CN1791114A - Gridding safety communication system and gridding safety communication method - Google Patents

Publication number: CN1791114A (granted; other version: CN100440892C)
Authority: CN (China)
Application number: CNA2005101325444A
Original language: Chinese (zh)
Inventors: 怀进鹏, 胡春明, 李沁, 薛伟, 李建欣
Assignee: Beihang University (Beijing University of Aeronautics and Astronautics)
Classifications: Computer And Data Communications; Storage Device Security
Prior art keywords: message, strategy, unit, engine module, policy
Abstract

The invention relates to a grid security communication system comprising: a policy library module; a policy engine module connected to the policy library module; a message input interface unit connected to the policy engine module; a processing engine module connected to both of the foregoing; and a message output interface unit connected to the policy engine module and the processing engine module. It also relates to a corresponding method: acquire the message, match its attribute parameters against the security policies and output the matching policy; for a message being sent, apply the security policy to process the message, then output and send it; for a message being received, verify the security policy. The invention can flexibly describe complex and changeable security requirements without modifying the service code or knowing the service's implementation principles.

Description

Grid security communication system and grid security communication method
Technical field
The present invention relates to a grid security communication system and a grid security communication method, in particular one that provides security protection for grid services and can safeguard the security of communication between grid services and clients.
Background art
As grid computing research deepens, more and more people regard grid computing as the next stage of distributed computing. Current grid computing technology is built on existing Internet standards and lets computing and information resources be shared effectively across departmental and organizational boundaries within an enterprise. Grid computing technology has been adopted by many organizations worldwide in different fields, for example for cooperation in scientific research, drug research, financial risk analysis and product design. Previously, much research work could not be carried out because of limits on computation and data integration; applying grid technology lets research institutions carry out that work, or save cost by raising the utilization of information resources, increase the flexibility of the enterprise, achieve more efficient business processes and gain the ability to adapt to rapid change.
In the evolution of grid computing, Web Services were introduced into the grid computing field to form the service grid environment, which has become the new direction of grid computing development. Under the service grid architecture, resources such as computation, storage, network and equipment are abstracted in the form of services, which effectively hides the heterogeneity of those resources in the grid and provides effective support for resource sharing and collaboration.
The existing service grid system Globus Toolkit is a set of software systems covering the grid's information infrastructure, resource management, data management, communication, error detection and security mechanisms. Its Grid Security Infrastructure (GSI) provides basic security protection for all kinds of services in the service grid environment, including identity authentication, communication encryption, digital signatures and single sign-on for task submission, and can provide uniform protection of message communication for grid services. In Globus Toolkit, the secure communication requirements of grid services and clients are described by a security descriptor file, and GSI provides the basic security functions to the user according to that file; the user only needs to attend to how to implement the business function of the service, and need not spend much effort on how to implement its security features.
GSI's ability to describe security requirements through the security descriptor file is limited: the flexibility and extensibility of the description are poor, and only coarse-grained security requirements can be described. The limits of the descriptor file's expressive power show in the following aspects:
1) The user cannot select an encryption algorithm or signature algorithm other than the system default. In Globus Toolkit the default encryption algorithm is 3DES and the signature algorithm is MD5-RSA; the user cannot specify another algorithm as the encryption or signature algorithm;
2) The user cannot operate on the parts of a message that are encrypted or signed. GSI's default behaviour is to encrypt or sign the message body of a Simple Object Access Protocol (SOAP) message as a whole; the message parts cannot be operated on further;
3) The granularity of the security descriptor file supports only the service level and the method level: different security requirements can be specified for different services, or for different methods of the same service. But the descriptor file cannot support a finer-grained level, such as selecting different security requirements for different parameter values of the same method;
4) GSI does not let the user specify security requirements according to context parameter values in the running environment. For example, a user may wish to specify that requests coming from a certain class of IP addresses require message encryption and signing while requests from other IP addresses do not; GSI cannot realize this requirement;
5) The user cannot specify an authentication strategy, that is, the user cannot specify different trusted certificates for different services, and can only continue to use the authentication strategy of the grid service container.
These limits of the security descriptor file mean that administrators of grid services cannot formulate flexible, specific security configurations for a service according to its particular environment. Once a security requirement exceeds the expressive capacity of the configuration file, extra code must be designed and developed to realize the function. This increases the burden on grid service developers to a certain extent: besides implementing the service function, they also have to implement the particular security requirements of each secured service.
In addition, because the grid environment is distributed, dynamic and heterogeneous, the same grid service deployed in different application environments may have very different security requirements. Leaving all these complex and changeable requirements to the developer of the grid service is also inappropriate.
Summary of the invention
The first object of the present invention is to address the many defects of existing secure communication systems by proposing a grid security communication system that possesses a degree of independence, extensibility and flexibility, so that complex and changeable service security requirements can be described flexibly.
The second object of the present invention is to address the many defects of existing secure communication methods by proposing a grid security communication method that allows fine-grained setting of the security processing strategy and can provide suitable secure communication protection for various grid services.
To achieve the first object, the invention provides a grid security communication system comprising:
a policy library module, for storing security policies in file form;
a policy engine module, connected to the policy library module, for obtaining security policies from the policy library module, parsing them, and then comparing them with the attribute values in the current message and the environment context to find the matching security policy;
a message input interface unit, connected to the policy engine module, for intercepting the messages sent or received between client and server;
a processing engine module, connected to the policy engine module and the message input interface unit, for performing security processing on the messages intercepted by the message input interface unit;
a message output interface unit, connected to the policy engine module and the processing engine module, for outputting the messages after security processing.
To achieve the second object, the invention provides a grid security communication method comprising the following steps:
Step 1: the message input interface unit intercepts a message between client and server;
Step 2: the policy engine module matches the attribute parameters extracted from the message or the environment context against the security policies extracted from the policy library module and parsed, each of which consists of a policy expression formed by combining policy assertions and a policy body formed from matching conditions, and outputs the matching security policy;
Step 3: judge whether the message is in the sending stage; if so, go to step 4; if it is in the receiving stage, go to step 6;
Step 4: the policy engine module applies the security policy to the parameters of the security processors in the processing engine module;
Step 5: the security processors perform security processing on the message, the message output interface unit outputs and sends the processed message, and the operation ends;
Step 6: the policy engine module collects processing information from the security processors in the processing engine module;
Step 7: the policy engine module judges whether the processing information matches the security policy; if so, the security processors perform security processing on the message, the message output interface unit outputs and receives the processed message, and the operation ends; otherwise the policy engine module reports a security violation error and the operation ends.
Based on the above technical scheme, the present invention has the following advantages:
1. By configuring predefined policy files, the invention can flexibly describe the complex and changeable security requirements of grid services.
2. The security mechanism provided by the invention is independent of the implementation mechanism of a particular service: complex security requirements can be specified for a grid service without modifying its code, or even understanding its implementation principles.
3. Through a policy language with rich descriptive power, the invention comprehensively describes the multiple policies involved in communication security and can specify fine-grained security requirements.
The technical scheme of the invention is described in further detail below with reference to the drawings and embodiments.
Description of drawings
Fig. 1 is a schematic diagram of the basic structure of the grid security communication system of the present invention.
Fig. 2 is a schematic diagram of the structure of a specific embodiment of the grid security communication system of the present invention.
Fig. 3 is a schematic flow chart of the basic principle of the grid security communication method of the present invention.
Fig. 4 is a schematic flow chart of policy body expression matching in the grid security communication method of the present invention.
Fig. 5 is a schematic flow chart of applying a security policy in the grid security communication method of the present invention.
Fig. 6 is a schematic flow chart of verifying a security policy in the grid security communication method of the present invention.
Embodiments
The invention allows the system administrator to make fine-grained settings of the concrete policy expressions, matching conditions, matching modes and so on in the policy files of the grid security communication system, and to define custom plug-ins and processors, thereby describing the complex and changeable security requirements of grid services with good flexibility and extensibility.
As shown in Fig. 1, the basic structure of the grid security communication system of the invention comprises the following components: policy library module 1, policy engine module 2, message input interface unit 3, processing engine module 4 and message output interface unit 5. Policy library module 1 holds many security policies in file form and serves as the database of security policies. Policy engine module 2 is the core module and is connected to all the other modules; its role is to obtain security policies from policy library module 1, parse them, compare them with the attribute values in the current message and environment context to find the matching security policies, and apply those policies to processing engine module 4. Message input interface unit 3 is connected to policy engine module 2 and processing engine module 4; its role is to intercept the messages sent or received between client and server and hand them to processing engine module 4 for processing. Processing engine module 4 is connected to message input interface unit 3, policy engine module 2 and message output interface unit 5; it performs security processing on the messages intercepted by message input interface unit 3. If the intercepted message is being sent, the processors selected by the applied policy perform security processing on it, normally encryption, digital signature or similar; if the intercepted message is being received, processing engine module 4 passes the operation information to the policy engine module for verification. If that information is consistent with the matched security policy, the corresponding security processing is carried out, for example decryption or verification of the digital signature; if the information is inconsistent with the matched security policy, a security violation error is raised during security processing and the operation stops. Message output interface unit 5 is connected to policy engine module 2 and processing engine module 4; its role is to output the message after security processing: in the sending process it sends the message, in the receiving process it receives it.
As shown in Fig. 2, a specific embodiment of the grid security communication system of the invention refines policy engine module 2 and processing engine module 4. Policy engine module 2 comprises policy parsing unit 21, policy management unit 22, policy matching unit 23 and attribute acquisition unit 24. Policy parsing unit 21 is connected to policy library module 1 and reads the security policies in policy library module 1; because those policies are all stored in file form, policy parsing unit 21 parses the files into data structures in memory. Policy management unit 22 is connected to policy parsing unit 21 and provides the external access interface to the in-memory security policy data structures. Policy matching unit 23 is connected to policy management unit 22 and processing engine module 4; it matches the security policies in policy management unit 22 against the attribute values that attribute acquisition unit 24 collects from the currently intercepted message or the context, and then supplies the specific policies that match the current message or context to processing engine module 4. During policy matching, the attribute value chosen by the attribute acquisition unit is compared with the expected matching value in the matching condition; if the comparison succeeds, the matching condition is satisfied. Attribute acquisition unit 24 is connected to policy matching unit 23, message input interface unit 3 and message output interface unit 5, and obtains from the current message or context the attribute values required for policy matching. Processing engine module 4 is made up of several processors: these can be encryption unit 41 and digital signature unit 42, used in the message sending process, and decryption unit 43 and signature verification unit 44, used in the message receiving process. These processors have special parameters that control the processing of the message; the selection and order of the processors are not fixed and can be set according to the requirements of the grid service administrator or user, and new security processors can be defined besides these. Together the processors form a security processing chain.
In this security processing chain, each processor has its own parameters, set according to the security policy. For example, in the message sending stage the username/password signature processor reads whether the username/password signature is needed, the signed part, the username and the password; the certificate encryption processor reads whether encryption is needed, the encryption algorithm, the specific message parts to encrypt and the certificate used for encryption; the certificate signature processor reads whether a signature is needed, the signature algorithm, the specific message parts to sign and the certificate used for signing. In the message receiving stage the username/password signature verification processor checks the parameters that were set: whether a username/password signature was used, the peer's username and which parts were signed; the certificate decryption processor checks whether certificate encryption was used, the encryption algorithm used and the message parts that were encrypted; the certificate signature verification processor checks whether a signature was used, the signature algorithm used and which specific message parts were signed.
In this embodiment the attribute acquisition unit can be subdivided into message-content selector units, context selector units and/or plug-in selector units. A message-content selector unit is connected to policy matching unit 23 and message input interface unit 3 and extracts a specific part of the intercepted message as the attribute value. Because messages in the grid environment are all SOAP messages in XML form, there are two ways to select content from the XML data as the attribute value, corresponding to two kinds of selector unit: the XPath selector unit and the QName selector unit.
The QName selector unit takes two parameters: the namespace of an XML element and its tag name. The selector looks up the target element in the message by namespace and tag name and sets the content of that element as the attribute value to be compared. For example, a QName selector given a namespace and the tag name "add" selects the content of the add element in the message as the attribute value. The XPath selector unit takes one parameter: an XPath expression, which selects a node in the XML document; once the node is found, its content becomes the attribute value. For example, an XPath selector with the expression *[local-name(.)="add"] selects the content of the add element in the message as the attribute value.
A context selector unit uses the context to choose a certain piece of information as the attribute value. In this embodiment the context is a data structure holding information related to message processing, including much useful information that does not appear in the message content itself; it is a mapping from keywords to values. For example, the context contains the name of the target service being accessed, the name of the target method and information such as the peer's network address. Context selector units can be the target service selector unit, the method selector unit and the custom parameter selector unit. The target service selector unit obtains the name of the target service being accessed, the method selector unit obtains the name of the target method being accessed, and the custom parameter selector unit takes a keyword parameter and looks up the corresponding attribute value in the context mapping table by that keyword. The user can also define plug-in selector units for plug-in information; these self-designed selector units can obtain any desired information from the running environment as the attribute value.
When request and response messages pass between client and server, whether it is the request sent or the response received by the client, or the request received or the response sent by the server, the grid security communication system of the invention can intercept the message as it passes through. There are usually several grid security communication systems between client and server, which can carry out the corresponding security processing operations, for example encryption and decryption, digital signature and signature verification.
Referring to Fig. 3, the basic principle flow of the grid security communication method of the invention comprises the following steps:
Step 101: the message input interface unit intercepts a message between client and server;
Step 102: the policy engine module matches the attribute parameters extracted from the message or the environment context against the security policies extracted from the policy library module and parsed, and outputs the matching security policy;
Step 103: judge whether the message is in the sending stage; if so, go to step 104; if it is in the receiving stage, go to step 106;
Step 104: the policy engine module applies the security policy to the parameters of the security processors in the processing engine module;
Step 105: the security processors perform security processing on the message, the message output interface unit outputs and sends the processed message, and the operation ends;
Step 106: the policy engine module collects processing information from the security processors in the processing engine module;
Step 107: the policy engine module judges whether the processing information matches the security policy; if so, the security processors perform security processing on the message, the message output interface unit outputs and receives the processed message, and the operation ends; otherwise the policy engine module reports a security violation error and the operation ends.
In the above scheme, the security policy in step 102 consists of two parts: the policy expression and the policy body. The policy body is a combination of a series of matching conditions; the two combining forms are disjunction and conjunction. The policy body represents the object to which the policy applies, that is, it expresses under which conditions the policy needs to be applied.
A matching condition in the policy body comprises three parts: the attribute selector, the matching mode and the matching value. Suppose a matching condition is: target service selector, equality matching, matching value A; the condition it represents is "if the target service equals A". Matching conditions combined by disjunction and conjunction are called a complex matching expression; if the matching expression, that is, the policy body, is true, the policy is matched.
The policy expression is a combination of policy assertions. Each policy assertion represents the setting of one security processing parameter: a single assertion can control the behaviour of an individual security processor, and a group of assertions can control the behaviour of a group of security processors. For example, encryption algorithm (DES3) or encryption part (whole message body) are each policy assertions. Assertions are also combined in two forms, disjunction and conjunction. For example, (encryption algorithm (DES3) or encryption algorithm (AES)) and signature algorithm (SHA1-RSA) and encryption part (value of parameter A) is a combination of policy assertions, that is, a policy expression.
In such a policy-based security processing system, the richness of the attribute selectors, matching modes and policy assertions has a fundamental influence on the expressive power of policies. Therefore both the attribute selectors and the policy assertions adopt an extensible design.
The matching in steps 102 and 107 refers to the way the attribute value is compared with the matching value. The invention can use three matching modes to match attribute values against matching values: equality matching, regular expression matching and custom matching. Under equality matching, the attribute value and the matching value are tested for equality; if they are equal the matching condition is true, otherwise it is false.
Under regular expression matching, the matching value is parsed as a regular expression and the attribute value is tested against it; if the attribute value satisfies the regular expression, the matching condition is true, otherwise it is false. For example, regular expression matching with the matching value ".*Test" matches any attribute value ending in "Test", so an attribute value of "ATest" or "BBTest" makes the matching condition true. Likewise the user can define a custom matching mode that compares the attribute value and the matching value with any logic and returns a match-success or match-failure message.
In steps 105 and 107, in the message sending stage the security processing carried out is encryption, digital signing and so on, whose order can be set by the user or administrator; in the message receiving stage the security processing carried out is decryption, digital signature verification and so on, corresponding to the processing in the sending stage.
As shown in Fig. 4, the flow of policy body expression matching in the grid security communication method of the invention: when the policy body is true, the policy is matched. The matching process is as follows:
Step 201: judge whether the policy body is a conjunction expression; a conjunction expression is an "and" form, which is true when all of its sub-items match. If the policy body is a conjunction expression, go to step 202; otherwise go to step 205;
Step 202: take one sub-item out of the policy body;
Step 203: match the sub-item taken out; if it matches, go to step 204; otherwise the match fails and the operation ends;
Step 204: judge whether the policy body still has unprocessed sub-items; if so, return to step 202 and take out a new sub-item; if not, the match succeeds and the operation ends;
Step 205: judge whether the policy body is a disjunction expression; a disjunction expression is an "or" form, which is true when any one of its sub-items matches. If the policy body is a disjunction expression, go to step 206; if it is neither, the policy body is a single structure (a single matching condition), so go to step 209;
Step 206: take one sub-item out of the policy body;
Step 207: match the sub-item taken out; if it matches, the match succeeds and the operation ends; otherwise go to step 208;
Step 208: judge whether the policy body still has unprocessed sub-items; if so, return to step 206 and take out a new sub-item; if not, the match fails and the operation ends;
Step 209: process the structure;
Step 210: judge whether the processed structure matches; if so, the match succeeds and the operation ends; otherwise the match fails and the operation ends.
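The policy body matching of Fig. 4, together with the QName and context selectors and the equality, regular-expression and custom matching modes described above, as an added Python example (not code from the patent or from Globus Toolkit). It encodes the two client sending policies the patent uses in its later example (service A with p1 < 5 versus p1 >= 5) plus a constructed peer-address policy; the SOAP sample, its namespace URI, the context values and all class and function names are assumptions.

```python
import operator
import re
import xml.etree.ElementTree as ET
from collections import namedtuple
from dataclasses import dataclass

# Constructed sample SOAP request (not from the patent): method "add" of service A
# called with p1 = 3. The calc namespace URI is a constructed placeholder.
CALC_NS = "urn:example:calc"
SAMPLE_SOAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:calc="urn:example:calc"><soap:Body>
 <calc:add><calc:p1>3</calc:p1><calc:p2>4</calc:p2></calc:add></soap:Body></soap:Envelope>"""
SAMPLE_CONTEXT = {"service": "A", "method": "add", "peer_addr": "10.0.0.7"}  # constructed
Message = namedtuple("Message", "root context")  # parsed SOAP tree + keyword-to-value context

# ---- attribute selectors: message-content selector and context selector ----
class QNameSelector:
    """Text of the first element with the given namespace and tag name."""
    def __init__(self, namespace, tag):
        self.qname = "{%s}%s" % (namespace, tag)
    def select(self, msg):
        el = next(msg.root.iter(self.qname), None)
        return None if el is None else (el.text or "").strip()

class ContextSelector:
    """Value stored under a keyword (target service, method or custom key) in the context."""
    def __init__(self, key):
        self.key = key
    def select(self, msg):
        return msg.context.get(self.key)

# ---- matching modes: equality, regular expression, user-defined ----
def equal_match(attr, expected):
    return attr is not None and str(attr) == str(expected)

def regex_match(attr, expected):
    # Whole-value match, so ".*Test" accepts "ATest" and "BBTest" but not "TestA".
    return attr is not None and re.fullmatch(expected, str(attr)) is not None

def numeric(op):
    """Custom matching modes: compare attribute value and matching value as numbers."""
    def match(attr, expected):
        try:
            return op(float(attr), float(expected))
        except (TypeError, ValueError):  # missing or non-numeric attribute never matches
            return False
    return match

# ---- policy body: matching conditions joined by conjunction / disjunction ----
@dataclass
class Condition:
    selector: object   # attribute selector
    matcher: object    # matching mode
    expected: object   # matching value
    def evaluate(self, msg):
        return self.matcher(self.selector.select(msg), self.expected)

@dataclass
class Conjunction:
    """'and' form (Fig. 4 steps 201-204): fails at the first sub-item that fails."""
    items: list
    def evaluate(self, msg):
        return all(i.evaluate(msg) for i in self.items)

@dataclass
class Disjunction:
    """'or' form (Fig. 4 steps 205-208): succeeds at the first sub-item that matches."""
    items: list
    def evaluate(self, msg):
        return any(i.evaluate(msg) for i in self.items)

@dataclass
class Policy:
    name: str
    body: object      # policy body: the matching-condition tree
    expression: dict  # policy assertions, applied by the processing engine

def match_policies(policies, msg):
    """Policy matching unit: names of the policies whose body is true for msg."""
    return [p.name for p in policies if p.body.evaluate(msg)]

# The patent's two client sending policies plus a constructed peer-address policy.
POLICIES = [
    Policy("username-signature",
           Conjunction([Condition(ContextSelector("service"), equal_match, "A"),
                        Condition(QNameSelector(CALC_NS, "p1"), numeric(operator.lt), 5)]),
           {"use_username_signature": "true", "signed_part": "whole message body"}),
    Policy("certificate-signature",
           Conjunction([Condition(ContextSelector("service"), equal_match, "A"),
                        Condition(QNameSelector(CALC_NS, "p1"), numeric(operator.ge), 5)]),
           {"use_certificate_signature": "true", "signed_part": "parameter p1"}),
    Policy("lan-peer",
           Disjunction([Condition(ContextSelector("peer_addr"), regex_match, r"10\.0\..*"),
                        Condition(ContextSelector("peer_addr"), regex_match, r"192\.168\..*")]),
           {"use_certificate_encryption": "false"}),
]

def matched_for(xml_text=SAMPLE_SOAP, context=SAMPLE_CONTEXT):
    # Intercept one message and return the names of the policies whose body matches.
    return match_policies(POLICIES, Message(ET.fromstring(xml_text), dict(context)))
```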
As shown in Fig. 5, the flow of applying a security policy in the grid security communication method of the invention: the matching security policy obtained by the policy engine module is applied throughout the system, configuring the parameters of each module and unit so as to satisfy the complex and changeable security requirements of the grid service. The specific flow is as follows:
Step 301: take the policy expression out of the policy matching unit;
Step 302: convert the policy expression taken out into disjunctive normal form;
Step 303: take the first disjunct out of the disjunctive normal form;
Step 304: take a policy assertion out of this first disjunct;
Step 305: apply this policy assertion to the various parameters in the running environment;
Step 306: judge whether policy assertions remain in the first disjunct; if so, go to step 304 and take out a new policy assertion; otherwise end the operation.
As shown in Figure 6, a schematic flow chart of verifying a security policy in the grid security communication method of the present invention: in the message receiving phase, after the system finds a matching policy, it needs to obtain information from the operation of the security processing sub-unit and determine whether that information matches the policy expression. The specific flow is as follows:
Step 401: take the policy expression from the policy matching unit;
Step 402: construct policy assertions from the processing information collected from the security processing sub-unit;
Step 403: check whether the set of constructed policy assertions is consistent with the policy expression. If consistent, verification succeeds and normal operation continues; if inconsistent, a security violation error is raised in the security processing flow and the system waits for the administrator to inspect and debug.
The processes of policy matching, policy application and policy verification are illustrated below with a concrete example. Suppose the client has the following two sending policies:
1) if (the accessed service is A, and parameter p1 is less than 5), then apply policy (use username signature=true, and username=alice, and password=123456, and signature part=whole message body);
2) if (the accessed service is A, and parameter p1 is greater than or equal to 5), then apply policy (use certificate signature=true, and signer certificate=a.cer, and signature algorithm=RSA-SHA1, and signature part=parameter p1);
Here the content in the brackets after "if" is the policy body, and the content in the brackets after "apply policy" is the policy expression.
The server has the following verification policy:
if (the accessed service is A) then verification policy ((use username signature=true or use certificate signature=true) and (signature part=message body))
In this case, if the parameter is less than 5 when the client accesses the service, the client matches the first sending policy in the sending phase. The effect is that the following 4 parameters are applied during security processing (use username signature=true, username=alice, password=123456, signature part=whole message body); that is, when the message passes through the username/password processor, the whole message body is signed with the username alice and the password 123456. In the receiving phase, the security processor that handles such a message sets 3 parameters (use username signature=true, username=alice, signature part=whole message body). These are then verified against policy 1 of the server, which requires ((use username signature=true or use certificate signature=true) and (signature part=message body)); for this case verification obviously succeeds;
If the parameter is greater than or equal to 5 when the client accesses the service, the client matches sending policy 2. Applying it means that the following parameters are applied during security processing (use certificate signature=true, signer certificate=a.cer, signature algorithm=RSA-SHA, signature part=parameter p1). When such a message is received and security-processed by the server, the receiver-side processor sets the following 3 parameters (use certificate signature=true, signature algorithm=RSA-SHA, signature part=parameter p1). The server's verification policy requires ((use username signature=true or use certificate signature=true) and (signature part=message body)), which is not satisfied in this case. If the server's policy is changed to ((use username signature=true or use certificate signature=true) and (signature part=message body or signature part=parameter p1)), or to ((use username signature=true and signature part=message body) or (use certificate signature=true and signature part=parameter p1)), then both cases are satisfied.
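The matching flow of Figure 4, the application flow of Figure 5, the verification flow of Figure 6 and the worked example above, combined into one runnable model. This is added example code, not the patent's implementation: the tuple encoding of policy bodies and expressions, the attribute names (service, p1, use_username_signature and so on), the regular-expression operator "~" standing in for the claim 10 matching mode, and the modelling choice that the receiver's processor cannot observe the password or the signer certificate (which is why the text's receiver lists have only 3 parameters) are all assumptions made here.

```python
import re
from itertools import product

# Policy body:       ("and", [sub...]) | ("or", [sub...]) | ("cond", name, op, value)
# Policy expression: ("and", [sub...]) | ("or", [sub...]) | ("assert", key, value)

def match_body(body, attrs):
    """Figure 4 flow: evaluate a policy body against the extracted attribute values."""
    kind = body[0]
    if kind == "and":      # steps 201-204: every sub-item must match
        return all(match_body(sub, attrs) for sub in body[1])
    if kind == "or":       # steps 205-208: the first matching sub-item suffices
        return any(match_body(sub, attrs) for sub in body[1])
    # steps 209-210: a leaf structure, i.e. one matching condition
    _, name, op, value = body
    if name not in attrs:  # an attribute the message lacks never matches
        return False
    actual = attrs[name]
    if op == "==":         # equality matching (claim 9)
        return actual == value
    if op == "<":
        return actual < value
    if op == ">=":
        return actual >= value
    if op == "~":          # regular-expression matching (claim 10), assumed operator
        return re.fullmatch(value, str(actual)) is not None
    raise ValueError(f"unknown operator {op!r}")

def to_dnf(expr):
    """Step 302: policy expression -> list of disjuncts, each a list of (key, value)."""
    kind = expr[0]
    if kind == "assert":
        return [[(expr[1], expr[2])]]
    parts = [to_dnf(sub) for sub in expr[1]]
    if kind == "or":
        return [d for dnf in parts for d in dnf]
    return [sum(combo, []) for combo in product(*parts)]   # distribute "and" over "or"

def apply_policy(expr, env):
    """Steps 303-306: write the assertions of the first disjunct into the
    security processor's running-environment parameters."""
    for key, value in to_dnf(expr)[0]:
        env[key] = value
    return env

def verify_policy(expr, collected):
    """Steps 401-403: the assertions collected from the processor are consistent
    with the expression if they contain at least one complete disjunct."""
    return any(all(collected.get(k) == v for k, v in d) for d in to_dnf(expr))

class SecurityViolation(Exception):
    """Raised in the receiving phase when verification fails (step 403)."""

def find_policy(policies, attrs):
    """Policy matching unit: expression of the first policy whose body matches."""
    for body, expr in policies:
        if match_body(body, attrs):
            return expr
    return None

# The two client sending policies from the patent's example
SEND_POLICIES = [
    (("and", [("cond", "service", "==", "A"), ("cond", "p1", "<", 5)]),
     ("and", [("assert", "use_username_signature", True),
              ("assert", "username", "alice"),
              ("assert", "password", "123456"),
              ("assert", "signature_part", "whole_body")])),
    (("and", [("cond", "service", "==", "A"), ("cond", "p1", ">=", 5)]),
     ("and", [("assert", "use_certificate_signature", True),
              ("assert", "signer_certificate", "a.cer"),
              ("assert", "signature_algorithm", "RSA-SHA1"),
              ("assert", "signature_part", "p1")])),
]
# The server's original verification policy and the second relaxed form the text proposes
SERVER_ORIGINAL = [(("cond", "service", "==", "A"),
    ("and", [("or", [("assert", "use_username_signature", True),
                     ("assert", "use_certificate_signature", True)]),
             ("assert", "signature_part", "whole_body")]))]
SERVER_RELAXED = [(("cond", "service", "==", "A"),
    ("or", [("and", [("assert", "use_username_signature", True),
                     ("assert", "signature_part", "whole_body")]),
            ("and", [("assert", "use_certificate_signature", True),
                     ("assert", "signature_part", "p1")])]))]

# Assumed: secrets the receiver's processor cannot observe from the signed message
UNOBSERVABLE = {"password", "signer_certificate"}

def simulate(p1, server_policies):
    """Send one message with parameter p1, then verify it at the server.
    Returns (parameters applied at the sender, verification result)."""
    attrs = {"service": "A", "p1": p1}
    send_expr = find_policy(SEND_POLICIES, attrs)
    if send_expr is None:
        return {}, False
    env = apply_policy(send_expr, {})                        # sending phase
    collected = {k: v for k, v in env.items() if k not in UNOBSERVABLE}
    return env, verify_policy(find_policy(server_policies, attrs), collected)

def receive(p1, server_policies):
    """Receiving phase that raises the security violation instead of returning False."""
    env, ok = simulate(p1, server_policies)
    if not ok:
        raise SecurityViolation(f"message with p1={p1} violates the server policy")
    return env

if __name__ == "__main__":
    print(simulate(3, SERVER_ORIGINAL)[1], simulate(7, SERVER_ORIGINAL)[1])  # True False
    print(simulate(3, SERVER_RELAXED)[1], simulate(7, SERVER_RELAXED)[1])    # True True
```

Running the two server policies against p1=3 and p1=7 reproduces the text: the original server policy accepts the username-signed message and rejects the certificate-signed one, while the relaxed policy accepts both. Note that `apply_policy` takes only the first disjunct, exactly as steps 303 to 306 do; if a sending policy's expression has several disjuncts, the order of the "or" operands decides which configuration the sender uses.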
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the specific embodiments of the present invention may still be modified, or some of their technical features replaced by equivalents, without departing from the spirit of the technical solution of the present invention; all such modifications shall be covered by the scope of the technical solution claimed by the present invention.

Claims (10)

1. A grid security communication system, characterized in that it comprises:
a policy library module, used to store security policies in file form;
a policy engine module connected to the policy library module, used to obtain security policies from the policy library module and parse them, and then compare them with the attribute values in the current message and environmental context to find the matching security policy;
a message input interface unit connected to the policy engine module, used to intercept the messages sent or received between the client and the server;
a processing engine module connected to the policy engine module and the message input interface unit, used to perform security processing on the messages intercepted by the message input interface unit;
a message output interface unit connected to the policy engine module and the processing engine module, used to output the security-processed messages.
2. The grid security communication system according to claim 1, characterized in that the policy engine module comprises:
a policy parsing unit connected to the policy library module, used to read the security policy files of the policy library module and parse them into data structures in memory;
a policy management unit connected to the policy parsing unit, used to provide an external access interface to the in-memory data structures of the security policies;
a policy matching unit connected to the policy management unit and the processing engine module, used to match the security policies of the policy management unit against the attribute values in the currently intercepted message or context, and then provide the specific policy that matches the current message or context to the processing engine module;
an attribute acquisition unit connected to the policy matching unit, the message input interface unit and the message output interface unit, used to obtain from the current message and context the attribute values required for policy matching.
3. The grid security communication system according to claim 1, characterized in that the processing engine module comprises:
several processor units connected to the message input interface unit, the policy engine module and the message output interface unit, used to perform security processing on the current message.
4. The grid security communication system according to claim 3, characterized in that the processor unit is an encryption unit, a digital signature unit, a decryption unit or a signature verification unit.
5. The grid security communication system according to claim 2, characterized in that the attribute acquisition unit comprises a message content selector unit, a context selector unit and/or a plug-in selector unit; the message content selector unit is an XPath selector unit or a QName selector unit, and the context selector unit is a target service selector unit, a method selector unit or a custom parameter selector unit.
6. A grid security communication method, characterized in that it comprises the following steps:
Step 1: the message input interface unit intercepts a message between the client and the server;
Step 2: the policy engine module matches the attribute parameters extracted from the message or environmental context against the security policies obtained and parsed from the policy library module, each security policy comprising a policy body made up of matching conditions and a policy expression made up of combined policy assertions, and outputs the matching security policy;
Step 3: determine whether the message is in the sending phase; if it is in the sending phase, go to step 4; if it is in the receiving phase, go to step 6;
Step 4: the policy engine module applies the security policy to the parameters of the security processor in the processing engine module;
Step 5: the security processor performs security processing on the message, the message output interface unit then outputs and sends the security-processed message, and the operation ends;
Step 6: the policy engine module collects processing information from the security processor of the processing engine module;
Step 7: the policy engine module determines whether the processing information matches the security policy; if so, the security processor performs security processing on the message, the message output interface unit then outputs and receives the security-processed message, and the operation ends; otherwise the policy engine module reports a security violation error and the operation ends.
7. The grid security communication method according to claim 6, characterized in that the security processing in step 5 is encryption.
8. The grid security communication method according to claim 6, characterized in that the security processing in step 5 is digital signature processing.
9. The grid security communication method according to claim 6, characterized in that in step 2 and step 7 the matching is equality matching.
10. The grid security communication method according to claim 6, characterized in that in step 2 and step 7 the matching is regular expression matching.
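Claim 5 names the selector kinds of the attribute acquisition unit (XPath and QName selectors over message content; target service, method and custom parameter selectors over the context) without showing how they feed the matcher. The following is an added example, not the patent's code: a small attribute acquisition unit that runs each selector over a constructed SOAP-style request and a context dictionary and returns the attribute dictionary that a policy body is matched against. The message, the `urn:example:grid-service` namespace, the `target_service` context key and the selector class names are all assumptions made here; selectors that find nothing leave the attribute out, so a later equality match on it fails instead of comparing against None.

```python
import xml.etree.ElementTree as ET

# Constructed SOAP-style request standing in for a message intercepted by the
# message input interface unit (not taken from the patent)
SAMPLE_MESSAGE = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:svc="urn:example:grid-service">
  <soap:Header>
    <svc:Caller>alice</svc:Caller>
  </soap:Header>
  <soap:Body>
    <svc:compute>
      <svc:p1>7</svc:p1>
      <svc:p2>abc</svc:p2>
    </svc:compute>
  </soap:Body>
</soap:Envelope>"""

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "svc": "urn:example:grid-service"}

class XPathSelector:
    """Message content selector: text of the first element on an ElementTree path."""
    def __init__(self, path):
        self.path = path
    def select(self, root, context):
        node = root.find(self.path, NS)
        return None if node is None else node.text

class QNameSelector:
    """Message content selector: text of the first element with the given qualified name."""
    def __init__(self, qname):
        self.qname = qname          # Clark notation: {namespace}local-name
    def select(self, root, context):
        for node in root.iter():
            if node.tag == self.qname:
                return node.text
        return None

class TargetServiceSelector:
    """Context selector: the service the message is addressed to."""
    def select(self, root, context):
        return context.get("target_service")

class MethodSelector:
    """Context selector: the invoked operation, i.e. the first child element of soap:Body."""
    def select(self, root, context):
        body = root.find("soap:Body", NS)
        first = list(body)[0]               # IndexError if the body is empty
        return first.tag.split("}")[-1]     # strip the namespace from the tag

class CustomParameterSelector:
    """Plug-in selector: any function of (root, context), e.g. to produce a typed value."""
    def __init__(self, func):
        self.func = func
    def select(self, root, context):
        return self.func(root, context)

SELECTORS = {
    "service": TargetServiceSelector(),
    "method": MethodSelector(),
    "caller": XPathSelector("soap:Header/svc:Caller"),
    "p2": QNameSelector("{urn:example:grid-service}p2"),
    # p1 is compared numerically by the policy body, so convert it to int here
    "p1": CustomParameterSelector(lambda root, ctx: int(root.find(".//svc:p1", NS).text)),
}

def acquire_attributes(message_xml, context, selectors=SELECTORS):
    """Attribute acquisition unit: run every selector over the intercepted message
    and its context, omitting attributes that cannot be found or converted."""
    root = ET.fromstring(message_xml)
    attrs = {}
    for name, selector in selectors.items():
        try:
            value = selector.select(root, context)
        except (AttributeError, ValueError, IndexError):
            value = None                    # element missing or not convertible
        if value is not None:
            attrs[name] = value
    return attrs

if __name__ == "__main__":
    print(acquire_attributes(SAMPLE_MESSAGE, {"target_service": "A"}))
```

The returned dictionary, `{"service": "A", "method": "compute", "caller": "alice", "p2": "abc", "p1": 7}` for the sample, is exactly the input the policy matching unit needs for a body such as "the accessed service is A and p1 is less than 5". Because the custom selector converts p1 to an integer, a comparison like p1 < 5 is numeric rather than a string comparison, which is the kind of detail that decides whether a message with p1=10 lands on the wrong sending policy.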
CNB2005101325444A 2005-12-26 2005-12-26 Gridding safety communication system and gridding safety communication method Expired - Fee Related CN100440892C (en)


Publications (2)

Publication Number Publication Date
CN1791114A true CN1791114A (en) 2006-06-21
CN100440892C CN100440892C (en) 2008-12-03

Family

ID=36788602



Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101242272B (en) * 2008-03-11 2010-10-06 南京邮电大学 Realization method for cross-grid secure platform based on mobile agent and assertion
CN105099992A (en) * 2014-04-29 2015-11-25 杭州迪普科技有限公司 Message modification device and method
CN106161377A (en) * 2015-04-13 2016-11-23 中国科学院软件研究所 A kind of social networks access control method based on user characteristics
CN106789959A (en) * 2016-12-01 2017-05-31 北京锐安科技有限公司 A kind of data safe processing device and processing method
CN107025539A (en) * 2007-05-15 2017-08-08 社会方案有限责任公司 System and method for forming social networking on-line communities
CN110688369A (en) * 2019-09-30 2020-01-14 北京天融信网络安全技术有限公司 Method, device, storage medium and electronic equipment for analyzing DB2 message
CN111049665A (en) * 2018-10-12 2020-04-21 北京思源理想控股集团有限公司 Server, communication system and method for self-defined dynamic policy deployment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8352724B2 (en) * 2003-07-23 2013-01-08 Semiconductor Energy Laboratory Co., Ltd. Microprocessor and grid computing system
JP4064914B2 (en) * 2003-12-02 2008-03-19 インターナショナル・ビジネス・マシーンズ・コーポレーション Information processing apparatus, server apparatus, method for information processing apparatus, method for server apparatus, and apparatus executable program




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20081203

Termination date: 20121226