WO2017036003A1 - Trusted network identity management and authentication system and method - Google Patents



Publication number
WO2017036003A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2015/098467
Other languages
French (fr)
Chinese (zh)
Inventor
延志伟
耿光刚
傅瑜
李晓东
Original Assignee
中国互联网络信息中心

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • Figure 1 is a schematic diagram of the roles associated with the trusted network framework.
  • Figure 2 is a schematic diagram of key distribution and user identification registration.
  • Figure 3 is a schematic diagram of key distribution and service identification registration.
  • Figure 4 is a schematic diagram of a trusted identity maintenance domain.
  • Figure 5 is a flow chart of trusted identification verification.
  • The present invention specifically includes five functional roles: an organization that manages user identity information, an organization that manages Internet service providers, an organization that maintains user and service trusted identification information, Internet users, and network service providers.
  • These five functions may be implemented by specific hardware devices or software modules, referred to as the user identification management unit/device/module, the network service management unit/device/module, the trusted identification maintenance unit/device/module, the Internet subscriber unit/device/module, and the network service provider unit/device/module.
  • The term "unit" is used below, as shown in Figure 1.
  • The user identification management unit maintains unique identification information for Chinese citizens (and foreign inbound users), registers the binding of each user's network identity and public key information with the trusted identity maintenance unit, and at the same time shares the user's network identity information and public key with the local ISP (Internet Service Provider), enabling the ISP to bind the user's network identity to the user's online account information.
  • The network service management unit manages Internet services registered domestically (and those registered abroad but operated domestically), confirms their service security requirements, and registers the binding of the corresponding public key information and domain name with the trusted identity maintenance unit.
  • The trusted identity maintenance unit deploys the DNSSEC protocol to maintain the large volume of user/service identity and public key binding information in a scalable and manageable way, and supports efficient and accurate queries.
  • The Internet subscriber unit stores and manages its own private key information, and obtains trusted network service provider information by querying the trusted identifier maintenance unit.
  • The network service provider unit stores and manages its own private key information, and obtains user information by querying the trusted identifier maintenance unit.
  • The user identification management unit maintains a user identification database, which includes: 1) identity information of Chinese citizens (such as an identity card number); 2) entry information of foreign citizens (such as a passport number). Everyone who wishes to obtain Internet services in China must register their real identity in the user identification database and provide more than one effective contact method (generally e-mail and mobile phone number). An account is generated for each registered user to manage the user's identity and public key information. At the same time, the user's identity information and public key information are sent to the local ISP for its records through an out-of-band secure method.
  • The user identity management unit generates a network identity for the registered user and registers that identity, together with the public key information submitted by the user, with the trusted identity maintenance unit, as shown in Figure 2:
  • 1.1 User registration. After the user fills in the relevant information in the user identification database, the user selects the registration function and registers the public key of the key pair they generated in the identification database. To prevent counterfeit user registrations, the registered identity and the registrant must be strictly consistent in this step; for details, refer to the .CN personal domain name registration process and user verification mechanism.
  • The user identification database submits a list of user registration information to the identification maintenance unit through a dedicated secure interface (such as the .CN domain name registration service), where the mandatory information includes at least:
  • The identification maintenance unit first generates the corresponding domain name from the list information, in the following format:
  • USER is a domain under .CN dedicated to protecting user identification information; Location identifies the geographical area the user belongs to (by province for Chinese citizens, by country for foreign nationals); U-ID is a user ID of no more than 13 digits (such as an ID card or passport number).
  • The identifier maintenance unit generates a corresponding DNS resource record (the invention does not limit which resource record type is used; the TLSA or TXT resource record is recommended) and adds it to the corresponding .CN subdomain, with a lifetime no greater than the lifetime of the user registration information list.
  • The identification maintenance unit sends a registration confirmation to the user identification management unit.
  • After receiving the registration success confirmation message, the user identification management unit sends a registration success message and the corresponding user network identity to the user (via the communication method selected by the user).
  • The network service management unit maintains a network service provider filing management database, which includes: 1) network service providers based on domestic domain names (.CN, .中国, .公司, .网络, etc.); 2) network service providers based on overseas domain names but operating in the country (e.g. www.baidu.com). Domain name owners who wish to provide secure and effective Internet services in China should register and file in this database and provide more than one type of effective contact method (usually e-mail and mobile phone number). An account is generated for each registered service, under which the service's domain name, IP and public key information are managed.
  • The network service management unit should also set the security level according to the type of service; currently three levels are defined:
  • Medium security requirement service: only one-way authentication of the user to the network service provider is performed, and a secure session channel is established;
  • Service registration. Internet service providers that wish to provide a service in the Internet environment must first register and file with the network service management unit. To prevent counterfeiting, the registered identity and the registrant must be strictly consistent in this step; refer to the .CN company domain name registration process and formalities verification mechanism.
  • The network service management unit determines the service security level based on the registered information, and then receives the public key information of the key pair generated by the service provider.
  • The network service management unit then submits the registered service provider information list to the identity maintenance unit through a dedicated secure interface (such as the .CN domain name registration service), where the mandatory information includes at least:
  • For a domestically registered domain name, the identity maintenance unit generates a corresponding DNS resource record from the list information and adds it as a new resource type under that domestic domain name; for a domain name registered overseas but operated domestically, the identity maintenance unit generates a new domain name from the overseas domain name with the SERVICE.CN suffix and adds the corresponding resource record.
  • For example, www.baidu.com will have a DNS resource record under the following domain name in the CN domain:
  • The identification maintenance unit sends a registration success confirmation to the service management unit.
  • After receiving the registration success confirmation message, the service identification management unit sends a registration success message, together with the domain name information of the new DNS record, to the service provider (via the communication method selected by the service provider).
  • The trusted identity maintenance unit manages the trusted identity data and adds support for the DNSSEC protocol to the existing domain name system (at least the DNS zones that manage network identity information support DNSSEC), and sets aside the corresponding domain name zones to maintain the trusted identification data.
  • The specific plan is shown in Figure 4.
  • Personal identification maintenance domain: a .USER subdomain is created under .CN, and corresponding subdomains are created under it according to the Pinyin abbreviation (or Alpha-3 country code) of each geographical area (for example .BJ for Beijing, .SX for Shanxi, .SD for Shandong, and .USA for citizens entering from the United States).
  • The user's domain name, based on the ID number, is maintained under each such subdomain.
  • The Pinyin abbreviation of each geographical area can follow the Chinese phonetic alphabet abbreviations of the names of China's provinces, municipalities and autonomous regions (http://www.pthyygf.org/guifanbiaozhun/guifanbiaozhun/2011-11-26/12.html); Alpha-3 country codes are used to avoid conflicts with the Pinyin initials of Chinese provinces (for example, Shandong is abbreviated SD and Sudan's Alpha-2 country code is also SD, but its Alpha-3 country code is SDN); for the specific codes see https://www.iso.org/obp/ui/#search .
  • Service identification maintenance domain: a .SERVICE subdomain is created under .CN, and the service domain names registered overseas but operated domestically are generated and maintained under it.
  • The trusted identity maintenance unit provides interfaces and services for the identity registration units (the user identity management unit and the network service management unit), with the following functions and performance guarantees:
  • The trusted identity maintenance unit also provides query interfaces and services for identification information for users and service providers, with the following features and performance guarantees:
  • The user first registers and authenticates with the user identification management unit, generates an asymmetric key pair, and registers the public key information in the user's account at the user identification management unit.
  • Network service provider (network service provider unit)
  • The network service provider first registers with the network service management unit before the service is started, generates an asymmetric key pair according to the security level assessed by the network service management unit, and registers the public key information in its account at the network service management unit.
  • The network identity verification process shown in Figure 5 includes the following steps:
  • The Internet user performs real-name registration with the user identification management unit;
  • The user identification management unit generates a network identifier for the user based on the verification result, and creates a user identification management account for the user (if the ID card system is used, the ID number can serve as the user name and the ID verification code as the initial login password);
  • The user identity management unit registers the user's network identity and public key information with the trusted identity maintenance unit, and at the same time sends them to the local ISP, which binds the user's network identity information to the online account information. The user identity management unit can therefore check, according to the user's network identity, the user's online time, the websites visited and the IP addresses used (IPv4 public address, IPv4 private address, IPv6 address), so that the user is subject to lawful network monitoring and can be traced through an IP address.
  • The Internet service provider performs real-name registration with the network service management unit;
  • The network service management unit verifies its network access license, assigns a security level based on the service content, and creates a service identifier management account for it;
  • The Internet service provider generates an asymmetric key pair and uploads the public key information by logging in to the account;
  • The network service management unit registers the service domain name and its public key information with the trusted identifier maintenance unit;
  • The network service provider queries the trusted identifier maintenance unit and verifies the user's network identifier and public key information with its own private key;
  • The network service provider generates a symmetric key, encrypts it with the user's public key and transmits it to the user;
  • After receiving it, the user decrypts it with their own private key to obtain the symmetric key, and the user and the network service provider then use this symmetric key for secure communication.
  • The invention defines the main logical roles for ensuring secure communication between the two parties of an Internet communication and the controllability of the network, and defines the key functions of each role and the verification process for the trusted identification.
  • The following technical details are not limited, and those skilled in the art can implement them with existing methods:
  • a verification mechanism for the signature record of the user and the service provider, including the trusted identifier and the corresponding public key

Abstract

The present invention relates to a trusted network identity management and authentication system and method. A user identifier management unit maintains network identifier information of a user, and binds a network identifier of the user to public key information to register at a trusted identifier maintenance unit. A network service management unit manages an Internet service, and binds the corresponding public key information to a domain name to register at the trusted identifier maintenance unit. The trusted identifier maintenance unit deploys a DNSSEC protocol, and maintains identifiers of the user and the Internet service, and the binding public key information. An Internet user unit stores and manages private key information, and obtains trusted network service provider information via querying the trusted identifier maintenance unit. A network service provider unit stores and manages the private key information, and obtains user information via querying the trusted identifier maintenance unit. The invention can support functions between a service provider and an Internet user, such as mutual identity authentication, key agreement, secure communication, etc.

Description

Trusted network identity management and verification system and method
Technical field
The invention belongs to the technical field of network technology and information security, and particularly relates to a trusted network identity management and verification system and method.
Background
With the rapid development of information technology over the past two decades, the importance of the Internet in social production and personal life has become increasingly prominent, and its services and applications have penetrated the military, cultural, political and economic fields. However, with the unprecedentedly wide application of the Internet, the security problems it faces are becoming increasingly serious. Cases such as the "PRISM" affair, the "Five Eyes" intelligence alliance and the "Angry Birds" spying controversy have repeatedly drawn countries' close attention to trusted network security.
Since 2000, the United States, the European Union, Japan and other countries and regions have accelerated the introduction and deployment of trusted network strategy frameworks in information networks, strengthening identity management and building trusted environments. Taking the United States as an example, the White House released the National Strategy for Trusted Identities in Cyberspace as early as April 2011, planning to build a network identity ecosystem in about 10 years to promote the use of secure, efficient and easy-to-use trusted identities by individuals and organizations on the Internet.
This means that the security and trustworthiness of the Internet are becoming ever more important, and establishing two-way authentication between Internet users and service providers has become an urgent foundation for building a secure and trusted Internet environment.
The Domain Name System (DNS) is a distributed Internet service system that maps domain names to certain predefined types of resource records (such as IP addresses). As a resource addressing service at the Internet application layer, the domain name service is the basis of other Internet application services; common Internet application services (such as Web, e-mail and FTP services) all rely on the domain name service for addressing and locating resources.
The original DNS protocol is a lightweight protocol that provides no security guarantees for service data content; moreover, DNS data is transmitted over the Internet in clear text and is easily hijacked or tampered with in transit. Because the DNS protocol itself provides no integrity protection mechanism for data content, the receiver cannot determine whether a received message has been tampered with or whether its source is correct; in addition, DNS implementations are usually based on UDP and lack reliability guarantees for communication, which further increases the likelihood of messages being tampered with or forged. It is precisely these security defects of the DNS protocol that prompted the creation and development of DNS Security Extensions (DNSSEC).
The DNSSEC protocol is a security extension of the DNS protocol. It adds a digital signature based on an asymmetric cryptographic algorithm to DNS response messages to guarantee that the data has not been tampered with and comes from the correct source; each zone then submits its own public key to its parent zone, from the bottom of the domain name hierarchy upwards, to achieve step-by-step security authentication of the entire domain name system. Specifically, DNSSEC provides three kinds of security guarantee for DNS data: (1) source verification: ensuring that a DNS response comes from the authorized authoritative server; (2) integrity verification: ensuring that a DNS response has not been tampered with in transit; (3) authenticated denial of existence: when a user requests a domain name that does not exist, the DNS server can also return a negative response containing a digital signature, guaranteeing the reliability of that negative response.
DNSSEC essentially builds, on top of the tree-shaped delegation structure of the domain name system, a cryptographic signing/verification system, namely the chain of trust, and ensures the authenticity and reliability (data integrity and non-repudiation) of DNS query results through step-by-step security verification along the chain of trust.
Summary of the invention
The invention provides a trusted network identity management and verification system and method that can realize functions such as two-way identity authentication, key agreement and secure communication between a service provider and an Internet user.
To achieve the above object, the technical solution adopted by the invention is as follows:
A trusted network identity management and verification system includes a user identity management unit, a network service management unit, a trusted identity maintenance unit, an Internet user unit and a network service provider unit;
the user identity management unit maintains the user's network identity information and registers the binding of the user's network identity and public key information with the trusted identity maintenance unit;
the network service management unit manages Internet services and registers the binding of the corresponding public key information and domain name with the trusted identity maintenance unit;
the trusted identity maintenance unit deploys the DNSSEC protocol and maintains the identity and public key binding information of users and Internet services;
the Internet user unit stores and manages its own private key information and obtains information about trusted network service providers by querying the trusted identity maintenance unit;
the network service provider unit stores and manages its own private key information and obtains user information by querying the trusted identity maintenance unit.
A trusted network identity verification and secure communication method using the above system includes the following steps:
1) The Internet user performs real-name registration with the user identity management unit;
2) The user identity management unit generates a network identifier for the user and creates a user identity management account for the user;
3) The user generates an asymmetric key pair and uploads the public key information by logging in to the account;
4) The user identity management unit registers the user's network identity and public key information with the trusted identity maintenance unit, and at the same time sends the user's network identity and public key information to the local ISP, which binds the user's network identity information to the user's Internet access account information;
5) The Internet service provider performs real-name registration with the network service management unit;
6) The network service management unit verifies its network access license, assigns a security level based on the service content, and creates a service identity management account for it;
7) The Internet service provider generates an asymmetric key pair and uploads the public key information by logging in to the account;
8) The network service management unit registers the service domain name and its public key information with the trusted identity maintenance unit;
9) When a user wants to access a network service provider's website, the user first queries the trusted identity maintenance unit for the public key information and IP address corresponding to that website;
10) The user signs their own network identifier and public key information using the network service provider's public key;
11) The network service provider queries the trusted identity maintenance unit and verifies the user's network identifier and public key information with its own private key;
12) The network service provider generates a symmetric key, encrypts it with the user's public key and transmits it to the user;
13) After receiving it, the user decrypts it with their own private key to obtain the symmetric key, and the user and the network service provider use this symmetric key for secure communication.
The invention uses DNS and DNSSEC technology to manage and verify trusted Internet identities, supports service management at different security levels, and thereby supports functions such as two-way identity verification, key agreement and secure communication between service providers and Internet users.
Description of the Drawings
Figure 1 is a schematic diagram of the roles involved in the trusted network framework.
Figure 2 is a schematic diagram of key distribution and user identity registration.
Figure 3 is a schematic diagram of key distribution and service identity registration.
Figure 4 is a schematic diagram of the trusted identity maintenance domains.
Figure 5 is a flow chart of trusted identity verification.
Detailed Description
To make the above objects, features and advantages of the present invention clearer and easier to understand, the invention is further described below through specific embodiments and the accompanying drawings.
The present invention specifically comprises five functional roles: an organization that manages user identity information, an organization that manages Internet service providers, an organization that maintains the trusted identity information of users and services, Internet users, and network service providers. These five functional roles may be implemented by specific hardware devices or software modules and may be referred to respectively as the user identity management unit/device/module, the network service management unit/device/module, the trusted identity maintenance unit/device/module, the Internet user unit/device/module and the network service provider unit/device/module. The term "unit" is used below, as shown in Figure 1.
The user identity management unit maintains unique identification information for Chinese citizens (and foreign users entering the country), registers the binding of their network identity and public key information with the trusted identity maintenance unit, and at the same time shares the user's network identity information and public key information with the local ISP (Internet Service Provider), so that the ISP can bind the user's network identity to the user's Internet access account information.
The network service management unit manages Internet services registered domestically (and those registered abroad but operated domestically), confirms their service security requirements, and registers the binding of the corresponding public key information to the domain name with the trusted identity maintenance unit.
The trusted identity maintenance unit deploys the DNSSEC protocol, maintains the identifier and public key binding information of very large numbers of users and services in a scalable and manageable manner, and supports efficient and accurate queries.
The Internet user unit stores and manages its own private key information and obtains trusted network service provider information by querying the trusted identity maintenance unit.
The network service provider unit stores and manages its own private key information and obtains user information by querying the trusted identity maintenance unit.
The key functions of each role are described separately below.
1. User Identity Management Unit
The user identity management unit maintains a user identity database containing: 1) identity information of Chinese citizens (such as the ID card number); 2) identity information of foreign citizens entering the country (such as the passport number). Everyone who wishes to obtain Internet services within China must register their real identity in the user identity database and provide more than one valid means of contact (generally an e-mail address and a mobile phone number). An account is generated for each registered user to manage the user's identity and public key information. At the same time, the user's identity information and public key information are sent to the local ISP for record through a secure out-of-band channel.
The user identity management unit generates the network identity of a registered user and registers that identity together with the public key information submitted by the user with the trusted identity maintenance unit, as shown in Figure 2:
1.1 User registration: After the user fills in the relevant information in the user identity database, the user selects the user registration function and registers the public key of the generated key pair in the identity database. To prevent registration by impersonators, this step must ensure that the registered identity and the registrant strictly match; the CN personal domain name registration process and user verification mechanism can be consulted for details.
3.1 Identity registration: The user identity database submits a user registration information manifest to the identity maintenance unit through a dedicated secure interface (such as the CN domain name registration service); the mandatory information includes at least:
● User identity information
● Province or country
● Public key information
● Time to live
3.2 Identity registration confirmation: Based on the manifest information, the identity maintenance unit first generates the corresponding domain name in the following format:
U-ID.Location.USER.CN
where USER is a domain under CN dedicated to maintaining user identity information, Location identifies the geographical region to which the user belongs (Chinese citizens are distinguished by province, foreign citizens entering the country by country), and U-ID is a user identifier of no more than 13 characters (such as an ID card or passport number).
The identity maintenance unit then generates the corresponding DNS resource record (the invention does not restrict which resource record type is used; TLSA or TXT resource records are recommended) and adds it to the corresponding CN subdomain, with a lifetime no greater than the lifetime given in the user registration information manifest.
Finally, the identity maintenance unit confirms successful registration to the user identity management unit.
1.2 User registration confirmation: After receiving the registration success confirmation message, the user identity management unit sends a registration success message and the corresponding user network identity to the user (through the means of contact selected by the user).
2. Network Service Management Unit
The network service management unit maintains a network service provider filing management database containing: 1) network service providers based on domestic domain names (.CN, .中国, .公司, .网络, etc.); 2) network service providers based on overseas domain names but operated domestically (such as www.baidu.com). Domain name owners who wish to provide secure and effective Internet services within China should register and file in this database and provide more than one valid means of contact (generally an e-mail address and a mobile phone number). An account is generated for each registered service to manage the domain name, IP address and public key information corresponding to the service.
In addition, the network service management unit should set the security level of each service according to its service type; there are currently three types:
● Strong security requirement services: have certain requirements on the authenticity of user identity and on user permissions, and may provide a certain guarantee of session privacy;
● Medium security requirement services: only one-way verification of the network service provider's identity by the user is performed, and a secure session channel is established;
● Weak security requirement services: the user only needs to perform one-way verification of the network service provider's identity.
The network service provider registration process involves interaction among the network service provider unit, the network service management unit and the trusted identity maintenance unit, as shown in Figure 3:
2.1 Service registration: An Internet service provider wishing to offer a service in the Internet environment first needs to register and file with the network service management unit. To prevent fraudulent registration, this step must ensure that the registered identity and the registrant strictly match; the CN company domain name registration process and document verification mechanism can be consulted for details.
4.1 Identity registration: Based on the registered information, the network service management unit determines the service's security level and then receives the public key information of the key pair generated by the service provider. The network service management unit then submits the registered service provider information manifest to the identity maintenance unit through a dedicated secure interface (such as the CN domain name registration service); the mandatory information includes at least:
● Domain name of the network service provider
● Province or country
● Service type and security level
● Key algorithm and public key information
● Time to live
4.2 Identity registration confirmation: For a domestically registered domain name, the identity maintenance unit generates the corresponding DNS resource record based on the manifest information and adds it as a new resource record type of that domestic domain name; for a domain name registered overseas but operated domestically, the identity maintenance unit generates a new domain name by appending the SERVICE.CN suffix to the overseas domain name and adds the corresponding resource record. For example, www.baidu.com will have a DNS resource record under the following domain name in the CN zone:
www.baidu.com.service.cn
Finally, the identity maintenance unit confirms successful registration to the service management unit.
2.2 Service registration confirmation: After receiving the registration success confirmation message, the service identity management unit issues a registration success message and the domain name information of the new DNS record to the service provider (through the means of contact selected by the service provider).
3. Trusted Identity Maintenance Unit
The trusted identity maintenance unit manages trusted identity data and adds support for the DNSSEC protocol to the existing domain name system (at least ensuring that the DNS zones managing network identity information support DNSSEC). It also divides the trusted identity data into corresponding domain name zones; the specific layout is shown in Figure 4.
1) Personal identity maintenance domain: A .USER subdomain is created under .CN, and under it a corresponding subdomain is created for each geographical region according to its pinyin abbreviation (or Alpha-3 country code) (for example .BJ for Beijing, .SX for Shanxi, .SD for Shandong and .USA for citizens of the United States entering the country). Under each of these subdomains, user domain names based on the ID number are maintained.
The pinyin abbreviations of the geographical regions can be taken from the table of Chinese pinyin abbreviations of the names of China's provinces, municipalities and autonomous regions (http://www.pthyygf.org/guifanbiaozhun/guifanbiaozhun/2011-11-26/12.html). Alpha-3 country codes are used to avoid conflicts with the pinyin abbreviations of Chinese provinces (for example, Shandong is abbreviated SD and Sudan's Alpha-2 country code is also SD, but Sudan's Alpha-3 country code is SDN); the specific codes can be found at https://www.iso.org/obp/ui/#search.
2) Service identity maintenance domain: A .SERVICE subdomain is created under .CN, and under it the service domain names of services registered overseas but operated domestically are generated and maintained.
Registration service: The trusted identity maintenance unit shall provide the interfaces and services corresponding to the identity registration units (the user identity management unit and the network service management unit), focusing on the following functional and performance guarantees:
● Clock synchronization between the registration server and its clients
● Efficient registration and updating of very large numbers of identifiers
● Secure authentication of the registrant's identity and secure transmission of registration data
Query service: The trusted identity maintenance unit shall also provide identity information query interfaces and services for users and service providers, focusing on the following functional and performance guarantees:
● Efficient querying of very large numbers of identifiers
● Avoidance of any impact on the underlying DNS service
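As an added illustration (not the patent's own code; the class and function names, the TXT payload layout and the sample identifiers and keys are constructed), the following Python models the zone of section 3 together with the registration manifests of sections 3.1/3.2 and 4.1/4.2: the U-ID.Location.USER.CN and SERVICE.CN naming rules, the rule that a record's lifetime may not exceed the manifest lifetime, the three service security levels, and the DNS-side cross-check of a user's presented public key that a provider performs in step (7).

```python
"""Constructed model of the trusted identity maintenance unit's zone.
Not the patent's implementation: names, payload format and samples are assumed."""
from dataclasses import dataclass
from typing import Dict, Optional

# Domestic TLDs the patent names; any other suffix is treated as overseas.
DOMESTIC_SUFFIXES = (".cn", ".中国", ".公司", ".网络")
MAX_UID_LEN = 13  # section 3.2: U-ID is at most 13 characters

# Checks a user's client must perform before talking to a service,
# derived from the three security levels of section 2 (assumed mapping).
SECURITY_LEVELS = {
    "strong": {"verify_provider": True, "verify_user": True, "session_key": True},
    "medium": {"verify_provider": True, "verify_user": False, "session_key": True},
    "weak":   {"verify_provider": True, "verify_user": False, "session_key": False},
}


def user_record_name(u_id: str, location: str) -> str:
    """Build U-ID.Location.USER.CN (section 3.2). Lower-cased because DNS
    owner names are case-insensitive."""
    if not (1 <= len(u_id) <= MAX_UID_LEN) or not u_id.isalnum():
        raise ValueError("U-ID must be 1 to 13 alphanumeric characters")
    # Location: 2-letter province pinyin abbreviation or Alpha-3 country code.
    if not (2 <= len(location) <= 3) or not location.isalpha():
        raise ValueError("Location must be a province abbreviation or Alpha-3 code")
    return f"{u_id}.{location}.user.cn".lower()


def service_record_name(domain: str) -> str:
    """Section 4.2: a domestic name carries the record itself; an overseas
    name gets the SERVICE.CN suffix (www.baidu.com -> www.baidu.com.service.cn)."""
    d = domain.strip().rstrip(".").lower()
    if not d or " " in d:
        raise ValueError("invalid domain name")
    return d if d.endswith(DOMESTIC_SUFFIXES) else f"{d}.service.cn"


@dataclass
class Record:
    """One TXT-style resource record in the trusted identity zone."""
    name: str
    rdata: str
    ttl: int


def parse_rdata(rdata: str) -> Dict[str, str]:
    """Parse the 'k=v;k=v' TXT payload written by the zone below."""
    return dict(item.split("=", 1) for item in rdata.split(";") if item)


class TrustedIdentityZone:
    """In-memory stand-in for the DNSSEC-signed CN subzones of section 3."""

    def __init__(self, zone_ttl_cap: int = 86400):
        self.zone_ttl_cap = zone_ttl_cap
        self.records: Dict[str, Record] = {}

    def _clamp(self, lifetime: int) -> int:
        # Section 3.2: the record lifetime must not exceed the manifest
        # lifetime; the zone additionally applies its own cap.
        if lifetime <= 0:
            raise ValueError("lifetime must be positive")
        return min(lifetime, self.zone_ttl_cap)

    def register_user(self, u_id: str, location: str, pubkey: str, lifetime: int) -> Record:
        """Section 3.1 manifest: identity, province/country, public key, TTL."""
        if not pubkey:
            raise ValueError("public key information is mandatory")
        rec = Record(user_record_name(u_id, location), f"v=tni1;key={pubkey}", self._clamp(lifetime))
        self.records[rec.name] = rec
        return rec

    def register_service(self, domain: str, location: str, level: str,
                         alg: str, pubkey: str, lifetime: int) -> Record:
        """Section 4.1 manifest: domain, province/country, level, algorithm and key, TTL."""
        if level not in SECURITY_LEVELS:
            raise ValueError(f"unknown security level {level!r}")
        if not (location and alg and pubkey):
            raise ValueError("location, key algorithm and public key are mandatory")
        rec = Record(service_record_name(domain),
                     f"v=tni1;level={level};alg={alg};key={pubkey}", self._clamp(lifetime))
        self.records[rec.name] = rec
        return rec

    def lookup(self, name: str) -> Optional[Record]:
        return self.records.get(name.lower())


def client_checks_for(zone: TrustedIdentityZone, domain: str) -> Dict[str, bool]:
    """Step (5): the user's client resolves the service record and learns
    which verifications the service's security level requires."""
    rec = zone.lookup(service_record_name(domain))
    if rec is None:
        raise LookupError(f"no trusted identity record for {domain}; provider unverified")
    return SECURITY_LEVELS[parse_rdata(rec.rdata)["level"]]


def provider_verifies_user(zone: TrustedIdentityZone, u_id: str, location: str,
                           presented_key: str) -> bool:
    """DNS half of step (7): the provider looks up U-ID.Location.USER.CN and
    accepts only if the presented public key equals the registered one."""
    rec = zone.lookup(user_record_name(u_id, location))
    return rec is not None and parse_rdata(rec.rdata).get("key") == presented_key


def demo_zone() -> TrustedIdentityZone:
    """Constructed sample registrations (placeholder identifiers and keys)."""
    z = TrustedIdentityZone()
    z.register_user("E12345678", "USA", "PK_USER_PLACEHOLDER", 100000)  # clamped to 86400
    z.register_service("www.baidu.com", "BJ", "medium", "rsa2048", "PK_SVC_PLACEHOLDER", 3600)
    return z
```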
4. User (Internet User Unit)
The user first needs to register and be verified at the user identity management unit, generate an asymmetric key pair himself, and register its public key information in the corresponding account at the user identity management unit.
5. Network Service Provider (Network Service Provider Unit)
The network service provider first needs to register with the network service management unit before launching its service, generate the corresponding asymmetric key pair according to the security level assessed by the network service management unit, and register its public key information in the corresponding account at the network service management unit.
Based on the network identity management functions of the roles described above, the network identity verification process shown in Figure 5 can be implemented, which specifically comprises the following steps:
(1) The Internet user performs real-name registration with the user identity management unit;
(2) Based on the verification result, the user identity management unit generates a network identifier for the user and creates a user identity management account for the user (for example, if the ID card system is used, the ID card number can serve as the user name and the ID card verification code as the initial login password);
(3) The user generates an asymmetric key pair and uploads the public key information by logging in to that account;
(4) The user identity management unit registers the user's network identity and its public key information with the trusted identity maintenance unit; at the same time it sends the user's network identity and public key information to the local ISP, and the local ISP binds the user's network identity information to the user's Internet access account information. This enables the user identity management unit, based on the user's network identity information, to obtain from the local ISP the user's online duration, the websites visited, IP addresses (IPv4 public address information, IPv4 private address information, IPv6 address information) and so on, and thereby to perform lawful network monitoring of the user and network tracing by IP address.
(1') The Internet service provider performs real-name registration with the network service management unit;
(2') The network service management unit verifies the provider's network access permit, assigns a security level based on the service content, and creates a service identity management account for the provider;
(3') The Internet service provider generates an asymmetric key pair and uploads the public key information by logging in to that account;
(4') The network service management unit registers the service domain name and its public key information with the trusted identity maintenance unit;
(5) When a user wants to access the network service provider's website, the user first queries the trusted identity maintenance unit for the public key information and IP address corresponding to that website;
(6) The user signs his own network identifier and public key information with the network service provider's public key;
(7) The network service provider queries the trusted identity maintenance unit and verifies the user's network identifier and public key information with its own private key;
(8) The network service provider generates a symmetric key, encrypts it with the user's public key and transmits it to the user;
(9) After receiving it, the user decrypts it with his own private key to obtain the symmetric key; the user and the network service provider then use this symmetric key for secure communication.
The invention defines the main logical roles that ensure secure communication between the two parties of an Internet communication and keep the network manageable and controllable, and defines the key functions of each role and the trusted identity verification process. To support a variety of practical applications, the following technical details are not restricted, and those skilled in the art may implement them using existing methods:
1) the mechanism for generating user network identifiers;
2) the key generation methods for users and network service providers;
3) the secure communication interfaces through which each role registers identity management data;
4) the mechanism by which users and service providers verify signed records containing a trusted identifier and the corresponding public key;
5) the tracing function based on the user's IP address.
The above embodiments are only intended to illustrate the technical solution of the invention and not to limit it. Those of ordinary skill in the art may modify or equivalently replace the technical solution of the invention without departing from its spirit and scope, and the scope of protection of the invention shall be as stated in the claims.

Claims (9)

  1. A trusted network identity management and verification system, characterized in that it comprises a user identity management unit, a network service management unit, a trusted identity maintenance unit, an Internet user unit and a network service provider unit;
    the user identity management unit maintains the user's network identity information and registers the binding of the user's network identity to its public key information with the trusted identity maintenance unit;
    the network service management unit manages Internet services and registers the binding of the corresponding public key information to the domain name with the trusted identity maintenance unit;
    the trusted identity maintenance unit deploys the DNSSEC protocol and maintains the identifier and public key binding information of users and Internet services;
    the Internet user unit stores and manages its own private key information and obtains trusted network service provider information by querying the trusted identity maintenance unit;
    the network service provider unit stores and manages its own private key information and obtains user information by querying the trusted identity maintenance unit.
  2. The system according to claim 1, characterized in that the user identity management unit maintains a user identity database containing citizens' identity information and the identity information of foreign citizens entering the country, used for identity registration of users; the user identity management unit generates the network identity of a registered user and registers that identity together with the public key information submitted by the user with the trusted identity maintenance unit.
  3. The system according to claim 1, characterized in that the network service management unit maintains a network service provider filing management database containing network service providers based on domestic domain names and network service providers based on overseas domain names but operated domestically, used for registration and filing of domain name owners who provide Internet services.
  4. The system according to claim 1, characterized in that the network service management unit sets the security level of a service according to its service type, divided into three types:
    ● Strong security requirement services: have certain requirements on the authenticity of user identity and on user permissions, and may provide a certain guarantee of session privacy;
    ● Medium security requirement services: only one-way verification of the network service provider's identity by the user is performed, and a secure session channel is established;
    ● Weak security requirement services: the user only needs to perform one-way verification of the network service provider's identity.
  5. The system according to claim 1, characterized in that the trusted identity maintenance unit divides the trusted identity data into corresponding domain name zones, including a personal identity maintenance domain and a service identity maintenance domain.
  6. The system according to claim 5, characterized in that the personal identity maintenance domain creates a .USER subdomain under .CN, creates under it a corresponding subdomain for each geographical region according to its pinyin abbreviation or Alpha-3 country code, and maintains user domain names based on the ID number under each of these subdomains; and the service identity maintenance domain creates a .SERVICE subdomain under .CN and generates and maintains under it the service domain names of services registered overseas but operated domestically.
  7. 一种采用权利要求1所述系统的可信网络身份验证和安全通信方法,其特征在于,包括如下步骤:A trusted network authentication and secure communication method using the system of claim 1, comprising the steps of:
    1)互联网用户向用户标识管理单元进行实名注册;1) The Internet user registers the real name with the user identification management unit;
    2)用户标识管理单元为用户生成网络标识,并为其创建用户标识管理账号;2) The user identification management unit generates a network identifier for the user and creates a user identification management account for it;
    3)用户生成非对称密钥对,通过登录账号上传公钥信息;3) The user generates an asymmetric key pair and uploads the public key information through the login account;
    4)用户标识管理单元将用户网络身份标识及其公钥信息注册到可信标识维护单元;同时将该用户的网络身份标识及其公钥信息发送给当地的ISP,由当地的ISP将该用户的网络身份信息和上网账户信息进行绑定;4) The user identity management unit registers the user network identity and its public key information to the trusted identity maintenance unit; at the same time, sends the user's network identity and its public key information to the local ISP, and the local ISP uses the user Binding of network identity information and online account information;
    5)互联网服务提供者向网络服务管理单元进行实名注册;5) The Internet service provider performs real-name registration with the network service management unit;
    6)网络服务管理单元对其进行入网许可验证,基于服务内容进行安全等级划分,并为其创建服务标识管理账号;6) The network service management unit performs network access license verification, performs security level division based on the service content, and creates a service identifier management account for it;
    7)互联网服务提供者生成非对称密钥对,通过登录账号上传公钥信息;7) The Internet service provider generates an asymmetric key pair and uploads the public key information through the login account;
    8)网络服务管理单元将服务域名及其公钥信息注册到可信标识维护单元;8) The network service management unit registers the service domain name and its public key information to the trusted identifier maintenance unit;
    9) When a user wants to access a network service provider's website, the user first queries the trusted identifier maintenance unit for the public key information and IP address corresponding to that website;
    10) The user signs his own network identifier and public key information using the network service provider's public key;
    11) The network service provider queries the trusted identifier maintenance unit and verifies the user's network identifier and public key information with its own private key;
    12) The network service provider generates a symmetric key, encrypts it with the user's public key and transmits it to the user;
    13) After receiving it, the user decrypts it with his own private key to obtain the symmetric key; the user and the network service provider then use this symmetric key for secure communication.
  8. The method according to claim 7, wherein in step 4) the method by which the user identifier management unit registers the user's network identity and its public key information with the trusted identifier maintenance unit is:
    a) the user identifier management unit submits a user registration information list to the trusted identifier maintenance unit through a dedicated secure interface, in which the mandatory information includes at least: the user identity information, the province or country to which the user belongs, the public key information, and the time to live;
    b) the trusted identifier maintenance unit generates a corresponding domain name from the list information, in the format U-ID.Location.USER.CN, where USER is a domain under CN dedicated to maintaining user identifier information, Location identifies the geographic region to which the user belongs, and U-ID is the user identifier;
    c) the trusted identifier maintenance unit generates the corresponding DNS resource record and adds it to the corresponding CN subdomain, with a time to live not greater than the time to live in the user registration information list;
    d) the trusted identifier maintenance unit confirms successful registration to the user identifier management unit.
  9. The method according to claim 7 or 8, wherein in step 8) the method by which the network service management unit registers the service domain name and its public key information with the trusted identifier maintenance unit is:
    a) the network service management unit submits the list of service provider information to be registered to the trusted identifier maintenance unit through a dedicated secure interface, in which the mandatory information includes at least: the network service provider's domain name, the province or country to which it belongs, its business type and security level, its key algorithm and public key information, and the time to live;
    b) for a domain name registered domestically, the trusted identifier maintenance unit generates the corresponding DNS resource record from the list information and adds it as a newly created resource type of the corresponding domestic domain name; for a domain name registered abroad but operated domestically, the trusted identifier maintenance unit generates a new domain name by appending the SERVICE.CN suffix to that foreign domain name and adds the corresponding resource record;
    c) the trusted identifier maintenance unit confirms successful registration to the service management organization.
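The registration procedures of claims 8 and 9, as an added Python example that is not the patent's own code: it builds the trusted-identifier DNS records from a registration list, caps the record TTL at the registered lifetime, and appends the SERVICE.CN suffix for foreign-registered domains. The record type (TXT), the field names of the lists and the sample lists are assumptions, since the patent names none of them.

```python
# Added example (not from the patent): build the DNS-side records that claims 8 and 9
# describe, from the registration lists the management units submit.
from dataclasses import dataclass

USER_ZONE = "USER.CN"          # claim 8: U-ID.Location.USER.CN
SERVICE_SUFFIX = "SERVICE.CN"  # claim 9: suffix for foreign-registered domains
RR_TYPE = "TXT"                # assumption: the patent does not name its new resource type

@dataclass
class DnsRecord:
    owner: str   # fully qualified owner name
    ttl: int     # seconds, never above the lifetime in the registration list
    rtype: str
    rdata: str   # public key (and, for services, type/level/algorithm)

def _require(manifest, keys):
    """Reject a registration list that lacks any mandatory field."""
    missing = [k for k in keys if not manifest.get(k)]
    if missing:
        raise ValueError("registration list missing: " + ", ".join(missing))

def user_identity_record(manifest, zone_default_ttl=3600):
    """Claim 8: owner U-ID.Location.USER.CN, TTL not greater than the registered lifetime."""
    _require(manifest, ("uid", "location", "pubkey", "ttl"))
    owner = f"{manifest['uid']}.{manifest['location']}.{USER_ZONE}"
    ttl = min(zone_default_ttl, int(manifest["ttl"]))
    return DnsRecord(owner, ttl, RR_TYPE, f"pubkey={manifest['pubkey']}")

def service_record(manifest, domestic_tlds=("CN",), zone_default_ttl=3600):
    """Claim 9: domestic names keep their owner; foreign names get the SERVICE.CN suffix."""
    _require(manifest, ("domain", "location", "service_type", "security_level",
                        "key_alg", "pubkey", "ttl"))
    domain = manifest["domain"].rstrip(".")
    domestic = domain.upper().rsplit(".", 1)[-1] in domestic_tlds
    owner = domain if domestic else f"{domain}.{SERVICE_SUFFIX}"
    ttl = min(zone_default_ttl, int(manifest["ttl"]))
    rdata = (f"type={manifest['service_type']};level={manifest['security_level']};"
             f"alg={manifest['key_alg']};pubkey={manifest['pubkey']}")
    return DnsRecord(owner, ttl, RR_TYPE, rdata)

def zone_line(rec):
    """Render a record as a zone-file line for the trusted identifier maintenance unit."""
    return f'{rec.owner}. {rec.ttl} IN {rec.rtype} "{rec.rdata}"'

# Constructed sample registration lists (placeholders, not real registrations)
USER_MANIFEST = {"uid": "u12345", "location": "BJ", "pubkey": "EXAMPLE-USER-PUBKEY", "ttl": 600}
SERVICE_MANIFEST = {"domain": "shop.example.com", "location": "SH", "service_type": "ecommerce",
                    "security_level": "2", "key_alg": "ECDSA-P256", "pubkey": "EXAMPLE-SVC-PUBKEY", "ttl": 86400}
```

Calling `zone_line(user_identity_record(USER_MANIFEST))` yields the owner name `u12345.BJ.USER.CN.` with a 600-second TTL, and a foreign domain in `SERVICE_MANIFEST` is published under `shop.example.com.SERVICE.CN.`.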
PCT/CN2015/098467 2015-09-01 2015-12-23 Trusted network identity management and authentication system and method WO2017036003A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510551325.3A CN105162602B (en) 2015-09-01 2015-09-01 A kind of trustable network Identity Management and verification system and method
CN201510551325.3 2015-09-01

Publications (1)

Publication Number Publication Date
WO2017036003A1 true WO2017036003A1 (en) 2017-03-09

Family

ID=54803366

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/098467 WO2017036003A1 (en) 2015-09-01 2015-12-23 Trusted network identity management and authentication system and method

Country Status (2)

Country Link
CN (1) CN105162602B (en)
WO (1) WO2017036003A1 (en)

Also Published As

Publication number Publication date
CN105162602A (en) 2015-12-16
CN105162602B (en) 2018-05-11


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15902808

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 28.06.2018)

122 Ep: pct application non-entry in european phase

Ref document number: 15902808

Country of ref document: EP

Kind code of ref document: A1