
CN101582810A - Secure state evaluating method, network equipment and network system - Google Patents

Secure state evaluating method, network equipment and network system

Info

Publication number
CN101582810A
Authority
CN
China
Prior art keywords
evaluator
communication entity
evaluation result
information
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2008100975896A
Other languages
Chinese (zh)
Inventor
贾科
尹瀚
任兰芳
刘夫萍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CNA2008100975896A priority Critical patent/CN101582810A/en
Priority to PCT/CN2009/071747 priority patent/WO2009138026A1/en
Publication of CN101582810A publication Critical patent/CN101582810A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the invention disclose a security state evaluation method, a network device and a network system. The security state evaluation method provided by the embodiments of the invention includes: a responder receives a communication request from a requester together with information on the evaluators trusted by the requester; according to that evaluator information, the responder or the requester determines an evaluator trusted by both parties; the responder obtains the evaluator's security state evaluation result for the requester, that result having been produced by the evaluator from security state information supplied by the requester; and the responder responds to the requester's communication request according to the evaluation result. The embodiments of the invention are applicable to security state evaluation of communication entities.

Description

Security state evaluation method, network device and network system
Technical Field
The present invention relates to the field of network technologies, and in particular, to a security status evaluation method, a network device, and a network system.
Background
With the continuous development of network technology, networks keep growing in scale and in range of applications. At the same time, security incidents are becoming more frequent and the network security situation more severe. Terminals such as user hosts, workstations and servers are the start and end points of network data flows and are also the origin of network security incidents. Large numbers of insecure terminals connected to a network not only become targets of attack but can also be exploited by attackers as relays for virus propagation and intrusion, seriously affecting the normal operation of the whole network. The security problems caused by unsafe terminals must therefore be addressed at their source.
The Trusted Computing Group (TCG) promulgated a Trusted Network Connection (TNC) standard for enterprise networks in 2005. The TNC architecture includes: an Access Requester (AR), a Policy Enforcement Point (PEP), a Policy Decision Point (PDP), a Metadata Access Point (MAP), a traffic controller, and a sensor. When the AR requests to access a protected network, the PDP completes the evaluation of the AR security state information according to the security policy configuration of the network, and makes a decision according to the evaluation result. This decision is then passed to the PEP, which responds to the AR's access request.
In the course of implementing the invention, the inventors found the following problem in the prior art:
in the existing TNC architecture, a terminal requesting network access must publish its own security state information to the network side, which then evaluates that information. When the TNC architecture is used to evaluate a terminal's security state, the privacy of the terminal therefore cannot be protected, and the security of the terminal is low.
Disclosure of Invention
On one hand, embodiments of the present invention provide a security status assessment method, which can fully protect privacy of a communication entity, enhance security of the communication entity, and improve flexibility of security status assessment.
The security state evaluation method of the embodiment of the invention adopts the following technical scheme:
a security state assessment method, comprising:
a responder receives a communication request from a requester and information of an evaluator trusted by the requester;
according to the information of the evaluator, the response party or the request party determines the evaluators trusted by both parties;
the response party acquires a security state evaluation result of the evaluator on the request party, wherein the security state evaluation result is acquired by the evaluator according to the security state information from the request party;
and the responder responds to the communication request of the requester according to the evaluation result.
According to the security state evaluation method, the request party and the response party negotiate to determine the evaluator, the evaluator evaluates the request party according to the security state information of the request party, and the response party responds to the request party according to the evaluation result. Compared with the prior art, the requester does not need to publish its security state information to the responder, thereby avoiding attacks on the requester due to leakage of the security state information, fully protecting the privacy of the communication entity, enhancing the security of the communication entity and improving the flexibility of security state evaluation.
On the other hand, embodiments of the present invention provide a network device, which can fully protect privacy of a communication entity, enhance security of the communication entity, and improve flexibility of security status evaluation.
The network equipment of the embodiment of the invention adopts the following technical scheme:
a network device, comprising:
a security status information obtaining unit for obtaining security status information of the first communication entity;
and an evaluation unit, used for evaluating the security state of the first communication entity according to the security state information and sending an evaluation result to a second communication entity communicating with the first communication entity, so that the second communication entity responds to the evaluated communication entity according to the evaluation result.
In the network device according to the embodiment of the present invention, the security status information acquiring unit acquires the security status information of the communication entity to be evaluated, the evaluating unit evaluates the security status of the first communication entity according to the security status information, and sends the evaluation result to the second communication entity, and the second communication entity responds to the evaluated communication entity according to the result. Compared with the prior art, the first communication entity does not need to publish the security state information of the first communication entity to the second communication entity, the fact that the first communication entity is attacked due to leakage of the security state information is avoided, the privacy of the communication entity is fully protected, the security of the communication entity is enhanced, and the flexibility of security state evaluation is improved.
In a third aspect, embodiments of the present invention provide a network system, which can fully protect privacy of a communication entity, enhance security of the communication entity, and improve flexibility of security status evaluation.
The network system of the embodiment of the invention adopts the following technical scheme:
a network system, comprising:
the requesting party is used for requesting the responding party to establish communication and informing the responding party of the information of the trusted evaluator of the requesting party;
the response party is used for receiving the information of the evaluator sent by the requester, determining the evaluators trusted by both parties according to the information of the evaluators, acquiring the evaluation result of the evaluator on the requester, and responding to the requester according to the evaluation result;
and the evaluator is used for acquiring the security state information of the requester and evaluating the security state of the requester to obtain an evaluation result.
In the network system of the embodiment of the invention, the request party and the response party negotiate to determine the evaluator, the evaluator evaluates the request party according to the security state information of the request party, and the response party responds to the request party according to the evaluation result. Compared with the prior art, the requester does not need to publish its security state information to the responder, thereby avoiding attacks on the requester due to leakage of the security state information, fully protecting the privacy of the communication entity, enhancing the security of the communication entity and improving the flexibility of security state evaluation.
In a fourth aspect, embodiments of the present invention provide a security status evaluation method, which can fully protect privacy of a communication entity, enhance security of the communication entity, and improve flexibility of security status evaluation.
The security state evaluation method of the embodiment of the invention adopts the following technical scheme:
a security state assessment method, comprising:
the second communication entity receives a communication request from the first communication entity and information of an evaluator trusted by the first communication entity;
according to the information of the evaluator trusted by the first communication entity, the second communication entity or the first communication entity determines a first evaluator and a second evaluator trusted by both parties;
the second communication entity obtains the evaluation result of the first evaluator on the first communication entity, and the evaluation result of the first evaluator on the first communication entity is obtained by the first evaluator according to the security state information from the first communication entity;
the second communication entity responds to the first communication entity according to the evaluation result;
the first communication entity acquires the evaluation result of a second evaluator on the second communication entity, and the evaluation result of the second evaluator on the second communication entity is acquired by the second evaluator according to the security state information from the second communication entity;
the first communication entity responds to the second communication entity according to the evaluation result.
In the security state evaluation method of the embodiment of the invention, the first communication entity and the second communication entity collaborate to determine their respective evaluators, each evaluator evaluates its assigned communication entity according to that entity's security state information, and each communication entity responds to the other according to the evaluation result. Compared with the prior art, neither communication entity needs to publish its own security state information to the other, attacks on the communication entities caused by leakage of the security state information are avoided, the privacy of the communication entities is fully protected, the security of the communication entities is enhanced, and the flexibility of security state evaluation is improved.
In a fifth aspect, embodiments of the present invention provide a network system, which can fully protect privacy of a communication entity, enhance security of the communication entity, and improve flexibility of security status evaluation.
The network system of the embodiment of the invention adopts the following technical scheme:
a network system, comprising:
the first communication entity is used for sending a communication request to the second communication entity, informing the second communication entity of the information of the self-trusted evaluator, acquiring the evaluation result of the second evaluator on the second communication entity, and responding to the second communication entity according to the evaluation result;
the second communication entity is used for receiving the information of the evaluator from the first communication entity, determining the first evaluator and the second evaluator which are trusted by both parties according to the information of the evaluator trusted by the first communication entity, acquiring the evaluation result of the first evaluator on the first communication entity, and responding to the first communication entity according to the evaluation result;
the first evaluator is used for acquiring the safety state information of the first communication entity and evaluating the safety state of the first communication entity to obtain an evaluation result;
and the second evaluator is used for acquiring the security state information of the second communication entity and evaluating the security state of the second communication entity to obtain an evaluation result.
In the network system of the embodiment of the invention, the first communication entity and the second communication entity collaborate to determine their respective evaluators, each evaluator evaluates its assigned communication entity according to that entity's security state information, and each communication entity responds to the other according to the evaluation result. Compared with the prior art, neither communication entity needs to publish its own security state information to the other, attacks on the communication entities caused by leakage of the security state information are avoided, the privacy of the communication entities is fully protected, the security of the communication entities is enhanced, and the flexibility of security state evaluation is improved.
Drawings
FIG. 1 is a flow chart of a security state assessment method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a security status evaluation method according to an embodiment of the present invention;
FIG. 3 is a flowchart of a security status evaluation method according to an embodiment of the present invention;
FIG. 4 is a flowchart of another security state assessment method according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating a method for evaluating a security status according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a network device according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a network system according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of another network system according to an embodiment of the present invention.
Detailed Description
In order to solve the problem that privacy of a terminal cannot be protected when the terminal is evaluated in the prior art, embodiments of the present invention provide a security state evaluation method, a network device, and a network system.
In order to make the advantages of the technical solutions of the present invention clearer, the present invention is described in detail below with reference to the accompanying drawings and examples.
In all the following embodiments of the present invention, the security status information includes version information of an operating system installed in the communication entity, patch information, firewall version information, antivirus software version information, browser version information, or the like.
In all the following embodiments of the present invention, the types of the requesting party, the responding party, and the communication entity may be a mobile phone, a PDA, a computer, a server, a home appliance, various network devices (such as a network server or a service provider or an application server), an electronic device or a computer-related device, and the like.
In all the following embodiments of the present invention, the type of the network may be a mobile network, a fixed network, a mobile-fixed converged network, a local area network, a metropolitan area network, a wide area network, a peer-to-peer network (P2P), a client/server architecture network (C/S), and the like.
In all the following embodiments of the present invention, the communication request may be a communication request of each layer of the network, including an access request of a physical layer and a link layer, and a service or service request of an application layer.
Embodiments of the present invention provide a security state assessment method, which can fully protect privacy of a communication entity, enhance security of the communication entity, and improve flexibility of security state assessment.
As shown in fig. 1, the security state evaluation method includes:
step 101: a responder receives a communication request from a requester and information of an evaluator trusted by the requester; the communication request and the information of the evaluator can be packaged in the same message or can be packaged and sent respectively;
step 102: according to the information of the evaluator, the response party or the request party determines the evaluators trusted by both parties;
the process by which the responder or requester determines the evaluator that both parties trust may be: the information of the evaluators comprises a plurality of selectable evaluators, and the response party selects and determines evaluators trusted by both parties; or, the response party informs the request party of the self-trusted evaluator, and the request party selects the evaluators trusted by both parties;
step 103: the response party acquires a security state evaluation result of the evaluator on the request party, and the security state evaluation result is acquired by the evaluator according to the security state information from the request party;
step 104: and the responder responds to the communication request of the requester according to the evaluation result.
According to the security state evaluation method, the request party and the response party negotiate to determine the evaluator, the evaluator evaluates the request party according to the security state information of the request party, and the response party responds to the request party according to the evaluation result. Compared with the prior art, the requester does not need to publish its security state information to the responder, thereby avoiding attacks on the requester due to leakage of the security state information, fully protecting the privacy of the communication entity, enhancing the security of the communication entity and improving the flexibility of security state evaluation.
The security status evaluation method is described in detail below with reference to specific embodiments.
Example one:
in this embodiment, a requesting party a requests a network service from a responding party B, after negotiation between both parties, B selects an evaluator C trusted by both parties, and the evaluator C evaluates the security status information of the requesting party a. As shown in fig. 2, the specific implementation process of this embodiment includes the following steps:
step 201: the requester A requests the network service from the responder B, and at the same time the requester A informs the responder B of the information of the evaluators C, D and E trusted by the requester A;
wherein the network service is web browsing or accessing a network domain managed by the responder B.
The requesting party a may send the name of the evaluator to the responding party B in a list manner, or may send the identifier of the evaluator, such as an IP address, a MAC address, and a device identifier, to the responding party B.
Step 202: the responder B directly selects an evaluator C trusted by both parties according to the information of the evaluators C, D and E trusted by the requester A;
step 203: the evaluator C obtains the security state information of the requester A and completes the evaluation of the requester A;
the evaluator C can evaluate the requester a in real time according to the security state information and a security policy of the evaluator C or a security policy of the responder B;
or, the evaluator C directly returns the evaluation result of the requester A that it has previously stored.
Step 204: the responder B obtains the evaluation result of the evaluator C on the requester A;
wherein, the responder B can directly request the evaluator C for the evaluation result of the requester A;
or the evaluator C sends the evaluation result to the requester A, and the requester A sends the evaluation result with the identifier of the evaluator C to the responder B.
Step 205: the responder B responds to the requester A according to the evaluation result;
wherein the response of the responder B to the requester A is one of the following: the responder B allows the requester A full access to the network, the responder B allows the requester A partial access to the network, or the responder B refuses the requester A access to the network.
Example two:
in this embodiment, a requesting party A requests a responding party B to establish communication; after negotiation between both parties, an evaluator C trusted by both parties is selected by A, and the evaluator C evaluates the security status information of the requesting party A. As shown in fig. 3, the specific implementation process of this embodiment includes the following steps:
step 301: same as step 201;
step 302: the responder B informs the requester A of its trusted evaluators C and D;
step 303: the request party A selects an evaluator C trusted by both parties;
step 304: same as step 203;
step 305: same as step 204;
step 306: same as step 205.
Therefore, the security state evaluation method can fully protect the privacy of the communication entity, enhance the security of the communication entity and improve the flexibility of security state evaluation.
The embodiment of the invention provides another security state evaluation method, which can fully protect the privacy of a communication entity, enhance the security of the communication entity and improve the flexibility of security state evaluation.
As shown in fig. 4, the security state evaluation method includes:
step 401: the second communication entity receives a communication request from the first communication entity and information of an evaluator trusted by the first communication entity;
step 402: according to the information of the evaluator trusted by the first communication entity, the second communication entity or the first communication entity determines a first evaluator and a second evaluator trusted by both parties; the first evaluator is responsible for evaluating the security state of the first communication entity, and the second evaluator is responsible for evaluating the security state of the second communication entity.
Step 403: the second communication entity obtains the evaluation result of the first evaluator on the first communication entity, and the evaluation result of the first evaluator on the first communication entity is obtained by the first evaluator according to the security state information from the first communication entity;
step 404: the second communication entity responds to the first communication entity according to the evaluation result;
step 405: the first communication entity acquires the evaluation result of a second evaluator on the second communication entity, and the evaluation result of the second evaluator on the second communication entity is acquired by the second evaluator according to the security state information from the second communication entity;
step 406: the first communication entity responds to the second communication entity according to the evaluation result.
In the security state evaluation method of the embodiment of the invention, the first communication entity and the second communication entity collaborate to determine their respective evaluators, each evaluator evaluates its assigned communication entity according to that entity's security state information, and each communication entity responds to the other according to the evaluation result. Compared with the prior art, neither communication entity needs to publish its own security state information to the other, attacks on the communication entities caused by leakage of the security state information are avoided, the privacy of the communication entities is fully protected, the security of the communication entities is enhanced, and the flexibility of security state evaluation is improved.
The security status evaluation method is described in detail below with reference to specific embodiments.
Example three:
in this embodiment, both the communication entity a and the communication entity B that need to communicate need to know the evaluation result of the other party, the two parties negotiate to determine that the evaluator of the communication entity a is the evaluator C and the evaluator of the communication entity B is the evaluator D, the evaluators C and D respectively complete the evaluation of the communication entity a and the communication entity B, and the two communication parties respond to the request of the other party according to the evaluation result given by the evaluators. As shown in fig. 5, the specific implementation process of this embodiment includes the following steps:
step 501: the communication entity A requests the communication entity B to establish communication, and at the same time informs the communication entity B of the information of the evaluators C, D and E trusted by the communication entity A;
the communication entity a may send the name of the evaluator to the communication entity B in a list, or may send the identifier of the evaluator, such as an IP address, a MAC address, and a device identifier, to the communication entity B.
Step 502: the communication entity B informs the communication entity A of its trusted evaluators C and D;
step 503: the communication entity B selects an evaluator D as an evaluator of the communication entity B;
step 504: the communication entity A selects an evaluator C as an evaluator of the communication entity A;
step 505: the evaluator C completes the evaluation of the communication entity A;
step 506: the evaluator D completes the evaluation of the communication entity B;
step 507: the communication entity B acquires the evaluation result of the evaluator C on the communication entity A;
the evaluation result is obtained by the evaluator C evaluating the communication entity A according to the security state information of the communication entity A;
or the evaluation result is the evaluation result of the communication entity A stored by the evaluator C.
Step 508: the communication entity A acquires an evaluation result of an evaluator D on the communication entity B;
the evaluation result is obtained by the evaluator D evaluating the communication entity B according to the security state information of the communication entity B;
or the evaluation result is the evaluation result of the communication entity B stored by the evaluator D.
Step 509: the communication entity B responds to the communication entity A according to the evaluation result of the evaluator C to the communication entity A;
step 510: the communication entity A responds to the communication entity B according to the evaluation result of the evaluator D on the communication entity B;
step 511: A and B complete the bidirectional evaluation and establish communication between the two parties.
Step 503 may be performed after step 504; step 505 may be performed after step 506, or steps 505 and 506 may be performed simultaneously; step 507 may be performed after step 508, or steps 507 and 508 may be performed simultaneously; step 509 may be performed after step 510.
Example four:
in this embodiment, both the communication entity a and the communication entity B that need to communicate need to know the evaluation result of the other party, after negotiation between both parties, it is determined that the evaluators of the communication entity a and the communication entity B are the same evaluator C, the evaluator C completes evaluation of the communication entity a and the communication entity B, and both communication parties respond to the request of the other party according to the evaluation result given by the evaluator C. The specific implementation process of this embodiment is similar to that of the third embodiment, and is not described herein again.
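The exchanges of figs. 1 to 5 modelled in code, as an added example that is not part of the patent: the class and function names, the evaluator policy (a minimum antivirus version) and all posture values are assumptions. It shows the two negotiation variants (responder chooses, fig. 2; requester chooses, fig. 3), reuse of a stored result (step 203, second branch), the provenance check a responder should make on a relayed result, and the mutual evaluation of Example three.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    """The three responses listed under step 205."""
    FULL = "full access"
    PARTIAL = "partial access"
    DENY = "access refused"


@dataclass
class Posture:
    """Security state information as listed in the description (sample values are constructed)."""
    os_version: str
    patches_current: bool
    firewall_version: str
    antivirus_version: str
    browser_version: str


@dataclass(frozen=True)
class Verdict:
    """Evaluation result, carried together with the evaluator's identifier (step 204)."""
    evaluator: str
    subject: str
    decision: Decision


def _ver(text: str) -> tuple[int, ...]:
    # Compare dotted versions numerically, so "10.0" counts as newer than "5.0".
    return tuple(int(p) for p in text.split("."))


class Evaluator:
    """Trusted third party: the only participant that ever sees raw posture (policy is hypothetical)."""

    def __init__(self, name: str, min_antivirus: str) -> None:
        self.name = name
        self.min_antivirus = min_antivirus
        self._stored: dict[str, Verdict] = {}  # results kept for later reuse (step 203, second branch)

    def evaluate(self, subject: str, posture: Posture) -> Verdict:
        if not posture.patches_current:
            decision = Decision.DENY
        elif _ver(posture.antivirus_version) < _ver(self.min_antivirus):
            decision = Decision.PARTIAL
        else:
            decision = Decision.FULL
        verdict = Verdict(self.name, subject, decision)
        self._stored[subject] = verdict
        return verdict

    def stored_result(self, subject: str) -> Verdict | None:
        return self._stored.get(subject)


@dataclass
class Entity:
    name: str
    trusted: list[str]  # names of the evaluators this entity trusts
    posture: Posture    # never handed to the peer, only to the agreed evaluator


def negotiate(requester_trusted, responder_trusted, responder_chooses=True):
    """Agree on an evaluator both parties trust. With responder_chooses the responder picks
    from the requester's list (fig. 2, step 202); otherwise the requester picks from the list the
    responder announced (fig. 3, step 303). The chooser's own order decides; None means no match."""
    if responder_chooses:
        common = [e for e in responder_trusted if e in requester_trusted]
    else:
        common = [e for e in requester_trusted if e in responder_trusted]
    return common[0] if common else None


def one_way_check(requester, responder, registry, responder_chooses=True):
    """Fig. 1, steps 101 to 104 in one direction: returns the responder's decision and the verdict."""
    chosen = negotiate(requester.trusted, responder.trusted, responder_chooses)
    if chosen is None:
        return Decision.DENY, None
    evaluator = registry[chosen]
    # Step 103/203: a fresh evaluation, or the evaluator's stored result for this requester.
    verdict = evaluator.stored_result(requester.name) or evaluator.evaluate(
        requester.name, requester.posture)
    # The responder checks provenance before acting: the result must name the agreed
    # evaluator and this requester, otherwise a relayed result for someone else could be passed off.
    if verdict.evaluator != chosen or verdict.subject != requester.name:
        return Decision.DENY, verdict
    return verdict.decision, verdict


def mutual_check(a, b, registry):
    """Fig. 5: A is evaluated for B and B for A; communication is established only when
    neither side refuses (step 511)."""
    a_decision, _ = one_way_check(a, b, registry, responder_chooses=True)
    b_decision, _ = one_way_check(b, a, registry, responder_chooses=False)
    established = Decision.DENY not in (a_decision, b_decision)
    return a_decision, b_decision, established
```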
Therefore, the security state evaluation method can fully protect the privacy of the communication entity, enhance the security of the communication entity and improve the flexibility of security state evaluation of the communication entity.
The embodiment of the invention also provides a network device which can fully protect the privacy of the communication entity, enhance the security of the communication entity and improve the flexibility of security state evaluation.
The network device may be a computer, a server, or implemented by software, and may be deployed at a network layer or an application layer.
As shown in fig. 6, the network device includes:
a security status information obtaining unit 601, configured to obtain security status information of a first communication entity;
an evaluating unit 602, configured to perform security status evaluation on the first communication entity according to the security status information and to send the evaluation result to a second communication entity in communication with the first communication entity, so that the second communication entity responds to the evaluated communication entity according to the evaluation result.
In the network device according to the embodiment of the present invention, the security status information obtaining unit 601 obtains the security status information of the communication entity that needs to be evaluated, the evaluating unit 602 evaluates the first communication entity according to the security status information and sends the evaluation result to the second communication entity, and the second communication entity responds to the evaluated communication entity according to that result. Compared with the prior art, the first communication entity does not need to disclose its security state information to the second communication entity, which avoids the first communication entity being attacked because its security state information leaked; the privacy of the communication entity is fully protected, the security of the communication entity is enhanced, and the flexibility of security state evaluation is improved.
As shown in fig. 6, the network device further includes:
the storage unit 603 is configured to store an evaluation result of the evaluated communication entity.
Therefore, the network equipment of the embodiment of the invention can fully ensure the privacy of the communication entity, enhance the safety of the communication entity and improve the flexibility of safety state evaluation.
The embodiment of the invention also provides a network system which can fully protect the privacy of the communication entity, enhance the safety of the communication entity and improve the flexibility of safety state evaluation.
As shown in fig. 7, the network system includes:
the requesting party 701 is used for requesting the responding party to establish communication and informing the responding party of the information of the trusted evaluator of the requesting party;
the responder 702 is configured to receive information of an evaluator sent by the requester, determine, according to the information of the evaluator, an evaluator trusted by both parties, obtain an evaluation result of the evaluator on the requester, and respond to the requester according to the evaluation result;
the evaluator 703 is configured to obtain the security state information of the requestor, and evaluate the security state of the requestor to obtain an evaluation result.
In the network system of the embodiment of the invention, the requesting party and the responding party negotiate to determine the evaluator, the evaluator evaluates the requesting party according to the security state information of the requesting party, and the responding party responds to the requesting party according to the evaluation result. Compared with the prior art, the requester does not need to disclose its security state information to the responder, which avoids the requester being attacked because its security state information leaked; the privacy of the communication entity is fully protected, the security of the communication entity is enhanced, and the flexibility of the security state evaluation is improved.
Wherein the evaluator 703 comprises:
a storage module 704, configured to store the evaluation result of the evaluated requester.
The storage module 704 stores the evaluated results of the requester, and the requester can directly obtain the evaluation results of the evaluator on the requester from the storage module.
Therefore, the network system of the embodiment of the invention can fully protect the privacy of the communication entity, enhance the safety of the communication entity and improve the flexibility of safety state evaluation.
The embodiment of the invention also provides another network system which can fully protect the privacy of the communication entity, enhance the safety of the communication entity and improve the flexibility of safety state evaluation.
As shown in fig. 8, the network system includes:
the first communication entity 801 is configured to send a communication request to the second communication entity, notify the second communication entity of information of an evaluator trusted by the first communication entity, obtain an evaluation result of the second evaluator on the second communication entity, and respond to the second communication entity according to the evaluation result;
the second communication entity 802 is configured to receive information of an evaluator from the first communication entity, determine, according to information of an evaluator trusted by the first communication entity, a first evaluator and a second evaluator trusted by both parties, obtain an evaluation result of the first evaluator on the first communication entity, and respond to the first communication entity according to the evaluation result;
the first evaluator 803 is configured to obtain security status information of the first communication entity, and evaluate the security status of the first communication entity to obtain an evaluation result;
the second evaluator 804 is configured to obtain the security status information of the second communication entity, and evaluate the security status of the second communication entity to obtain an evaluation result.
In the network system of the embodiment of the invention, the first communication entity and the second communication entity negotiate to determine their respective evaluators, each evaluator evaluates the communication entity it is responsible for according to that entity's security state information, and the two communication entities respond to the opposite communication entity according to the evaluation result. Compared with the prior art, neither communication entity needs to disclose its own security state information to the opposite communication entity, which avoids attacks on the communication entities caused by leakage of the security state information; the privacy of the communication entities is fully protected, the security of the communication entities is enhanced, and the flexibility of security state evaluation is improved.
Wherein the first evaluator and the second evaluator respectively comprise:
a storage module 805 for storing the evaluation result of the evaluated communication entity.
The storage module stores the evaluation result of the evaluated communication entity, and one side communication entity can directly obtain the evaluation result of the evaluator on the other side communication entity from the storage module.
Therefore, the network system of the embodiment of the invention can fully protect the privacy of the communication entity, enhance the safety of the communication entity and improve the flexibility of safety state evaluation.
All embodiments of the invention can be applied to network access services of temporary terminals in airports, coffee shops, libraries and other scenes. For example, in an airport, before a notebook, a PDA, or the like of a traveler requests access to a network management server in the airport, in order to protect privacy and security of the traveler, the traveler needs to negotiate with the network management server in the airport to determine a third-party evaluator trusted by both parties, and the third-party evaluator performs security status evaluation on the notebook, the PDA, or the like of the traveler; similarly, in order to protect the airport network management server from being attacked by an illegal access user, the airport network management server negotiates with a notebook computer, a PDA and the like of a traveler to determine a third party evaluator trusted by both parties, and the third party evaluator evaluates the security state of the airport network management server. The third-party evaluator may be a network device such as a server on a network.
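To make the negotiation and evaluation flow of the two network systems above (figs. 7 and 8) and of the method in claims 1 to 9 concrete, the following is an added Python simulation. It is not code from the patent or from Huawei. It assumes constructed evaluator names (C, D), constructed security-state values for the five kinds of information named in claim 6, and, because the patent only says a relayed result carries "the evaluator identification", it additionally assumes that each evaluator tags its results with an HMAC key known to the relying party so that a result forwarded by the requester can be checked for tampering; the keys, the `tag_result` and `result_is_authentic` helpers and the `Entity`/`Evaluator` classes are all hypothetical.

```python
"""Added example: toy simulation of the trusted-evaluator security-state protocol.

The security-state information of an entity is sent only to the evaluator chosen by
both parties, never to the peer; the peer sees only the evaluator's verdict.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Kinds of security-state information named in claim 6; the integer "versions" below
# are constructed sample values for the example only.
FIELDS = ("os_version", "patch_level", "firewall_version", "antivirus_version", "browser_version")


def _canonical(result):
    """Bytes covered by the result tag (assumption: tagging is not in the patent)."""
    return "|".join([result["evaluator"], result["entity"], result["verdict"],
                     ",".join(result["failures"])]).encode()


def tag_result(key, result):
    return hmac.new(key, _canonical(result), hashlib.sha256).hexdigest()


def result_is_authentic(result, evaluator_keys):
    """Check a result the requester relayed itself (claim 5, second alternative)."""
    key = evaluator_keys.get(result.get("evaluator"))
    if key is None:
        return False
    return hmac.compare_digest(tag_result(key, result), result.get("tag", ""))


@dataclass
class Evaluator:
    """Third-party evaluator (703 / 803 / 804) with a storage module (704 / 805)."""
    name: str
    key: bytes                          # hypothetical tagging key
    policy: dict                        # evaluator's own policy (claim 4, first alternative)
    storage: dict = field(default_factory=dict)

    def evaluate(self, entity_id, status, policy=None):
        """Evaluate against the evaluator's policy or one supplied by the responder."""
        pol = policy if policy is not None else self.policy
        failures = sorted(k for k, minimum in pol.items() if status.get(k, 0) < minimum)
        result = {"evaluator": self.name, "entity": entity_id,
                  "verdict": "pass" if not failures else "fail", "failures": failures}
        result["tag"] = tag_result(self.key, result)
        self.storage[entity_id] = result          # kept for later retrieval (claims 3, 8, 9)
        return result

    def stored_result(self, entity_id):
        """Responder asks the evaluator directly (claim 5, first alternative)."""
        return self.storage.get(entity_id)


def choose_common_evaluator(requester_trusted, responder_trusted):
    """Responder picks the first evaluator on both trust lists (claim 2)."""
    for name in requester_trusted:
        if name in responder_trusted:
            return name
    return None


@dataclass
class Entity:
    """Communication entity; `status` is private and goes only to the evaluator."""
    name: str
    trusted: list
    status: dict
    evaluator_keys: dict
    received: dict = field(default_factory=dict)

    def get_evaluated(self, evaluator, policy=None):
        result = evaluator.evaluate(self.name, self.status, policy)
        self.received[evaluator.name] = result
        return result

    def respond_to(self, peer, evaluators, relay=False, policy=None):
        """Respond to peer's communication request using an evaluator trusted by both."""
        ev_name = choose_common_evaluator(peer.trusted, self.trusted)
        if ev_name is None:
            return "reject: no evaluator trusted by both parties"
        ev = evaluators[ev_name]
        if relay:                                  # requester forwards the tagged result
            result = peer.get_evaluated(ev, policy)
            if not result_is_authentic(result, self.evaluator_keys):
                return "reject: unauthenticated evaluation result"
        else:                                      # responder fetches it from the evaluator
            result = ev.stored_result(peer.name) or peer.get_evaluated(ev, policy)
        return "accept" if result["verdict"] == "pass" else "reject: " + ",".join(result["failures"])


def mutual_evaluation(a, b, evaluators):
    """Bidirectional case (embodiments three and four, claims 7 to 9)."""
    return b.respond_to(a, evaluators), a.respond_to(b, evaluators)


def build_sample():
    """Constructed sample: two evaluators and two entities with private status data."""
    evaluators = {
        "C": Evaluator("C", b"example-key-C", {"patch_level": 3, "antivirus_version": 5}),
        "D": Evaluator("D", b"example-key-D", {"firewall_version": 2}),
    }
    keys = {n: e.key for n, e in evaluators.items()}
    a = Entity("A", ["C", "D"], dict(zip(FIELDS, (10, 4, 2, 6, 90))), keys)
    b = Entity("B", ["D"], dict(zip(FIELDS, (10, 1, 1, 5, 88))), keys)
    return a, b, evaluators


if __name__ == "__main__":
    a, b, evs = build_sample()
    print(mutual_evaluation(a, b, evs))
```

`mutual_evaluation` reproduces the figure-8 case: B accepts A (evaluator D passes A's firewall version) while A rejects B, and B never learns A's patch or antivirus versions. Passing `relay=True` exercises the claim 5 path in which the requester carries the result itself; the tag check is what stops a requester from upgrading a "fail" to a "pass" on the way, which is why a defender would insist on such an integrity check even though the patent text only mentions the evaluator identification.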
The above description is only a specific implementation of the embodiments of the present invention, but the scope of the embodiments of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are also included in the scope of the present invention. Therefore, the protection scope of the embodiments of the present invention shall be subject to the protection scope of the claims.

Claims (15)

1. A method for evaluating a security state, comprising:
a responder receives a communication request from a requester and information of an evaluator trusted by the requester;
according to the information of the evaluator, the response party or the request party determines the evaluators trusted by both parties;
the response party acquires a safety state evaluation result of the evaluator on the request party, and the safety state evaluation result is acquired by the evaluator according to the safety state information from the request party;
and the responder responds to the communication request of the requester according to the evaluation result.
2. The security state assessment method of claim 1, wherein the step of the responder or the requester determining an evaluator trusted by both parties comprises:
the responder selects an evaluator trusted by both parties according to the information of the evaluator trusted by the requester; or,
the response party sends the information of the evaluator trusted by the response party to the request party, and the request party selects the evaluator trusted by both parties.
3. The security status evaluation method according to claim 1, wherein the step of obtaining the result of the security status evaluation by the evaluator based on the security status information from the requester comprises:
the evaluator evaluates the requester according to the safety state information; or,
and the evaluator extracts the evaluation result of the requester stored by the evaluator.
4. The security status assessment method according to claim 3, wherein said step of said evaluator assessing said requestor according to said security status information comprises:
the evaluator evaluates the requester according to the security state information and a policy provided by the evaluator; or,
and the evaluator evaluates the requester according to the security state information and a policy provided by the responder.
5. The security status evaluation method according to claim 1, wherein the step of the responder obtaining the result of the security status evaluation of the evaluator on the requester comprises:
the response party requests the evaluation result of the request party from the evaluator; or,
the evaluator sends the evaluation result to the requester, and the requester sends the evaluation result with the evaluator identification to the responder.
6. The security status assessment method according to any one of claims 1 to 5, wherein said security status information comprises:
version information of an operating system installed by the requestor, patch information, firewall version information, antivirus version information, or browser version information.
7. A method for evaluating a security state, comprising:
the second communication entity receives a communication request from the first communication entity and information of an evaluator trusted by the first communication entity;
according to the information of the evaluator trusted by the first communication entity, the second communication entity or the first communication entity determines a first evaluator and a second evaluator trusted by both parties;
the second communication entity obtains the evaluation result of the first evaluator on the first communication entity, and the evaluation result of the first evaluator on the first communication entity is obtained by the first evaluator according to the security state information from the first communication entity;
the second communication entity responds to the first communication entity according to the evaluation result;
the first communication entity acquires the evaluation result of a second evaluator on the second communication entity, and the evaluation result of the second evaluator on the second communication entity is acquired by the second evaluator according to the security state information from the second communication entity;
the first communication entity responds to the second communication entity according to the evaluation result.
8. The security status assessment method according to claim 7, wherein the step of the first evaluator obtaining the assessment result of the first communication entity by the first evaluator based on the security status information from the first communication entity comprises:
the first evaluator evaluates the first communication entity according to the security state information from the first communication entity; or,
the first evaluator retrieves its own stored evaluation of the first communication entity.
9. The security status assessment method according to claim 7, wherein the step of the second evaluator obtaining the assessment result of the second communication entity according to the security status information from the second communication entity comprises:
the second evaluator evaluates the second communication entity according to the security state information from the second communication entity; or,
the second evaluator retrieves its own stored evaluation of the second communication entity.
10. A network device, comprising:
a security status information obtaining unit for obtaining security status information of the first communication entity;
and the evaluation unit is used for evaluating the security state of the first communication entity according to the security state information, sending an evaluation result to a second communication entity communicating with the first communication entity, and responding to the evaluated communication entity by the second communication entity according to the evaluation result.
11. The network device of claim 10, wherein the network device further comprises:
and the storage unit is used for storing the evaluation result of the evaluated communication entity.
12. A network system, comprising:
the requesting party is used for requesting the responding party to establish communication and informing the responding party of the information of the trusted evaluator of the requesting party;
the response party is used for receiving the information of the evaluator sent by the requester, determining the evaluators trusted by both parties according to the information of the evaluators, acquiring the evaluation result of the evaluator on the requester, and responding to the requester according to the evaluation result;
and the evaluator is used for acquiring the security state information of the requester and evaluating the security state of the requester to obtain an evaluation result.
13. The network system according to claim 12, wherein the evaluator comprises:
and the storage module is used for storing the evaluation result of the evaluated request party.
14. A network system, comprising:
the first communication entity is used for sending a communication request to the second communication entity, informing the second communication entity of the information of the self-trusted evaluator, acquiring the evaluation result of the second evaluator on the second communication entity, and responding to the second communication entity according to the evaluation result;
the second communication entity is used for receiving the information of the evaluator from the first communication entity, determining the first evaluator and the second evaluator which are trusted by both parties according to the information of the evaluator trusted by the first communication entity, acquiring the evaluation result of the first evaluator on the first communication entity, and responding to the first communication entity according to the evaluation result;
the first evaluator is used for acquiring the safety state information of the first communication entity and evaluating the safety state of the first communication entity to obtain an evaluation result;
and the second evaluator is used for acquiring the security state information of the second communication entity and evaluating the security state of the second communication entity to obtain an evaluation result.
15. The network system according to claim 14, wherein the first evaluator and the second evaluator comprise:
and the storage module is used for storing the evaluation result of the evaluated communication entity.
CNA2008100975896A 2008-05-15 2008-05-15 Secure state evaluating method, network equipment and network system Pending CN101582810A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNA2008100975896A CN101582810A (en) 2008-05-15 2008-05-15 Secure state evaluating method, network equipment and network system
PCT/CN2009/071747 WO2009138026A1 (en) 2008-05-15 2009-05-12 A safety status estimate method, network apparatus and network system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2008100975896A CN101582810A (en) 2008-05-15 2008-05-15 Secure state evaluating method, network equipment and network system

Publications (1)

Publication Number Publication Date
CN101582810A true CN101582810A (en) 2009-11-18

Family

ID=41318364

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008100975896A Pending CN101582810A (en) 2008-05-15 2008-05-15 Secure state evaluating method, network equipment and network system

Country Status (2)

Country Link
CN (1) CN101582810A (en)
WO (1) WO2009138026A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102215211A (en) * 2010-04-02 2011-10-12 中兴通讯股份有限公司 Communication method, and security policy negotiation method and system for supporting trusted network connect
CN107864677A (en) * 2015-07-22 2018-03-30 爱维士软件私人有限公司 Access to content verifies system and method
CN110162958A (en) * 2018-10-18 2019-08-23 腾讯科技(深圳)有限公司 Method, apparatus and recording medium for calculating comprehensive credit score of device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1536807A (en) * 2003-04-07 2004-10-13 西科姆株式会社 File security transmission system and method thereof
CN100340084C (en) * 2004-04-28 2007-09-26 联想(北京)有限公司 A method for implementing equipment group and intercommunication between grouped equipments
US7716494B2 (en) * 2004-07-15 2010-05-11 Sony Corporation Establishing a trusted platform in a digital processing system

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102215211A (en) * 2010-04-02 2011-10-12 中兴通讯股份有限公司 Communication method, and security policy negotiation method and system for supporting trusted network connect
CN102215211B (en) * 2010-04-02 2016-01-20 中兴通讯股份有限公司 Communication method, and security policy negotiation method and system for supporting trusted network connect
CN107864677A (en) * 2015-07-22 2018-03-30 爱维士软件私人有限公司 Access to content verifies system and method
CN110162958A (en) * 2018-10-18 2019-08-23 腾讯科技(深圳)有限公司 Method, apparatus and recording medium for calculating comprehensive credit score of device
CN110162958B (en) * 2018-10-18 2023-04-18 腾讯科技(深圳)有限公司 Method, apparatus and recording medium for calculating comprehensive credit score of device

Also Published As

Publication number Publication date
WO2009138026A1 (en) 2009-11-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20091118