CN1585405A - Wide-band wireless IP network safety system structure and realizing method - Google Patents


Info

Publication number
CN1585405A
Authority
CN
China
Prior art keywords
security
authentication
engine
avie
bwip
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200410026211
Other languages
Chinese (zh)
Other versions
CN100358326C (en)
Inventor
马建峰
吴振强
朱建明
郭渊博
李兴华
曹春杰
张帆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University
Application filed by Xidian University
Priority to CNB2004100262119A
Publication of CN1585405A
Application granted
Publication of CN100358326C
Anticipated expiration
Current legal status: Expired - Fee Related

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The system comprises a BWIP (broadband wireless IP) security system, a BWIP security executive system, a BWIP security management system and an external security support system. The BWIP management system sets the security policy, preset shared key and charge rate for the BWIP security system and monitors system resources. The BWIP security executive system calls the components of the BWIP security system to examine and filter incoming and outgoing packets and connection requests. The BWIP security system obtains the user's public key and credential information from the external support system, and together with the external support system provides the decision basis for the BWIP security executive system. The invention is based on cryptographic algorithms.

Description

Wide-band wireless IP network security architecture and safe implementation method
Technical field
The present invention relates to the technical field of communication security, and specifically to a broadband wireless IP (Broadband Wireless Internet Protocol, abbreviated BWIP) network security architecture and security implementation method, used to realize the overall security of BWIP networks and to provide a security technology guarantee for future mobile e-commerce and mobile e-government.
Background technology
Existing security architecture schemes include: the OSI (Open Systems Interconnection) security architecture standard (ISO/IEC 7498-2); the IPsec (IP security) security architecture proposed by the IETF (Internet Engineering Task Force) in November 1998 (RFC 2401, Request for Comments No. 2401); the WAP (Wireless Application Protocol) architecture specification proposed by the WAP Forum in April 1998 (document code WAP-100-WAPArch-19980430-a); and the security architecture (3G Security, Security architecture, Release 5) proposed by the 3GPP (3rd Generation Partnership Project) in December 2002. The common problems of these security systems are as follows:
1. The OSI security architecture standard (ISO/IEC 7498-2) is a general security architecture framework provided by ISO (International Organization for Standardization) in 1989, entitled "Information Processing Systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture". This standard gives a general description of security services and the related security mechanisms, and determines where inside the reference model these services and mechanisms can be provided. According to the security threats that may exist in a network, the standard divides security into four levels: link-level security, network-level security, end-to-end-level security and application-level security; in a specific implementation the user may choose one or more of these levels according to their own security requirements to realize the security function. This security framework has guiding significance, but it gives no concrete implementation method and therefore cannot be adopted directly.
2. The IPsec security architecture is a security architecture scheme for the symmetric application environment of fixed networks. It mainly considers the confidentiality and authentication functions of wired networks, lacks the accounting function needed in wireless networks, and cannot be used directly in the special applications of mobile environments, where power consumption is low, memory is small, processing capability is weak, bandwidth is relatively low and the error rate is high.
3. The WAP (Wireless Application Protocol) is built on a new architecture. Its security mechanism is realized by the WTLS (Wireless Transport Layer Security) layer of the WAP 1.x protocol stack; because WTLS is a non-standard protocol, it has compatibility problems with the existing TCP/IP (Transmission Control Protocol/Internet Protocol) stack, and WTLS has many security vulnerabilities. WAP 2.x changes the security mechanism of WAP to the SSL/TLS (Secure Sockets Layer/Transport Layer Security) approach and proposes to cooperate with a PKI (Public Key Infrastructure) to provide security guarantees for the WAP protocol. This solution mainly solves the security problem of WAP at the transport layer; it is a wireless mobile IP protocol proposed by mobile phone manufacturers and others, has compatibility problems with other mainstream wireless IP technologies such as IEEE 802.11 (the WLAN standard), and is therefore not a general broadband wireless IP security architecture.
4. The 3GPP security architecture is built on the basis of third-generation mobile communications (3G). Its security focuses mainly on the authentication, authorization and accounting (Authentication Authorization Accounting, abbreviated AAA) functions of mobile telephone equipment; its security technology is built at the access level, its versatility is poor, and it cannot satisfy the whole security requirements of future mobile IP, nor problems such as AAA for wireless mobile PCs (Personal Computers) under IEEE 802.11.
This shows that none of the above security architectures can satisfy the security requirements of future BWIP networks. A new security architecture and security implementation method need to be designed; this architecture must not only satisfy the security performance needs of the BWIP network, but must also provide good authentication, authorization and accounting functions, and in realizing these functions must take good account of the relatively weak processing capability of mobile devices in the BWIP network.
Summary of the invention
The objective of the invention is to overcome the deficiencies of the prior art. According to the security needs of broadband wireless IP networks, combining security realization technologies such as network management, cryptographic computation, public key infrastructure, mobile IP, and authentication, authorization and accounting, and adopting the component-reuse idea of software engineering, each function of the security system is organically combined to provide a broadband wireless IP network security architecture and security implementation method that can solve the security problems of future BWIP networks as a whole, so as to satisfy the needs of broadband wireless IP network services.
The technical scheme of the invention realizes the overall security mechanism of the broadband wireless IP network at the network layer. The broadband wireless IP network security architecture comprises a BWIP security system, a BWIP security executive system, a BWIP security management system and an external security support system. The BWIP security system is the core system of the security architecture and undertakes encryption and decryption, security computation, authentication, authorization, accounting and secure data management in the network; it is made up of the crypto engine CE, security environment database SEDB, security environment manager SEM, authentication, authorization and accounting engine AAAE, policy database PDB, policy manager PM, log database ADB, log manager AM, credential database CDB and credential manager CM. The BWIP security executive system is the master control system of the security architecture and the secure processing interface between the internal and external networks; it is made up of the policy enforcement engine PEE, the authentication, verification and integrity checking engine AVIE and the resource control framework RCF. The BWIP security management system is the man-machine interface for internal security management and is made up of configuration management, security management, fault-tolerance management, accounting management and performance management components. The external security support system is part of the public key infrastructure PKI and is made up of the certification authority CA, the authorization authority AA and the public credential repository CP. The data call relations between the systems are as follows: the BWIP network management system sets security policy, preset shared symmetric keys, charge rates, grace periods and user credential information for the BWIP security system and monitors the resource control framework of the BWIP security executive system; the BWIP security executive system calls each component of the BWIP security system to examine and filter all incoming and outgoing BWIP packets and connection requests, so as to decide whether to allow or forbid them; the BWIP security system accesses the external security support system to obtain the mobile user's public key certificate and credential information and stores these data temporarily in the security environment database SEDB and credential database CDB for later use, to improve the operational efficiency of the system; and the BWIP security system and the external security support system together provide the decision basis for the BWIP security executive system.
The security implementation method of the broadband wireless IP network uses cryptographic algorithms within the BWIP network security architecture to process outgoing and incoming data, in order to realize the network confidentiality service, integrity service and authentication, authorization and accounting (hereinafter AAA) service. The confidentiality service encrypts outgoing data and decrypts incoming data; the integrity service encapsulates outgoing data and performs integrity checking on incoming data. Both services are realized by the authentication, verification and integrity checking engine AVIE, policy enforcement engine PEE, crypto engine CE, policy database PDB, log database ADB and the security management component. The AAA service performs two-way authentication, authorization and accounting on outgoing and incoming packets and is realized by the authentication, verification and integrity checking engine AVIE, policy enforcement engine PEE, authentication, authorization and accounting engine AAAE, crypto engine CE, security environment database SEDB, credential database CDB, log database ADB, policy database PDB, the external security support system, the resource control framework RCF and the security management, accounting management and performance management components. Among these, the security management component sets the pre-shared key and security policy of the system and stores them in the security environment database SEDB and policy database PDB respectively; the performance management component performs system monitoring, sets the resource open time and adjusts the number of users the system allows to access; and the accounting management component provides charge rate and grace period settings for the system administrator and bill enquiries for the user.
The above security implementation method comprises the outgoing security processing flow and secure encapsulation flow of network data, the incoming security processing flow of network data, and the authentication, authorization and accounting (AAA) processing flow for outgoing and incoming data; through these security processing flows, the confidentiality service, integrity service and AAA (authentication, authorization, accounting) service of the broadband wireless IP network are realized.
Compared with the prior art, the invention has the following characteristics:
1. High versatility: the invention fully takes into account the security requirements and security functions of broadband wireless IP networks and realizes a network-level security solution; while keeping all present wireless Internet technologies, it includes them all in the security architecture, improving the security and practicality of broadband wireless IP networks;
2. Complete function: present security architectures each realize security technology and security requirements from a different aspect; the invention looks ahead to the development of the broadband wireless IP network security system, organically integrates the functions it should possess, and gives a careful analysis and implementation process for each major function;
3. Good openness: a modular design method is adopted, which facilitates software reuse between the system components; the system is flexible and convenient to extend with future new technologies and new algorithms;
4. Good transparency: the invention realizes the security of the broadband wireless IP network at the network level through the design of the network infrastructure, with the corresponding security services provided by the network provider, so the security architecture is transparent to the user; the security mechanisms of the application layer and transport layer are used directly, so it is transparent to the upper layers;
5. The invention can meet the requirements of the security architecture standard and can provide the broadband wireless IP network with the confidentiality service, integrity service, authentication, authorization and accounting (AAA) service and non-repudiation service;
The invention integrates the AAA and PKI functions and takes into account the requirements of mobile users, mobile operators and Internet providers; once put into use, it will produce good economic benefits for future BWIP networks.
Description of drawings
Fig. 1 shows the position at which the BWIP security architecture is realized;
Fig. 2 is the BWIP network security architecture model;
Fig. 3 is the outgoing processing flow chart of the BWIP security architecture;
Fig. 4 is the outgoing data encapsulation processing flow of the BWIP security architecture;
Fig. 5 is the incoming processing flow chart of the BWIP security architecture;
Fig. 6 is the AAA processing flow in the BWIP security architecture.
Embodiment
Referring to Fig. 1, the TCP/IP (Transmission Control Protocol/Internet Protocol) stack comprises the application layer, transport layer, network layer and link-to-host layer. In Fig. 1 the broadband wireless IP network security architecture sits at the network layer of the TCP/IP stack, that is, it is a network-level security realization technology. The top two layers are the application layer and transport layer of the TCP/IP stack; the security architecture uses the security mechanisms of these two layers directly, so it is transparent to the upper layers. The bottom of Fig. 1 corresponds to the link-to-host layer of the TCP/IP stack and supports existing and future broadband wireless access technologies, representative ones being the wireless personal area network (WPAN), wireless local area network (WLAN), wireless metropolitan area network (WMAN) and wireless wide area network (WWAN); the invention treats the security technology of the broadband wireless access link transparently, bringing it into the security architecture while keeping the characteristics of each access technology. Adopting the standard IPsec protocol makes the invention applicable not only to IPv4 (IP address scheme version 4) but also to the future IPv6 (IP address scheme version 6) environment, giving it good extensibility and compatibility.
Referring to Fig. 2, the BWIP network security architecture of the invention and its implementation are made up of the BWIP security system, BWIP security executive system, BWIP network management system and external security support system. The BWIP security system is the core system of the BWIP security architecture; it undertakes the encryption and decryption, MAC (message authentication code) computation, authentication, authorization and accounting operations in the broadband wireless IP network, and is also the system responsible for encryption keys, trust relationships and security policy management. The BWIP security system is made up of the crypto engine CE, security environment database SEDB, security environment manager SEM, authentication, authorization and accounting engine AAAE, policy database PDB, policy manager PM, log database ADB, log manager AM, credential database CDB and credential manager CM; the function of each component is:
The crypto engine CE (Crypto Engine) provides different cryptographic algorithms, such as symmetric encryption/decryption, asymmetric encryption/decryption and hash operations, and provides encryption/decryption computation and MAC computation services for the other components in the system;
The security environment database SEDB (Security Environment Database) stores the various encryption keys, such as the public/private key pair of the mobile node MN, the keys negotiated by the IKE key exchange protocol between the MN and the communication entities (MN-FA, MN-HA, etc.) and the security associations SA negotiated with different nodes, for use by CE;
The security environment manager SEM (Security Environment Manager) manages the keys in SEDB, provides manual configuration of encryption keys and automatic key management, initiates IKE negotiation of keys and SAs, and stores them in SEDB;
The authentication, authorization and accounting engine AAAE (Authentication, Authorization, and Accounting Engine) authenticates the mobile user and performs authorized access and accounting operations according to different roles; AAAE depends on CE and SEDB for the necessary cryptographic operations. In line with the present trend of AAA (authentication, authorization and accounting) as wireless network infrastructure, the BWIP security architecture realizes AAAE in the form of an engine, equivalent to an agent component that can interact periodically with other AAA entities in the network to form a hierarchical AAA management system; off-line accounting in this way helps reduce the network load of BWIP and improves network efficiency. Placing authentication and authorization in the BWIP security architecture facilitates fine-grained control of authentication and access and improves the flexibility of BWIP security management;
The policy database PDB (Policy Database) stores the data used to control the operations of different roles on the BWIP network;
The policy manager PM (Policy Manager) manages PDB and provides authorized users with manual or automatic editing of the policy database, for example downloading policy data from a central policy server;
The credential database CDB (Credential Database) stores user credential data, such as public key certificates and attribute certificates;
The credential manager CM (Credential Manager) manages CDB and provides authorized users with manual or automatic editing of the credential database, for example searching or downloading credential data from an external credential repository;
The log database ADB (Audit Database) stores the log records of security-related activities;
The log manager AM (Audit Manager) handles the logs of the security function components and provides a basis for problem analysis and decision-making.
The BWIP security executive system is the main system; it is the secure processing interface between the security architecture and the internal and external networks, and is made up of the policy enforcement engine PEE, the authentication, verification and integrity checking engine AVIE and the resource control framework RCF; the function of each component is:
The policy enforcement engine PEE (Policy Enforcement Engine) is the main component of the security executive system; its role is to control all incoming requests from the Internet and decide whether to accept or intercept them, and to filter packets going out to the Internet from hosts or the intranet through the PEE filter, deciding whether to drop, bypass or encapsulate them;
The authentication, verification and integrity checking engine AVIE (Authentication Verification Integrity Engine) performs digital signature checking, data origin authentication and integrity checking on packets coming in from the Internet, and secure encapsulation on outgoing packets;
The resource control framework RCF (Resource Control Frame) controls, manages and monitors system resources and provides various environment variables, such as the system clock, which provides the time basis for the log database ADB;
The BWIP network management system is the man-machine interface for internal security administration staff and is made up of configuration management, security management, fault-tolerance management, accounting management and performance management components. The invention extends the security management, accounting management and performance management components; the five management components above are equivalent to a user interface, through which the user manages the network implementation effectively and easily by visual means. This management mode separates the network management system from the security system layer, which is convenient for modular implementation, makes the realization of the BWIP security architecture more flexible and makes it easy to update algorithms.
The external security support system is part of the public key infrastructure PKI and is made up of the certification authority CA, the authorization authority AA and the public credential repository CP, where:
The certification authority CA (Certification Authority) is the core component of the PKI system; it accepts online certificate requests, signs, examines and produces certificates, distributes certificates, archives and revokes certificates, renews certificates, backs up and recovers keys and performs cross-certification, and proves the user's authenticity for the certification component in AAAE. CA is independent of the security architecture and is a generally recognized secure and trusted authority;
The authorization authority AA (Authorization Authority) grants legitimate users the right to use system resources, normally in the form of attribute certificates;
The public credential repository CP (Credential rePository) stores information proving that a user genuinely has the right to use a resource; it can store public key certificates, attribute certificates and certificate revocation lists CRL.
The dashed boxes in Fig. 2 represent the data call service relations between the systems through their interfaces. The BWIP security executive system is the window through which the whole security architecture provides service externally; it is responsible for examining and filtering all incoming and outgoing BWIP packets and connection requests to decide whether to allow or forbid them. The BWIP security executive system calls each component of the BWIP security system so that they provide security services for it. While the BWIP security system provides these services, when a packet uses a public key cryptosystem to obtain confidentiality, authentication and other services, the BWIP security system also needs to access the external security support system, which provides the mobile user's public key certificate and credential information; these data are supplied to AAAE and at the same time stored temporarily in the security environment database SEDB and credential database CDB, so that when the BWIP security architecture again provides service for the same mobile user within the validity period it need not access the external security support system again, improving the operational efficiency of the system. Through the cooperation of the BWIP security system and the external security support system, a reliable decision basis is provided for the BWIP security executive system.
The BWIP network management system is the man-machine interface provided to improve the flexibility of the BWIP security architecture; through it the security administrator can easily set policy, preset shared symmetric keys, set charge rates and grace modes, set user credential information and monitor the system's resources for the security system.
Through the coordinated work of the BWIP network management system, BWIP security system, BWIP security executive system and external security support system, the invention realizes the confidentiality service, integrity service, AAA (authentication, authorization, accounting) service and other security services of the broadband wireless IP network, including the non-repudiation service.
The security services of the BWIP network are realized by processing the packets flowing into and out of the network system, and the components of the security architecture are organized together according to the needs of the security functions; the security implementation method of the BWIP network security architecture is described below with reference to the drawings. In each of Figs. 3 to 6, solid lines represent control flow within the BWIP security architecture and dashed lines represent the data calls and data interactions carried out between different system components.
Referring to Fig. 3, when a data message delivered by the transport layer of a system node or by the intranet needs to be transmitted to the external network, the BWIP network security architecture processes the packet flowing out of the network as follows:
1. The filter in the policy enforcement engine PEE filters the packet: the filter asks the policy manager PM to query the policy database PDB according to the packet's IP address and interface, and obtains the processing policy;
2. Policy handling: if the security policy is "drop", the policy enforcement engine PEE simply drops the packet and passes the processing information to the log manager AM, which records it in the log database ADB; if the security policy is "bypass", the packet needs no security processing (for example, management signalling in part of the BWIP network), so PEE hands the packet directly to the IP layer for IP encapsulation and the IP layer carries out the IP forwarding operation; if the security policy is "encapsulate", PEE hands the packet to the authentication, verification and integrity checking engine AVIE;
3. AVIE performs the secure encapsulation processing: AVIE first asks the security environment manager SEM to query the security environment database SEDB and determine whether a corresponding security association SA exists for this communication entity; if no SA exists or the SA has expired, SEM initiates the key agreement protocol IKE to negotiate the corresponding SA, encryption and decryption keys, hash key, encryption algorithm and authentication algorithm. If the security negotiation fails, the packet is dropped and the negotiation result information is passed to the log manager AM, which records it in the log database ADB; when the negotiation succeeds, the negotiated data are first saved to the security environment database SEDB and the result is returned to the authentication, verification and integrity checking engine AVIE;
4. AVIE asks the authentication, authorization and accounting engine AAAE to perform the corresponding authentication, authorization and accounting (AAA) operations, and AAAE returns the operation result information to AVIE. Because the AAA operation is a complex process, it is shown shaded in Fig. 3 and its detailed process is given in Fig. 6. On receiving the operation result from AAAE, AVIE first passes it to the log manager AM, which records it in the log database ADB, so that system security administrators can check the log and improve the security policy;
5. The authentication, verification and integrity checking engine AVIE handles the result returned by AAAE: if the AAA operation fails, AVIE simply drops the packet and records the event in the log database ADB; if the AAA operation succeeds, the system allows the packet to leave the network;
6. AVIE asks the security environment manager SEM to call the crypto engine CE, and CE performs the corresponding secure encapsulation processing according to the security association SA parameters in the security environment database SEDB. The CE operation is also a complex process, shown shaded in Fig. 3; its detailed process is given in Fig. 4. After CE finishes the data encapsulation, the result is returned to the authentication, verification and integrity checking engine AVIE;
7. AVIE hands the encapsulated packet directly to the IP layer, which adds a new IP header and places it in the IP forwarding queue or sends it directly into the Internet.
Referring to Fig. 4, the secure encapsulation process for a packet that the security system in Fig. 3 allows to leave the network is as follows: the authentication, verification and integrity checking engine AVIE gives the transport-layer packet to be encapsulated to the security environment manager SEM, and SEM calls the crypto engine CE to perform the secure encapsulation of the packet;
1. The crypto engine CE first pre-processes the data: because the encryption is carried out with a block cipher, an initialization vector IV and padding characters must be added to form an integral multiple of the fixed block size; the pre-processed message is denoted M (Message);
2. CE takes from the security environment database SEDB the security processing parameters corresponding to this security association SA, comprising the encryption key K1, hash key K2, signature key K3, sequence number SN and security parameter index SPI;
3. CE encrypts the message M, the encrypted encapsulation payload being denoted f(M, K1), and inserts the sequence number SN and security parameter index SPI into the header format of the tunnel protocol to form the capsule header. The capsule header and encapsulation payload operations realize the confidentiality service of the BWIP security architecture;
4. The crypto engine CE then hashes the encapsulated data with the hash key K2 and the hash algorithm specified in the security association SA, to realize the integrity service; in Fig. 4 this is denoted MAC = h(capsule header, encapsulation payload, K2);
5. Since some protocols also require the message to be digitally signed, the crypto engine CE may also sign the generated message authentication code MAC with the signature key K3; because the signature service is optional, S(MAC, K3) is still denoted MAC;
6. After the crypto engine CE finishes the above secure encapsulation, the capsule header, encapsulation payload and MAC are spliced together and returned to AVIE, which hands them to the IP layer for the corresponding IP encapsulation, namely adding a new IP header to form the IP packet, which is then placed in the IP forwarding queue to await the data forwarding operation.
So far, the BWIP Security Architecture has been finished the safe handling process of the outflow of packet.
After the sender of a message has applied security processing to the packet in the BWIP network security architecture, the receiver must carry out the corresponding security operations.
Referring to Fig. 5, the inbound processing steps of the BWIP network security architecture at the receiver are as follows:
1. The authentication, verification and integrity checking engine AVIE receives an IP packet from the Internet, reads the Security Parameter Index SPI from the encapsulation header of the IP packet, and requests the security environment manager SEM to query the security environment database SEDB;
2. AVIE judges whether this SPI is valid: if the Security Parameter Index SPI does not exist or has passed its validity period, AVIE discards the packet directly and records the event in the log database ADB;
3. If the SPI is valid, AVIE requests SEM to call the crypto engine CE to perform an integrity check first, to judge whether the packet has been actively attacked in transit. AVIE's integrity check of the packet consists of three steps:
In the first step AVIE requests the crypto engine CE to perform the cryptographic computation that recovers the protected message authentication code MAC. To do so CE obtains the decryption key from the security environment database SEDB, and the decrypted result is the HASH value that the sender transmitted. If the protocol specifies that the MAC was digitally signed, the security environment manager SEM must also call the external security support system, obtain the mobile user's valid certificate from the certificate authority CA, and verify the signature on the MAC with the public key in the certificate. If verification fails, SEM notifies AVIE and gives the reason for the failure; if verification succeeds, the decrypted MAC is returned to AVIE;
In the second step AVIE requests CE to compute the HASH value of the packet with the negotiated HASH function and return it to AVIE;
In the third step AVIE compares the decrypted HASH value with the recomputed HASH value. If they are equal, the integrity check of the packet succeeds; otherwise it fails.
If the integrity check fails, AVIE automatically discards the incoming packet and records the corresponding integrity check information in the log database ADB;
4. If the integrity check succeeds, AVIE requests the authentication, authorization and accounting engine AAAE to perform the corresponding AAA operations and receives the result returned by AAAE;
5. AVIE passes the result returned by AAAE to the log manager AM, which records it in the log database ADB so that system security administrators can inspect the log and improve the security policy;
6. AVIE processes the result returned by AAAE: if the AAA operation fails, AVIE simply discards the packet; if the AAA operation succeeds, the system allows the packet to access the network, and AVIE requests the security environment manager SEM to call the crypto engine CE to decrypt the packet;
7. CE decrypts the encapsulation payload according to the security association SA parameters in the security environment database SEDB (decryption is placed this late in the flow because it is expensive and time-consuming; deferring it raises the processing efficiency of the system). AVIE then passes the decrypted plaintext message to the policy enforcement engine PEE;
8. PEE requests the policy manager PM to query the policy database PDB, and checks the security processing policy and access mode returned by the query;
9. If the packet conforms to the local policy, it is forwarded to the internal intranet or to the upper protocol layers; otherwise the plaintext message is discarded and the event is recorded in the log database ADB. At this point the confidentiality and integrity services for incoming data have also been realized.
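The two procedures above (Fig. 4 encapsulation on the way out, Fig. 5 checks on the way in; claims 4 and 5 below restate the same steps) in running Python, added here as an illustration and not taken from the patent. The page does not name the cipher, the hash or the header layout, so the example assumes them: the capsule header is SPI || SN as two 32-bit words, f(M, K1) is an HMAC-SHA256 keystream in counter mode standing in for a block cipher, h is HMAC-SHA256, and the optional S(MAC, K3) is modelled as a keyed MAC under K3 rather than the public-key signature a deployment would verify against the CA-issued certificate. The sequence-number replay check is likewise an assumption. The order of operations is the page's: SPI validity, then the integrity check on the still-encrypted payload, then AAA, and only then decryption and the PEE policy check, so a forged or replayed packet is rejected without spending a decryption on it. SecurityAssociation, Drop, encapsulate, inbound and demo are names chosen for the example.

```python
"""Outbound encapsulation (Fig. 4) and inbound check-and-decrypt (Fig. 5); an added
illustration, not the patent's code.  Assumed where the page is silent: tunnel header
= SPI || SN (two big-endian 32-bit words); f(M, K1) = HMAC-SHA256 keystream in counter
mode (stand-in for the unnamed block cipher); h = HMAC-SHA256; S(MAC, K3) modelled as
HMAC under K3 (a deployment verifies a public-key signature with the CA certificate);
the SN replay check is assumed (the page only says SN is carried in the header)."""
import hashlib, hmac, os, struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

BLOCK, HDR, MACLEN = 16, 8, 32   # padding block size, SPI||SN header, SHA-256 tag length

@dataclass
class SecurityAssociation:
    spi: int
    k1: bytes               # encryption key
    k2: bytes               # hash key
    k3: Optional[bytes]     # signature key; None when the signature service is not used
    expires_at: float       # end of the SPI validity period (epoch seconds)
    sn: int = 0             # next outbound sequence number
    last_sn: int = -1       # highest inbound SN accepted (assumed replay check)

class Drop(Exception):
    """Packet discarded; str(e) is the reason AVIE records in the log database ADB."""

def _keystream(k1: bytes, iv: bytes, n: int) -> bytes:
    blocks = (hmac.new(k1, iv + struct.pack(">I", c), hashlib.sha256).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _drop(adb: List[tuple], reason: str, *info) -> None:
    adb.append(("drop", reason) + info)
    raise Drop(reason)

def encapsulate(sa: SecurityAssociation, data: bytes) -> bytes:
    """Steps 1-6 of Fig. 4: returns capsule header || f(M, K1) || MAC (encrypt-then-MAC)."""
    iv = os.urandom(BLOCK)
    pad = BLOCK - len(data) % BLOCK
    m = data + bytes([pad]) * pad                                        # step 1: IV + padding
    payload = iv + _xor(m, _keystream(sa.k1, iv, len(m)))               # step 3: f(M, K1)
    header = struct.pack(">II", sa.spi, sa.sn)                           # capsule header
    sa.sn += 1
    mac = hmac.new(sa.k2, header + payload, hashlib.sha256).digest()    # step 4: h(hdr, payload, K2)
    if sa.k3 is not None:                                                # step 5: S(MAC, K3)
        mac = hmac.new(sa.k3, mac, hashlib.sha256).digest()
    return header + payload + mac                                        # step 6

def inbound(sedb: Dict[int, SecurityAssociation], packet: bytes, aaa: Callable[[int], bool],
            policy: Callable[[bytes], bool], adb: List[tuple], now: float) -> bytes:
    """Fig. 5 in the page's order: SPI validity, integrity, AAA, decrypt, policy; `now` is the RCF clock."""
    if len(packet) < HDR + 2 * BLOCK + MACLEN:
        _drop(adb, "malformed")
    header, body, mac = packet[:HDR], packet[HDR:-MACLEN], packet[-MACLEN:]
    spi, sn = struct.unpack(">II", header)
    sa = sedb.get(spi)
    if sa is None or now > sa.expires_at:                                # step 2: SPI validity
        _drop(adb, "spi", spi)
    expected = hmac.new(sa.k2, header + body, hashlib.sha256).digest()  # step 3: recompute h
    if sa.k3 is not None:
        expected = hmac.new(sa.k3, expected, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):                           # verify before decrypting
        _drop(adb, "integrity", spi)
    if sn <= sa.last_sn:
        _drop(adb, "replay", spi, sn)
    ok = aaa(spi)                                                        # steps 4-6: AAA, logged
    adb.append(("aaa", spi, ok))
    if not ok:
        raise Drop("aaa")
    sa.last_sn = sn
    iv, ct = body[:BLOCK], body[BLOCK:]                                  # step 7: decrypt last
    m = _xor(ct, _keystream(sa.k1, iv, len(ct)))
    plaintext = m[:-m[-1]]                                               # strip authenticated padding
    if not policy(plaintext):                                            # steps 8-9: PEE check
        _drop(adb, "policy", spi)
    return plaintext

def demo() -> dict:
    """Constructed run over one shared SA: valid, tampered, replayed, expired SPI, refused by PEE."""
    k1, k2, k3, t0 = os.urandom(32), os.urandom(32), os.urandom(32), 1_700_000_000.0
    sender = SecurityAssociation(0x1001, k1, k2, k3, t0 + 3600)
    stale = SecurityAssociation(0x2002, k1, k2, k3, t0 - 1)               # SPI past its validity period
    sedb = {0x1001: SecurityAssociation(0x1001, k1, k2, k3, t0 + 3600),
            0x2002: SecurityAssociation(0x2002, k1, k2, k3, t0 - 1)}
    adb: List[tuple] = []
    run = lambda p: inbound(sedb, p, lambda spi: True, lambda pt: not pt.startswith(b"BLOCKED"), adb, t0)
    good = encapsulate(sender, b"hello BWIP")
    out = {"plain": run(good)}
    i = HDR + BLOCK                                                      # first ciphertext byte
    for name, pkt in [("tampered", good[:i] + bytes([good[i] ^ 1]) + good[i + 1:]), ("replay", good),
                      ("expired", encapsulate(stale, b"late")),
                      ("policy", encapsulate(sender, b"BLOCKED by PEE"))]:
        try:
            run(pkt)
            out[name] = "accepted"
        except Drop as e:
            out[name] = str(e)
    out["log_entries"] = len(adb)
    return out
```

demo() runs one SA through a valid packet, a tampered one, a replay, an expired SPI and a payload the policy refuses, and returns the outcome of each together with the number of log-database entries written. Because the MAC is verified over header and ciphertext before anything is decrypted, the padding that is stripped at the end has already been authenticated, which is what makes deferring decryption to the last step safe as well as cheaper.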
In the present invention the policy enforcement engine PEE performs the policy check on the plaintext message, which helps filter the packet contents and improves the security of the BWIP network system.
The present invention performs AAA operations on both incoming and outgoing packets. This serves the need for bidirectional traffic accounting in the BWIP network and at the same time achieves better access control, which helps improve the availability of the BWIP security architecture.
Referring to Fig. 6, the authentication, authorization and accounting (AAA) processing of the BWIP security architecture is carried out as follows:
I. Authentication
1. The authentication, verification and integrity checking engine AVIE requests the authentication, authorization and accounting engine AAAE to perform the authentication, authorization and accounting operations;
2. After AAAE receives the request, its authentication component uses the crypto engine CE to authenticate the source of the packet and the user identity on the basis of the Security Parameter Index SPI contained in the request packet. Authentication can take either of the following forms:
Authentication mode one: shared-key authentication
The crypto engine CE takes the pre-negotiated key and algorithm from the security environment database SEDB according to the security association SA and performs the corresponding cryptographic operation, thereby establishing the authenticity of the user identity and of the data source;
Authentication mode two: public-key authentication
The crypto engine CE first queries the security environment database SEDB. If no relevant public-key information is present, CE accesses the external security support system through the security environment manager SEM and obtains the mobile user's public-key certificate, credit information and authorization information from the certificate authority CA, the public credit database CP and the authorization authority AA of the external security support system. When SEM saves this data to the security environment database SEDB, it also asks the credit manager CM to save the mobile user's credit information in the credit database CDB, so as to speed up the subsequent authorization process and any later AAA service the BWIP security architecture provides to this mobile user within the validity period. Once CE holds the user's public-key information, it performs the cryptographic computation on the signature information with the user's public key and returns the result to the authentication component of AAAE, which verifies the digital signature by comparison, thereby authenticating the user or the data source.
3. If authentication fails, the authentication component terminates the AAA process, and AAAE returns an authentication-failure message to AVIE;
4. If authentication succeeds and authorization is required, the authorization component performs the authorization operation. The purpose of the authorization service is to prevent unauthorized use of resources: a network entity that has not been authorized may not send security information to other network entities, and an unauthorized user cannot obtain the security information and network resources inside the network.
II. Authorization
1. The authorization component makes the authorization decision on the basis of the information provided by AVIE. This information, which includes the name of the mobile requesting object such as its ID (identity) number, is used in the form of an "index code" to extract the corresponding policy from the policy database PDB and the corresponding credit from the public credit database CP. The authorization component also asks the security execution system to provide environment variables, including the system clock and the resource-monitoring component of the resource control framework RCF;
2. After collecting all required information, the authorization component processes the authorization of the data according to its internal rules and produces the authorization result in the concise form "request authorized" or "authorization refused";
3. If authorization is refused, the authorization component returns the "authorization refused" message to AVIE through AAAE; AVIE records the message in the log database ADB and discards the packet;
4. If authorization succeeds and an accounting operation is required, control of the system is handed to the accounting component, which carries out the corresponding accounting process.
III. Accounting
1. The accounting operation generates, on the basis of the requester's identity ID, a record carrying the user ID, the access time, the destination of the access, the amount of data accessed and similar information, and stores it in the accounting database of the authentication, authorization and accounting engine AAAE, completing the accounting service of the AAA service;
2. After the accounting component has finished the accounting task for the user, AAAE returns the processing result to AVIE, and AVIE also records the operation information in the log database ADB. The advantage of this double recording is that it helps resolve disputes over charges.
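The AAA flow of Fig. 6 (restated in claim 6 below) as an added Python illustration, not the patent's code. It shows authentication mode one only: the request carries an HMAC-SHA256 tag computed under the key that the SA for its SPI holds in SEDB, which the engine recomputes and compares in constant time; mode two (certificate fetched from the CA) is left out. The page says the authorization component decides "according to internal rules" without listing them, so the rules here are assumptions: a policy entry selected by the index code, a minimum credit taken from the credit database, a resource opening window checked against the clock the RCF supplies, and the concurrent-user limit set by performance management. Request, AAAE, AUTHORIZED, REFUSED and demo are names chosen for the example.

```python
"""AAA flow of Fig. 6 as an added illustration, not the patent's code.  Shared-key
authentication (mode one) is modelled as an HMAC-SHA256 tag over the request under
the SA key held in SEDB; public-key authentication via the CA (mode two) is not
shown.  The authorization rules are assumed (the page only says "internal rules"):
policy entry selected by index code, credit floor from CDB, resource opening window
against the RCF clock, and the user limit set by performance management."""
import hashlib, hmac
from dataclasses import dataclass, field
from typing import Dict, List, Set

AUTHORIZED, REFUSED = "request authorized", "authorization refused"   # page's result form

@dataclass
class Request:
    user_id: str
    spi: int
    index_code: str      # selects the policy entry in PDB
    destination: str
    nbytes: int          # amount of data accessed (for the accounting record)
    hour: int            # system clock supplied by RCF (hour of day)
    body: bytes
    tag: bytes           # sender's shared-key tag over body

@dataclass
class AAAE:
    sedb: Dict[int, bytes]                 # SPI -> pre-negotiated authentication key
    pdb: Dict[str, dict]                   # index code -> {"open": (start, end), "min_credit": n}
    cdb: Dict[str, int]                    # user -> credit (from CDB / CP)
    max_users: int                         # set by the performance management component
    online: Set[str] = field(default_factory=set)       # resource monitor in RCF
    accounting_db: List[dict] = field(default_factory=list)
    adb: List[tuple] = field(default_factory=list)      # log database

    def authenticate(self, r: Request) -> bool:
        """Mode one: recompute the tag with the SA key for r.spi and compare in constant time."""
        key = self.sedb.get(r.spi)
        return key is not None and hmac.compare_digest(
            hmac.new(key, r.body, hashlib.sha256).digest(), r.tag)

    def authorize(self, r: Request) -> str:
        pol = self.pdb.get(r.index_code)
        if pol is None:
            return REFUSED                                  # no policy for this index code
        start, end = pol["open"]
        if not start <= r.hour < end:
            return REFUSED                                  # outside the resource opening window
        if self.cdb.get(r.user_id, 0) < pol["min_credit"]:
            return REFUSED                                  # credit below the policy floor
        if r.user_id not in self.online and len(self.online) >= self.max_users:
            return REFUSED                                  # allowed number of users reached
        return AUTHORIZED

    def account(self, r: Request) -> dict:
        rec = {"user": r.user_id, "time": r.hour, "dest": r.destination, "bytes": r.nbytes}
        self.accounting_db.append(rec)
        return rec

    def process(self, r: Request) -> str:
        """AVIE's request: authenticate, authorize, account; every outcome is logged to ADB."""
        if not self.authenticate(r):
            self.adb.append((r.user_id, "authentication failed"))
            return "authentication failed"
        verdict = self.authorize(r)
        if verdict != AUTHORIZED:
            self.adb.append((r.user_id, verdict))
            return verdict
        self.online.add(r.user_id)
        rec = self.account(r)
        self.adb.append((r.user_id, AUTHORIZED, rec))   # double record: accounting db and ADB
        return AUTHORIZED

def demo():
    """Constructed requests against one SPI; returns the engine and the verdicts."""
    key = b"pre-shared key negotiated for SPI 0x1001"
    eng = AAAE(sedb={0x1001: key}, pdb={"P7": {"open": (8, 20), "min_credit": 50}},
               cdb={"alice": 80, "bob": 20, "carol": 90}, max_users=1)
    def req(user, hour, code="P7", k=key):
        body = f"{user}->intranet".encode()
        return Request(user, 0x1001, code, "intranet", 1500, hour, body,
                       hmac.new(k, body, hashlib.sha256).digest())
    verdicts = {
        "alice_day": eng.process(req("alice", 10)),
        "alice_night": eng.process(req("alice", 23)),
        "bob_low_credit": eng.process(req("bob", 10)),
        "forged_tag": eng.process(req("alice", 10, k=b"wrong key")),
        "carol_over_limit": eng.process(req("carol", 10)),
        "unknown_code": eng.process(req("alice", 10, code="P9")),
    }
    return eng, verdicts
```

demo() returns the engine and the verdicts for six constructed requests; the engine's accounting_db holds the single accounting record and adb the six log entries, which is the double recording the page relies on for resolving charge disputes. The refusal reasons stay in the log only, while the caller sees the page's two-valued result.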
Through the above inbound and outbound security processing, the BWIP network security architecture can satisfy the various security service requirements of present-day BWIP networks.

Claims (6)

1. A broadband wireless IP (BWIP) network security architecture, characterized in that it realizes a general security mechanism for broadband wireless IP networks at the network layer and comprises a BWIP security system, a BWIP security execution system, a BWIP security management system and an external security support system; wherein the BWIP security system performs encryption and decryption, security computation, authentication, authorization, accounting and secure data management in the network, and is composed of a crypto engine (CE), a security environment database (SEDB), a security environment manager (SEM), an authentication, authorization and accounting engine (AAAE), a policy database (PDB), a policy manager (PM), a log database (ADB), a log manager (AM), a credit database (CDB) and a credit manager (CM); the BWIP security execution system is the security processing interface between the security architecture and the internal and external networks, and is composed of a policy enforcement engine (PEE), an authentication, verification and integrity checking engine (AVIE) and a resource control framework (RCF); the BWIP security management system is the man-machine interface for internal security management, and is composed of configuration management, security management, fault-tolerance management, accounting management and performance management components; the external security support system is part of a public key infrastructure (PKI), and is composed of a certificate authority (CA), an authorization authority (AA) and a public credit database (CP); the call relationships between the systems are: the BWIP security management system sets the policy, the preset shared symmetric key, the charging rate and preferential period and the user credit information for the BWIP security system, and monitors the resources of the BWIP security execution system; the BWIP security execution system calls the components of the BWIP security system to examine and filter all incoming and outgoing BWIP packets and connection requests and to decide whether to allow or forbid them;
the BWIP security system accesses the external security support system to obtain the mobile user's public-key certificate and credit information, and cooperates with the external security support system to provide the decision basis for the BWIP security execution system; the above systems work together to provide the broadband wireless IP network with the confidentiality service, the integrity service, the authentication, authorization and accounting (AAA) service and the non-repudiation service.
2. A security implementation method for a broadband wireless IP network, in which the BWIP network security architecture uses cryptographic algorithms to realize the network confidentiality service, the integrity service and the authentication, authorization and accounting (hereinafter AAA) service by processing outgoing and incoming data; the confidentiality service encrypts outgoing data and decrypts incoming data; the integrity service encapsulates outgoing data at AVIE and performs the integrity check on incoming data at AVIE; both services are realized by the authentication, verification and integrity checking engine (AVIE), the policy enforcement engine (PEE), the crypto engine (CE), the policy database (PDB), the log database (ADB) and the security management component; the AAA service performs bidirectional authentication, authorization and accounting on outgoing and incoming packets, and is realized by the authentication, verification and integrity checking engine (AVIE), the policy enforcement engine (PEE), the authentication, authorization and accounting engine (AAAE), the crypto engine (CE), the security environment database (SEDB), the credit database (CDB), the log database (ADB), the policy database (PDB), the external security support system, the resource control framework (RCF) and the security management, accounting management and performance management components; wherein the security management component sets the pre-shared key and the security policy for the system and stores them in the security environment database (SEDB) and the policy database (PDB) respectively; the performance management component performs system monitoring, sets the resource opening time and sets the number of users allowed to access the network; and the accounting management component provides the system administrator with the setting of charging rates and grace periods and provides bill inquiry to users.
3. The broadband wireless IP network security implementation method according to claim 2, characterized in that the BWIP network security architecture processes packets leaving the BWIP network according to the following steps:
1) a data message delivered from the transport layer of the system node or from the intranet for transmission to the external network is first filtered by the policy enforcement engine (PEE); (PEE) requests the policy manager (PM) to query the policy database (PDB) for the security processing policy according to the IP address and interface of the packet;
2) the security policy is applied: if the security policy specifies drop, (PEE) discards the packet and passes the event to the log manager (AM), which records it in the log database (ADB); if the security policy specifies bypass, (PEE) hands the packet to the IP layer for IP encapsulation and the IP layer performs IP forwarding; if the security policy specifies encapsulation processing, (PEE) hands the packet to the authentication, verification and integrity checking engine (AVIE) for secure encapsulation;
3) the authentication, verification and integrity checking engine (AVIE) requests the security environment manager (SEM) to query the security environment database (SEDB) for the security association (SA) of this communicating entity; if an (SA) exists, processing proceeds directly to the next step; if no (SA) exists or the (SA) has expired, (SEM) starts the key agreement protocol (IKE) to negotiate the corresponding SA, encryption and decryption keys, hash key, encryption algorithm and authentication algorithm; if negotiation fails, (AVIE) is notified to discard the packet and the negotiation information is recorded in the log database (ADB); if negotiation succeeds, the negotiated data are saved to (SEDB) and the result is returned to (AVIE);
4) the authentication, verification and integrity checking engine (AVIE) requests the authentication, authorization and accounting engine (AAAE) to perform the AAA operation, and (AAAE) returns the result to (AVIE);
5) the authentication, verification and integrity checking engine (AVIE) passes the result returned by the authentication, authorization and accounting engine (AAAE) to the log manager (AM), which records it in the log database (ADB);
6) (AVIE) processes the result returned by the authentication, authorization and accounting engine (AAAE); if the AAA operation fails, (AVIE) discards the packet and records the event in the log database (ADB);
7) if the AAA operation succeeds, the authentication, verification and integrity checking engine (AVIE) requests the security environment manager (SEM) to call the crypto engine (CE) to perform the secure encapsulation operation;
8) the crypto engine (CE) completes the secure encapsulation of the data and returns the result to the authentication, verification and integrity checking engine (AVIE), which hands the encapsulated packet directly to the IP layer; the IP layer adds a new IP header and places the packet in the IP forwarding queue, or sends it directly onto the Internet.
4. The broadband wireless IP network security implementation method according to claims 2 and 3, characterized in that the BWIP security architecture performs the secure encapsulation of outgoing packets that are allowed to leave according to the following steps:
1) the authentication, verification and integrity checking engine (AVIE) delivers the data that need encapsulation to the security environment manager (SEM), and (SEM) calls the crypto engine (CE) to securely encapsulate the data;
2) the crypto engine (CE) preprocesses the data by adding an initialization vector IV and padding so that the data form an integral multiple of the fixed block length; the preprocessed message is denoted M (Message);
3) the crypto engine (CE) takes from the security environment database (SEDB) the security processing parameters that correspond to this security association (SA), comprising the encryption key (K1), the hash key (K2), the signature key (K3), the sequence number (SN) and the Security Parameter Index (SPI);
4) the crypto engine (CE) encrypts the message M, the encrypted encapsulation payload being denoted f(M, K1), and inserts the sequence number (SN) and the Security Parameter Index (SPI) into the header format of the tunneling protocol to form the encapsulation header, realizing the confidentiality service for outgoing data;
5) the crypto engine (CE) hashes the encapsulated data with the hash key (K2) and the hash algorithm specified in the (SA), the result being denoted MAC = h(encapsulation header, encapsulation payload, K2), realizing the integrity service for outgoing data;
6) where the protocol requires the message to be digitally signed, the crypto engine (CE) signs the generated message authentication code (MAC) value with the signature key (K3), denoted S(MAC, K3) and still referred to as MAC;
7) after the crypto engine (CE) has completed the above secure encapsulation, it concatenates the generated encapsulation header, encapsulation payload and MAC and returns them to (AVIE); (AVIE) hands the result to the IP layer for the corresponding IP encapsulation, that is, a new IP header is added to form the IP packet, which is placed in the IP forwarding queue to await forwarding.
5. The broadband wireless IP network security implementation method according to claim 2, characterized in that the BWIP security architecture processes incoming data at the receiver according to the following steps:
1) the authentication, verification and integrity checking engine (AVIE) receives an IP packet from the Internet, reads the Security Parameter Index (SPI) from the encapsulation header of the IP packet, requests the security environment manager (SEM) to query the security environment database (SEDB), and judges the validity of the (SPI); if the (SPI) does not exist or has passed its validity period, (AVIE) discards the packet directly and records the event in the log database (ADB); if the (SPI) is valid, (AVIE) requests (SEM) to call the crypto engine (CE) to perform the integrity check;
2) the crypto engine (CE) performs the integrity check; if the integrity check fails, (AVIE) discards the packet automatically and records the check information in the log database (ADB);
3) if the integrity check succeeds, (AVIE) requests the authentication, authorization and accounting engine (AAAE) to perform the authentication, authorization and accounting (AAA) operation;
4) the authentication, verification and integrity checking engine (AVIE) receives the operation result of the authentication, authorization and accounting engine (AAAE) and records the result in the log database (ADB);
5) the authentication, verification and integrity checking engine (AVIE) processes the result returned by the authentication, authorization and accounting engine (AAAE); if the authentication, authorization and accounting operation fails, (AVIE) discards the packet and records the event in the log database (ADB); if the operation succeeds, the system allows the packet to access the network;
6) (AVIE) requests the security environment manager (SEM) to call the crypto engine (CE), which decrypts the encapsulation payload according to the security association (SA) parameters in (SEDB);
7) the authentication, verification and integrity checking engine (AVIE) passes the decrypted plaintext message to the policy enforcement engine (PEE) and requests a query of the policy database (PDB);
8) the policy enforcement engine (PEE) checks the queried security processing policy and access mode; if the packet conforms to the local policy, it is forwarded to the internal intranet or to the upper layers of the host protocol stack; otherwise the plaintext message is discarded and the event is recorded in the log database (ADB).
6. The broadband wireless IP network security implementation method according to claims 2, 3 and 5, characterized in that the authentication, authorization and accounting (AAA) processing in the BWIP security architecture is implemented by the following flow:
1) the authentication, verification and integrity checking engine (AVIE) requests the authentication, authorization and accounting engine (AAAE) to perform the AAA operation;
2) after the authentication, authorization and accounting engine (AAAE) receives the request, its authentication component uses the crypto engine (CE) to authenticate the source of the packet and the user identity on the basis of the Security Parameter Index (SPI) contained in the request packet;
1. with shared-key authentication, (CE) takes the pre-negotiated key and algorithm from the security environment database (SEDB) according to the security association (SA) and performs the corresponding cryptographic operation to establish the authenticity of the user identity and of the data source;
2. with public-key authentication, the crypto engine (CE) first queries the security environment database (SEDB); if no relevant public-key information is present, it accesses the external security support system through the security environment manager (SEM) and obtains the mobile user's public-key certificate, credit information and authorization information from the certificate authority (CA), the public credit database (CP) and the authorization authority (AA); when (SEM) saves this data to the security environment database (SEDB), it also asks the credit manager (CM) to save the mobile user's credit information in the credit database (CDB); after (CE) has obtained the user's public-key information, it performs the cryptographic computation on the signature information with the user's public key and returns the result to the authentication component of the authentication, authorization and accounting engine (AAAE), which verifies the digital signature by comparison to authenticate the user or the data source;
3) if authentication fails, the authentication component terminates the AAA operation and returns the authentication failure to the authentication, verification and integrity checking engine (AVIE) through (AAAE);
4) if authentication succeeds, the authorization component performs the authorization operation;
5) the AAA authorization process decides on the basis of the following data:
the authorization component makes the authorization decision on the basis of the name of the mobile requesting object, such as its ID (identity) number, and the information provided by (AVIE); this information is used, in the form of an "index code", to extract the corresponding policy and credit from the policy database (PDB) and from the credit database (CDB) or the public credit database (CP). The authorization component also requests the BWIP security execution system to provide environment variables, including the system clock and the resource-monitoring component of the resource control framework (RCF);
6) the authorization component collects all required information and performs the authorization operation according to its internal rules; if authorization fails, the authorization component returns the "authorization refused" message to (AVIE) through (AAAE), records it in the log database (ADB) and discards the packet;
7) if authorization succeeds and an accounting operation is required, the AAA accounting component performs the accounting operation;
8) the accounting component generates, on the basis of the requester's identity ID, a record carrying the user ID, the access time, the destination of the access and the amount of data accessed, and stores it in the accounting database of the authentication, authorization and accounting engine (AAAE), completing the accounting service of the AAA service;
9) after the accounting component has finished accounting, the processing result of the authentication, authorization and accounting engine (AAAE) is returned to the authentication, verification and integrity checking engine (AVIE), and (AVIE) also records the information in the log database (ADB); this double logging helps resolve disputes over charges.
Application CNB2004100262119A (priority date 2004-06-04, filing date 2004-06-04): Wide-band wireless IP network safety system structure and realizing method; granted as CN100358326C; legal status: Expired - Fee Related.


Publications (2)

CN1585405A (application publication), published 2005-02-23
CN100358326C (granted patent), published 2007-12-26



Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of the request for substantive examination)
C14 / GR01: Grant of patent or utility model
C17 / CF01: Cessation of patent right (termination due to non-payment of the annual fee)

Granted publication date: 2007-12-26
Termination date: 2011-06-04