Utility model content
To solve the above problems, the utility model provides a security management and information feedback system based on the GDOI protocol. The system comprises a high-speed encryption module, a key management center (KMC), a key management control terminal, a security management center and an information feedback management center.
Further, the high-speed encryption module comprises a first processing channel, a second processing channel and a shared module.
Further, the shared module comprises a control center unit, an editing integration unit, a flash unit and a configuration interface; the first processing channel and the second processing channel each further comprise a data processing unit, a data cache unit, an authentication unit, a micro-control unit and an expansion unit.
Further, the KMC comprises a device management module, an algorithm processing module, a key management module, a communication processing module, a local monitoring module and an integrated management module. The device management module comprises a remote status query and monitoring unit, a group policy processing unit and an identity key management unit. The key management module comprises a noise code processing unit, a local critical data storage protection unit, a session encryption key (SEK) management unit, a group policy key-encrypting key (KEK) management unit and a group policy transmission encryption working key (TEK) management unit. The communication processing module comprises a security management communication interface unit, a GDOI protocol processing unit and a multicast communication processing unit. The management module comprises a key management center management unit and a log maintenance unit.
Further, the key management module is connected to the algorithm processing module.
Further, the key management control terminal comprises a card information input module and a public key distribution module; the key management control terminal is a key management console.
Further, the security management center comprises an asset management module and a configuration management module. The asset management module comprises an asset information collection unit, an asset information management unit, an owner information management unit and an asset topology management unit; the configuration management module comprises a group information management unit, a group member information management unit, a group policy management unit and an encryption device status monitoring unit.
Further, the information feedback management center comprises a monitoring module, a statistical analysis module and a system management module. The monitoring module comprises a flow information collection unit, a traffic statistics analysis unit, a flow information display unit and an abnormal flow alarm unit; the statistical analysis module comprises a performance alarm management unit, a fault alarm management unit, an integrated correlation analysis unit and a security risk alarm unit.
The beneficial effects of the utility model are as follows:
1) Through an innovative encryption module architecture, the high-speed encryption module achieves high-performance encryption and supports encryption and decryption of 40Gbps service data; its functions are clearly partitioned, its service processing performance is superior, and it can provide users with extensible, customizable functions.
2) Through the group encryption deployment model of key management server and group members (GM) and a whole-network negotiation mechanism (Group SA), the traffic between nodes is encrypted and decrypted with the Group SA, providing secure communication for any IP node.
3) Assets and their encryption devices can be maintained, monitored and inspected at any time; backbone link traffic is collected from routers and switches in multiple ways (NETSTREAM, SPAN, SNMP), the traffic of the whole network is displayed and monitored in real time, and remedial measures can be taken immediately when a problem occurs.
Embodiment
To make the purpose, technical scheme and advantages of the utility model clearer, the utility model is explained in further detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein serve only to explain the utility model and do not limit it. On the contrary, the utility model covers any replacement, modification, equivalent method and scheme made within the spirit and scope of the utility model as defined by the claims. Further, to give the public a better understanding of the utility model, some specific details are described below; a person skilled in the art can also understand the utility model completely without these details.
The utility model is described in further detail below with specific embodiments in conjunction with the accompanying drawings, but these do not limit the utility model. The preferred embodiment of the utility model is as follows:
As illustrated, the utility model provides a security management and information feedback management system based on the GDOI protocol; the system comprises an asset management module, a configuration management module, a monitoring module, a statistical analysis module and a system management module.
The encryption module comprises a first processing channel, a second processing channel and a shared module. The first and second processing channels handle encryption services independently; the shared module is connected to both channels at once and is used for the information input and control processing of both channels.
The first and second processing channels are each equipped with an independent user information input interface, management information input interface and authentication interface, together with a data processing unit, a data cache unit, an authentication unit, a micro-control unit and an expansion unit.
The shared module comprises a control center unit, an editing integration unit, a flash unit and a configuration interface, connected in sequence; the control center unit, the editing integration unit and the flash unit are connected to both the first and the second processing channel.
The control center unit handles the configuration operation commands of administrative staff received through the management information input interface. The editing integration unit converts all operation commands of the control center unit into digital information through logical editing and digital integration and sends them to the data processing unit, which can process 20Gbps of service data. The flash unit caches the key information and verification information that comes from the authentication unit and is received by the control center unit through the authentication interface.
The control center unit is connected to the user information input interface through the data processing unit; the user information input interface sends the user's key information to the control center unit. The management information input interface and the authentication interface are connected to the control center unit, and the authentication information of administrative staff and users is sent to the control center unit for verification. The management information input interface, micro-control unit, data processing unit and control center unit are connected in sequence; the management information input interface sends the operation commands and verification information of administrative staff to the control center unit, and after successful verification the micro-control unit can input administrator work commands directly. The data cache unit is connected to the control center unit and stores part of the key information and verification information; the expansion unit is used to connect external equipment. The data processing unit performs block symmetric cipher operations and hash operations: the block cipher operation encrypts data with the SM4 algorithm, and the hash operation hashes the encrypted data with the SM3 algorithm. The authentication unit provides digital signatures and the verification of digital signatures. The control center unit is an ARM microcontroller, the editing integration unit is a CPLD, the flash unit is a 128Mb FLASH memory, the data processing unit is a DPU, the data cache unit is a 1MB SRAM data cache, the authentication unit is an SSX1408 security chip, the micro-control unit is an Ethernet PHY, and the expansion unit is used to connect user-customized encryption equipment.
The KMC is a 2U-height server device comprising an X86 mainboard, a dedicated PCI-E cipher card, a storage assembly, a network interface card, an ID card driver, an identity card reader and a power supply. The KMC is installed on the X86 mainboard, and a USB-Key is fitted to the mainboard for machine authentication at system boot, encryption protection of stored data, and identity key management of the whole-network encryption devices. The KMC is connected to the key management control terminal, which is used for registering the cipher machine ID cards used across the whole network and for distributing the KMC's identity public key in the off-line state.
The KMC comprises a device management module, an algorithm processing module, a key management module, a communication processing module, a local monitoring module and a management module.
The device management module completes the management and status monitoring of the whole-network encryption devices, the maintenance of group cryptographic policy, and the management of whole-network identity keys; it comprises a remote status query and monitoring unit, a group policy processing unit and an identity key management unit.
The remote status query and monitoring unit collects and monitors the running status of encryption devices and reports any abnormality to the device management module in time; the device management module then performs maintenance and management on the abnormal encryption device. The group policy processing unit maintains group policy information and supports adding and deleting the encryption device members of a group policy; the whole network supports at most 10000 group policy entries, and each group policy supports at most 1000 members. The identity key management unit comprises an injection key and an authentication key: the injection key performs the initial filling of key parameters into an encryption device, and the authentication key performs local identity authentication when the encryption device starts.
The algorithm processing module works with the SM2, SM3 and SM4 algorithms; it performs key information calculation for encryption devices with SM2, SM3 and SM4, and supports the simultaneous authentication registration of at most 200 encryption devices.
The key management module comprises a noise code processing unit, a local critical data storage protection unit, a session encryption key (SEK) management unit, a group policy key-encrypting key (KEK) management unit and a group policy transmission encryption working key (TEK) management unit. The noise code processing unit acquires noise data from a physical noise source and performs randomness detection on the acquired noise data to ensure the randomness of the keys produced. The local critical data storage protection unit performs local identity authentication through the authentication key of the identity key management unit, obtains the storage protection key and protects locally stored sensitive information. The session encryption key (SEK) management unit performs IKE exchanges with the encryption devices, maintains and manages the SEK keys shared with the whole-network encryption devices, and protects the transmission of KEK data. The group policy key-encrypting key (KEK) management unit updates and manages the whole-network KEK keys according to group policy state and protects the transmission of TEK data. The group policy transmission encryption working key (TEK) management unit maintains and manages TEK key data according to group policy state and the key update period, and protects the transmission of group policy data.
The algorithm processing module is connected to the key management module and, through the SM2, SM3 and SM4 algorithms, implements local critical data storage protection and the maintenance and management of the whole-network session encryption keys, group policy key-encrypting keys and group policy transmission encryption working keys.
The communication processing module comprises a security management communication interface unit, a GDOI protocol processing unit and a multicast communication processing unit. It implements the communication connection between the key management module and the key management control terminal, between the device management module and the key management control terminal, and between the key management module and the device management module; externally it provides a unified GDOI protocol interface, and key distribution is implemented with the GDOI protocol. The security management communication interface unit implements communication protocol parsing and processing between the key management module and the device management module, the collection of group policy information, device management module command analysis and information reporting. The GDOI protocol processing unit implements the communication connection between the key management control terminal and key management, and completes the establishment and maintenance of the IKE SA, KEK SA and TEK SA according to the GDOI protocol. The multicast communication processing unit implements the communication connection between the device management module and the key management control terminal and performs multicast distribution of TEK keys.
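The key hierarchy of the key management module and the GDOI rekey of the communication processing module described above (KEK protects the distribution of the TEK, the TEK protects group data), as an added Python model that is not the patent's own code. It assumes the IKE/SEK registration phase has already authenticated the member (modelled as a direct registration call), and it uses an HMAC-SHA256 counter keystream with an HMAC tag in place of SM4 because the Python standard library has no SM4; the 10000-group and 1000-member limits are the figures given in the text.

```python
import hashlib
import hmac
import secrets

MAX_GROUPS = 10000   # whole-network group policy entries (figure from the text)
MAX_MEMBERS = 1000   # members per group policy (figure from the text)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stand-in for SM4 here."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def wrap_key(kek: bytes, key: bytes) -> bytes:
    """Protect a key under the KEK (encrypt-then-MAC); returns nonce|ct|tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(kek, nonce, len(key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a wrong KEK or a modified message is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("rekey message rejected: integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


class KeyServer:
    """The KMC side: one KEK per group, generates and multicasts TEKs."""
    def __init__(self):
        self.groups = {}

    def create_group(self, group_id: str) -> None:
        if len(self.groups) >= MAX_GROUPS:
            raise ValueError("group policy table full")
        self.groups[group_id] = {"kek": secrets.token_bytes(32), "members": set(), "tek": None}

    def register(self, group_id: str, gm_id: str) -> bytes:
        """GDOI registration (IKE/identity check assumed done): member receives the group KEK."""
        group = self.groups[group_id]
        if gm_id not in group["members"] and len(group["members"]) >= MAX_MEMBERS:
            raise ValueError("group policy member limit reached")
        group["members"].add(gm_id)
        return group["kek"]

    def rekey(self, group_id: str) -> bytes:
        """Generate a fresh TEK and build the multicast rekey message (TEK wrapped under KEK)."""
        group = self.groups[group_id]
        group["tek"] = secrets.token_bytes(16)
        return wrap_key(group["kek"], group["tek"])


class GroupMember:
    """An encryption device (GM): obtains the KEK at registration, then unwraps TEKs."""
    def __init__(self, gm_id: str):
        self.gm_id, self.kek, self.tek = gm_id, None, None

    def join(self, ks: KeyServer, group_id: str) -> None:
        self.kek = ks.register(group_id, self.gm_id)

    def receive_rekey(self, message: bytes) -> None:
        self.tek = unwrap_key(self.kek, message)


def demo() -> bool:
    """Two members of one group hold the same TEK after one multicast rekey message."""
    ks = KeyServer()
    ks.create_group("backbone-A")
    gm1, gm2 = GroupMember("sw-1"), GroupMember("rtr-2")
    gm1.join(ks, "backbone-A"); gm2.join(ks, "backbone-A")
    msg = ks.rekey("backbone-A")
    gm1.receive_rekey(msg); gm2.receive_rekey(msg)
    return gm1.tek == gm2.tek == ks.groups["backbone-A"]["tek"]
```

A device that never registered, or that registered with a different group, holds a different KEK and fails the tag check, which is the property the multicast distribution relies on.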
The local monitoring module collects the running status of each unit, checks the integrity of critical data and triggers an alarm on an abnormal state.
The management module comprises a key management center management unit and a log maintenance unit. The key management center management unit provides WEB-based management services for the parameter configuration and operation management of the KMC; the log maintenance unit collects all kinds of operation information, status information and maintenance information produced while the KMC runs and forms log records for convenient retrieval and query.
The key management control terminal comprises a card information input module and a public key distribution module; the key management control terminal is a key management console.
The security management center comprises an asset management module, a configuration management module and a system management module. The asset management module mainly describes and defines information assets and classifies and registers assets according to the organization's basic situation; asset management is one of the cores of the system and is the basis for all other security operation management work. The asset management module comprises an asset information collection unit, an asset information management unit, an owner information management unit and an asset topology management unit. The asset information collection unit assists the administrator in collecting and entering asset data and establishing the asset model, with both an automatic collection mode and a manual entry mode. The asset information management unit assists the administrator in displaying asset information and performs asset search by attribute, asset information modification and asset deletion. The owner information management unit establishes, maintains and manages asset owner information, where the owner mainly refers to the administrative staff responsible for the asset. The asset topology management unit collects and establishes asset network topology information, maintains it periodically, displays the asset topology in real time and supports interactive maintenance of the topology.
The configuration management module configures the functions of assets and sets function information; it assists the network administrator in the keyword monitoring of key encrypted communication network information, the management of key equipment in the encrypted network, the maintenance of critical cryptographic parameters (encryption algorithm and parameters), and the formulation, issuing and revocation of group cryptographic policy. The configuration management module comprises a group information management unit, a group member information management unit, a group policy management unit and an encryption device status monitoring unit. The group information management unit assists the administrator in obtaining the details of all or part of the encryption group parameters in the group encryption network. The group member information management unit mainly assists the administrator in obtaining and understanding the relevant key information from the perspective of a group member. The group policy management unit assists the network administrator, through the interface provided by the security management center, in issuing group policy instructions to the group key server (KMC); while executing a group policy instruction the KMC delivers it to the specified group members, so that the cryptographic system completes the update of its organizational structure or cryptographic parameters according to the network administrator's instruction. The encryption device status monitoring unit monitors the running status of the key management center KMC and of the group members.
The above-mentioned KMC is the key management apparatus and the above-mentioned group members are encryption devices. The encryption device is the high-speed encryption module, which can be embedded directly into existing core switches, routers and other network equipment and undertakes all security services and functions related to cryptography. The encryption module is divided into two independent channels, left and right, each of which can process 20Gbps of service data; each channel provides an independent service interface, management interface and authentication interface, and the two channels share one configuration interface. The encryption module is entirely self-developed. The internal hardware of the 40G encryption module is divided into three parts: the data processing section of channel 0, the data processing section of channel 1, and the common function section of the two channels. The data processing section of channel 0/1 consists of the data processing unit, Ethernet PHY, SRAM data cache, security chip and expansion module; the common section consists of the CPLD, the ARM microcontroller and the FLASH memory.
The key management apparatus is the key management center, which consists of 4 core modules: the device control management module, the algorithm processing and key management module, the communication processing module, and the local status monitoring and management module. Through a security-customized Linux kernel, specific drivers, cryptographic services and management modules, it implements the identity authentication and network-access control management of cipher machines, and the management and online dynamic distribution of all kinds of keys across the whole network.
The information feedback management center comprises the monitoring module, the statistical analysis module and the system management module. The monitoring module, through accurate and efficient flow analysis, helps the network administrator grasp in real time the various communication flows in the backbone network and their scale, and discover and locate abnormal flows in time. It comprises a flow information collection unit, a traffic statistics analysis unit, a flow information display unit and an abnormal flow alarm unit. The flow information collection unit interfaces with the industry's mainstream flow standards, obtains flow information data from the network equipment and performs a certain amount of formatting so that the data can be used for further statistical analysis. The traffic statistics analysis unit performs in-depth analysis and detection of the collected packet data using DFI statistical analysis methods. The flow information display unit presents the results of the traffic statistics analysis unit to the network administrator in a reasonable display form, including charts of various periods and types, to assist with daily traffic monitoring. The abnormal flow alarm unit reports the suspicious abnormal flows found during traffic statistics analysis to the network administrator in a reasonable manner, so that the administrator can understand them in time and take treatment measures.
The statistical analysis module is connected to the monitoring module and performs security statistics analysis on the data returned by the monitoring module; it collects the security events related to operation risk in the network equipment, comprehensively analyses the security operation risks that may exist in the network and raises alarms, assisting the network administrator in locating and investigating equipment operation risks to ensure the smooth operation of the whole network. The statistical analysis module comprises a performance alarm management unit, a fault alarm management unit, an integrated correlation analysis unit and a security risk alarm unit. The performance alarm management unit collects the abnormal events related to network equipment performance in the network device unit and supplies them to the security risk alarm unit for alarming. The fault alarm management unit collects the network equipment failure events in the network device unit and supplies them to the security risk alarm unit for alarming. The integrated correlation analysis unit obtains suspicious risk events through SYSLOG and SNMP, merges them with an aggregation engine, comprehensively analyses them with a correlation analysis engine, and finally notifies the analysis results to the security risk alarm unit. The security risk alarm unit raises alarms for the security risk prompts and analysis reports generated by the performance alarm management unit, the fault alarm management unit and the integrated correlation analysis unit, and notifies the relevant network administrator and responsible person so that the risk can be investigated in time. The system management module monitors administrator and administrator-role information and retains logs of the operations performed on the login system.
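The aggregation-then-correlation pipeline of the integrated correlation analysis unit, as an added Python example (not the patent's code) run over constructed syslog-style lines: identical events from one device are merged within a window (aggregation engine), then a device showing both a performance anomaly and a fault within a window, or a repeated event, raises a security risk alarm (correlation engine). The line format, device names, windows and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> <device> <PERF|FAULT>: <message>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<source>PERF|FAULT): (?P<msg>.*)$")


def parse_syslog(lines):
    """Turn raw lines into event dicts; lines that do not match are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "device": m["device"],
                           "source": m["source"], "msg": m["msg"].strip()})
    return events


def aggregate(events, window=timedelta(minutes=5)):
    """Aggregation engine: merge identical (device, source, msg) events that fall
    within `window` of the previous occurrence into one event with a count."""
    merged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["device"], ev["source"], ev["msg"])
        for m in merged:
            if (m["device"], m["source"], m["msg"]) == key and ev["ts"] - m["last"] <= window:
                m["count"] += 1
                m["last"] = ev["ts"]
                break
        else:
            merged.append({**ev, "count": 1, "last": ev["ts"]})
    return merged


def correlate(merged, window=timedelta(minutes=10), repeat_threshold=3):
    """Correlation engine: a PERF and a FAULT event on the same device within
    `window` is a high alarm; an event repeated >= repeat_threshold is medium."""
    alarms = []
    by_device = defaultdict(list)
    for m in merged:
        by_device[m["device"]].append(m)
    for device, evs in by_device.items():
        perf = [e for e in evs if e["source"] == "PERF"]
        fault = [e for e in evs if e["source"] == "FAULT"]
        for p in perf:
            for f in fault:
                if abs(p["ts"] - f["ts"]) <= window:
                    alarms.append({"device": device, "level": "high",
                                   "reason": f"perf+fault within window: {p['msg']} / {f['msg']}"})
        for e in evs:
            if e["count"] >= repeat_threshold:
                alarms.append({"device": device, "level": "medium",
                               "reason": f"{e['source']} repeated {e['count']}x: {e['msg']}"})
    return alarms


SAMPLE_LOG = [  # constructed sample; one unparseable line is included on purpose
    "2024-01-10T08:00:05 core-sw-1 PERF: cpu utilisation 97%",
    "2024-01-10T08:01:10 core-sw-1 PERF: cpu utilisation 97%",
    "2024-01-10T08:02:30 core-sw-1 PERF: cpu utilisation 97%",
    "2024-01-10T08:04:00 core-sw-1 FAULT: link Gi1/0/1 down",
    "2024-01-10T08:05:00 edge-rtr-7 FAULT: power supply 2 failed",
    "2024-01-10T09:30:00 edge-rtr-7 PERF: memory utilisation 91%",
    "garbage line that does not parse",
]


def run(lines=SAMPLE_LOG):
    """Full pipeline: parse, aggregate, correlate; returns the alarm list."""
    return correlate(aggregate(parse_syslog(lines)))


if __name__ == "__main__":
    for alarm in run():
        print(alarm)
```

On the sample, core-sw-1 raises one high alarm (the repeated CPU anomaly followed four minutes later by a link fault) and one medium alarm (the anomaly repeated three times), while edge-rtr-7 raises none because its fault and its performance event are 85 minutes apart.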
The embodiment described above is only a preferred embodiment of the utility model; the usual variations and alternatives made by those skilled in the art within the range of the technical solutions of the utility model should all be included in the scope of protection of the utility model.