no attack surface between the service mesh and the accessed resource.
(4) After the TLS secure channel is terminated at the SDP gateway, the data connection for resource access is authenticated with a keyed cryptographic hash, so unauthorized use is not possible.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
FIG. 1 is a flow chart of a distributed zero-trust micro-isolation access control method according to a first embodiment of the present invention;
FIG. 2 is a flow chart of a distributed zero-trust micro-isolation access control method according to a second embodiment of the present invention;
FIG. 3 is a flow chart of a distributed zero-trust micro-isolation access control method according to a third embodiment of the present invention;
FIG. 4 is a schematic view of a security center according to a fifth embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a distributed zero-trust micro-isolation access control system according to a seventh embodiment of the present invention;
FIG. 6 is a schematic workflow diagram of a distributed zero-trust micro-isolation access control system according to a seventh embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly and completely described in the following in conjunction with the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
As shown in fig. 1, a first embodiment of the present invention discloses a distributed zero-trust micro-isolation access control method, which is applied to a user terminal, and the method includes the following steps:
S101, a user side initiates a resource authorization request to a security center so that the security center applies to the quantum key distribution network for an authentication key identifier corresponding to the authorized access resource and generates an SDP policy;
s102, receiving the SDP policy returned by the security center, and establishing a security channel with an SDP gateway based on the SDP policy to access authorized access resources;
s103, acquiring a corresponding authentication key from the quantum key distribution network based on the authentication key identification, and calculating a hash value of resource information by using the authentication key;
and S104, the hash value and the authentication key identifier are sent to the authorized access resource, so that after the authorized access resource acquires the corresponding authentication key from the quantum key distribution network and performs identity authentication on the user terminal, the access is allowed.
In this embodiment, the user side sends a resource authorization request to the security center and receives the SDP policy returned by the security center, so as to establish a secure channel with the SDP gateway. It then accesses the authorized access resource using the authentication key generated by the quantum key distribution network together with keyed cryptographic hashing, while the accessed resource authenticates and manages the user side's access behavior using the same authentication key and keyed cryptographic hashing. The last segment of micro-isolation in the zero-trust flow is thus implemented with identity authentication and access control means based on cryptographic technology.
In one embodiment, step S101 (the user side initiates a resource authorization request to a security center so that the security center applies to the quantum key distribution network for an authentication key identifier corresponding to the authorized access resource and generates an SDP policy) specifically comprises the following step:
and initiating a resource authorization request to a security center, wherein the resource authorization request carries information including an identifier of a user side initiating access behavior and a security state, so that the security center evaluates the security state to determine a resource authorized to be accessed by the user side, and applies for an authentication key identifier corresponding to the authorized resource to the quantum key distribution network to generate an SDP policy.
Specifically, an entity initiating the access behavior, such as a user, initiates identity authentication to a security center and reports a security state; the security center is used for carrying out identity authentication on the entity initiating the access behavior, carrying out security assessment according to the security state of the entity initiating the access behavior, and determining the resource authorized to access the entity according to the assessment result.
The security center determines the QKD node of the access party to which the security center belongs according to the identification information (IP or URI, etc.) of the user terminal, and determines each QKD node of the resource party to which the authorized access resource belongs according to the identification information (IP or URI, etc.) of the resource authorized to the user terminal; the security center generates a unique task ID (such as UUID) of the whole system for each pair of access entities and authorized resources, and binds the unique task ID with the user end initiating the access, the access QKD node to which the user end belongs, the authorized resources and the resource QKD node to which the authorized resources belong. The security center applies for each task an authentication key to the corresponding resource-side QKD node, and generates an SDP policy based on the authentication key.
The quantum key distribution network comprises QKD nodes and a quantum network link control center, and provides services such as quantum key generation, quantum key relay and quantum key provisioning. The user end and the accessed resource are each connected to a corresponding QKD node in the quantum key distribution network. The QKD nodes are responsible for key distribution within their domain and for key transfer between domains; transfer of the session key between domains over the QKD key distribution channel is considered secure. Directly connected QKD nodes transfer and synchronize keys over the quantum network QKD link, while QKD nodes that are not directly connected do so through the quantum key distribution network and trusted relays.
In one embodiment, the step S102: receiving the SDP policy returned by the security center, and establishing a secure channel with an SDP gateway based on the SDP policy to access authorized access resources, comprising the following steps:
s121, receiving the SDP policy returned by the security center, wherein the SDP policy comprises an authentication key identifier corresponding to each authorized access resource;
S122, based on the SDP policy, a TLS secure channel is established with the SDP gateway through the zero-trust proxy, and the authorized access resource is accessed through the TLS secure channel.
It should be noted that the zero-trust proxy runs on the device or application at the user side and is responsible for the security functions of identity authentication, security information collection and reporting, SDP policy delivery, TLS channel establishment, micro-mesh authentication, etc. for the entity initiating access.
In this embodiment, the user terminal initiating the access behavior establishes a TLS secure channel between the zero-trust proxy and the SDP gateway, reaches the network where the accessed resource is located through that channel, and then connects to the accessed resource. After the TLS connection is terminated at the SDP gateway, the data connection for accessing the resource is authenticated with a keyed cryptographic hash, so unauthorized use is not possible.
In an embodiment, the step S103: acquiring a corresponding authentication key from the quantum key distribution network based on the authentication key identification, and calculating a hash value of resource information by using the authentication key, wherein the method comprises the following steps:
s131, acquiring a corresponding authentication key from the quantum key distribution network based on the authentication key identification through a zero trust proxy;
S132, calculating a hash value of the resource information using the authentication key and a keyed cryptographic hash algorithm, where the resource information is: key identifier || source IP || source port || destination IP || destination port || predefined pad string, with || denoting concatenation.
In an embodiment, after the hash value and the authentication key identification are sent to the authorized access resource in step S104, the method further comprises the steps of:
receiving access permission information returned by the authorized access resource, wherein the access permission information is generated after the authorized access resource acquires a corresponding authentication key from the quantum key distribution network to carry out identity authentication on the user terminal;
and receiving access refusing information returned by the authorized access resource, wherein the access refusing information is generated after the authorized access resource acquires a corresponding authentication key from the quantum key distribution network to carry out identity authentication failure on the user terminal.
In an embodiment, the client stores a pre-shared master key pre-loaded by the quantum key distribution network, and the method further includes:
when the user side communicates with the corresponding QKD node in the quantum key distribution network, the pre-shared master key is used for protection.
It should be noted that the transmission channel between a QKD node and every service node (such as a user end) connected to it within the domain is protected by encryption under the master key. The master key is copied into each service node through a secure medium, and the communication (key distribution) between the QKD node and the service node is protected with the master key, which improves the security of key distribution.
Example 2
As shown in fig. 2, a second embodiment of the present invention discloses a distributed zero-trust micro-isolation access control method, applied to a security center, the method comprising the following steps:
s201, receiving a resource authorization request sent by a user terminal, and generating a task ID based on the resource authorization request, wherein the task ID is bound with an identifier of the user terminal, a QKD node to which the user terminal belongs, an identifier of an authorized access resource and a QKD node to which the authorized access resource belongs;
S202, for each task ID, sending an authentication key request to a QKD node to which a corresponding authorized access resource belongs, so that the QKD node to which the authorized access resource belongs sends an authentication key and an authentication key identification thereof to the QKD node;
s203, receiving an authentication key identifier returned by the QKD node to which the authorized resource belongs, generating an SDP policy based on the authentication key identifier, and sending the SDP policy to the user terminal and the SDP gateway so that the user terminal and the SDP gateway establish a channel for accessing the authorized resource based on the SDP policy.
In this embodiment, the security center determines the resource authorized for access based on the resource authorization request sent by the user terminal, applies to the quantum key distribution network for an authentication key corresponding to the authorized resource, and generates an SDP policy based on the authentication key, so that the user terminal and the SDP gateway establish a channel for accessing the authorized resource based on the SDP policy, thereby enabling the user terminal to access the resource.
In an embodiment, the step S201: receiving a resource authorization request sent by a user terminal, and generating a task ID based on the resource authorization request, wherein the method comprises the following steps:
S211, receiving a resource authorization request sent by a user terminal, wherein the resource authorization request carries information including an identifier and a security state of the user terminal initiating the access behavior;
S212, carrying out a security assessment of the security state of the user terminal, and determining the authorized access resources based on the assessment result;
S213, determining the QKD node to which the user terminal belongs according to the identifier of the user terminal, and determining the QKD node to which the authorized access resource belongs according to the identifier of the authorized access resource;
S214, generating a task ID for the user terminal initiating the access behavior and the corresponding authorized access resource.
Specifically, the security center performs identity authentication on the entity initiating the access behavior, performs a security assessment according to the security state reported by that entity, and determines the resources the entity is authorized to access according to the assessment result. The security center determines the access QKD node to which the entity belongs based on the entity's identity information (IP or URI, etc.), and determines the resource QKD node to which each authorized resource belongs based on the resource identity (IP or URI, etc.). The security center then generates a system-wide unique task ID (such as a UUID) for each access entity-authorized resource pair, binding the access entity, the access QKD node to which it belongs, the authorized resource, and the resource QKD node to which that resource belongs.
In one embodiment, the authentication key identifier is ID_QKD || Seq_Key, where ID_QKD is the identity of the QKD node to which the authorized access resource belongs, Seq_Key is the sequence number of the authentication key, and || denotes concatenation.
Specifically, the security center applies to the corresponding resource QKD node for an authentication key for each task respectively. The resource-side QKD node generates an authentication key for the task ID, identified by ID_QKD || Seq_Key, i.e. the identifier of the QKD node concatenated with the key sequence number. It then initiates a quantum key transfer (when a direct QKD link exists between the two QKD nodes) or a trusted relay (when no direct QKD link exists between them) to the accessing QKD node, synchronizes the authentication key and its key identifier to the accessing QKD node, and returns the key identifier to the security center. The security center sends the corresponding SDP policy to the entity initiating the access behavior and to the SDP gateway, where the SDP policy sent to the entity includes the authentication key identifier corresponding to each authorized resource.
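The control-plane part of this embodiment (steps S211 to S214 followed by S202 and S203), written out as an added Python example; this is not code from the patent. The QKD network is simulated: `QKDNode` hands out random bytes where real hardware would supply QKD-derived key material, `QKDNetwork` finds either a direct link or a trusted-relay path between two nodes, and the directory data (`ENTITY_QKD`, `RESOURCE_QKD`), the topology in `build_demo_network` and the assessment rule in `assess` are all constructed for the example. The point worth seeing is that the security center binds a task ID per (entity, resource) pair and ends up holding only the key identifier `ID_QKD || Seq_Key`, never the key itself.

```python
import secrets
import uuid
from collections import deque
from dataclasses import dataclass, field

# Constructed directory data (not from the patent): which QKD node an entity or
# resource identity (IP or URI) belongs to, and which resources require a fully
# compliant endpoint posture before the security center authorizes them.
ENTITY_QKD = {"10.0.1.5": "QKD-A"}
RESOURCE_QKD = {"svc://orders-db": "QKD-C", "svc://orders-api": "QKD-B"}
REQUIRES_COMPLIANT = {"svc://orders-db"}


@dataclass
class QKDNode:
    """Simulated QKD node: issues per-task authentication keys indexed by ID_QKD || Seq_Key."""
    node_id: str
    links: set                                   # directly connected QKD nodes
    seq: int = 0
    keys: dict = field(default_factory=dict)     # key identifier -> key bytes

    def issue_key(self):
        self.seq += 1
        key_id = f"{self.node_id}:{self.seq:08d}"     # ID_QKD || Seq_Key, ':' used as delimiter
        self.keys[key_id] = secrets.token_bytes(32)   # stands in for QKD-derived key material
        return key_id


class QKDNetwork:
    """Simulated link control center: direct QKD link or trusted-relay path between nodes."""
    def __init__(self, nodes):
        self.nodes = {n.node_id: n for n in nodes}

    def path(self, src, dst):
        """Breadth-first search over QKD links; a direct link yields [src, dst]."""
        prev, queue = {src: None}, deque([src])
        while queue and dst not in prev:
            cur = queue.popleft()
            for nxt in sorted(self.nodes[cur].links):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        if dst not in prev:
            raise RuntimeError(f"no QKD path from {src} to {dst}")
        hops = []
        while dst is not None:
            hops.append(dst)
            dst = prev[dst]
        return hops[::-1]

    def sync_key(self, src, dst, key_id):
        """Copy the key to every hop on the path; intermediate hops act as trusted relays."""
        hops = self.path(src, dst)
        for hop in hops[1:]:
            self.nodes[hop].keys[key_id] = self.nodes[src].keys[key_id]
        return hops


def assess(security_state):
    """Constructed assessment rule: a non-compliant endpoint only gets resources that do not
    require compliance."""
    compliant = bool(security_state.get("disk_encrypted")) and bool(security_state.get("patched"))
    return {r for r in RESOURCE_QKD if compliant or r not in REQUIRES_COMPLIANT}


class SecurityCenter:
    def __init__(self, net):
        self.net = net
        self.tasks = {}   # task ID -> (entity, access QKD node, resource, resource QKD node)

    def authorize(self, entity_id, security_state):
        """Returns (SDP policy for the entity, SDP policy for the SDP gateway)."""
        access_node = ENTITY_QKD[entity_id]
        entity_policy = {"entity": entity_id, "resources": {}}
        gateway_policy = {"entity": entity_id, "allow": []}
        for resource in sorted(assess(security_state)):
            resource_node = RESOURCE_QKD[resource]
            task_id = str(uuid.uuid4())                  # unique per (entity, resource) pair
            self.tasks[task_id] = (entity_id, access_node, resource, resource_node)
            key_id = self.net.nodes[resource_node].issue_key()   # key generated resource-side
            hops = self.net.sync_key(resource_node, access_node, key_id)
            # Only the identifier reaches the center and the entity's policy, never the key.
            entity_policy["resources"][resource] = {
                "task_id": task_id, "key_id": key_id, "via_relay": len(hops) > 2}
            gateway_policy["allow"].append(resource)
        return entity_policy, gateway_policy


def build_demo_network():
    """Constructed topology QKD-A - QKD-B - QKD-C: A reaches C only through B as a relay."""
    return QKDNetwork([QKDNode("QKD-A", {"QKD-B"}),
                       QKDNode("QKD-B", {"QKD-A", "QKD-C"}),
                       QKDNode("QKD-C", {"QKD-B"})])


if __name__ == "__main__":
    center = SecurityCenter(build_demo_network())
    print(center.authorize("10.0.1.5", {"disk_encrypted": True, "patched": True}))
```

With the demo topology, the key for `svc://orders-db` is generated at QKD-C and reaches the entity's access node QKD-A through QKD-B, so `via_relay` is true for that resource and false for `svc://orders-api`, whose QKD-B node is directly linked to QKD-A; a second request from a non-compliant endpoint receives a policy for `svc://orders-api` only.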
Example 3
As shown in fig. 3, a third embodiment of the present invention discloses a distributed zero-trust micro-isolation access control method applied to an accessed resource, the method comprising the steps of:
S301, intercepting, through a service grid, a resource access request sent by a user terminal to an authorized access resource, wherein the resource access request carries information including a first hash value of resource information calculated using an authentication key, and an authentication key identifier;
S302, acquiring the corresponding authentication key from the quantum key distribution network according to the authentication key identifier, and calculating a second hash value of the resource information based on the authentication key;
S303, comparing the second hash value with the first hash value, and carrying out identity authentication of the user side;
S304, after the identity authentication has passed, sending permission access information to the user terminal.
It should be noted that the service grid running on the accessed resource side intercepts the first hash value and the key identifier sent by the user side, obtains the authentication key of the present task from the corresponding resource-side QKD node according to the key identifier, calculates the second hash value of the resource information with that authentication key, performs identity authentication on the entity initiating the access behavior, and allows the present access to the protected resource only after the authentication (comparison verification) passes. The last segment of micro-isolation in the zero-trust flow is thus realized by configuring a service grid dedicated to the accessed resource and combining quantum key distribution with keyed cryptographic hashing to authenticate and control the access behavior. Because identity identification and access control in this last segment rest on cryptography rather than on network position, the security risk of that final segment is avoided, and no attack surface exists between the service grid deployed as a sidecar and the accessed resource.
In an embodiment, the resource information includes a key identification, a source IP, a source port, a destination IP, and a predefined pad string.
In an embodiment, the accessed resource is connected to a corresponding QKD node in the quantum key distribution network.
In an embodiment, the accessed resource stores a pre-shared master key pre-loaded via the quantum key distribution network, and the method further comprises:
when the accessed resource side communicates with the corresponding QKD node in the quantum key distribution network, protecting that communication with the pre-shared master key.
In an embodiment, after the end of the resource access, the method further comprises:
sending a key destruction request through the service grid to the QKD node to which the accessed resource side belongs, so that the corresponding QKD node destroys the authentication key corresponding to the access task.
Example 4
Based on the disclosure of embodiment 1, the present embodiment correspondingly provides a user side, where a zero trust proxy is running in the user side, where the zero trust proxy is used to execute the distributed zero trust micro-isolation access control method described in embodiment 1.
It should be noted that, in other embodiments of the user terminal or the implementation method of the user terminal according to the present invention, reference may be made to the above-mentioned method embodiment 1, and no redundant description is provided herein.
Example 5
As shown in fig. 4, a fifth embodiment of the present invention discloses a security center including:
the identity authentication module 11 is configured to receive a resource authorization request sent by a user terminal, and generate a task ID based on the resource authorization request, where the task ID is bound with an identifier of the user terminal, an identifier of a QKD node to which the user terminal belongs, an identifier of an authorized access resource, and a QKD node to which the authorized access resource belongs;
an SDP controller 12, configured to send, for each task ID, an authentication key request to the QKD node to which the corresponding authorized access resource belongs, so that this QKD node sends an authentication key and its authentication key identifier to the QKD node to which the user terminal belongs; and to receive the authentication key identifier returned by the QKD node to which the authorized access resource belongs, generate an SDP policy based on the authentication key identifier, and send the SDP policy to the user terminal and the SDP gateway so that the user terminal and the SDP gateway establish a channel for accessing the authorized resource based on the SDP policy.
In one embodiment, the identity authentication module 11 includes:
the resource authorization request unit is used for receiving a resource authorization request sent by a user terminal, wherein the resource authorization request carries information including an identifier and a security state of the user terminal initiating the access behavior;
The resource determining unit is used for carrying out security assessment on the security state of the user terminal and determining authorized access resources based on the assessment result;
a QKD node determining unit, configured to determine, according to the identifier of the user side, a QKD node to which the user side belongs, and determine, according to the identifier of the authorized access resource, a QKD node to which the authorized access resource belongs;
the task ID generation unit, used for generating a task ID for the user side initiating the access behavior and the corresponding authorized access resource.
It should be noted that, in other embodiments of the security center or the implementation method of the present invention, reference may be made to the above-mentioned method embodiment 2, and redundant description is omitted here.
Example 6
Based on the disclosure of embodiment 3, the present embodiment correspondingly provides an accessed resource party, where a service grid is running in the accessed resource party, where the service grid is used to execute the distributed zero-trust micro-isolation access control method described in embodiment 3.
It should be noted that, in other embodiments of the accessed resource side or the implementation method of the present invention, reference may be made to the above-mentioned method embodiment 3, and no redundant description is provided herein.
Example 7
As shown in fig. 5, a seventh embodiment of the present invention discloses a distributed zero-trust micro-isolation access control system, where the system includes a user side, an accessed resource side, a security center, and a quantum key distribution network, the user side and the accessed resource side are connected through an SDP gateway, the user side, the accessed resource side, and the security center are all connected to the quantum key distribution network, and the user side is connected to the security center, where:
The user end runs a zero trust proxy and is used for initiating a resource authorization request to the security center;
the security center is configured to apply to the quantum key distribution network, based on the resource authorization request sent by the user side, for an authentication key identifier corresponding to each authorized resource, to generate an SDP policy based on that identifier, and to send the SDP policy to the user side and the SDP gateway, so that the user side and the SDP gateway establish a security channel for accessing the authorized resource based on the SDP policy;
the accessed resource side runs a service grid and is used for acquiring the authentication key from the quantum key distribution network, so as to authenticate the last segment of the user side's access behavior and directly authorize that access to the authorized resource.
Specifically, the zero trust proxy runs on the equipment or application at the user side and is responsible for the security functions of identity authentication, security information collection and reporting, SDP policy receipt, TLS channel establishment, service grid authentication and the like on behalf of the entity initiating access.
The service grid is a network service proxy running as a sidecar alongside the equipment or application service at the accessed resource side. It has the security functions of routing, flow control, identity authentication, access control, flow analysis and the like, acts as the security agent of a single accessed resource, and realizes micro-isolation of that single resource. The service grid in this embodiment is responsible for authenticating the access entity in the last segment of the access activity using the key obtained from the QKD node and for directly authorizing that access activity to the single resource being protected.
The security center comprises an SDP controller and an identity authentication module, performs identity authentication on the entity initiating the access behavior, performs security evaluation according to the security state of the entity initiating the access behavior, and sends corresponding SDP strategies to the entity initiating the access behavior and an SDP gateway after determining the resources authorized to access the entity according to the evaluation result;
the SDP gateway is used for establishing a TLS security channel with the zero trust proxy according to the SDP policy sent by the security center, carrying out traffic encryption and carrying out access control on an entity initiating access behaviors;
the quantum key distribution network comprises QKD nodes and a quantum network link control center, and realizes services such as quantum key generation, quantum key relay and quantum key provision. The quantum network link control center establishes quantum key distribution and relay links between nodes according to QKD node IDs.
The QKD nodes are responsible for intra-domain key distribution and inter-domain key transmission. Transmission of inter-domain session keys over the QKD key distribution channels is considered secure: directly connected QKD nodes transmit and synchronize keys over quantum network QKD links, and QKD nodes without a direct connection do so over the quantum key distribution network via trusted relays. The user end and the accessed resource side both store pre-shared master keys pre-loaded by the quantum key distribution network. Transmission channels between a QKD node and all service nodes (such as the user end and the accessed resource) connected to it within the domain are protected by encryption under the master key; the master keys are copied into the service nodes through a secure medium, and communication (key distribution) between the QKD node and the service nodes is protected by the master key.
Further, as shown in fig. 6, the workflow of the distributed zero-trust micro-isolation access control system disclosed in this embodiment includes:
(1) In the initialization stage, a service grid is installed for each accessed resource, a zero trust proxy is installed for each entity initiating access, and a pre-shared master key, used for the secure connection between these nodes and their local QKD nodes, is injected offline into the service grid and the zero trust proxy by means of a secure medium.
(2) The entity initiating the access behavior initiates identity authentication to the security center and reports its security state.
(3) The security center performs identity authentication on the entity initiating the access behavior, performs security assessment according to the security state of the entity initiating the access behavior, and determines the resource authorized to access the entity according to the assessment result. The security center determines the access QKD node to which it belongs based on the identity information (IP or URI, etc.) of the entity, and determines each of the resource QKD nodes to which it belongs based on the resource identity (IP or URI, etc.) granted to the entity.
(4) The security center generates a system-wide unique task ID (such as UUID) for each access entity-authorized resource pair, and binds the access entity, the access QKD node to which the access entity belongs, the authorized resource, and the resource QKD node to which the authorized resource belongs. The security center applies for each task an authentication key to the corresponding resource-side QKD node, respectively.
(5) The resource-side QKD node generates an authentication key for the task ID, identified by ID_QKD || Seq_Key, i.e. the identifier of the QKD node concatenated with the key sequence number. It then initiates a quantum key transfer (when a direct QKD link exists between the two QKD nodes) or a trusted relay (when no direct QKD link exists between them) to the accessing QKD node, synchronizes the authentication key and its key identifier to the accessing QKD node, and returns the key identifier to the security center.
(6) The security center sends the corresponding SDP policy to the entity initiating the access behavior and the SDP gateway, wherein the SDP policy sent to the entity comprises an authentication key identifier corresponding to each authorized resource.
(7) And the entity initiating the access action establishes a TLS security channel through the zero trust proxy and the SDP gateway, and accesses the network where the accessed resource is located through the security channel to further connect the accessed resource.
(8) The entity initiating the access action obtains, through the zero trust proxy, the authentication key from the accessing QKD node based on the accessed resource's authentication key identifier, and computes a hash value over the following data using the authentication key and a keyed cryptographic hash algorithm: key identifier || source IP || source port || destination IP || predefined pad string. The hash value is sent to the accessed resource together with the key identifier.
(9) The service grid of the accessed resource intercepts the hash value and the key identifier, acquires the authentication key of the task from the resource-side QKD node according to the key identifier, calculates the hash value in the same way as in step (8), performs identity authentication on the entity initiating the access behavior, and allows access to the protected resource after the authentication (comparison verification) passes.
(10) After the access task is finished, the service grid informs the QKD node of the resource party to destroy the information such as the authentication key corresponding to the task ID.
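Steps (7) to (10) above, which are the data-plane counterpart of Example 3, as an added Python example that is not the patent's implementation. The keys are assumed to have already been synchronized to both sides' QKD nodes, which `QKDKeyStore` stands in for; HMAC-SHA256 is assumed as the keyed cryptographic hash and `PAD_STRING` is a constructed value, since the patent names neither. Two defender-side details the prose leaves implicit are made explicit: the sidecar recomputes the hash from the connection tuple it observed itself rather than from addresses the client claims, so a hash captured on one connection does not verify on another, and comparison uses a constant-time function.

```python
import hashlib
import hmac
import ipaddress

# Constructed predefined pad string (the patent leaves its value unspecified).
PAD_STRING = b"zt-micro-isolation/v1"


class QKDKeyStore:
    """Stand-in for a service node's local QKD node: keys are looked up by identifier
    and destroyed once the access task ends (step 10)."""
    def __init__(self, keys=None):
        self.keys = dict(keys or {})

    def get(self, key_id):
        return self.keys.get(key_id)

    def destroy(self, key_id):
        self.keys.pop(key_id, None)


def resource_info(key_id, src_ip, src_port, dst_ip):
    """Canonical byte encoding of key identifier || source IP || source port ||
    destination IP || predefined pad string. Length-prefixed and fixed-width fields
    ensure two different inputs never encode to the same byte string."""
    return b"".join([
        len(key_id).to_bytes(2, "big"), key_id.encode("ascii"),
        ipaddress.ip_address(src_ip).packed,
        int(src_port).to_bytes(2, "big"),
        ipaddress.ip_address(dst_ip).packed,
        PAD_STRING,
    ])


def keyed_hash(key, info):
    """HMAC-SHA256 as the keyed cryptographic hash (assumed; the patent does not name one)."""
    return hmac.new(key, info, hashlib.sha256).digest()


def zero_trust_proxy_request(access_store, key_id, src_ip, src_port, dst_ip):
    """Step (8): the user side fetches the task key from its access QKD node and computes
    the first hash value; only the hash and the key identifier travel to the resource."""
    key = access_store.get(key_id)
    if key is None:
        raise LookupError(f"access QKD node holds no key for {key_id}")
    return {"key_id": key_id,
            "hash": keyed_hash(key, resource_info(key_id, src_ip, src_port, dst_ip))}


def service_mesh_verify(resource_store, request, conn_src_ip, conn_src_port, conn_dst_ip):
    """Step (9): the sidecar recomputes the second hash from the connection tuple it
    observed itself, compares in constant time, and returns "permit" or "deny"."""
    key = resource_store.get(request["key_id"])
    if key is None:
        return "deny"                      # unknown task, or key already destroyed
    expected = keyed_hash(
        key, resource_info(request["key_id"], conn_src_ip, conn_src_port, conn_dst_ip))
    return "permit" if hmac.compare_digest(expected, request["hash"]) else "deny"


def end_access(resource_store, key_id):
    """Step (10): after the access task ends, the sidecar has its QKD node destroy the key."""
    resource_store.destroy(key_id)
    return resource_store.get(key_id) is None


if __name__ == "__main__":
    key_id = "QKD-C:00000001"
    key = bytes(range(32))      # constructed; in practice synchronized between QKD nodes
    access_node = QKDKeyStore({key_id: key})
    resource_node = QKDKeyStore({key_id: key})
    req = zero_trust_proxy_request(access_node, key_id, "10.0.1.5", 51234, "10.0.3.7")
    print(service_mesh_verify(resource_node, req, "10.0.1.5", 51234, "10.0.3.7"))
    print(service_mesh_verify(resource_node, req, "10.0.9.9", 51234, "10.0.3.7"))
```

Once `end_access` has destroyed the task key, the same request is denied even though its hash was valid a moment earlier, which is the property step (10) is there to provide: each task's key is usable for exactly one access task.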
This embodiment configures a service grid dedicated to each accessed resource and combines quantum key distribution with keyed cryptographic hashing to authenticate and control the access behavior, so that the last segment of micro-isolation in the zero-trust flow is realized. Compared with traditional zero-trust schemes, the method has advantages in access control strength and granularity, key management, transparency to the service, and security.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.
Claims (19)
1. The distributed zero-trust micro-isolation access control method is characterized by being applied to a user side, and comprises the following steps:
the user side initiates a resource authorization request to a security center, so that the security center applies to a quantum key distribution network for an authentication key identifier corresponding to the authorized access resource and generates an SDP policy;
receiving the SDP policy returned by the security center, and establishing a security channel with an SDP gateway based on the SDP policy to access authorized access resources;
Acquiring a corresponding authentication key from the quantum key distribution network based on the authentication key identification, and calculating a hash value of resource information by using the authentication key;
and sending the hash value and the authentication key identification to the authorized access resource so as to allow the access after the authorized access resource acquires the corresponding authentication key from the quantum key distribution network to carry out identity authentication on the user terminal.
2. The distributed zero-trust micro-isolation access control method of claim 1, wherein the user side initiating a resource authorization request to a security center so that the security center applies to the quantum key distribution network for an authentication key identifier corresponding to an authorized access resource and generates an SDP policy comprises:
initiating a resource authorization request to a security center, wherein the resource authorization request carries information including an identifier of the user side initiating the access behavior and its security state, so that the security center evaluates the security state to determine the resource the user side is authorized to access, and applies to the quantum key distribution network for an authentication key identifier corresponding to the authorized resource to generate an SDP policy.
3. The distributed zero-trust micro-isolation access control method of claim 1, wherein the receiving the SDP policy returned by the security center and establishing a secure channel with an SDP gateway to access authorized access resources based on the SDP policy comprises:
Receiving the SDP policy returned by the security center, wherein the SDP policy comprises an authentication key identifier corresponding to each authorized access resource;
and based on the SDP policy, establishing a TLS security channel with the SDP gateway through a zero trust proxy, and accessing authorized access resources through the TLS security channel.
4. The distributed zero-trust micro-isolation access control method of claim 1, wherein the obtaining a corresponding authentication key from the quantum key distribution network based on the authentication key identification and calculating a hash value of resource information using the authentication key comprises:
acquiring a corresponding authentication key from the quantum key distribution network based on the authentication key identification through a zero trust proxy;
and calculating a hash value of the resource information by using the authentication key and a cryptographic hash algorithm with the key, wherein the resource information comprises a key identifier, a source IP, a source port, a destination IP and a predefined filling character string.
5. The distributed zero-trust micro-isolation access control method of claim 1, further comprising, after the sending the hash value and the authentication key identifier to an authorized access resource:
receiving access permission information returned by the authorized access resource, wherein the access permission information is generated after the authorized access resource acquires the corresponding authentication key from the quantum key distribution network and the identity authentication of the user terminal succeeds;
or receiving access refusal information returned by the authorized access resource, wherein the access refusal information is generated after the authorized access resource acquires the corresponding authentication key from the quantum key distribution network and the identity authentication of the user terminal fails.
6. The distributed zero-trust micro-isolation access control method of claim 1, wherein the user side is connected to a corresponding QKD node in the quantum key distribution network.
7. The distributed zero-trust micro-isolation access control method of claim 1, wherein the client stores a pre-shared master key pre-loaded via the quantum key distribution network, the method further comprising:
when the user side communicates with the corresponding QKD node in the quantum key distribution network, protecting that communication with the pre-shared master key.
8. A distributed zero-trust micro-isolation access control method, characterized in that it is applied to a security center, the method comprising:
Receiving a resource authorization request sent by a user side, and generating a task ID based on the resource authorization request, wherein the task ID is bound with an identifier of the user side, a QKD node to which the user side belongs, an identifier of an authorized access resource and a QKD node to which the authorized access resource belongs;
for each task ID, sending an authentication key request to the QKD node to which the corresponding authorized access resource belongs, so that this QKD node sends an authentication key and its authentication key identifier to the QKD node to which the user side belongs;
and receiving an authentication key identifier returned by the QKD node to which the authorized resource belongs, generating an SDP policy based on the authentication key identifier, and sending the SDP policy to the user terminal and the SDP gateway so that the user terminal and the SDP gateway establish a channel for accessing the authorized resource based on the SDP policy.
9. The distributed zero-trust micro-isolation access control method of claim 8, wherein the receiving the resource grant request sent by the user side and generating the task ID based on the resource grant request comprises:
receiving a resource authorization request sent by a user side, wherein the resource authorization request carries information including an identifier and a security state of the user side initiating access behavior;
Performing security assessment on the security state of the user side, and determining authorized access to the resource based on the assessment result;
determining a QKD node to which the user terminal belongs according to the identification of the user terminal, and determining the QKD node to which the authorized access resource belongs according to the identification of the authorized access resource;
and generating a task ID for the user terminal initiating the access behavior and the corresponding authorized access resource.
10. The distributed zero-trust micro-isolation access control method of claim 8, wherein the authentication key identifier is ID_QKD || Seq_Key, where ID_QKD is the identification of the QKD node to which the authorized access resource belongs, Seq_Key is the serial number of the authentication key, and || represents concatenation.
11. A distributed zero-trust micro-isolation access control method, applied to an accessed resource, the method comprising:
intercepting a resource access request sent by a user side to an authorized access resource through a service grid, wherein the resource access request carries information including a first hash value of resource information calculated by using an authentication key and an authentication key identifier;
acquiring a corresponding authentication key from the quantum key distribution network according to the authentication key identification, and calculating a second hash value of the resource information based on the authentication key;
Comparing the second hash value with the first hash value, and carrying out identity authentication on the user side;
and after the identity authentication is passed, transmitting permission access information to the user side.
12. The distributed zero-trust micro-isolation access control method of claim 11, wherein the resource information includes a key identifier, a source IP, a source port, a destination IP, and a predefined pad string.
13. The distributed zero-trust micro-isolation access control method of claim 11, wherein the accessed resource is connected to a corresponding QKD node in the quantum key distribution network.
14. The distributed zero-trust micro-isolation access control method of claim 12, further comprising, after the end of the resource access:
sending a key destruction request through the service grid to the QKD node to which the accessed resource side belongs, so that the corresponding QKD node destroys the authentication key corresponding to the access task.
15. The distributed zero-trust micro-isolation access control method of claim 11, wherein the accessed resource stores a pre-shared master key pre-loaded via the quantum key distribution network, the method further comprising:
when the accessed resource side communicates with the corresponding QKD node in the quantum key distribution network, protecting that communication with the pre-shared master key.
16. A client, wherein a zero trust proxy is running in the client, and the zero trust proxy is configured to execute the distributed zero-trust micro-isolation access control method according to any one of claims 1 to 7.
17. A security center, the security center comprising:
the identity authentication module is used for receiving a resource authorization request sent by a user side and generating a task ID based on the resource authorization request, wherein the task ID is bound with an identifier of the user side, a QKD node to which the user side belongs, an identifier of an authorized access resource and a QKD node to which the authorized access resource belongs;
an SDP controller, configured to send, for each task ID, an authentication key request to the QKD node to which the corresponding authorized access resource belongs, so that this QKD node sends an authentication key and its authentication key identifier to the QKD node to which the user side belongs; and to receive the authentication key identifier returned by the QKD node to which the authorized access resource belongs, generate an SDP policy based on the authentication key identifier, and send the SDP policy to the user terminal and the SDP gateway so that the user terminal and the SDP gateway establish a channel for accessing the authorized resource based on the SDP policy.
18. An accessed resource party, wherein a service grid is operated in the accessed resource party, and the service grid is used for executing the distributed zero-trust micro-isolation access control method according to any one of claims 11-15.
19. The distributed zero-trust micro-isolation access control system is characterized by comprising a user side, an accessed resource side, a security center and a quantum key distribution network, wherein the user side is connected with the accessed resource side through an SDP gateway, the user side, the accessed resource side and the security center are all connected with the quantum key distribution network, and the user side is connected with the security center, wherein:
the user end runs a zero trust proxy and is used for initiating a resource authorization request to the security center;
the security center is configured to generate an SDP policy based on an authentication key identifier, obtained from the quantum key distribution network, that corresponds to the authorized resource applied for in the resource authorization request sent by the user side, and to send the SDP policy to the user side and the SDP gateway, so that the user side and the SDP gateway establish a secure channel for accessing the authorized resource based on the SDP policy;
the accessed resource side runs a service mesh and is used for acquiring an authentication key from the quantum key distribution network, so as to authenticate the final hop of the user side's access behavior and directly authorize the access to the authorized resource.
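The following simulation is an added example, not code from the patent: it walks through the flow the claims describe (task ID bound to the user, the user's QKD node, the resource and the resource's QKD node; the SDP controller obtaining only a key identifier from the QKD layer; user side, SDP gateway and service mesh each fetching the key by identifier and proving the hop with an HMAC). The QKD network, the node names, the HMAC-based channel proof and the gateway holding its own QKD node are all constructed assumptions.

```python
import hashlib, hmac, secrets, uuid

class QKDNetwork:
    """Constructed stand-in for the QKD network: a key generated on the resource's node is
    assumed to be retrievable by its key identifier from any node on the network."""
    def __init__(self):
        self.keys = {}
    def request_authentication_key(self, resource_node):
        key_id = f"{resource_node}:{uuid.uuid4().hex[:8]}"
        self.keys[key_id] = secrets.token_bytes(32)
        return key_id                      # only the identifier leaves the QKD layer
    def fetch_key(self, node, key_id):
        return self.keys[key_id]

class SecurityCenter:
    def __init__(self, qkd):
        self.qkd, self.tasks = qkd, {}
    def authorize(self, user_id, user_node, resource_id, resource_node):
        # identity authentication module: task ID bound to the four identifiers
        task_id = uuid.uuid4().hex[:12]
        self.tasks[task_id] = (user_id, user_node, resource_id, resource_node)
        # SDP controller: ask the resource's QKD node for a key, keep only its identifier
        key_id = self.qkd.request_authentication_key(resource_node)
        # the policy carries no key material; it goes to the user side and the SDP gateway
        return {"task_id": task_id, "user": user_id, "resource": resource_id, "key_id": key_id}

def channel_tag(key, task_id, hop):
    return hmac.new(key, f"{task_id}:{hop}".encode(), hashlib.sha256).hexdigest()

def user_connect(qkd, user_node, policy):
    key = qkd.fetch_key(user_node, policy["key_id"])
    return channel_tag(key, policy["task_id"], "user->gateway")

def gateway_forward(qkd, gw_node, policy, user_tag):
    key = qkd.fetch_key(gw_node, policy["key_id"])
    if not hmac.compare_digest(user_tag, channel_tag(key, policy["task_id"], "user->gateway")):
        return None                        # user proof does not match this policy's task
    return channel_tag(key, policy["task_id"], "gateway->resource")

def service_mesh_admit(qkd, resource_node, policy, gw_tag):
    """Final-hop check at the accessed resource side: the service mesh fetches the same
    authentication key and authorizes only if the gateway's proof verifies."""
    key = qkd.fetch_key(resource_node, policy["key_id"])
    return hmac.compare_digest(gw_tag, channel_tag(key, policy["task_id"], "gateway->resource"))

def run_flow(tampered=False):
    qkd, center = QKDNetwork(), None
    center = SecurityCenter(qkd)
    policy = center.authorize("alice", "qkd-A", "payroll-api", "qkd-B")   # constructed ids
    user_tag = user_connect(qkd, "qkd-A", policy)
    if tampered:                           # policy replayed under a different task ID
        policy = dict(policy, task_id="0" * 12)
    gw_tag = gateway_forward(qkd, "qkd-GW", policy, user_tag)
    return gw_tag is not None and service_mesh_admit(qkd, "qkd-B", policy, gw_tag)
```

`run_flow()` admits the access, while `run_flow(tampered=True)` is refused at the gateway because the user's proof is bound to the original task ID.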
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310996548.5A CN116707807B (en) | 2023-08-09 | 2023-08-09 | Distributed zero-trust micro-isolation access control method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310996548.5A CN116707807B (en) | 2023-08-09 | 2023-08-09 | Distributed zero-trust micro-isolation access control method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116707807A true CN116707807A (en) | 2023-09-05 |
CN116707807B CN116707807B (en) | 2023-10-31 |
Family
ID=87831655
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310996548.5A Active CN116707807B (en) | 2023-08-09 | 2023-08-09 | Distributed zero-trust micro-isolation access control method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116707807B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117201112A (en) * | 2023-09-06 | 2023-12-08 | 江南信安(北京)科技有限公司 | Data access processing method and system based on all-node zero-trust gateway |
Citations (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040010603A1 (en) * | 2002-07-10 | 2004-01-15 | Foster Ward Scott | Secure resource access in a distributed environment |
US20120144202A1 (en) * | 2010-12-06 | 2012-06-07 | Verizon Patent And Licensing Inc. | Secure authentication for client application access to protected resources |
US20130208894A1 (en) * | 2011-08-05 | 2013-08-15 | Fabio Antonio Bovino | Cryptographic key distribution system |
CN104917765A (en) * | 2015-06-10 | 2015-09-16 | 杭州华三通信技术有限公司 | Attack prevention method, and equipment |
CN105847247A (en) * | 2016-03-21 | 2016-08-10 | 飞天诚信科技股份有限公司 | Authentication system and working method thereof |
US20160241396A1 (en) * | 2015-02-16 | 2016-08-18 | Alibaba Group Holding Limited | Method, apparatus, and system for identity authentication |
US20160261564A1 (en) * | 2014-06-20 | 2016-09-08 | Zscaler, Inc. | Cloud-based virtual private access systems and methods |
KR20180046476A (en) * | 2016-10-28 | 2018-05-09 | 에스케이텔레콤 주식회사 | Apparatus and method for controlling access based on software defined perimeter |
US20200403787A1 (en) * | 2019-06-21 | 2020-12-24 | Verizon Patent And Licensing Inc. | Quantum entropy distributed via software defined perimeter connections |
CN112152817A (en) * | 2020-09-25 | 2020-12-29 | 国科量子通信网络有限公司 | Quantum key distribution method and system for authentication based on post-quantum cryptographic algorithm |
US11070980B1 (en) * | 2019-03-25 | 2021-07-20 | Sprint Communications Company L.P. | Secondary device authentication proxied from authenticated primary device |
US20220045854A1 (en) * | 2020-08-09 | 2022-02-10 | Perimeter 81 Ltd | Unification of data flows over network links with different internet protocol (ip) addresses |
CN114221765A (en) * | 2022-02-17 | 2022-03-22 | 浙江九州量子信息技术股份有限公司 | Quantum key distribution method for fusion of QKD network and classical cryptographic algorithm |
CN114553568A (en) * | 2022-02-25 | 2022-05-27 | 重庆邮电大学 | Resource access control method based on zero-trust single packet authentication and authorization |
CN115001770A (en) * | 2022-05-25 | 2022-09-02 | 山东极光智能科技有限公司 | Zero-trust-based service access control system and control method |
CN115118442A (en) * | 2022-08-30 | 2022-09-27 | 飞天诚信科技股份有限公司 | Port protection method and device under software defined boundary framework |
US20220345446A1 (en) * | 2021-04-21 | 2022-10-27 | Avaya Management L.P. | Session initiation protocol (sip) authentication and registration in software defined perimeter (sdp) networks |
CN115567210A (en) * | 2022-09-29 | 2023-01-03 | 中电信量子科技有限公司 | Method and system for realizing zero trust access by quantum key distribution |
WO2023279782A1 (en) * | 2021-07-08 | 2023-01-12 | 华为技术有限公司 | Access control method, access control system and related device |
CN115665737A (en) * | 2022-09-06 | 2023-01-31 | 国网浙江省电力有限公司绍兴供电公司 | Internet of things terminal authentication method based on zero trust architecture |
CN116032533A (en) * | 2022-11-29 | 2023-04-28 | 兴业银行股份有限公司 | Remote office access method and system based on zero trust |
CN116319024A (en) * | 2023-03-23 | 2023-06-23 | 北京神州泰岳软件股份有限公司 | Access control method and device of zero trust system and zero trust system |
US20230246816A1 (en) * | 2021-02-16 | 2023-08-03 | Bastionzero, Inc. | Zero trust authentication |
Patent Citations (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040010603A1 (en) * | 2002-07-10 | 2004-01-15 | Foster Ward Scott | Secure resource access in a distributed environment |
US20120144202A1 (en) * | 2010-12-06 | 2012-06-07 | Verizon Patent And Licensing Inc. | Secure authentication for client application access to protected resources |
US20130208894A1 (en) * | 2011-08-05 | 2013-08-15 | Fabio Antonio Bovino | Cryptographic key distribution system |
US20160261564A1 (en) * | 2014-06-20 | 2016-09-08 | Zscaler, Inc. | Cloud-based virtual private access systems and methods |
US20160241396A1 (en) * | 2015-02-16 | 2016-08-18 | Alibaba Group Holding Limited | Method, apparatus, and system for identity authentication |
CN104917765A (en) * | 2015-06-10 | 2015-09-16 | 杭州华三通信技术有限公司 | Attack prevention method, and equipment |
CN105847247A (en) * | 2016-03-21 | 2016-08-10 | 飞天诚信科技股份有限公司 | Authentication system and working method thereof |
KR20180046476A (en) * | 2016-10-28 | 2018-05-09 | 에스케이텔레콤 주식회사 | Apparatus and method for controlling access based on software defined perimeter |
US11070980B1 (en) * | 2019-03-25 | 2021-07-20 | Sprint Communications Company L.P. | Secondary device authentication proxied from authenticated primary device |
US20200403787A1 (en) * | 2019-06-21 | 2020-12-24 | Verizon Patent And Licensing Inc. | Quantum entropy distributed via software defined perimeter connections |
US20220045854A1 (en) * | 2020-08-09 | 2022-02-10 | Perimeter 81 Ltd | Unification of data flows over network links with different internet protocol (ip) addresses |
CN112152817A (en) * | 2020-09-25 | 2020-12-29 | 国科量子通信网络有限公司 | Quantum key distribution method and system for authentication based on post-quantum cryptographic algorithm |
US20230246816A1 (en) * | 2021-02-16 | 2023-08-03 | Bastionzero, Inc. | Zero trust authentication |
US20220345446A1 (en) * | 2021-04-21 | 2022-10-27 | Avaya Management L.P. | Session initiation protocol (sip) authentication and registration in software defined perimeter (sdp) networks |
WO2023279782A1 (en) * | 2021-07-08 | 2023-01-12 | 华为技术有限公司 | Access control method, access control system and related device |
CN114221765A (en) * | 2022-02-17 | 2022-03-22 | 浙江九州量子信息技术股份有限公司 | Quantum key distribution method for fusion of QKD network and classical cryptographic algorithm |
CN114553568A (en) * | 2022-02-25 | 2022-05-27 | 重庆邮电大学 | Resource access control method based on zero-trust single packet authentication and authorization |
CN115001770A (en) * | 2022-05-25 | 2022-09-02 | 山东极光智能科技有限公司 | Zero-trust-based service access control system and control method |
CN115118442A (en) * | 2022-08-30 | 2022-09-27 | 飞天诚信科技股份有限公司 | Port protection method and device under software defined boundary framework |
CN115665737A (en) * | 2022-09-06 | 2023-01-31 | 国网浙江省电力有限公司绍兴供电公司 | Internet of things terminal authentication method based on zero trust architecture |
CN115567210A (en) * | 2022-09-29 | 2023-01-03 | 中电信量子科技有限公司 | Method and system for realizing zero trust access by quantum key distribution |
CN116032533A (en) * | 2022-11-29 | 2023-04-28 | 兴业银行股份有限公司 | Remote office access method and system based on zero trust |
CN116319024A (en) * | 2023-03-23 | 2023-06-23 | 北京神州泰岳软件股份有限公司 | Access control method and device of zero trust system and zero trust system |
Non-Patent Citations (2)
Title |
---|
ERIC P. HANSON et al.: "Guesswork With Quantum Side Information", IEEE * |
罗俊 (Luo Jun) et al.: "Cryptographic application system for telecom operators integrating quantum key distribution", 电信科学 (Telecommunications Science), vol. 39, no. 01 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117201112A (en) * | 2023-09-06 | 2023-12-08 | 江南信安(北京)科技有限公司 | Data access processing method and system based on all-node zero-trust gateway |
CN117201112B (en) * | 2023-09-06 | 2024-06-04 | 江南信安(北京)科技有限公司 | Data access processing method and system based on all-node zero-trust gateway |
Also Published As
Publication number | Publication date |
---|---|
CN116707807B (en) | 2023-10-31 |
Similar Documents
Publication | Title |
---|---|
US11477037B2 (en) | Providing forward secrecy in a terminating SSL/TLS connection proxy using ephemeral Diffie-Hellman key exchange |
KR101009330B1 (en) | Methods, systems, and authentication centers for authentication in end-to-end communications based on mobile networks |
CN112235235B (en) | SDP authentication protocol implementation method based on cryptographic algorithm |
CN100591003C (en) | Realize pre-shared privacy based on stateless server |
TWI454112B (en) | Key management for communication networks |
CN101156352B (en) | Authentication method, system and authentication center based on mobile network P2P communication |
Daeinabi et al. | An advanced security scheme based on clustering and key distribution in vehicular ad-hoc networks |
CN109600226A (en) | TLS protocol session key recovery method based on random number implicit negotiation |
CN115567210A (en) | Method and system for realizing zero trust access by quantum key distribution |
KR102756028B1 (en) | Improved transmission of in-vehicle data or messages using SOME/IP communication protocol |
CN115001770B (en) | A business access control system and control method based on zero trust |
JP4783340B2 (en) | Protecting data traffic in a mobile network environment |
CN113452764A (en) | SM9-based vehicle networking V2I bidirectional authentication method |
CN115835194B (en) | NB-IoT terminal safety access system and access method |
CN116707807B (en) | Distributed zero-trust micro-isolation access control method and system |
CN118713853A (en) | Identity-driven trust management system for data center collaboration |
Li et al. | Securing distributed adaptation |
CN101094063B (en) | Security interaction method for the roam terminals to access soft switching network system |
CN107979466B (en) | iSCSI protocol security enhancement method based on Diffie-Hellman protocol |
Jaroucheh et al. | Secretation: Toward a decentralised identity and verifiable credentials based scalable and decentralised secret management solution |
Cho et al. | Practical authentication and access control for software-defined networking over optical networks |
CN108282337A (en) | A kind of Routing Protocol reinforcement means based on trusted cryptography's card |
CN115580403B (en) | PKI-based computing node access control method |
CN113449343B (en) | Trusted computing system based on quantum technology |
WO2025031150A1 (en) | Distributed zero-trust micro-segmentation access control method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |