CN111818057B - Relay distribution transmission system and method for network configuration data - Google Patents

Info

Publication number: CN111818057B
Application number: CN202010658242.5A
Authority: CN (China)
Other versions: CN111818057A (en)
Other languages: Chinese (zh)
Legal status: Active (as listed by Google; the status is an assumption, not a legal conclusion, and no legal analysis was performed)
Prior art keywords: interconnection, configuration data, subsystem, security, management center
Inventors: 陶源, 胡巍, 李末岩
Original and current assignee: Third Research Institute of the Ministry of Public Security (assignee as listed by Google, without warranty)
Priority claimed from application CN202010658242.5A; first published as CN111818057A, then granted and published as CN111818057B

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security (under H04 Electric communication technique, H04L Transmission of digital information); subgroups:
    • H04L63/02 separating internal from external traffic, e.g. firewalls
    • H04L63/0428 confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0823 authentication of entities using certificates
    • H04L63/083 authentication of entities using passwords
    • H04L63/101 controlling access to devices or network resources: access control lists [ACL]
    • H04L63/123 verification of the received information: received data contents, e.g. message integrity
    • H04L63/20 managing network security; network security policies in general
    • H04L69/08 Network arrangements, protocols or services independent of the application payload: protocols for interworking; protocol conversion

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a relay distribution and transmission system and method for network configuration data. In this scheme the centralized security management center is connected to the arbitration subsystem of the two-system security interconnection device and issues the arbitration subsystem's configuration data to it directly. There is no direct data path between the centralized security management center and the transmission subsystem: the transmission subsystem's configuration data is issued by the management center to the arbitration subsystem, which relays it to the transmission subsystem through the internal isolation transmission subsystem. Because the transmission subsystem receives configuration only from the arbitration subsystem over the isolated channel, the scheme protects that configuration data more effectively.

Description

Network configuration data relay distribution and transmission system and method

Technical field

The invention relates to network security technology, in particular to network isolation and to the interconnection of security domains of different levels.

Background

Governments, enterprises and other organizations generally separate their basic information/business networks from their important information/business networks in order to protect the latter and their internal data, but this separation also creates "information islands".

As informatization deepens, interconnection and information sharing between networks of different levels has become one of its important themes, and this places higher demands on the security of cross-level network interconnection.

In the prior art, however, simply deploying firewalls, security gateways and similar devices at the network boundary between systems of different levels does not effectively solve the security problem of interconnection: internal and external networks that are not effectively isolated, and information that lacks the necessary access-control measures while in transit, leave internal systems and data easily damaged by security threats.

Summary of the invention

To address the problems of existing network interconnection technology between systems of different levels, the object of the invention is to provide a relay distribution and transmission system for network configuration data and, based on that system, a relay distribution and transmission method, so that the security of configuration data is guaranteed during resource access.

To this end, the network configuration data relay distribution and transmission system provided by the invention comprises a two-system security interconnection device and a centralized security management center.

The two-system security interconnection device comprises an interconnection arbitration system, an interconnection subsystem and an internal isolation transmission subsystem.

The interconnection arbitration system arbitrates, according to the security labels of subject and object, whether interconnected access may proceed. A subject with credibility-checking capability is introduced into the system; by checking the subject, the object is dynamically adjusted so that the subject and object levels preserve the system's confidentiality while credibility labels and constraints protect its integrity.

The interconnection subsystem, combined with trusted computing, uses a whitelist mechanism to establish a communication path between the security mechanisms that meets the security requirements.

The internal isolation transmission subsystem is a system in which, after the two interconnected parties have verified each other successfully, trusted authentication is performed, and after authentication passes the two parties establish an encrypted transmission mode.

The centralized security management center formulates subject and object security labels for the natural persons, security protection devices and key processes and modules in the application system, converts the subject and object information of the application system according to defined conversion rules, and synchronizes it to the two-system security interconnection device, which enforces mandatory access control according to the labels.

Further, the centralized security management center comprises a back-end management page module, a data storage module and a client agent module.

The back-end management page module is used to manage and configure the centralized security management center.

The data storage module determines, according to the needs of the business system and the importance of each object resource, the security level of every object resource in the system and generates a global object label list; it likewise determines each subject's security label from the user's permissions and roles in the business system and generates a global subject label list.

The client agent module generates subject-related policies according to the requirements of the centralized security management center and executes them on the corresponding computing nodes.

Further, the interconnection arbitration system comprises a configuration data submodule, an information encapsulation submodule, an audit submodule and a protocol conversion submodule.

The configuration data submodule implements identity management, label management, authorization management and policy management for all subjects and objects.

The information encapsulation submodule determines the security-related content of all legitimate users in the system: identities, working keys, certificates and the like.

The audit submodule records the arbitration results of security mechanisms such as identity authentication and access control.

The protocol conversion submodule establishes the corresponding encrypted transmission mode according to the communication security mechanism adopted.

Further, the interconnection subsystem comprises an information encapsulation submodule and a protocol conversion submodule.

The information encapsulation submodule determines the security-related content of all legitimate users in the system: identities, working keys, certificates and the like.

The protocol conversion submodule establishes the corresponding encrypted transmission mode according to the communication security mechanism adopted;

specifically, it establishes that mode from the user identities, working keys, certificates and other security-related content held by the information encapsulation submodule.

Further, the internal isolation transmission subsystem consists of an external proxy module, an internal proxy module and an isolation component. The external proxy module connects to the external information system and provides proxy services for interconnecting it with the internal information system; the internal proxy module connects to the internal information system and provides proxy services for interconnecting it with the external information system; the isolation component connects to both proxy modules and provides policy enforcement for the interconnection of the two information systems.

To the same end, the network configuration data relay distribution and transmission method provided by the invention comprises:

(1) When the centralized management center issues user configuration data for the arbitration system, it interacts directly with the arbitration subsystem and delivers the configuration management data;

(2) When the centralized management center issues configuration data for the interconnection subsystem, it interacts with the arbitration subsystem and delivers that data to it; after receiving it, the arbitration subsystem delivers the interconnection subsystem's configuration data to the interconnection subsystem through the internal isolation transmission subsystem;

(3) When the centralized management center issues configuration data for both the arbitration system and the interconnection subsystem at once, it interacts with the arbitration subsystem and delivers both sets of data to it; the arbitration subsystem identifies the type of each item of configuration data, processes its own configuration data directly, and delivers the interconnection subsystem's configuration data to the interconnection subsystem through the internal isolation transmission subsystem.

The relay distribution and transmission scheme provided by the invention ensures that the configuration data of the interconnection subsystem of the two-system security interconnection device is relayed and distributed through the isolation transmission subsystem, which more effectively improves the security of the transmission subsystem's configuration data.

In this scheme the centralized management center is connected to the arbitration subsystem of the two-system security interconnection device and issues the arbitration subsystem's configuration data to it directly. The management center has no direct data path to the transmission subsystem (i.e. the interconnection subsystem): the transmission subsystem's configuration data is issued by the management center to the arbitration system, which relays it through the internal isolation transmission system to the transmission subsystem.

Description of the drawings

The invention is further described below with reference to the drawings and specific embodiments.

Fig. 1 is a schematic diagram of the network configuration data relay distribution and transmission system in the example of the invention;

Fig. 2 is a schematic diagram of the centralized security management center in the example of the invention;

Fig. 3 is a schematic diagram of the two-system security interconnection device in the example of the invention.

Detailed description

To make the technical means, creative features, objectives and effects of the invention easy to understand, the invention is further explained below with reference to the figures.

This example takes access control over data exchange between networks of different security levels (a low security domain and a high security domain) as its starting point and builds an effective and secure system configuration architecture, so that the security of user configuration is ensured during resource access.

Fig. 1 shows an example of the composition of the network configuration data relay distribution and transmission system built in this example.

The system consists mainly of a two-system security interconnection device working together with a centralized security management center. The two-system security interconnection device establishes a strict communication security mechanism between two information systems (for example an internal and an external information system), such as a one-way or two-way information flow, and builds the corresponding encrypted transmission mode (for example HTTPS, SFTP or IPsec) on top of that mechanism, preventing the security functions from being bypassed or tampered with.

The centralized security management center formulates subject and object security labels for the natural persons, security protection devices and key processes and modules in the application system, converts the subject and object information according to defined conversion rules, and synchronizes it to the two-system security interconnection device, which enforces mandatory access control according to the labels.

Specifically, as shown in Fig. 2, the centralized security management center consists of the Browser, DB Base and Manage Agent modules working together, and implements system management, security management and audit management.

As an example, system management here formulates the subject and object security labels for the natural persons, security protection devices and key processes and modules in the application system.

As an example, security management here mainly converts the subject and object information of the application system according to defined conversion rules and synchronizes it to the existing two-system security interconnection device.

As an example, audit management here mainly records the arbitration results of security mechanisms such as identity authentication and access control; each record includes the event time, type and operation content, so that events are traceable across systems and non-repudiable.

The Browser module is the back-end management page module of the centralized security management center, used to manage and configure the center.

The DB Base module is the data storage module of the center. According to the needs of the business system and the importance of each object resource it determines the security level of every object resource and generates a global object label list; likewise it determines each subject's security label from the user's permissions and roles in the business system and generates a global subject label list.

The Manage Agent module is the client agent of the center. It generates and executes subject-related policies according to the center's requirements, including mandatory access control policies and level-change policies, and executes file access control policies, network access control policies, zone boundary filtering policies, firewall rules and other related policies on the corresponding computing nodes.

As shown in Fig. 3, the two-system security interconnection device comprises an interconnection arbitration system, an interconnection subsystem and an internal isolation transmission subsystem, and thereby implements network security isolation, data verification, interconnection behaviour auditing and related functions.

The interconnection arbitration system arbitrates, according to the security labels of subject and object, whether interconnected access may proceed. A subject with credibility-checking capability is introduced; by checking the subject, the object is dynamically adjusted so that the subject and object levels preserve the system's confidentiality while credibility labels and constraints protect its integrity.
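The label arbitration described above (and in the summary), together with the global subject and object label lists the DB Base module derives from roles and resource importance and the audit record the patent describes (event time, type, operation content), as an added Python example; this is not code from the patent or its assignee. The label lattice (a numeric level plus a category set), the role and importance tables, the boolean `trusted` flag standing in for the credibility check, and the no-read-up / no-write-down rules with an integrity gate on writes are assumptions chosen to illustrate the text, not the patent's own rules.

```python
"""Label-based interconnection arbitration (added example, not the patent's code)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed label lattice: a numeric sensitivity level plus a category set.
# A label dominates another when its level is at least as high and its
# categories are a superset of the other's.
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass(frozen=True)
class Label:
    level: int
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and other.categories <= self.categories


@dataclass
class Subject:
    name: str
    label: Label
    trusted: bool          # outcome of the credibility check (assumed boolean)


@dataclass
class Resource:            # an "object" in the patent's sense
    name: str
    label: Label
    integrity: int         # 0..2: how much other systems rely on this data (assumed)


# Global subject label list, derived from business-system roles (constructed table).
ROLE_LABELS = {
    "clerk": Label(LEVELS["internal"], frozenset({"hr"})),
    "officer": Label(LEVELS["secret"], frozenset({"hr", "case"})),
}

# Global object label list, derived from resource importance (constructed table).
RESOURCE_LABELS = {
    "bulletin": (Label(LEVELS["public"]), 0),
    "personnel_file": (Label(LEVELS["internal"], frozenset({"hr"})), 1),
    "case_db": (Label(LEVELS["secret"], frozenset({"hr", "case"})), 2),
}

AUDIT: list = []   # arbitration records: event time, type, operation, result


def make_subject(name: str, role: str, trusted: bool = True) -> Subject:
    return Subject(name, ROLE_LABELS[role], trusted)


def make_resource(name: str) -> Resource:
    label, integrity = RESOURCE_LABELS[name]
    return Resource(name, label, integrity)


def arbitrate(subject: Subject, obj: Resource, op: str) -> bool:
    """Decide whether `op` ("read" or "write") may cross the interconnection.

    Confidentiality: a read needs the subject to dominate the object (no read-up);
    a write needs the object to dominate the subject (no write-down).
    Integrity: a subject that failed the credibility check may only write to
    resources nobody relies on (integrity 0).  Treating the credibility check
    as a gate on writes is our reading of the text, not the patent's own rule.
    Every decision is appended to AUDIT with time, type and operation content.
    """
    if op == "read":
        allowed = subject.label.dominates(obj.label)
    elif op == "write":
        allowed = obj.label.dominates(subject.label) and (subject.trusted or obj.integrity == 0)
    else:
        allowed = False          # unknown operations are denied by default
    AUDIT.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "type": "access_control",
        "operation": f"{subject.name} {op} {obj.name}",
        "result": "allow" if allowed else "deny",
    })
    return allowed


if __name__ == "__main__":
    clerk = make_subject("alice", "clerk")
    for res, op in (("personnel_file", "read"), ("case_db", "read"), ("case_db", "write")):
        print(res, op, arbitrate(clerk, make_resource(res), op))
    print(AUDIT[-1])
```

A clerk cleared for internal/hr data can read a personnel file but not the secret case database, may write upward into the case database only while the credibility check holds, and an officer cannot write secret-level data down into an internal-level file; each outcome lands in the audit list with the fields the patent names.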

The interconnection subsystem combines trusted computing technology with a whitelist mechanism to establish a communication path between the security mechanisms that meets the security requirements.

The internal isolation transmission subsystem is the system in which, after the two interconnected parties have verified each other successfully, trusted authentication is performed, and after it passes an encrypted transmission mode is established between them. It guarantees the integrity and confidentiality of the data transmitted between the two communicating parties.

The two-system security interconnection device so constructed eliminates mutual interference between system components, establishes a strict interaction structure, and prevents the security functions from being bypassed or tampered with. At run time, the interconnection arbitration system first decides whether the two information systems may be interconnected; the interconnection subsystem then decides which security mechanism the two systems use to communicate (for example one-way or two-way information flow); and the internal isolation transmission subsystem establishes the encrypted transmission mode (for example HTTPS, SFTP or IPsec).

As an example, the interconnection arbitration system in this example comprises a configuration data submodule, an information encapsulation submodule, an audit submodule and a protocol conversion submodule.

The configuration data submodule implements identity management, label management, authorization management and policy management for all subjects and objects.

The information encapsulation submodule determines the security-related content of all legitimate users in the system: identities, working keys, certificates and the like.

The audit submodule records the arbitration results of security mechanisms such as identity authentication and access control; each record includes the event time, type and operation content, so that events are traceable across systems and non-repudiable.

The protocol conversion submodule establishes the corresponding encrypted transmission mode (for example HTTPS, SFTP or IPsec) according to the communication security mechanism adopted (for example one-way or two-way information flow).

Further, the interconnection subsystem in this example comprises an information encapsulation submodule and a protocol conversion submodule.

The information encapsulation submodule determines the security-related content of all legitimate users in the system: identities, working keys, certificates and the like;

the protocol conversion submodule establishes the corresponding encrypted transmission mode (for example HTTPS, SFTP or IPsec) according to the communication security mechanism adopted (for example one-way or two-way information flow).

At run time, the protocol conversion submodule of the interconnection subsystem establishes the corresponding encrypted transmission mode (for example HTTPS, SFTP or IPsec) from the user identities, working keys and certificates held by the information encapsulation submodule.

Further, the internal isolation transmission subsystem in this example performs trusted authentication after the two interconnected parties have verified each other successfully, and after authentication passes the two parties establish an encrypted transmission mode. It guarantees the integrity and confidentiality of the transmitted data.

Specifically, the internal isolation transmission subsystem protects the interconnection, intercommunication and interoperation between the two information systems, ensures the authenticity of user identities, the security of operations and non-repudiation, and strictly controls the direction of information flow according to the security policy, so that data passing between the two information systems is secure.

本内部隔离传输子系统由外部代理模块、内部代理模块和隔离部件构成。The internal isolated transmission subsystem is composed of an external agent module, an internal agent module and isolation components.

外部代理模块与外部信息系统相连,为外部信息系统与内部信息系统互联提供代理服务;The external agent module is connected with the external information system to provide agency services for the interconnection between the external information system and the internal information system;

内部代理模块与内部信息系统相连,为内部信息系统与外部信息系统互联提供代理服务;The internal agent module is connected with the internal information system to provide agency services for the interconnection between the internal information system and the external information system;

隔离部件与内部代理模块、外部代理模块相连,为内外部二个信息系统互联提供策略执行。The isolation component is connected with the internal agent module and the external agent module to provide policy execution for the interconnection of the two internal and external information systems.

In the resulting relay distribution transmission system for network configuration data, the centralized security management center is connected to the arbitration subsystem of the two-system secure interconnection device. Configuration data for the arbitration subsystem is issued directly by the centralized security management center. The centralized security management center has no direct data path to the interconnection subsystem: configuration data for the interconnection subsystem is issued by the centralized security management center to the arbitration subsystem, which then relays it to the interconnection subsystem through the internal isolated transmission subsystem.

The relay distribution transmission system for network configuration data therefore operates as follows:

(1) When the centralized management center issues user configuration data for the arbitration subsystem, it interacts directly with the arbitration subsystem and delivers the configuration management data;

(2) When the centralized management center issues configuration data for the interconnection subsystem, it interacts with the arbitration subsystem and delivers the interconnection subsystem's configuration data to it; after receiving that data, the arbitration subsystem forwards it to the interconnection subsystem through the internal isolated transmission subsystem;

(3) When the centralized management center issues configuration data for the arbitration subsystem and the interconnection subsystem at the same time, it interacts with the arbitration subsystem and delivers both sets of configuration data to it; the arbitration subsystem identifies the type of each configuration item, processes its own configuration data directly, and forwards the interconnection subsystem's configuration data to the interconnection subsystem through the internal isolated transmission subsystem.

The system thus guarantees that configuration data for the interconnection subsystem of the two-system secure interconnection device always reaches it by relay through the isolated transmission subsystem, which improves the security of the configuration data carried over the transmission subsystem.

The process of relaying, distributing and transmitting network configuration data with this system is described below with reference to FIG. 1.

In this scheme, the relay distribution transmission of network configuration data proceeds as follows:

1) The configuration management module of the centralized security management center obtains the user configuration data and then interacts with the configuration data sub-module of the arbitration subsystem of the two-system secure interconnection device.

2) The configuration data sub-module receives the configuration data and analyses its type;

3) If the configuration data is of the arbitration subsystem type, the configuration data sub-module processes it directly and configures the arbitration subsystem;

4) If the configuration data is of the transmission (interconnection) subsystem type, the configuration data sub-module re-encapsulates it (this is done by the information encapsulation sub-module) and transmits it through its protocol conversion sub-module to the protocol conversion sub-module of the interconnection subsystem; on receipt, the interconnection subsystem's protocol conversion sub-module configures the interconnection subsystem;

5) If the configuration data is of the composite type, i.e. it contains both arbitration subsystem and interconnection subsystem configuration data, the arbitration subsystem parses it, extracts the arbitration subsystem portion and configures itself with it, extracts the interconnection subsystem portion and re-encapsulates it, and transmits it through the protocol conversion sub-module to the interconnection subsystem's protocol conversion sub-module, which configures the interconnection subsystem.
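The following is an added example, not code from the patent or its applicant, that models the two passages above in one place: the internal isolated transmission subsystem (external proxy, isolation component executing a flow policy, internal proxy) and the relay distribution of configuration data in cases (1) to (3) / steps 1) to 5). The class names, the message format (a `type` field that is `arbitration`, `interconnection` or `composite`), the flow policy table, the HMAC-based sealing of relayed data and all configuration values are assumptions made for this illustration; the patent specifies only that an encrypted transmission mode is established after authentication, not the mechanism.

```python
import hashlib
import hmac
import json

ARB, ICS, COMPOSITE = "arbitration", "interconnection", "composite"


class IsolationComponent:
    """Executes the flow policy between the two proxies (assumed policy: only
    'config' messages from the arbitration side to the interconnection side)."""
    POLICY = {(ARB, ICS): {"config"}}

    def __init__(self):
        self.audit = []

    def permit(self, src, dst, kind):
        allowed = kind in self.POLICY.get((src, dst), set())
        self.audit.append((src, dst, kind, "allow" if allowed else "deny"))
        return allowed


class InternalIsolationTransmission:
    """External proxy -> isolation component -> internal proxy. The channel key
    is assumed to come from the trusted authentication step; the sending proxy
    seals the payload with an HMAC and the receiving side verifies it."""
    def __init__(self, key, receiver):
        self.key, self.receiver, self.isolation = key, receiver, IsolationComponent()

    def send(self, src, dst, kind, payload):
        if not self.isolation.permit(src, dst, kind):
            return False
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return self.receiver.receive(body, tag)


class InterconnectionSubsystem:
    """Receiving protocol-conversion sub-module: verify before applying."""
    def __init__(self, key):
        self.key, self.config, self.rejected = key, {}, 0

    def receive(self, body, tag):
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.rejected += 1          # altered or unauthenticated: discard, count
            return False
        self.config.update(json.loads(body)["data"])
        return True


class ArbitrationSubsystem:
    """Configuration data sub-module: classify, apply own data, relay the rest."""
    def __init__(self, channel):
        self.channel, self.config = channel, {}

    def handle(self, msg):
        kind = msg["type"]
        if kind == ARB:
            self.config.update(msg["data"])
            return {ARB: True, ICS: None}
        if kind == ICS:
            return {ARB: False, ICS: self.relay(msg["data"])}
        if kind == COMPOSITE:
            self.config.update(msg["data"][ARB])
            return {ARB: True, ICS: self.relay(msg["data"][ICS])}
        raise ValueError("unknown configuration type: %r" % kind)

    def relay(self, data):
        # Re-encapsulate: only the interconnection portion crosses the boundary.
        return self.channel.send(ARB, ICS, "config", {"target": ICS, "data": data})


class ManagementCenter:
    """Holds a reference to the arbitration subsystem only: no code path leads
    from here to InterconnectionSubsystem, which is the property claimed."""
    def __init__(self, arbitration):
        self.arbitration = arbitration

    def distribute(self, msg):
        return self.arbitration.handle(msg)


def run_demo():
    key = b"channel-key-from-authentication-step"   # constructed for the example
    ics = InterconnectionSubsystem(key)
    arb = ArbitrationSubsystem(InternalIsolationTransmission(key, ics))
    center = ManagementCenter(arb)
    # Cases (1), (2) and (3) of the operation process, with constructed values.
    center.distribute({"type": ARB, "data": {"audit_level": "full"}})
    center.distribute({"type": ICS, "data": {"whitelist": ["10.0.1.5"]}})
    center.distribute({"type": COMPOSITE, "data": {
        ARB: {"label_sync_interval": 60}, ICS: {"cipher_suite": "SM4-GCM"}}})
    # A reverse-direction flow is denied by policy and never reaches the receiver.
    reverse_ok = arb.channel.send(ICS, ARB, "config", {"data": {}})
    # Data injected at the receiving side with a bad tag fails verification.
    forged = json.dumps({"target": ICS, "data": {"whitelist": ["0.0.0.0/0"]}}).encode()
    forged_ok = ics.receive(forged, b"\x00" * 32)
    return {"arb_config": arb.config, "ics_config": ics.config,
            "reverse_allowed": reverse_ok, "forged_accepted": forged_ok,
            "rejected": ics.rejected, "audit": arb.channel.isolation.audit}
```

The point a practitioner should take from the layout is structural rather than cryptographic: `ManagementCenter` never holds a handle to `InterconnectionSubsystem`, so the only way configuration reaches it is through `ArbitrationSubsystem.relay`, which is the single place where the isolation component's policy and the channel authentication are applied. In a real deployment the shared HMAC key would be replaced by whatever keys the protocol conversion sub-modules negotiate, and the policy table would be loaded from the arbitration subsystem's own configuration rather than hard-coded.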

The foregoing has shown and described the basic principles, main features and advantages of the present invention. Those skilled in the art should understand that the present invention is not limited by the above embodiments; the embodiments and the description merely illustrate its principles, and various changes and improvements may be made without departing from its spirit and scope, all of which fall within the scope of the claimed invention. The scope of protection of the present invention is defined by the appended claims and their equivalents.

Claims (6)

1. A relay distribution transmission system for network configuration data, characterized in that it comprises a two-system secure interconnection device and a centralized security management center;
the two-system secure interconnection device comprises an interconnection arbitration system, an interconnection subsystem and an internal isolated transmission subsystem;
the interconnection arbitration system arbitrates, according to the security labels of subject and object, whether interconnection access may proceed; a subject with credibility-checking capability is introduced into the system, and by checking that subject the object is dynamically adjusted so that the levels of subject and object preserve the confidentiality of the system while credibility identifiers and constraints protect its integrity;
the interconnection subsystem, combined with trusted computing, uses a whitelist mechanism to establish a communication path between security mechanisms that meets the security requirements;
the internal isolated transmission subsystem is a system in which the two interconnected parties perform trusted authentication after successful verification and, once authentication passes, establish an encrypted transmission mode;
the centralized security management center assigns subject and object security labels to the natural persons, security protection devices and key processes and modules of the application system, converts the subject and object information of the application system according to defined conversion rules, and synchronizes it to the two-system secure interconnection device, which enforces mandatory access control according to the labels; the centralized security management center is connected to the interconnection arbitration system of the two-system secure interconnection device and issues the configuration data of the interconnection arbitration system to it directly; the centralized security management center has no direct data path to the interconnection subsystem, and the configuration data of the interconnection subsystem is issued by the centralized security management center to the interconnection arbitration system, which relays it to the interconnection subsystem through the internal isolated transmission subsystem.

2. The relay distribution transmission system for network configuration data according to claim 1, characterized in that the centralized security management center comprises a back-end management page module, a data storage module and a client agent module;
the back-end management page module is used to manage and configure the centralized security management center;
the data storage module determines the security level of every object resource in the system according to the needs of the business system and the importance of each object resource, and generates a global object label list; it also determines the security label of each subject according to the user's permissions and roles in the business system, and generates a global subject label list;
the client agent module generates subject-related policies according to the requirements of the centralized security management center and executes them on the corresponding computing nodes.

3. The relay distribution transmission system for network configuration data according to claim 1, characterized in that the interconnection arbitration system comprises a configuration data sub-module, an information encapsulation sub-module, an audit sub-module and a protocol conversion sub-module;
the configuration data sub-module performs identity management, label management, authorization management and policy management for all subjects and objects;
the information encapsulation sub-module determines the identities, working keys, certificates and other security-related content of all legitimate users in the system;
the audit sub-module records the arbitration results of the identity authentication and access control security mechanisms;
the protocol conversion sub-module establishes the corresponding encrypted transmission mode according to the communication security mechanism adopted.

4. The relay distribution transmission system for network configuration data according to claim 1, characterized in that the interconnection subsystem comprises an information encapsulation sub-module and a protocol conversion sub-module;
the information encapsulation sub-module determines the identities, working keys, certificates and other security-related content of all legitimate users in the system;
the protocol conversion sub-module establishes the corresponding encrypted transmission mode according to the communication security mechanism adopted, using the user identities, working keys, certificates and other security-related content held by the information encapsulation sub-module.

5. The relay distribution transmission system for network configuration data according to claim 1, characterized in that the internal isolated transmission subsystem consists of an external proxy module, an internal proxy module and an isolation component; the external proxy module is connected to the external information system and provides the proxy service for interconnecting the external information system with the internal information system; the internal proxy module is connected to the internal information system and provides the proxy service for interconnecting the internal information system with the external information system; the isolation component is connected to the internal and external proxy modules and executes the policy governing interconnection of the two information systems.

6. A relay distribution transmission method for network configuration data, characterized in that it is implemented on the relay distribution transmission system for network configuration data according to any one of claims 1 to 5 and comprises:
(1) when the centralized management center issues user configuration data for the interconnection arbitration system, it interacts directly with the interconnection arbitration system and delivers the user configuration data;
(2) when the centralized management center issues configuration data for the interconnection subsystem, it interacts with the interconnection arbitration system and delivers the interconnection subsystem's configuration data to it; after receiving that data, the interconnection arbitration system forwards it to the interconnection subsystem through the internal isolated transmission subsystem;
(3) when the centralized management center issues configuration data for the interconnection arbitration system and the interconnection subsystem at the same time, it interacts with the interconnection arbitration system and delivers both sets of configuration data to it; the interconnection arbitration system identifies the type of the configuration data, processes its own configuration data directly, and forwards the interconnection subsystem's configuration data to the interconnection subsystem through the internal isolated transmission subsystem.
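Claim 1 describes the interconnection arbitration system as deciding access from the security labels of subject and object, with a credibility-checking subject that can re-rate objects so that confidentiality is kept and integrity is protected by credibility identifiers and constraints. The block below is an added example, not code from the patent, of one concrete reading of that claim: each label carries a confidentiality level with compartments and a separate credibility (integrity) level; reads are allowed only when the subject dominates the object in confidentiality and the object is at least as credible as the subject, writes only in the reverse direction on both lattices; and only a subject at an assumed checker credibility may adjust an object's credibility. The label vocabulary, the `convert` conversion rule, the checker threshold and the sample subjects and objects are all constructed for the illustration; the patent does not fix these rules.

```python
from dataclasses import dataclass

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    level: int               # confidentiality level
    categories: frozenset    # compartments the label covers
    credibility: int         # integrity / trust level

    def dominates(self, other):
        """Confidentiality lattice order: self is at least as high as other."""
        return self.level >= other.level and self.categories >= other.categories


def convert(record):
    """Assumed conversion rule: management-center record -> security label."""
    return Label(LEVELS[record["clearance"]], frozenset(record["compartments"]),
                 record["credibility"])


class InterconnectionArbiter:
    CHECKER_CREDIBILITY = 3   # assumed threshold for a credibility-checking subject

    def __init__(self):
        self.subjects, self.objects, self.audit = {}, {}, []

    def sync(self, subject_records, object_records):
        """Receive the global subject/object label lists from the management center."""
        self.subjects = {n: convert(r) for n, r in subject_records.items()}
        self.objects = {n: convert(r) for n, r in object_records.items()}

    def arbitrate(self, subject, obj, op):
        s, o = self.subjects[subject], self.objects[obj]
        if op == "read":
            # no read up (confidentiality) and no read down (integrity)
            ok = s.dominates(o) and o.credibility >= s.credibility
        elif op == "write":
            # no write down (confidentiality) and no write up (integrity)
            ok = o.dominates(s) and s.credibility >= o.credibility
        else:
            ok = False                      # unknown operation: default deny
        self.audit.append((subject, obj, op, "allow" if ok else "deny"))
        return ok

    def adjust_object(self, checker, obj, credibility):
        """Dynamic adjustment: only a checker-level subject may re-rate an object."""
        if self.subjects[checker].credibility < self.CHECKER_CREDIBILITY:
            self.audit.append((checker, obj, "adjust", "deny"))
            return False
        old = self.objects[obj]
        self.objects[obj] = Label(old.level, old.categories, credibility)
        self.audit.append((checker, obj, "adjust", "allow"))
        return True


def build_demo():
    """Constructed label data, in the form the management center would sync."""
    arb = InterconnectionArbiter()
    arb.sync(
        {"analyst": {"clearance": "confidential", "compartments": ["ops"], "credibility": 2},
         "guest": {"clearance": "public", "compartments": [], "credibility": 1},
         "checker": {"clearance": "secret", "compartments": ["ops", "audit"], "credibility": 3}},
        {"report": {"clearance": "confidential", "compartments": ["ops"], "credibility": 2},
         "bulletin": {"clearance": "public", "compartments": [], "credibility": 3},
         "scratch": {"clearance": "internal", "compartments": [], "credibility": 1}})
    return arb
```

The two lattices pull in opposite directions, which is the practical reason the claim needs the checker: a low-credibility object such as `scratch` is unreadable by the analyst until a checker subject has examined it and raised its credibility, and that re-rating is itself a privileged, audited operation rather than something any subject can do by writing to the object.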
CN202010658242.5A 2020-07-09 2020-07-09 Relay distribution transmission system and method for network configuration data Active CN111818057B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010658242.5A CN111818057B (en) 2020-07-09 2020-07-09 Relay distribution transmission system and method for network configuration data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010658242.5A CN111818057B (en) 2020-07-09 2020-07-09 Relay distribution transmission system and method for network configuration data

Publications (2)

Publication Number Publication Date
CN111818057A CN111818057A (en) 2020-10-23
CN111818057B true CN111818057B (en) 2022-10-28

Family

ID=72842159

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010658242.5A Active CN111818057B (en) 2020-07-09 2020-07-09 Relay distribution transmission system and method for network configuration data

Country Status (1)

Country Link
CN (1) CN111818057B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5864683A (en) * 1994-10-12 1999-01-26 Secure Computing Corporation System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights
CN101534300A (en) * 2009-04-17 2009-09-16 公安部第一研究所 System protection framework combining multi-access control mechanism and method thereof
CN102255924A (en) * 2011-08-29 2011-11-23 浙江中烟工业有限责任公司 Multi-stage security interconnection platform based on trusted computing and processing flow thereof
CN102325134A (en) * 2011-08-29 2012-01-18 浙江中烟工业有限责任公司 Three-system safety interconnection component subsystem of multi-level safety interconnection platform
CN202798788U (en) * 2012-03-26 2013-03-13 上海金电网安科技有限公司 Two-tiered networking device based on network isolation
CN106888191A (en) * 2015-12-16 2017-06-23 上海金电网安科技有限公司 Hierarchical protection multilevel security interacted system and its interconnected method

Also Published As

Publication number Publication date
CN111818057A (en) 2020-10-23

Similar Documents

Publication Publication Date Title
US20040199768A1 (en) System and method for enabling enterprise application security
US20110173443A1 (en) Secure extranet server
CN108737348A (en) A kind of internet of things equipment access control method of the intelligent contract based on block chain
CN102710605A (en) Information security management and control method under cloud manufacturing environment
WO2003060671A2 (en) Communication security system
CN101247391A (en) OPC Security Proxy System and Proxy Method
US12425198B2 (en) Method and apparatus for sharing encrypted data, device and readable medium
CN116633576B (en) Secure and reliable NC-Link agent, control method, device and terminal
Wu et al. A gateway-based access control scheme for collaborative clouds
CN104219077A (en) Information management system for middle and small-sized enterprises
Cheung et al. On virtual private networks security design issues
CN114553577B (en) A network interaction system and method based on multi-host dual isolation and confidentiality architecture
Bameyi et al. End-to-end security in communication networks: a review
CN111818057B (en) Relay distribution transmission system and method for network configuration data
Foltz et al. Enterprise considerations for ports and protocols
JP2021533599A (en) A secure way to replicate on-premises secrets in a computing environment
CN118427856A (en) Method for cross-network secure access to database
CN112906032B (en) File secure transmission method, system and medium based on CP-ABE and block chain
CN116723555A (en) Terminal access and data distribution method and system based on 5G-R
Surya et al. Security issues and challenges in cloud
Boi et al. Decentralized Authentication in Microservice Architectures with SSI and DID in Blockchain
Kumar et al. Realization of threats and countermeasure in Semantic Web services
CN107342999A (en) A kind of system and method based on agent protection certificate is strengthened
Zhang et al. Formal Modeling and Verification of ICN-IoT Middleware Architecture (S).
Ran et al. Security XACML access control model based on SOAP encapsulate

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant