
CN100358326C - Wide-band wireless IP network safety system structure and realizing method - Google Patents


Info

Publication number: CN100358326C
Authority: CN (China)
Prior art keywords: authentication, security, engine, avie, bwip
Legal status: Expired - Fee Related
Application number: CNB2004100262119A
Other languages: Chinese (zh)
Other versions: CN1585405A (en)
Inventors: 马建峰, 吴振强, 朱建明, 郭渊博, 李兴华, 曹春杰, 张帆, 裴庆祺, 沈玉龙, 王超, 杨力, 杨超
Current assignee: Xidian University
Original assignee: Xidian University
Application filed by: Xidian University
Priority to: CNB2004100262119A
Publication of application: CN1585405A
Application granted; publication of grant: CN100358326C

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a broadband wireless IP network security architecture and a method for realizing security. The security scheme is implemented at the network layer and comprises a BWIP security system, a BWIP security execution system, a BWIP network management system and an external support system. The BWIP network management system sets policies for the BWIP security system, presets shared symmetric keys, sets charging rates and monitors system resources; the BWIP security execution system invokes the components of the BWIP security system to inspect and filter the data packets and connection requests flowing into and out of the network; the BWIP security system obtains user public key certificates and credential data from the external security support system and, together with that system, provides the basis for the security execution system's decisions. Based on cryptographic operations, confidentiality, integrity, authentication/authorization/accounting and non-repudiation services are realized for the network by controlling the packets flowing into and out of it. The invention has complete functions, good openness, good transparency and strong generality, and is suited to the future broadband wireless IP field.

Description

Broadband wireless IP network security architecture and method for realizing security
Technical field
The present invention relates to the technical field of communication security, and specifically to a broadband wireless IP (Broadband Wireless Internet Protocol, abbreviated BWIP) network security architecture and a method for realizing security, used to realize the overall security of a BWIP network and to provide the security technology guarantee for future mobile e-commerce and mobile e-government.
Background technology
Existing security architecture schemes include: the OSI (Open Systems Interconnection) security architecture standard (ISO/IEC 7498-2); the IPsec (IP security, secure IP) security architecture proposed by the IETF (Internet Engineering Task Force) in November 1998 (RFC 2401, Request for Comments No. 2401); the WAP architecture specification (document code WAP-100-WAPArch-19980430-a) proposed by the WAP (Wireless Application Protocol) Forum in April 1998; and the security architecture (3G Security, Security architecture, Release 5) proposed by 3GPP (the 3rd Generation Partnership Project) in December 2002. The problems common to all of these security systems are as follows:
1. The OSI security architecture standard (ISO/IEC 7498-2) is a general security architecture framework provided by ISO (the International Organization for Standardization) in 1989, titled "Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture". This standard gives a general description of security services and the related security mechanisms, and determines where inside the reference model these services and mechanisms can be provided. According to the security threats that may exist in a network, it divides security into four levels: link-level security, network-level security, end-to-end-level security and application-level security; during a specific implementation a user may realize security functions at one or more of these levels according to its own security requirements. The framework has guiding significance, but gives no concrete implementation method and therefore cannot be adopted directly.
2. The IPsec security architecture is a security architecture scheme for the symmetric application environment of fixed networks. It mainly addresses confidentiality and authentication in wired networks, lacks the accounting function needed in wireless networks, and cannot be applied directly to the special mobile-environment setting of low power consumption, small memory, weak processing capability, relatively low bandwidth and high error rate.
3. WAP (Wireless Application Protocol) is built on a new architecture. Its security mechanism is realized by the WTLS (Wireless Transport Layer Security) layer of the WAP 1.X protocol stack; because WTLS is non-standard, there are compatibility problems with the existing TCP/IP (Transmission Control Protocol/Internet Protocol) protocol stack, and WTLS has many security vulnerabilities. WAP 2.X replaces WAP's security mechanism with SSL/TLS (Secure Sockets Layer/Transport Layer Security) and proposes combining it with PKI (Public Key Infrastructure) to provide the security guarantee for the WAP protocol. This solution mainly solves WAP's security problems at the transport layer; it is a wireless mobile IP protocol proposed by mobile phone manufacturers and others, has compatibility problems with other mainstream wireless IP technologies such as IEEE 802.11 (the wireless LAN standard), and is therefore not a general broadband wireless IP security architecture.
4. The 3GPP security architecture is built on the basis of third-generation (3G) mobile communication. Its security is concentrated mainly on the authentication, authorization and accounting (AAA) functions of mobile telephone equipment, and its security technology is built at the access level, so its generality is poor; it cannot meet the overall security requirements of future mobile IP and cannot solve problems such as AAA for wireless mobile PCs (Personal Computers) under IEEE 802.11.
It can be seen that none of the above security architectures can meet the security requirements of a future BWIP network. A new security architecture and security implementation method need to be designed that not only meet the security performance needs of the BWIP network but also give the system good authentication, authorization and accounting functions, while taking good account, in realizing these functions, of the relatively weak processing capability of mobile devices in the BWIP network.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art: according to the security needs of broadband wireless IP networks, and combining security implementation technologies such as network management functions, cryptographic computation, public key infrastructure, secure IP and authentication, authorization and accounting (AAA), the component-reuse idea of software engineering is adopted to organically gather each function of the security system together, providing a broadband wireless IP network security architecture and security implementation method that solves the security problems of future BWIP networks as a whole and meets the needs of broadband wireless IP network services.
The technical scheme of the invention realizes an overall security mechanism for broadband wireless IP networks at the network layer. The broadband wireless IP network security architecture comprises a BWIP security system, a BWIP security execution system, a BWIP network management system and an external security support system. The BWIP security system is the core system of the security architecture; it carries out encryption and decryption, security computation, authentication, authorization, accounting and secure data management in the network, and is composed of a crypto engine CE, a security environment database SEDB, a security environment manager SEM, an authentication, authorization and accounting engine AAAE, a policy database PDB, a policy manager PM, an audit database ADB, an audit manager AM, a credential database CDB and a credential manager CM. The components act as follows:
The crypto engine CE provides the different cryptographic algorithms;
The security environment database SEDB stores the various encryption keys;
The security environment manager SEM manages the keys in SEDB;
The authentication, authorization and accounting engine AAAE authenticates mobile subscribers and carries out access authorization and accounting operations according to their different roles; AAAE relies on CE and SEDB for the necessary cryptographic operations;
The policy database PDB stores policy data that controls the behaviour of the different roles operating on the BWIP network;
The policy manager PM manages PDB;
The credential database CDB holds the users' credential data;
The credential manager CM manages CDB;
The audit database ADB holds the log records related to security activity;
The audit manager AM processes the logs of the security function components;
The BWIP security execution system is the main system of the security architecture and the security processing interface between the security architecture and the internal and external networks; it is composed of a policy enforcement engine PEE, an authentication, verification and integrity engine AVIE and a resource control framework RCF. The components act as follows:
The policy enforcement engine PEE controls all incoming requests from the Internet and decides whether to accept or intercept them, and filters the packets flowing from the intranet to the Internet, deciding whether to drop, bypass or encapsulate them;
The authentication, verification and integrity engine AVIE performs digital signature checking, data origin authentication and integrity checking on packets flowing in from the Internet, and applies secure encapsulation to outgoing packets;
The resource control framework RCF controls, manages and monitors system resources, provides the various environment variables, and provides the time base for the audit database ADB;
The external security support system is part of the public key infrastructure PKI and is composed of a certification authority CA, an authorization authority AA and a public credential repository CP, where:
The certification authority CA accepts online certificate requests; signs, examines and produces certificates; issues them; archives and revokes them; renews them; backs up and recovers keys; and performs cross-certification, providing the authentication component of AAAE with proof of a user's authenticity. CA is independent of the security architecture and is a generally recognized secure and trusted authority;
The authorization authority AA grants legitimate users the right to use system resources;
The public credential repository CP holds the information proving that a user genuinely has the right to use a resource;
The data-call relationships between the systems are as follows: the BWIP network management system sets policies for the BWIP security system, presets shared symmetric keys, sets charging rates, discount periods and user credential information, and monitors the resource control framework of the BWIP security execution system; the BWIP security execution system calls the components of the BWIP security system to examine and filter all incoming and outgoing BWIP packets and connection requests, deciding whether to allow or forbid them; the BWIP security system accesses the external security support system to obtain mobile subscribers' public key certificates and credential information, and caches that data in the security environment database SEDB and the credential database CDB for later use, to improve the operating efficiency of the system; the BWIP security system and the external security support system together provide the decision basis for the BWIP security execution system;
The method of realizing broadband wireless IP network security with the BWIP network security architecture uses cryptographic algorithms to process outgoing and incoming data, realizing confidentiality, integrity and authentication, authorization and accounting (AAA) services for the network. The confidentiality service encrypts outgoing data and decrypts incoming data; the integrity service encapsulates outgoing data in AVIE and has AVIE perform integrity checks on incoming data; the AAA service performs two-way authentication, authorization and accounting on outgoing and incoming packets.
The above security implementation method comprises the security processing and secure encapsulation flows for outgoing network data, the security processing flow for incoming network data, and the authentication, authorization and accounting (AAA) processing flow for outgoing and incoming data. Through these flows, confidentiality, integrity and AAA services, including a non-repudiation service, are realized for the broadband wireless IP network.
Compared with the prior art, the invention has the following characteristics:
1. Strong generality: the invention fully takes into account the security requirements and security functions of broadband wireless IP networks and realizes a network-level security solution; on the premise of retaining all present wireless Internet technologies, it brings them all into the security architecture, improving the security and practicality of broadband wireless IP networks;
2. Complete functions: present security architectures each realize security technology and security needs from a different aspect; the invention looks to the future development of broadband wireless IP network security systems, organically integrates the functions such a system should possess, and gives a detailed analysis and implementation process for each major function;
3. Good openness: a modular design method is adopted, which facilitates software reuse between the system components; the system is flexible and convenient for extension with future new technologies and new algorithms;
4. Good transparency: the invention realizes the security of broadband wireless IP networks at the network level, designed as network infrastructure, with the corresponding security services provided by the network provider, so the security architecture is transparent to the user; the security mechanisms of the application and transport layers are used directly, so the architecture is transparent to the upper layers;
5. The invention can meet standard requirements and can provide the broadband wireless IP network with confidentiality, integrity and authentication, authorization and accounting (AAA) services, including a non-repudiation service;
The invention integrates the AAA and PKI functions and takes into account the requirements of mobile subscribers, mobile operators and Internet providers; once put into use it will bring good economic benefits to the future BWIP.
Description of drawings
Fig. 1 shows the position at which the BWIP security architecture is realized;
Fig. 2 is the BWIP network security architecture model;
Fig. 3 is the flow chart for processing outgoing packets in the BWIP security architecture;
Fig. 4 is the outgoing data encapsulation flow of the BWIP security architecture;
Fig. 5 is the flow chart for processing incoming packets in the BWIP security architecture;
Fig. 6 is the AAA processing flow in the BWIP security architecture;
Embodiment
Referring to Fig. 1, the TCP/IP (Transmission Control Protocol/Internet Protocol) stack comprises the application layer, transport layer, network layer and link layer. In Fig. 1 the broadband wireless IP network security architecture sits at the network layer of the TCP/IP stack, i.e. it is a network-level security technology. The two uppermost layers are the application layer and transport layer of the TCP/IP stack; the security architecture uses the security mechanisms of these two layers directly and is therefore transparent to the upper layers. The bottom of Fig. 1 corresponds to the link-to-host layer of the TCP/IP protocol and supports existing and future broadband wireless access technologies, the representative ones being wireless personal area networks WPAN, wireless local area networks WLAN, wireless metropolitan area networks WMAN and wireless wide area networks WWAN. The invention handles these broadband wireless access link security technologies transparently, bringing them into the security architecture while keeping the characteristics of each access technology. Adopting the standard IPsec protocol makes the architecture applicable not only to IPv4 (Internet Protocol version 4) but also to the future IPv6 (Internet Protocol version 6) environment, giving the invention good extensibility and compatibility and making it equivalent to network security infrastructure.
Referring to Fig. 2, the security architecture of the invention is composed of the BWIP security system, the BWIP security execution system, the BWIP network management system and the external security support system. The BWIP security system is the core system of the BWIP security architecture: it carries out encryption and decryption, message authentication code MAC security computation, authentication, authorization and accounting in the broadband wireless IP network, and is also the system responsible for managing encryption keys, trust relationships and security policy. It is composed of the crypto engine CE, security environment database SEDB, security environment manager SEM, authentication, authorization and accounting engine AAAE, policy database PDB, policy manager PM, audit database ADB, audit manager AM, credential database CDB and credential manager CM. The function of each component is:
The crypto engine CE (Crypto Engine) provides the different cryptographic algorithms, such as symmetric encryption/decryption, asymmetric encryption/decryption and hash operations, supplying encryption/decryption computing services to the other components of the system;
The security environment database SEDB (Security Environment Database) stores the various encryption keys for use by CE, such as the public/private key pair of the mobile node MN, the keys between MN and every communicating entity (MN-FA, MN-HA etc.) negotiated by the Internet key exchange IKE, and the security associations SA negotiated with the different nodes;
The security environment manager SEM (Security Environment Manager) manages the keys in SEDB, provides both manual configuration of encryption keys and automatic key management, initiates IKE negotiation of keys and SAs, and saves them in SEDB;
The authentication, authorization and accounting engine AAAE (Authentication, Authorization, and Accounting Engine) authenticates mobile subscribers and carries out access authorization and accounting operations according to their different roles; AAAE relies on CE and SEDB for the necessary cryptographic operations. Following the present trend of AAA (authentication, authorization and accounting) becoming wireless network infrastructure, the BWIP security architecture realizes AAAE in the form of an engine. It is equivalent to an agent component that can interact periodically with the other AAA entities in the network to form a hierarchical AAA management system; such offline accounting helps reduce the BWIP network load and improves network efficiency. Placing authentication and authorization in the BWIP security architecture facilitates fine-grained control of authentication and access and improves the flexibility of the BWIP security management system;
The policy database PDB (Policy Database) holds policy data used to control the behaviour of the different roles operating on the BWIP network;
The policy manager PM (Policy Manager) manages PDB and provides authorized users with manual or automatic editing of the policy database, e.g. downloading policy data from a central policy server;
The credential database CDB (Credential Database) holds users' credential data, such as public key certificates and attribute certificates;
The credential manager CM (Credential Manager) manages CDB and provides authorized users with manual or automatic editing of the credential database, e.g. searching for or downloading credential data from an external credential exchange;
The audit database ADB (Audit Database) holds the log records of security-related activity;
The audit manager AM (Audit Manager) processes the logs of the security function components, providing the basis for problem analysis and decision-making.
The BWIP security execution system is the main system and the security processing interface between the security architecture and the internal and external networks; it is composed of the policy enforcement engine PEE, the authentication, verification and integrity engine AVIE and the resource control framework RCF. The function of each component is:
The policy enforcement engine PEE (Policy Enforcement Engine) is the principal component of the security execution system. It controls all incoming requests from the Internet and decides whether to accept or intercept them; packets flowing from the intranet to the Internet are filtered by the PEE filter, which decides whether to drop, bypass or encapsulate them;
The authentication, verification and integrity engine AVIE (Authentication Verification Integrity Engine) performs digital signature checking, data origin authentication and integrity checking on packets flowing in from the Internet, and applies secure encapsulation to outgoing packets;
The resource control framework RCF (Resource Control Frame) controls, manages and monitors system resources and provides the various environment variables, such as the system clock, which gives the audit database ADB its time base;
The BWIP network management system is the man-machine interface for internal security administrators and is composed of configuration management, security management, fault-tolerance management, accounting management and performance management components. The invention extends the security management, accounting management and performance management components. These five management components are equivalent to a user interface: through them, the administrator manages the network effectively and easily by visual means. This management mode separates the network management system from the security system layer, which facilitates modular implementation, makes the realization of the BWIP security architecture more flexible and makes upgrading to new algorithms convenient.
The external security support system is part of the public key infrastructure PKI and is composed of the certification authority CA, the authorization authority AA and the public credential repository CP, where:
The certification authority CA (Certification Authority) is the core component of the PKI system. It accepts online certificate requests; signs, examines and produces certificates; issues them; archives and revokes them; renews them; backs up and recovers keys; and performs cross-certification, providing the authentication component of AAAE with proof of a user's authenticity. CA is independent of the security architecture and is a generally recognized secure and trusted authority;
The authorization authority AA (Authorization Authority) grants legitimate users the right to use system resources, normally in the form of attribute certificates;
The public credential repository CP (Credential Repository) holds the information proving a user's authenticity and right to use resources; it can hold public key certificates, attribute certificates and certificate revocation lists CRL.
In Fig. 2 the dashed frames indicate the service relationships in which the systems make data calls to each other through interfaces. The BWIP security execution system is the window through which the whole security architecture serves the outside: it is responsible for examining and filtering all incoming and outgoing BWIP packets and connection requests and deciding whether to allow or forbid them. The BWIP security execution system calls the components of the BWIP security system so that they provide security services to it. In the course of providing service, when a packet is to be given confidentiality, authentication and other services with a public-key cryptosystem, the BWIP security system also needs to access the external security support system, which supplies the mobile subscriber's public key certificate and credential information; the security system passes this data to AAAE and at the same time caches it in the security environment database SEDB and the credential database CDB, so that when the BWIP security architecture serves the same mobile subscriber again within the validity period it need not access the external security support system again, improving the operating efficiency of the system. Through the cooperation of the BWIP security system and the external security support system, the BWIP security execution system is given a reliable basis for its decisions.
The BWIP network management system is the man-machine interface provided to improve the flexibility of the BWIP security architecture. Through it the security administrator can easily set policies for the security system, preset shared symmetric keys, set charging rates and discount modes, set users' credential information and monitor the system's resources.
By the coordinated operation of the BWIP network management system, BWIP security system, BWIP security execution system and external security support system, the invention realizes the confidentiality, integrity and AAA (authentication, authorization, accounting) services of the broadband wireless IP network, including the non-repudiation service and the other security services.
The security services of the BWIP network are realized through the processing of packets flowing into and out of the network system, and the components of the security architecture are organized together according to the needs of the security functions. The method of realizing security with the BWIP network security architecture is described below with reference to the drawings. In Figs. 3 to 6, solid lines represent the control flow in the BWIP security architecture and dashed lines represent the data calls and data interaction between the different system components.
Referring to Fig. 3, when the transport layer of a system node or the intranet delivers a data message to be sent to the external network, the BWIP network security architecture processes the outgoing packet as follows:
1. The filter in the policy enforcement engine PEE filters the packet: the filter asks the policy manager PM to query the policy database PDB with the packet's IP address and interface, and obtains the processing policy;
2. Coarse policy processing: if the security policy is "drop", PEE simply drops the packet and passes the processing information to the audit manager AM, which records it in the audit database ADB. If the policy is "bypass", the packet does not need security processing (for instance management signalling within part of the BWIP network), so PEE hands it directly to the IP layer for IP encapsulation and the IP layer forwards it. If the policy is "encapsulate", PEE hands the packet to the authentication, verification and integrity engine AVIE;
3. AVIE performs secure encapsulation: AVIE first asks the security environment manager SEM whether a corresponding security association SA for this communicating entity exists in the security environment database SEDB. If no SA exists or the SA has expired, SEM initiates the key agreement protocol IKE to negotiate the SA, the encryption/decryption key, the hash key, the cipher algorithm and the authentication algorithm. If the security negotiation fails, the packet is dropped and the negotiation result is passed to the audit manager AM, which records it in the audit database ADB; if it succeeds, the negotiated data is first saved in SEDB and the result is returned to AVIE;
4. AVIE asks the authentication, authorization and accounting engine AAAE to perform the corresponding AAA operation, and AAAE returns the result to AVIE. Because the AAA operation is a complex process it is shown shaded in Fig. 3. On receiving the result from AAAE, AVIE first passes it to the audit manager AM, which records it in ADB so that system security administrators can inspect the log and improve the security policy;
5. AVIE handles AAAE's result: if the AAA operation failed, AVIE simply drops the packet and records this in the audit database ADB; if it succeeded, the system allows the packet to leave the network;
6. AVIE asks the security environment manager SEM to call the crypto engine CE, and CE performs the corresponding secure encapsulation according to the SA parameters in the security environment database SEDB. The CE operation is also a complex process and is shown shaded in Fig. 3. When CE has encapsulated the data, it returns the result to AVIE;
7. AVIE hands the encapsulated packet directly to the IP layer, which adds a new IP header and either places it in the IP forwarding queue or sends it directly into the Internet.
Referring to Fig. 4, the secure encapsulation of a packet that Fig. 3 allows to leave the network (or the security system) proceeds as follows. AVIE hands the transport-layer packet to be encapsulated to the security context manager SEM, and SEM invokes the crypto engine CE to encapsulate it:
1. CE first preprocesses the data: because the encryption is performed in blocks, an initialization vector IV and padding characters are added so that the length is an integer multiple of the cipher block size. The preprocessed message is denoted M (Message);
2. CE retrieves from SEDB the security processing parameters corresponding to this SA, comprising the encryption key K1, the hash key K2, the signature key K3, the sequence number SN and the security parameter index SPI;
3. CE encrypts the message M; the encrypted encapsulation payload is denoted f(M, K1). The sequence number SN and the security parameter index SPI are inserted into the header format of the tunneling protocol to form the encapsulation header. Concatenating the encapsulation header and the encapsulation payload realizes the confidentiality service of the BWIP security architecture;
4. CE then hashes the encapsulated data with the hash key K2 and the hash algorithm specified in the SA (Fig. 4), realizing the integrity service; the result is denoted MAC = h(encapsulation header, encapsulation payload, K2);
5. Because some protocols also require the message to be digitally signed, CE additionally signs the generated message authentication code MAC with the signature key K3. The signature service is optional; the signature over the MAC is denoted S(MAC, K3) and realizes non-repudiation;
6. After completing the above secure encapsulation, CE concatenates the encapsulation header, the encapsulation payload and the (signed) MAC and hands the result to the IP layer for IP encapsulation, that is, a new IP header is added to form an IP packet, which is placed in the IP forwarding queue awaiting forwarding.
At this point the BWIP security architecture has completed the security processing of an outgoing packet.
After the sender has performed security processing on a packet in the BWIP network security architecture, the receiver must perform the corresponding security operations.
Referring to Fig. 5, the BWIP network security architecture processes incoming data at the receiver as follows:
1. The authentication, verification and integrity checking engine AVIE receives an IP packet from the Internet and, using the security parameter index SPI in the encapsulation header, requests the security context manager SEM to query the security context database SEDB;
2. The validity of the SPI is determined: if the SPI does not exist or has passed its validity period, AVIE discards the packet directly and records this in the log database ADB;
3. If the SPI is valid, AVIE requests SEM to invoke the crypto engine CE to perform the integrity check first, to determine whether the packet has been actively attacked in transit. AVIE's integrity check of the packet consists of three steps:
In the first step, CE is requested to perform the cryptographic computation that recovers the protected message authentication code MAC; to do so CE obtains the decryption key from SEDB, and the result is the hash value sent by the sender. If the protocol specifies that the MAC is digitally signed, SEM must also call the external security support system, obtain the mobile user's valid certificate from the certificate authority CA, and verify the signature on the MAC with the public key in the certificate. If verification fails, AVIE is notified together with the reason for the failure; if it succeeds, the recovered MAC is returned to AVIE;
In the second step, AVIE requests CE to compute the hash value of the packet with the negotiated hash function and return it to AVIE;
In the third step, AVIE compares the recovered hash value with the recomputed hash value: if they are equal the integrity check succeeds, otherwise it fails.
If the integrity check fails, AVIE automatically discards the incoming packet and records the integrity check information in ADB;
4. If the integrity check succeeds, AVIE requests the authentication, authorization and accounting engine AAAE to perform the corresponding AAA operation and receives the result from AAAE;
5. The result returned by AAAE is passed to the log manager AM, which records it in ADB so that system security administrators can review the log and refine the security policy;
6. AVIE handles the result returned by AAAE: if the AAA operation failed, AVIE simply discards the packet and records this in ADB; if the AAA operation succeeded, the system allows the packet to access the network, and AVIE requests SEM to invoke the crypto engine CE;
7. CE decrypts the encapsulation payload according to the SA parameters in SEDB (decryption is placed late in the flow because it is costly and time-consuming; deferring it until the packet has passed the integrity and AAA checks improves the processing efficiency of the system). AVIE then passes the decrypted plaintext message to the mandatory policy control engine PEE;
8. PEE requests the policy manager PM to query the policy database PDB, and PEE checks the security processing policy and access mode returned by the query;
9. If the packet conforms to local policy it is forwarded to the internal intranet or to the upper protocol layers; otherwise the plaintext message is discarded and the event is recorded in ADB. At this point the confidentiality and integrity services for incoming data have also been realized.
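The following Python example is added here by the editor; it is not code from the patent or its authors. It implements the outgoing encapsulation of Fig. 4 and the incoming checks of Fig. 5 in one module so the two halves can be run against each other: padding to the block size with an IV, an encapsulation header of SPI and SN, the encryption f(M, K1), the MAC h(encapsulation header, encapsulation payload, K2), and on receipt the SPI validity check, the integrity check before decryption, and decryption last. Assumptions of the example: the security context database SEDB is a dictionary with fixed demo keys; f(M, K1) is modelled with HMAC-SHA256 in counter mode because the Python standard library has no block cipher; the optional signature S(MAC, K3) and the AAA and PEE stages are left out; and a sequence-number replay check, which the description does not spell out, is added where a practitioner would put it. The MAC comparison uses a constant-time compare, which the description does not mention either.

```python
import hashlib
import hmac
import os
import struct
import time

BLOCK = 16    # cipher block size assumed for the IV/padding step (Fig. 4, step 1)
MAC_LEN = 32  # HMAC-SHA256 output length used for h(header, payload, K2)

# Constructed security context database SEDB, keyed by SPI. In the architecture
# these parameters are negotiated by IKE; fixed demo keys are used here so the
# example runs offline.
SEDB = {
    0x1001: {
        "K1": bytes([0x11]) * 32,          # encryption key
        "K2": bytes([0x22]) * 32,          # hash key
        "expires": time.time() + 3600,     # SA validity period
        "sn": 1,                           # next outbound sequence number
        "last_sn": 0,                      # highest inbound SN accepted
    }
}


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(k1, iv, nbytes):
    """Stand-in for the cipher f(M, K1): HMAC-SHA256 driven in counter mode.
    This is an assumption of the example; a real crypto engine CE would use
    the SA-negotiated block cipher (e.g. AES) here."""
    out = b""
    ctr = 0
    while len(out) < nbytes:
        out += hmac.new(k1, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:nbytes]


def preprocess(data):
    """Fig. 4, step 1: pad so the message is a multiple of the block size."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(m):
    n = m[-1]
    if n < 1 or n > BLOCK or m[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return m[:-n]


def encapsulate(spi, data):
    """CE outgoing path (Fig. 4): header(SPI, SN) || IV || f(M, K1) || MAC.
    The optional signature S(MAC, K3) is not modelled."""
    sa = SEDB[spi]
    m = preprocess(data)
    iv = os.urandom(BLOCK)                       # IV travels in clear with the payload
    header = struct.pack(">II", spi, sa["sn"])   # encapsulation header: SPI and SN
    sa["sn"] += 1
    payload = iv + _xor(m, _keystream(sa["K1"], iv, len(m)))
    mac = hmac.new(sa["K2"], header + payload, hashlib.sha256).digest()
    return header + payload + mac


def process_inbound(pkt, now=None):
    """AVIE/CE incoming path (Fig. 5) without the AAA and PEE stages.
    Returns ("accept", plaintext) or ("drop", reason); drops are what AVIE
    would record in the log database ADB."""
    now = time.time() if now is None else now
    if len(pkt) < 8 + BLOCK + MAC_LEN:
        return ("drop", "malformed")
    spi, sn = struct.unpack(">II", pkt[:8])
    sa = SEDB.get(spi)
    if sa is None or now > sa["expires"]:          # step 2: SPI missing or expired
        return ("drop", "invalid SPI")
    header, payload, mac = pkt[:8], pkt[8:-MAC_LEN], pkt[-MAC_LEN:]
    expected = hmac.new(sa["K2"], header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):     # step 3: integrity before decryption
        return ("drop", "integrity check failed")
    if sn <= sa["last_sn"]:                        # added: reject a replayed SN
        return ("drop", "replay")
    sa["last_sn"] = sn
    iv, body = payload[:BLOCK], payload[BLOCK:]
    try:                                           # step 7: decrypt only after the checks
        data = _unpad(_xor(body, _keystream(sa["K1"], iv, len(body))))
    except ValueError:
        return ("drop", "bad padding")
    return ("accept", data)
```

Drops are returned as a reason string rather than written anywhere, so the caller in AVIE's position decides what to record in ADB; a tampered byte anywhere in the header or payload is rejected before any decryption work is spent on it.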
The mandatory policy control engine PEE of the present invention performs policy checking on the plaintext message, which helps filter packet contents and improves the security of the BWIP network system.
The present invention performs AAA operations on both incoming and outgoing packets. This serves the need for bidirectional traffic accounting in the BWIP network and at the same time realizes access control better, which helps improve the availability of the BWIP security architecture.
Referring to Fig. 6, the authentication, authorization and accounting (AAA) processing of the BWIP security architecture is implemented as follows:
I. Authentication
1. The authentication, verification and integrity checking engine AVIE requests the authentication, authorization and accounting engine AAAE to perform the AAA operation;
2. After AAAE receives the request, its authentication component uses the crypto engine CE to authenticate the packet's data source and the user's identity based on the security parameter index SPI carried in the request packet. Authentication may use either of the following modes:
Authentication mode one: authentication with a preset shared symmetric key
The crypto engine CE retrieves the pre-negotiated symmetric key and algorithm from the security context database SEDB according to the security association SA and performs the corresponding cryptographic operation, thereby establishing the authenticity of the user identity and the information source;
Authentication mode two: authentication with a public-key system
The crypto engine CE first queries the security context database SEDB. If the relevant information such as the public key is not present, CE accesses the external security support system through the security context manager SEM and obtains the mobile user's public key certificate, credit information and authorization information from the certificate authority CA, the public credit database CP and the authorization authority AA respectively. While saving these data to SEDB, SEM also requests the credit manager CM to save the mobile user's credit information in the credit database CDB, so as to speed up the subsequent authorization process or the next time the BWIP security architecture provides AAA service to this mobile user within the validity period. After CE has obtained the user's public key, it performs the cryptographic computation on the signature information with the user's public key and returns the result to the authentication component of AAAE, which verifies and compares the digital signature, thereby realizing user authentication or data-source authentication.
3. If authentication fails, the authentication component terminates the AAA process and returns an authentication failure message to AVIE through AAAE;
4. If authentication succeeds and authorization is required, the authorization component performs the authorization operation. The purpose of the authorization service is to prevent unauthorized use of resources: a network entity may not send security information to another network entity without approval, and an unauthorized user cannot obtain security information or network resources from inside the network.
II. Authorization
1. The authorization component makes the authorization decision based on the name of the requested mobile object and the information supplied by AVIE. This information is used, in the form of an "index code", to retrieve the corresponding policy from the policy database PDB and the corresponding credit from the credit database CDB or the public credit database CP. The authorization component also requests environment variables from the mobile architecture, including the system clock and the resource-monitoring component of the resource control framework RCF;
2. After collecting all the required information, the authorization component performs the authorization operation on the data according to its internal rules and produces the result in the concise form "request authorized" or "authorization denied";
3. If authorization fails, the authorization component returns the "authorization denied" message to AVIE through AAAE; AVIE records "authorization denied" in ADB and discards the packet;
4. If authorization succeeds and accounting is required, control of the system passes to the accounting module, which continues with the corresponding accounting process.
III. Accounting
1. The accounting operation generates, according to the requester's identity ID, a record carrying the user ID, the access time, the access destination, the amount of information accessed and similar information, and deposits it in the accounting database of AAAE, completing the accounting service of the AAA service;
2. After the accounting component has completed the accounting task for the user, AAAE returns the processing result to AVIE, and AVIE also records the operation information in the log database ADB. The advantage of this dual record is that it helps resolve billing disputes.
Through the above incoming and outgoing security processing, the BWIP network security architecture can well realize the various security services required by present BWIP networks.
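The following Python example is added by the editor and is not part of the patent; it runs the Fig. 6 flow end to end with authentication mode one (preset shared symmetric key): the authentication component verifies the request, the authorization component draws on the policy database PDB, the credit database CDB and the clock that the resource control framework RCF would supply, and the accounting component writes its record while a second copy goes to the log database ADB. The record layouts of SEDB, PDB, CDB and the accounting database, the "idx-<user>" index code format, the concrete policy rules (permitted destinations, an hour-of-day window, a minimum credit) and the HMAC request tag are all assumptions of the example, since the description names the components but not their data.

```python
import hashlib
import hmac
import time

# Constructed databases with demo contents; the patent defines the components
# but not their record formats, which are assumptions of this example.
SEDB = {0x1001: {"user": "ms-01", "K_auth": bytes([0x33]) * 32}}   # preset shared key per SA
PDB = {"idx-ms-01": {"dest": {"10.0.0.5", "10.0.0.9"}, "hours": (8, 20), "min_credit": 10}}
CDB = {"idx-ms-01": {"credit": 42}}
ACCOUNTING_DB = []   # AAAE accounting database
ADB = []             # log database, written through AM on AVIE's behalf


def auth_tag(k_auth, spi, user):
    """Authentication mode one: the request is tagged with an HMAC under the
    preset shared symmetric key of the SA identified by SPI."""
    return hmac.new(k_auth, spi.to_bytes(4, "big") + user.encode(), hashlib.sha256).digest()


def make_request(spi, user, dest):
    """Mobile user side: build a request carrying SPI, user ID, destination and tag."""
    return {"spi": spi, "user": user, "dest": dest,
            "tag": auth_tag(SEDB[spi]["K_auth"], spi, user)}


def authenticate(req):
    """Authentication component: verify data source and user identity via CE."""
    sa = SEDB.get(req["spi"])
    if sa is None or sa["user"] != req["user"]:
        return False
    return hmac.compare_digest(auth_tag(sa["K_auth"], req["spi"], req["user"]), req["tag"])


def authorize(req, now):
    """Authorization component: policy from PDB, credit from CDB, clock from RCF."""
    index_code = "idx-" + req["user"]
    policy, credit = PDB.get(index_code), CDB.get(index_code)
    if policy is None or credit is None:
        return "authorization denied"
    hour = time.gmtime(now).tm_hour
    start, end = policy["hours"]
    if not start <= hour < end:
        return "authorization denied"
    if req["dest"] not in policy["dest"]:
        return "authorization denied"
    if credit["credit"] < policy["min_credit"]:
        return "authorization denied"
    return "request authorized"


def account(req, now, nbytes):
    """Accounting component: record user ID, access time, destination, volume."""
    record = {"user": req["user"], "time": now, "dest": req["dest"], "bytes": nbytes}
    ACCOUNTING_DB.append(record)
    return record


def aaa(req, now=None, nbytes=0):
    """Fig. 6 flow as invoked by AVIE. Returns (allowed, reason); every outcome
    is also written to ADB, giving the dual record the description relies on."""
    now = time.time() if now is None else now
    if not authenticate(req):
        ADB.append({"event": "authentication failed", "user": req["user"], "time": now})
        return (False, "authentication failed")
    decision = authorize(req, now)
    if decision != "request authorized":
        ADB.append({"event": decision, "user": req["user"], "time": now})
        return (False, decision)
    record = account(req, now, nbytes)
    ADB.append({"event": "accounted", **record})     # second copy of the accounting record
    return (True, decision)
```

The three stages are kept as separate functions in the order the description fixes them: a request that fails authentication never reaches the policy or credit lookups, and only an authorized request produces an accounting record.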

Claims (6)

1. A broadband wireless IP network (BWIP) security architecture, characterized in that it realizes a general security mechanism for the broadband wireless IP network at the network layer and comprises a BWIP security system, a BWIP security execution system, a BWIP network management system and an external security support system;
The BWIP security system performs encryption and decryption, security computation, authentication, authorization, accounting and secure data management in the network, and consists of a crypto engine CE, a security context database SEDB, a security context manager SEM, an authentication, authorization and accounting engine AAAE, a policy database PDB, a policy manager PM, a log database ADB, a log manager AM, a credit database CDB and a credit manager CM. The role of each component is:
The crypto engine CE provides the different cryptographic algorithms;
The security context database SEDB stores the various encryption keys;
The security context manager SEM manages the keys in SEDB;
The authentication, authorization and accounting engine AAAE performs authentication, access authorization and accounting for the mobile user, and relies on CE and SEDB for the necessary cryptographic operations;
The policy database PDB stores the data that controls the mobile user's operations on the BWIP network;
The policy manager PM manages PDB;
The credit database CDB stores the users' credit data;
The credit manager CM manages CDB;
The log database ADB stores the log records related to security activity;
The log manager AM handles the logs of the security function components;
The BWIP security execution system is the security processing interface between the security architecture and the internal and external networks, and consists of a mandatory policy control engine PEE, an authentication, verification and integrity checking engine AVIE and a resource control framework RCF. The role of each component is:
The mandatory policy control engine PEE controls all incoming requests from the Internet, deciding whether to accept or block them, and filters packets flowing out of the intranet to the Internet, deciding whether to discard, bypass or encapsulate them;
The authentication, verification and integrity checking engine AVIE performs digital signature checking, data-source authentication and integrity checking on packets flowing in from the Internet, and performs secure encapsulation on outgoing packets;
The resource control framework RCF controls, manages and monitors system resources, provides the various environment variables, and provides the time base for the log database ADB;
The external security support system is part of a public key infrastructure PKI and consists of a certificate authority CA, an authorization authority AA and a public credit database CP, wherein:
The certificate authority CA accepts online certificate requests; signs, examines and produces certificates; publishes, archives and revokes certificates; renews certificates; backs up and recovers keys; and performs cross-certification. It provides proof of user authenticity to the authentication component of AAAE. CA is independent of the security architecture and is a generally recognized secure and trusted authority;
The authorization authority AA grants legitimate users the right to use system resources;
The public credit database CP stores the information proving a user's genuine right to use resources;
The data call relationships between the systems are: the BWIP network management system performs policy setting on the BWIP security system, presets shared symmetric keys, sets tariffs, discount periods and user credit information, and monitors the resources of the BWIP security execution system; the BWIP security execution system calls the components of the BWIP security system to examine and filter all incoming and outgoing BWIP packets and connection requests and to decide whether to permit or forbid them; the BWIP security system accesses the external security support system to obtain mobile users' public key certificates and credit information, and cooperates with it to provide the decision basis for the BWIP security execution system. Working together, these systems provide the broadband wireless IP network with confidentiality, integrity, authentication, authorization and accounting (AAA) and non-repudiation services.
2. A method of realizing broadband wireless IP network security using the broadband wireless IP network security architecture of claim 1, which processes outgoing and incoming data with cryptographic algorithms to realize the confidentiality, integrity and authentication, authorization and accounting (AAA) services for the network, wherein the confidentiality service encrypts outgoing data and decrypts incoming data; the integrity service encapsulates outgoing data at AVIE and has AVIE check the integrity of incoming data; and the AAA service performs bidirectional authentication, authorization and accounting on outgoing and incoming packets.
3. The method of realizing broadband wireless IP network security according to claim 2, characterized in that the processing of packets flowing out of the BWIP network is implemented as follows:
1) A data message delivered from the transport layer or the intranet of the system node for transmission to the external network is first filtered by the mandatory policy control engine PEE; the PEE filter requests the policy manager PM to query the policy database PDB for the security policy according to the packet's IP address and interface;
2) The security policy is applied: if the policy is "discard", PEE discards the packet and passes the event to the log manager AM, which records it in the log database ADB; if the policy is "bypass", PEE hands the packet to the IP layer for IP encapsulation and the IP layer performs IP forwarding; if the policy is "encapsulate", PEE hands the packet to the authentication, verification and integrity checking engine AVIE for secure encapsulation;
3) AVIE requests the security context manager SEM to query the security context database SEDB for this communicating entity's security association SA; if an SA exists, processing proceeds directly to the next step; if no SA exists or the SA has expired, SEM invokes the key agreement protocol IKE to negotiate the SA, the encryption/decryption key, the hash key, the cipher algorithm and the authentication algorithm; if negotiation fails the packet is discarded and the negotiation information is recorded in the log database ADB; if it succeeds the negotiated data is saved to SEDB and the result is returned to AVIE;
4) AVIE requests the authentication, authorization and accounting engine AAAE to perform the AAA operation, and AAAE returns the result to AVIE;
5) AVIE passes the result returned by AAAE to the log manager AM, which records it in the log database ADB;
6) AVIE handles the result returned by AAAE; if the AAA operation failed, AVIE discards the packet and records this in the log database ADB;
7) If the AAA operation succeeded, AVIE requests the security context manager SEM to invoke the crypto engine CE to perform the secure encapsulation;
8) CE completes the secure encapsulation of the data and returns the result to AVIE, which hands the encapsulated packet directly to the IP layer; the IP layer adds a new IP header and places the packet in the IP forwarding queue or sends it directly to the Internet.
4. The method of realizing broadband wireless IP network security according to claim 2 or 3, characterized in that the secure encapsulation of an outgoing packet that is permitted to leave is performed as follows:
1) The authentication, verification and integrity checking engine AVIE delivers the data to be encapsulated to the security context manager SEM, and SEM invokes the crypto engine CE to securely encapsulate it;
2) CE preprocesses the data, adding an initialization vector IV and padding characters so that the length is an integer multiple of the fixed block size; the preprocessed message is denoted M;
3) CE retrieves from the security context database SEDB the security processing parameters corresponding to this security association SA, comprising the encryption key K1, the hash key K2, the signature key K3, the sequence number SN and the security parameter index SPI;
4) CE encrypts the message M; the encrypted encapsulation payload is denoted f(M, K1). The sequence number SN and the security parameter index SPI are inserted into the header format of the tunneling protocol to form the encapsulation header, realizing the confidentiality service for outgoing data;
5) CE hashes the encapsulated data with the hash key K2 and the hash algorithm specified in the SA, denoted MAC = h(encapsulation header, encapsulation payload, K2), realizing the integrity service for outgoing data;
6) Where the protocol requires the message to be digitally signed, CE signs the generated message authentication code MAC with the signature key K3; the signature over the MAC is denoted S(MAC, K3);
7) CE completes the above secure encapsulation by concatenating the generated encapsulation header, encapsulation payload and signed MAC, and hands the result to the IP layer for IP encapsulation, that is, a new IP header is added to form an IP packet, which is placed in the IP forwarding queue awaiting forwarding.
5. The method of realizing broadband wireless IP network security according to claim 2, characterized in that the BWIP security architecture processes incoming data at the receiver as follows:
1) The authentication, verification and integrity checking engine AVIE receives an IP packet from the Internet and, using the security parameter index SPI in the encapsulation header, requests the security context manager SEM to query the security context database SEDB to determine the validity of the SPI; if the SPI does not exist or has passed its validity period, AVIE discards the packet directly and records this in the log database ADB; if the SPI is valid, AVIE requests SEM to invoke the crypto engine CE to perform the integrity check;
2) CE performs the integrity check on the incoming packet; if the check fails, AVIE automatically discards the packet and records the check information in the log database ADB;
3) If the integrity check succeeds, AVIE requests the authentication, authorization and accounting engine AAAE to perform the AAA operation;
4) AVIE receives the result of the AAAE operation and records it in the log database ADB;
5) AVIE handles the result returned by AAAE; if the AAA operation failed, AVIE discards the packet and records this in the log database ADB; if it succeeded, the system allows the packet to access the network;
6) AVIE requests the security context manager SEM to invoke the crypto engine CE, which decrypts the encapsulation payload according to the security association SA parameters in SEDB;
7) AVIE passes the decrypted plaintext message to the mandatory policy control engine PEE and requests a query of the policy database PDB;
8) PEE checks the security processing policy and access mode returned by the query; if the packet conforms to local policy it is forwarded to the internal intranet or to the upper protocol layers; otherwise the message is discarded and the event is recorded in the log database ADB.
6. The method of realizing broadband wireless IP network security according to claim 2, 3 or 5, characterized in that the authentication, authorization and accounting (AAA) processing is implemented by the following flow:
1) The authentication, verification and integrity checking engine AVIE requests the authentication, authorization and accounting engine AAAE to perform the AAA operation;
2) After AAAE receives the request, its authentication component uses the crypto engine CE to authenticate the packet's data source and the user's identity based on the security parameter index SPI carried in the request packet;
(1) With the preset shared symmetric key method, CE retrieves the pre-negotiated key and algorithm from the security context database SEDB according to the security association SA and performs the corresponding cryptographic operation to establish the authenticity of the user identity and the information source;
(2) With the public-key method, CE first queries the security context database SEDB; if the relevant public key information is not present, it accesses the external security support system through the security context manager SEM and obtains the mobile user's public key certificate, credit information and authorization information from the certificate authority CA, the public credit database CP and the authorization authority AA respectively; while saving these data to SEDB, SEM also requests the credit manager CM to save the mobile user's credit information in the credit database CDB. After CE has obtained the user's public key, it performs the cryptographic computation on the signature information with the user's public key and returns the result to the authentication component of AAAE, which verifies and compares the digital signature to realize user authentication or data-source authentication;
3) If authentication fails, the authentication component terminates the AAA operation and returns the authentication failure to AVIE through AAAE;
4) If authentication succeeds, the authorization component performs the authorization operation;
5) The AAA authorization process decides on the basis of the following data: the authorization component makes the authorization decision from the name of the requested mobile object and the information supplied by AVIE, which is used in the form of an "index code" to retrieve the corresponding policy from the policy database PDB and the corresponding credit from the credit database CDB or the public credit database CP; the authorization component also requests environment variables from the mobile architecture, including the system clock and the resource-monitoring component of the resource control framework RCF;
6) The authorization component collects all the required information and performs the authorization operation according to its internal rules; if authorization fails, it returns the "authorization denied" message to AVIE through AAAE, and AVIE records it in the log database ADB and discards the packet;
7) If authorization succeeds and accounting is required, the AAA accounting component performs the accounting operation;
8) The accounting component generates, according to the requester's identity ID, a record carrying the user ID, the access time, the access destination and the amount of information accessed, and deposits it in the accounting database of AAAE, completing the accounting service of the AAA service;
9) After the accounting component has completed accounting, the processing result of AAAE is returned to AVIE, and AVIE also records this information in the log database ADB; this dual logging helps resolve billing disputes.
Application CNB2004100262119A, filed 2004-06-04 (priority date 2004-06-04): Wide-band wireless IP network safety system structure and realizing method. Granted as CN100358326C; legal status: expired (fee related).

Publications: CN1585405A (application publication, 2005-02-23); CN100358326C (granted patent, 2007-12-26).

Family

ID=34601254

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100262119A Expired - Fee Related CN100358326C (en) 2004-06-04 2004-06-04 Wide-band wireless IP network safety system structure and realizing method

Country Status (1)

Country Link
CN (1) CN100358326C (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100512313C (en) 2007-08-08 2009-07-08 西安西电捷通无线网络通信有限公司 A trusted network connection system for security enhancement
CN101399698A (en) * 2007-09-30 2009-04-01 华为技术有限公司 Safety management system, device and method
CN101594229B (en) * 2009-06-30 2011-06-22 华南理工大学 A trusted network connection system and method based on combined public key
CN102724173A (en) * 2011-07-28 2012-10-10 北京天地互连信息技术有限公司 System and method for realizing IKEv2 protocol in MIPv6 environment
CN108475271B (en) * 2015-10-23 2021-09-14 甲骨文国际公司 Application container of container database
CN105897748B (en) * 2016-05-27 2019-05-10 飞天诚信科技股份有限公司 Symmetric key transmission method and device
CN115701145A (en) * 2021-07-31 2023-02-07 华为技术有限公司 Traffic management method, device, equipment and computer readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1352434A (en) * 2001-11-29 2002-06-05 上海维豪信息安全技术有限公司 Electronic government affairs safety platform system based on trust and authorization service
US20030035548A1 (en) * 2001-08-17 2003-02-20 Netscape Communications Corporation Client controlled data recovery management
CN1444386A (en) * 2001-12-31 2003-09-24 西安西电捷通无线网络通信有限公司 Safe inserting method of wide-band wireless IP system mobile terminal
CN1457587A (en) * 2000-08-15 2003-11-19 维亚克沃公司 Method and apparatus for web-based application service model for security management

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1457587A (en) * 2000-08-15 2003-11-19 维亚克沃公司 Method and apparatus for web-based application service model for security management
US20030035548A1 (en) * 2001-08-17 2003-02-20 Netscape Communications Corporation Client controlled data recovery management
CN1352434A (en) * 2001-11-29 2002-06-05 上海维豪信息安全技术有限公司 Electronic government affairs safety platform system based on trust and authorization service
CN1444386A (en) * 2001-12-31 2003-09-24 西安西电捷通无线网络通信有限公司 Safe inserting method of wide-band wireless IP system mobile terminal

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Design of a new active network security architecture. 黎忠文, 李乐民, 李美蓉. 通信学报 (Journal on Communications), Vol. 25, No. 1, 2004 *
Broadband wireless IP experimental system. 李建东, 刘乃安, 黄振海, 翁继伟. 高技术通讯 (High Technology Letters), No. 7, 2001 *

Also Published As

Publication number Publication date
CN1585405A (en) 2005-02-23

Similar Documents

Publication Publication Date Title
CN110996318B (en) A security communication access system for intelligent inspection robots in substations
CN109088870B (en) Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform
Bonetto et al. Secure communication for smart IoT objects: Protocol stacks, use cases and practical examples
US7448081B2 (en) Method and system for securely scanning network traffic
CN101156352B (en) Authentication method, system and authentication center based on mobile network end-to-end communication
CN101094056B (en) Security system of wireless industrial control network, and method for implementing security policy
WO2004034645A1 (en) Identification information protection method in wlan interconnection
Khan et al. Design and implementation of security gateway for synchrophasor based real-time control and monitoring in smart grid
CN102710605A (en) Information security management and control method under cloud manufacturing environment
US20070199049A1 (en) Broadband network security and authorization method, system and architecture
CN101409619B (en) Flash memory card and realization method of virtual private network key exchange
CN103155512A (en) System and method for providing secured access to services
WO1997000471A2 (en) A system for securing the flow of and selectively modifying packets in a computer network
CN114726523A (en) Password application service system and quantum security capability open platform
CN116633576B (en) Secure and reliable NC-Link agent, control method, device and terminal
CN100358326C (en) Wide-band wireless IP network safety system structure and realizing method
Borselius Multi-agent system security for mobile communication
CN100401706C (en) Access method and system for client end of virtual private network
EP0807347A2 (en) A system for securing the flow of and selectively modifying packets in a computer network
CN101478389B (en) Multi-stage security supporting mobile IPSec transmission authentication method
Markovic Data protection techniques, cryptographic protocols and pki systems in modern computer networks
CN108923923A (en) A kind of design and its implementation of the code key agreement protocol based on trusted third party
Cremonini et al. Security, privacy, and trust in mobile systems and applications
CN113472528B (en) Method and system for safely transmitting data between institutions
Damiani et al. Security, Privacy, and Trust in Mobile Systems

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20071226

Termination date: 20110604