CN1463117A - Safety communication method between communication system of networking computer and user oriented network layer - Google Patents


Publication number: CN1463117A (granted as CN1284331C)
Authority: CN (China)
Application number: CN 03136493
Original language: Chinese (zh)
Inventors: 李颖, 李锦涛
Current assignee: Beijing Skyvein Net Computer Co., Ltd.
Original assignee: Institute of Computing Technology of CAS
Legal status: Granted; Expired - Fee Related

Abstract

The system consists of a number of registered users, network computers, a security authentication center, a secure communication server and the Internet. The security authentication center is responsible for completing user registration; it issues the user a smart card storing the user's personal feature code, private key and the self-signed root certificate of the security authentication center. Management of the network-layer secure communication links is carried out on the basis of user roles, the secure communication policy and user certificate management. The invention can be applied to computer network communication systems in areas such as e-government, e-business, enterprise information management, securities, finance and military affairs.

Description

Network computer communication system and user-oriented network-layer secure communication method
Invention field
The present invention relates to the field of network computer communication, and in particular to a network computer communication system and a user-oriented network-layer secure communication method.
Technical background
The concept of the network computer was first proposed in 1995 by Larry Ellison, CEO of Oracle. In Ellison's view, a network computer is a simply configured, low-priced computer that can make full use of network resources. It needs no constantly upgraded, ever more complex hardware and no huge operating system; it has no floppy drive or hard disk, and as soon as it is powered on and connected to the network it can obtain information and store files through a browser. This not only greatly reduces the size and price of the user's machine but also frees the user from worrying about hardware upgrades. One year after the concept was proposed, Oracle, together with IBM, Sun, Apple and Netscape, drew up the first network computer standard. However, because of the limited network bandwidth at the time, the browser/server model had not yet become widespread in most application systems, and the Net PC alliance formed in 1997 by Microsoft, Intel, Compaq and Dell worked to suppress the network computer, so it never won a real victory in the market.
Today, with the growth of network bandwidth and CPU processing power, the performance of network computers has improved greatly. Since network computers also have a clear price advantage over traditional PCs, the network computer system has once again attracted attention in China and has become an important solution for advancing the country's informatization. Compared with a few years ago, the development environment for domestic network computers is incomparably better. On the one hand, the government has become the main driving force behind network computer development, because China's network computers are built on domestic CPUs and operating systems with open source code (such as Linux). This is very important for breaking the monopoly of Wintel (the Windows operating system and Intel's CPUs) in the core areas of information technology, for developing core technology with independent intellectual property rights, and for thoroughly eliminating the information security risks that Wintel technology may bring to China's informatization. On the other hand, the domestic hardware and software technology with independent intellectual property rights that is suitable for network computers has become more and more mature: domestic CPU technology, represented by the Godson and Noah's Ark CPUs, has reached the market; domestic desktop Linux operating systems have made important progress through the efforts of software vendors; and many solutions and application systems for industry customers that are suitable for network computers have begun to appear. These developments provide a good technical foundation for the network computer.
A network computer can only perform its function as part of a system that integrates it with various servers over a network; unlike a PC, it cannot be used stand-alone. When a network computer system is applied in fields such as e-government, e-commerce, enterprise information management or even the military, the security of information communication between the nodes of the system must therefore be solved.
The hardware and software of a network computer are normally closed: it provides none of the expansion slots common on PCs, does not allow its hardware configuration to be changed or upgraded arbitrarily, and does not allow application or system programs to be added, deleted or replaced arbitrarily. This creates very favourable conditions for building a customised, secure and reliable network computer system. Based on these characteristics of the network computer system, we propose a user-oriented network-layer secure communication method. The method targets the network computer hardware environment shown in Figure 1 of the abstract. In this environment a registered user can use any network computer to establish a secure communication link at the network layer with any other registered user or with a server. The network layer is chosen for establishing secure links because, on the one hand, this is the most compatible with the existing network hardware environment, and on the other hand, it is fully transparent to existing applications: no modification of any existing application program is required, so existing programming work is preserved to the greatest extent.
The user-oriented network-layer secure communication method is an extension of the commonly used network-layer security protocol IPSec. IPSec was originally designed to establish a secure communication link between any two nodes in a network. In practice, however, many network applications want to provide secure communication connections for network users. Especially in a network computer environment, a registered user wants to be able to communicate securely with other users or servers from any network computer. It is therefore necessary to extend the existing IPSec-based secure communication technology into a user-oriented secure communication technology while retaining the existing advantages of the IPSec protocol.
Summary of the invention
The user-oriented network-layer secure communication method of the present invention further extends node-oriented network-layer secure communication into a user-oriented method for the network computer environment. It applies to a network computer environment in which the security authentication center (Certificate Authority, CA), the smart card, the secure communication server (Communication Server, CS) and the network computer (NC) are trustworthy. A user who wishes to communicate securely in the network computer environment must register with the CA. The registered user's private key, personal feature code and the CA's self-signed root certificate are stored by the CA in the smart card issued to that user. All registered users' certificates, together with the CA's private key, are stored on the CS over a dedicated secure channel. After logging in on any network computer in the environment, a registered user must immediately submit, in a secure and reliable way, the user's personal feature code and the network node information of the network computer (the IP address, gateway IP address and subnet mask of that computer) to the CS. The CS is responsible for user authentication, secure communication policy management and user certificate management in the environment. Whenever the network topology or the secure communication policy of the environment changes, the secure communication configuration information stored on every network node in the environment (network computers, the CS and other servers) must be rebuilt. The CS manages the secure communication links in the environment according to the login user information it has collected and the current secure communication policy.
The trustworthiness of the security authentication center (CA), the smart card, the secure communication server (CS) and the network computer (NC) means the following:
A. The CA does not disclose to any third party the personal information submitted by users; it does not disclose the personal identification number (PIN) chosen by a user to a third party; it does not disclose a registered user's public/private keys to a third party; and it does not disclose its own private key to a third party;
B. The user identifier, user private key, personal feature code and CA self-signed root certificate stored in the smart card cannot be illegally tampered with or replaced by any external force; the smart card does not respond to any illegitimate holder, that is, a holder who does not know the registered user's PIN; and the registered user's PIN can never be read out of the smart card;
C. The CS does not disclose the CA private key it stores to a third party; the CS's secure communication policy cannot be illegally modified or replaced; the current login user information stored by the CS cannot be illegally modified or replaced; the certificate revocation list (CRL) maintained by the CS cannot be illegally modified or replaced; the logout user list maintained by the CS cannot be illegally modified or replaced; and the CS must manage secure communication links according to the secure communication policy and the current login user information;
D. When a registered user communicates securely with another registered user or with a server in the network computer environment, the network computer does not compromise the integrity or confidentiality of the information exchanged, and does not compromise the confidentiality or integrity of the registered user's PIN, the registered user's private key or the CA's self-signed root certificate used during the communication.
Before a basic trust mechanism has been established in the network computer environment, the method of the present invention relies on secure communication methods such as: a dedicated, physically secure communication link set up between the CA and the CS; or a trusted system administrator copying the user certificates, together with the CA's self-signed root certificate, from the CA to the CS on a removable storage medium (such as a floppy disk).
The CS adopts a role-based secure communication management policy. Because roles can be naturally aligned with management concepts such as actual positions and posts in government bodies, enterprises and institutions, a role-based policy makes it easier to express the various secure communication requirements people have in practice. For example, suppose a company has two positions, department manager and ordinary employee (for the secure communication policy these are two roles), and the secure communication policy designed for the company contains the following three rules:
A. Communication between department managers must guarantee confidentiality and integrity;
B. Communication between a department manager and an ordinary employee must guarantee integrity;
C. No security requirement is imposed on communication between ordinary employees.
Then, when two department managers of the company need to communicate over the network, a secure communication link guaranteeing confidentiality and integrity must be established between them, whereas network communication between two ordinary employees may carry no security guarantee at all.
Taking an arbitrary network node δ in the network computer environment as an example, its secure communication configuration information is as shown in Table 1:
Secure communication configuration identifier | Role (R1) | Role (R2) | Role (Ri) | Role (Rn)
(IP1, GW1, Subnet1)                           | Conn 1-1  | Conn 1-2  | Conn 1-i  | Conn 1-n
(IP2, GW2, Subnet2)                           | Conn 2-1  | Conn 2-2  | Conn 2-i  | Conn 2-n
...                                           | ...       | ...       | ...       | ...
(IPi, GWi, Subneti)                           | Conn i-1  | Conn i-2  | Conn i-i  | Conn i-n
...                                           | ...       | ...       | ...       | ...
(IPm, GWm, Subnetm)                           | Conn m-1  | Conn m-2  | Conn m-i  | Conn m-n
Table 1. Secure communication configuration information table
In Table 1, (IPj, GWj, Subnetj) denotes the local IP address, the corresponding gateway address and the subnet mask of the j-th possible communication node in the network computer environment, with j ≠ δ. If the role assigned to the registered user currently using communication node j is Ri, then network node δ must open the secure communication link described by the secure communication configuration identifier Conn j-i.
The CS's management of the secure communication links in the network computer environment, according to the login user information it has collected and the current secure communication policy, has the following two aspects:
A. Whenever a new registered user logs in from a network computer, the CS determines, from the login user information it has collected and the current secure communication policy, which secure communication links the network computers of the users already logged in must open;
B. The effect of registered users logging out on the secure communication links of their network computers is handled in batches. That is, a threshold is set, and each time m registered users have logged out, the secure communication links corresponding to the network computers of those m users are closed. This batch mode helps reduce the load on the CS and on the network bandwidth. The specific value of the threshold m is decided by the network bandwidth of the environment and the hardware configuration of the network computers and servers.
The CS is responsible for maintaining a logout user list, shown in Table 2:
Record number | Personal feature code | User name | Role   | Node information of the user's network computer
1             | Code 1                | User 1    | Role 1 | {IP1, GW1, Subnet1}
2             | Code 2                | User 2    | Role 2 | {IP2, GW2, Subnet2}
...           | ...                   | ...       | ...    | ...
m             | Code m                | User m    | Role m | {IPm, GWm, Subnetm}
Table 2. Logout user list
After the CS receives a message saying that a user has logged out of a network computer, it inserts the personal information corresponding to that user into the logout user list shown in Table 2.
The present invention is a user-oriented network-layer secure communication method. The key of the method is to introduce a secure communication server into the network computer environment, which is responsible for user authentication, secure communication policy management and user certificate management; in addition, the CS manages the current secure communication links in the environment according to the login user information it has collected and the current secure communication policy. The key steps and techniques of the method are as follows:
1. The steps by which a user who wishes to communicate securely in the network computer environment registers with the CA are shown in Figure 2, where the letters (a, b, c, d, e, f, g, h, i) denote the nine registration steps. The meaning of these steps is explained as follows; together they form part of the user-oriented network-layer secure communication method:
a. The user provides the CA with personal information sufficient to prove the user's identity;
b. The CA verifies the personal information provided by the user. If the information fails the CA's verification, the CA immediately stops the user's registration;
c. The user provides the CA with a PIN of the user's own choosing;
d. The CA generates a unique public/private key pair for the user;
e. The CA generates a unique personal feature code for the user;
f. The CA generates for the user a user certificate containing the user name, user role, personal feature code and user public key, and signs the certificate with its own private key;
g. The CA stores the user's PIN, personal feature code, user private key and the CA's self-signed root certificate on the smart card to be issued to the user;
h. The CA issues the smart card obtained in step g to the registered user;
i. The CA stores the user certificate obtained in step g on the CS over the dedicated secure channel.
2. The steps by which a registered user logs in on any network computer in the environment and submits the registered user's personal feature code and the node information of that network computer (its IP address, gateway IP address and subnet mask) to the CS are:
a. The registered user chooses any network computer and inserts the user's smart card into the smart card reader/writer fitted to that network computer;
b. The network computer prompts the registered user to enter the PIN;
c. The registered user enters the PIN, which the network computer passes to the smart card;
d. The smart card compares the entered PIN with the PIN it stores; if they differ, the smart card refuses to execute any further instruction; if they are equal, then
e. the client software on the network computer collects the node information of the local machine;
f. the network computer reads the user's personal feature code from the smart card and concatenates it with the collected node information into the message [message type code I | personal feature code | node information];
g. the network computer signs the message [message type code I | personal feature code | node information] with the user private key read from the smart card;
h. the network computer sends the message [message type code I | personal feature code | node information] together with its signature to the CS.
3. Each time a registered user is added in the network computer environment, the CS opens the corresponding secure communication links by the following steps:
a. The network computer sends the message [message type code I | personal feature code | node information] together with its signature to the CS;
b. The CS extracts the user's personal feature code from the message and uses it to look up the corresponding user certificate in its local database;
c. The CS confirms from message type code I that the message corresponds to a user login event; otherwise it stops further processing;
d. The CS extracts the user's public key from the user certificate and uses it to verify the received message [message type code I | personal feature code | node information]; if verification fails, it discards the message; otherwise
e. it extracts the user's personal information (such as user name and role) from the user certificate and fills it into the current user information database;
f. using the current secure communication policy, the CS determines which users in the environment must start secure communication links with the newly added user, and constructs the message [message type code II | role of the new user | node information of the new user's network computer];
g. the CS signs the message [message type code II | role of the new user | node information of the new user's network computer] with the CA private key it stores, and sends the signature together with the message to the network computers of all users that must start a secure communication link with the new user;
h. the receiving network computer confirms from message type code II that the message type is "open secure communication link"; otherwise it stops further processing;
i. the network computer that received the message reads the CA's self-signed root certificate from the smart card of its current user, extracts the CA public key from the root certificate and uses it to verify the received message; if verification fails, it discards the message; otherwise
j. it uses the information {role of the new user, node information of the new user's network computer} to look up the corresponding secure communication configuration identifier in its secure communication configuration information table, and starts the secure communication link described by that identifier.
4. Before a user logs out of the user's network computer, the network computer must construct a logout message [message type code III | personal feature code | node information], sign it with the user's private key and send the signature together with the logout message to the CS. On receiving this message the CS performs the following actions:
a. The CS determines from message type code III that the message is a logout message; otherwise it stops further processing;
b. The CS extracts the user's personal feature code from the logout message and uses it to look up the corresponding user certificate in its local database;
c. The CS extracts the user's public key from the user certificate and verifies the received logout message with it; if verification fails, it discards the message; otherwise
d. the CS inserts the personal information of the user corresponding to the logout message into the logout user list;
e. if the m entries of the logout user list are not yet full, the CS does no further processing; otherwise
f. the CS notifies all network computers related to the users in the logout user list to close the secure communication links associated with those users, and then empties the logout user list.
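As an added illustration of steps 2 to 4 (not code from the patent), the following Python sketch implements the CS side of login handling and batched logout, plus the receiving network computer's handling of a type II message against its Table 1. Role names, the policy encoding and the message field names are assumptions; since it uses only the standard library, a keyed HMAC stands in for the user and CA private/public key signatures the patent specifies, with the verification logic otherwise unchanged.

```python
import hashlib
import hmac
import json

TYPE_LOGIN, TYPE_OPEN, TYPE_LOGOUT = 1, 2, 3   # message type codes I, II, III from the method

# Role-based policy encoding the three example rules from the description (role names assumed).
# The key is the unordered pair of roles; a value of None means no link is required.
POLICY = {
    frozenset({"manager"}): "confidentiality+integrity",
    frozenset({"manager", "employee"}): "integrity",
    frozenset({"employee"}): None,
}


def node_key(node):
    """Table 1 row key: (IP address, gateway, subnet mask) of a network computer."""
    return (node["ip"], node["gw"], node["subnet"])


def sign(key, body):
    """Stand-in for a private-key signature over the serialised message (HMAC, see lead-in)."""
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, raw, hashlib.sha256).hexdigest()}


def verify(key, msg):
    """Stand-in for public-key verification; any change to the body fails the check."""
    raw = json.dumps(msg["body"], sort_keys=True).encode()
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return hmac.compare_digest(msg["sig"], expected)


def nc_message(user_key, type_code, feature_code, node):
    """Network computer, steps 2f-2h and 4: [type | feature code | node info], signed by the user."""
    return sign(user_key, {"type": type_code, "code": feature_code, "node": node})


def nc_handle_open(ca_key, config_table, msg):
    """Receiving network computer, steps 3h-3j: check type II, verify with the CA root key,
    then look up the Table 1 entry for (node of the new user, role of the new user)."""
    body = msg["body"]
    if body["type"] != TYPE_OPEN or not verify(ca_key, msg):
        return None
    return config_table.get((node_key(body["node"]), body["role"]))


class CommServer:
    """Secure communication server: login handling (step 3) and batched logout (step 4)."""

    def __init__(self, ca_key, certs, batch_m):
        self.ca_key = ca_key                          # CA private key held by the server
        self.certs = {c["code"]: c for c in certs}    # user certificates keyed by feature code
        self.online = {}                              # feature code -> current login information
        self.logout_list = []                         # Table 2, the logout user list
        self.m = batch_m                              # batch threshold m

    def _authenticate(self, msg, expected_type):
        """Steps 3b-3d / 4a-4c: type code check, certificate lookup by feature code,
        signature check with the key taken from that certificate."""
        body = msg["body"]
        if body["type"] != expected_type:
            return None
        cert = self.certs.get(body["code"])
        if cert is None or not verify(cert["key"], msg):
            return None
        return cert

    def _peers_needing_link(self, role, exclude_code):
        """Logged-in users whose role paired with `role` requires a protected link."""
        return [s for c, s in self.online.items()
                if c != exclude_code and POLICY.get(frozenset({s["role"], role}))]

    def handle_login(self, msg):
        """Returns [(target node, signed type II message)] for every NC that must open a link."""
        cert = self._authenticate(msg, TYPE_LOGIN)
        if cert is None:
            return []                                  # wrong type, unknown code or bad signature
        node = msg["body"]["node"]
        self.online[cert["code"]] = {"user": cert["user"], "role": cert["role"], "node": node}
        open_msg = sign(self.ca_key, {"type": TYPE_OPEN, "role": cert["role"], "node": node})
        return [(s["node"], open_msg) for s in self._peers_needing_link(cert["role"], cert["code"])]

    def handle_logout(self, msg):
        """Returns [] until m users have logged out, then [(target node, node to close)]."""
        cert = self._authenticate(msg, TYPE_LOGOUT)
        if cert is None or cert["code"] not in self.online:
            return []
        sess = self.online.pop(cert["code"])
        self.logout_list.append({"code": cert["code"], **sess})     # step 4d: new Table 2 row
        if len(self.logout_list) < self.m:                           # step 4e: batch not full yet
            return []
        notices = [(s["node"], gone["node"])                         # step 4f: notify related NCs
                   for gone in self.logout_list
                   for s in self._peers_needing_link(gone["role"], gone["code"])]
        self.logout_list.clear()
        return notices
```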
Embodiment
I. Requirements on the hardware environment of the network computer environment to which the present invention applies:
1. a trusted security authentication center must be configured;
2. a trusted secure communication server must be configured;
3. trusted network computers must be configured;
4. trusted smart cards must be configured.
II. Requirements of the present invention on users in the network computer environment:
1. the user must register with the security authentication center;
2. the user must present a valid smart card when logging in on a network computer.
Description of drawings
Fig. 1 is a diagram of the hardware environment of the network computer system to which the present invention applies;
Fig. 2 is a schematic diagram of the steps by which a user registers with the security authentication center in the present invention.
The hardware environment of the network computer communication system of the present invention shown in Figure 1 may be built either on a local area network (LAN) or on the Internet. An ordinary user of the network computer system must pass the authentication of the security authentication center and become one of its registered users before enjoying the network-layer secure communication service. The security authentication center is responsible for trust management for the whole network computer system environment; it is with its support that the necessary trust relationships are established between registered users, and between registered users and the secure communication server, through the user certificates it issues. A registered user must log in on a network computer and, with the help of the secure communication server, can then communicate securely with other registered users or servers.
The network computer communication system shown in Figure 1 consists of several registered users, network computers, the Internet or a LAN, a security authentication center that verifies registered users' personal information, and a secure communication server that performs user authentication for the network computers, role-based secure communication policy management and user certificate management, and that manages the current secure communication links in the environment according to the collected login user information and the current secure communication policy. The security authentication center is connected to the Internet or the LAN.
The security authentication center requires the user to provide the necessary personal identification information and a valid PIN, and generates the personal feature code, user private key and user certificate for the registered user.
Figure 2 shows the steps by which a user registers with the security authentication center in the present invention; these steps are in fact part of the user-oriented network-layer secure communication method. The detailed steps are described in the summary of the invention and are omitted here.

Claims (6)

1. A system applicable to network computer communication, composed of a plurality of registered users, network computers, a security authentication center, a secure communication server and the Internet or a local area network (LAN), characterized in that:
the security authentication center is responsible for completing user registration, and stores in the smart card issued to the user the user's personal feature code, the user's private key and the self-signed root certificate of the security authentication center;
the secure communication server performs user authentication for the network computer system, role-based secure communication policy management and user certificate management, and manages the network-layer secure communication links according to user roles and the secure communication policy.
2. The network computer communication system according to claim 1, characterized in that the security authentication center requires the user to provide the necessary personal identification information and a valid personal identification number, and the security authentication center generates a personal feature code, a user private key and a user certificate for the registered user.
3. A user-oriented network-layer secure communication method, comprising the following user registration steps:
A. the user provides the security authentication center with personal information sufficient to establish his or her identity;
B. the security authentication center verifies the personal information provided by the user; if the personal information provided by the user does not pass the verification of the security authentication center, the security authentication center immediately terminates the user's registration;
C. the user provides the security authentication center with a personal identification number of his or her own choosing;
D. the security authentication center generates a unique public/private key pair for the user;
E. the security authentication center generates a unique personal feature code for the user;
F. the security authentication center generates for the user a user certificate containing the user name, user role, personal feature code and user public key, and signs this user certificate with its own private key;
G. the security authentication center stores the user's personal identification number, personal feature code, user private key and the self-signed root certificate of the security authentication center on the smart card to be provided to the user;
H. the security authentication center provides the smart card obtained in step G to the registered user;
I. the security authentication center stores the user certificate generated for the user on the secure communication server over a dedicated secure channel.
4. The user-oriented network-layer secure communication method according to claim 3, further comprising:
the steps by which a registered user logs in on any network computer in the networked computer environment and submits to the secure communication server the registered user's personal feature code together with the network node information of the network computer at which the registered user is located, comprising that network computer's IP address, gateway IP address and subnet mask, which are:
A. the registered user chooses any network computer and inserts the user's smart card into the smart card reader/writer with which that network computer is equipped;
B. the network computer prompts the registered user to enter the user's personal identification number;
C. the registered user enters the personal identification number, which the network computer passes into the user's smart card;
D. the personal identification number entered by the registered user is compared with the personal identification number stored in the smart card; if the two differ, the smart card refuses to execute any further instruction; if the two are equal, then
E. the client software on the network computer collects the network node information of the local machine;
F. the network computer reads the user's personal feature code from the smart card and concatenates it with the collected network node information to obtain the message [message type code I | personal feature code | network node information];
G. the network computer signs the message [message type code I | personal feature code | network node information] with the user private key read from the smart card;
H. the network computer sends the message [message type code I | personal feature code | network node information] together with the corresponding signature to the secure communication server.
5. The user-oriented network-layer secure communication method according to claim 3, further comprising:
the steps by which, each time a registered user is added in the networked computer environment, the secure communication server opens the corresponding secure communication links, which are:
A. the network computer sends the message [message type code I | personal feature code | network node information] together with the corresponding signature to the secure communication server;
B. the secure communication server extracts the user's personal feature code from the message [message type code I | personal feature code | network node information] and uses the feature code obtained to look up the corresponding user's certificate in the local database;
C. the message type code I confirms that this message corresponds to a user log-in event; otherwise, further processing is stopped;
D. the secure communication server extracts the user's public key from the user certificate and uses this public key to verify the received message [message type code I | personal feature code | network node information]; if verification fails, the received message [message type code I | personal feature code | network node information] is discarded; otherwise, then
E. the user's personal information is extracted from the user certificate and entered into the current-user information database;
F. using the current secure communication policy, the secure communication server determines which users in the networked computer environment need to start secure communication links with the newly joined user, and constructs the message [message type code II | role of the newly joined user | network node information of the network computer at which the newly joined user is located];
G. the secure communication server signs the message [message type code II | role of the newly joined user | network node information of the network computer at which the newly joined user is located] with the private key of the security authentication center that it stores, and sends the signature value together with the message [message type code II | role of the newly joined user | network node information of the network computer at which the newly joined user is located] to all network computers at which users who need to start a secure communication link with the newly joined user are located;
H. the message type code II confirms that the message type is "open secure communication link"; otherwise, further processing is stopped;
I. a network computer that receives the message [message type code II | role of the newly joined user | network node information of the network computer at which the newly joined user is located] reads the self-signed root certificate of the security authentication center from the corresponding user's smart card, extracts the public key of the security authentication center from this root certificate, and uses this public key to verify the received message [message type code II | role of the newly joined user | network node information of the network computer at which the newly joined user is located]; if verification fails, the message [message type code II | role of the newly joined user | network node information of the network computer at which the newly joined user is located] is discarded; otherwise, then
J. the information {role of the newly joined user, network node information of the network computer at which the newly joined user is located} is used to look up the corresponding secure communication configuration identifier in the network computer's secure communication configuration table, and the secure communication link described by that configuration identifier is started.
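As an added illustration (not code from the patent), the following Go sketch implements the log-in message of claim 4, steps F to H, and the server-side checks of claim 5, steps B to D: message layout [type code I | feature code | node info], signature with the user key, certificate lookup by feature code, type-code check and signature verification. It assumes Ed25519 signatures, a 16-byte feature code, and byte values 1, 2 and 3 for type codes I, II and III; none of these are specified by the patent.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Message type codes I, II and III from the claims (the byte values are an assumption).
const (
	TypeLogin  byte = 1 // code I: user log-in event
	TypeOpen   byte = 2 // code II: open a secure communication link
	TypeLogout byte = 3 // code III: user logout
)

// Assumed fixed length of the personal feature code, so the server can split the message.
const featureCodeLen = 16

// UserCert is the part of the user certificate (claim 3, step F) the server needs here;
// the security authentication center's signature over the certificate is not modelled.
type UserCert struct {
	Name, Role string
	PubKey     ed25519.PublicKey
}

// BuildLoginMessage lays out [type code I | feature code | node info] (claim 4, step F).
func BuildLoginMessage(featureCode, nodeInfo []byte) ([]byte, error) {
	if len(featureCode) != featureCodeLen {
		return nil, errors.New("feature code has wrong length")
	}
	msg := append([]byte{TypeLogin}, featureCode...)
	return append(msg, nodeInfo...), nil
}

// VerifyLogin is the server side of claim 5, steps B to D: look the certificate up by
// feature code, confirm the type code, verify the signature, and return the node info.
func VerifyLogin(certs map[string]UserCert, msg, sig []byte) ([]byte, error) {
	if len(msg) < 1+featureCodeLen {
		return nil, errors.New("message too short")
	}
	if msg[0] != TypeLogin { // step C: not a log-in event, stop further processing
		return nil, errors.New("unexpected message type code")
	}
	cert, ok := certs[string(msg[1:1+featureCodeLen])] // step B: lookup by feature code
	if !ok {
		return nil, errors.New("no certificate for this feature code")
	}
	if !ed25519.Verify(cert.PubKey, msg, sig) { // step D: discard on failure
		return nil, errors.New("signature verification failed")
	}
	return msg[1+featureCodeLen:], nil
}

func main() {
	// Registration (claim 3, steps D and E): the center generates key pair and feature code.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	code := make([]byte, featureCodeLen)
	rand.Read(code)
	certs := map[string]UserCert{string(code): {Name: "alice", Role: "clerk", PubKey: pub}}
	// Log-in (claim 4, steps F to H) with constructed node info, signed by the user key.
	node := []byte("ip=192.0.2.10;gw=192.0.2.1;mask=255.255.255.0")
	msg, _ := BuildLoginMessage(code, node)
	sig := ed25519.Sign(priv, msg)
	got, err := VerifyLogin(certs, msg, sig)
	fmt.Println(string(got), err) // ip=192.0.2.10;gw=192.0.2.1;mask=255.255.255.0 <nil>
}
```

The logout message of claim 6 has the same layout with type code III, so the same checks apply there; the type-code test is what keeps a signed logout from being accepted as a log-in.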
6. The user-oriented network-layer secure communication method according to claim 3, further comprising:
before any user logs out of the network computer at which he or she is located, the user must construct a logout message [message type code III | personal feature code | network node information], sign this message with the user's private key, and send the signature value together with the logout message [message type code III | personal feature code | network node information] to the secure communication server, which on receiving the message carries out the following actions:
A. the secure communication server determines from message type code III that this message is a logout message; otherwise, further processing is stopped;
B. the secure communication server extracts the user's personal feature code from the logout message [message type code III | personal feature code | network node information] and uses this feature code to look up the corresponding user's certificate in the local database;
C. the secure communication server extracts the user's public key from the user certificate and uses this public key to verify the received logout message [message type code III | personal feature code | network node information]; if verification fails, the received message [message type code III | personal feature code | network node information] is discarded; otherwise, then
D. the secure communication server inserts the personal information of the user corresponding to the logout message into the logout user list;
E. if the m entries of the logout user list are not yet full, the secure communication server does no further processing; otherwise, then
F. the secure communication server notifies all network computers related to the users in the logout user list to close the secure communication links related to those users, and then empties the logout user list.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 03136493 CN1284331C (en) 2003-05-22 2003-05-22 Safety communication method between communication system of networking computer and user oriented network layer

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 03136493 CN1284331C (en) 2003-05-22 2003-05-22 Safety communication method between communication system of networking computer and user oriented network layer

Publications (2)

Publication Number Publication Date
CN1463117A true CN1463117A (en) 2003-12-24
CN1284331C CN1284331C (en) 2006-11-08

Family

ID=29748531

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 03136493 Expired - Fee Related CN1284331C (en) 2003-05-22 2003-05-22 Safety communication method between communication system of networking computer and user oriented network layer

Country Status (1)

Country Link
CN (1) CN1284331C (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100352229C (en) * 2003-12-26 2007-11-28 华为技术有限公司 A 802.1x authentication method
CN100403814C (en) * 2004-11-25 2008-07-16 华为技术有限公司 Packet broadcasting service key controlling method
CN100367708C (en) * 2005-02-04 2008-02-06 联想(北京)有限公司 Method for issuing application software to network computer by server
CN101366233B (en) * 2005-12-28 2013-07-10 卢森特技术有限公司 Methods and system for managing security keys within a wireless network
CN101046899B (en) * 2006-03-31 2011-05-11 中国科学院软件研究所 Electronic ticket system and method based on public key basic infrastructure
CN101547096B (en) * 2009-02-11 2012-02-15 广州杰赛科技股份有限公司 Net-meeting system and management method thereof based on digital certificate
CN106059775A (en) * 2016-06-07 2016-10-26 北京博文广成信息安全技术有限公司 Method for implementing CFL centralized management mode
CN106161035A (en) * 2016-06-07 2016-11-23 北京博文广成信息安全技术有限公司 CFL individual privacy protected mode implementation method
CN106059775B (en) * 2016-06-07 2019-03-26 青岛博文广成信息安全技术有限公司 CFL manages mode implementation method concentratedly
CN106161035B (en) * 2016-06-07 2019-06-04 青岛博文广成信息安全技术有限公司 CFL personal privacy protection mode implementation method
CN109088888A (en) * 2018-10-15 2018-12-25 山东科技大学 A kind of safety communicating method and its system based on smart card
CN109088888B (en) * 2018-10-15 2021-02-05 山东科技大学 Secure communication method and system based on smart card

Also Published As

Publication number Publication date
CN1284331C (en) 2006-11-08

Similar Documents

Publication Publication Date Title
CN111988338B (en) Permission-controllable Internet of things cloud platform based on block chain and data interaction method
CN108615148B (en) A kind of preposition method of commerce of secured assets and system based on block chain technology
US9047462B2 (en) Computer account management system and realizing method thereof
US7437752B2 (en) Client architecture for portable device with security policies
CN101203841B (en) Preventing fraudulent internet account access
CN1191703C (en) Safe inserting method of wide-band wireless IP system mobile terminal
KR102236341B1 (en) System and method for blockchain-based data management
US7793335B2 (en) Computer-implemented method, system, and program product for managing log-in strikes
WO2021143025A1 (en) Internet-of-things data transmission method and apparatus, and medium and electronic device
US20110047610A1 (en) Modular Framework for Virtualization of Identity and Authentication Processing for Multi-Factor Authentication
CN1610292A (en) Interoperable credential gathering and access modularity
CN106464494A (en) Wireless device authentication and service access
CN1304109A (en) System and method for effectively collecting aranging and access to withdrew table of certificate
US11398902B2 (en) Systems and methods for non-deterministic multi-party, multi-user sender-receiver authentication and non-repudiatable resilient authorized access to secret data
JP2002064485A (en) System and method for safe legacy enclave in public key infrastructure
CN101488857B (en) Authenticated service virtualization
CN1731723A (en) Electron/handset token dynamic password identification system
CN1588853A (en) Uniform identication method and system based on network
US9258118B1 (en) Decentralized verification in a distributed system
US9660972B1 (en) Protection from data security threats
CN1284331C (en) Safety communication method between communication system of networking computer and user oriented network layer
CN101588352A (en) Method and system for ensuring security of operating environment
CN1186723C (en) Dynamic password identity authentication system applicable to network based on software token
CN1601954A (en) Moving principals across security boundaries without service interruption
CN106529216B (en) Software authorization system and software authorization method based on public storage platform

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: BEIJING SHENZHOUTIANMAI NETWORK COMPUTER CO., LTD.

Free format text: FORMER OWNER: INST. OF COMPUTING TECHN. ACADEMIA SINICA

Effective date: 20090508

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20090508

Address after: Four floor, No. 10 South Road, Haidian District Academy of Sciences, Beijing

Patentee after: Beijing Skyvein Net Computer Co., Ltd.

Address before: No. 6 South Road, Zhongguancun Academy of Sciences, Beijing

Patentee before: Institute of Computing Technology, Chinese Academy of Sciences

C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20061108

Termination date: 20120522