CN1529531A - A method for mobile users to access security gateway - Google Patents
- Publication number: CN1529531A (application CNA2003101018080A)
- Authority: CN (China)
- Prior art keywords: security, security policy, policy, template, mobile user
- Legal status: Pending
- Landscape: Mobile Radio Communication Systems (AREA)
Description
Technical field
The present invention belongs to information security technology within the field of information technology. Specifically, it concerns how to protect mobile users with the IPSEC/IKE protocols when they access a security gateway using the IKE protocol.
Background
IKE (Internet Key Exchange) is a protocol widely used on the Internet to perform key negotiation. It works mainly together with IPSEC (IP Security) to protect packets at the IP layer. IKE is designed for two communicating parties to negotiate a session key directly, which requires that each party already hold the other's identity information and secret information in order to authenticate it. With the rapid growth of wireless networks, secure data communication for mobile users has received increasing attention. Because mobile users frequently change physical location, there is no guarantee that their data communication always takes place inside the enterprise or a dedicated secure network. When they reach a private network over the Internet, the security of the data in transit over the Internet must be considered. The common technology for mobile users to access the security gateway of a private network is IPSEC/IKE, which lets the mobile user and the security gateway negotiate session keys, establish IPSEC security associations and protect data at the IP layer.
IKEv1 defines four access authentication methods. Because public-key encryption is computationally expensive, typical IKEv1 implementations use only the two methods based on pre-shared keys and digital signatures. However, because the public key infrastructure (PKI) is still poorly developed, digital-signature authentication is of limited use, and most mobile users that access a security gateway through IKE authenticate with a pre-shared key.
Normally, when a mobile user connects to the security gateway with IKE, the user's identity is required. IKEv1 supports several identity types, such as user domain name (user_fqdn), fully qualified domain name (fqdn) and IP address (ip_addr). When a user connects, the security gateway uses the identity to locate the corresponding security data and perform authentication. When a mobile user supplies identity information in the form of a digital signature, the corresponding security data is supplied with it; when the mobile user authenticates with a pre-shared key, the user must declare its identity by sending ID information so that the security gateway can look up the matching authentication data. However, when the identity protection of IKEv1 phase 1 main mode is used, the security gateway can only match the pre-shared key by the mobile user's IP address; because a mobile user's IP address is not fixed, access authentication cannot be completed. If IKEv1 phase 1 aggressive mode is used instead, the mobile user's ID information is not encrypted, so access authentication can be completed quickly. Some existing implementations use main mode for the IKE phase 1 exchange and require all mobile users to share one default pre-shared key, which greatly weakens the security of access authentication.
The security policy database supplies the security information IKE needs to carry out the phase 2 negotiation automatically. Because a mobile user's IP address is not fixed, no fixed security policy can be configured for it; the temporary security policy needed to negotiate a security association has to be generated dynamically.
Summary of the invention
The present invention proposes a complete, secure and efficient method for mobile users to access a security gateway, aimed mainly at the case where mobile users use a pre-shared key for access authentication. It covers configuration of the access authentication method, configuration and management of security policies, and generation and maintenance of security associations.
The method of the present invention for a mobile user to access a security gateway is as follows:
1. In the IKE configuration, when mobile users use a pre-shared key for access authentication, their ID is configured as a non-IP-address type, such as user domain name (user_fqdn), fully qualified domain name (fqdn) or another form supported in IKEv1; the access authentication mode of mobile users is set to aggressive mode;
2. In the security policy databases of both the security gateway and the mobile user's client, a general security policy template is set up specifically for mobile users and used to generate temporary security policies for them dynamically;
3. In the IKE phase 2 negotiation, the security gateway and the mobile user each follow their own temporary security policy to negotiate the security associations needed for one session; when a session lasts a long time the security associations can be renewed, but the security policy does not need to be;
4. A mobile user's temporary security policy is deleted automatically when the session ends; the criterion for deleting it is that the state of the security association belonging to that temporary security policy is DEAD.
5. The IKE process sets up a time-based schedule that periodically checks whether the lifetime of the security associations generated from temporary security policies has expired. When a security association's lifetime has expired, the temporary security policy is checked for a record that a new security association is being negotiated; if so, nothing is done; if not, the security association's state is set to DEAD, and then the security association and the temporary security policy are deleted.
In step 1 above, the mobile user's ID need not have been applied for on the security gateway, but it must be ensured that the user name on the security gateway corresponds to the pre-shared key. How the user's key is stored can be decided locally, as long as the security requirements are satisfied.
In step 1 above, aggressive mode may be set for all mobile users or configured per mobile user. Because some mobile users may authenticate with digital signatures, IKE main mode can still be used for their phase 1 exchange.
Step 2 above mainly comprises the following aspects:
1. The security policy template must contain at least: the security policy selector, the packet processing action (apply, pass or discard), the transform type (protocol and algorithms), and so on;
2. A security policy template is a special type of security policy record and is stored in the security policy database like any other security policy. When a mobile user initiates the phase 2 negotiation, the template policy is used whenever no exactly matching security policy can be found, because the source address of the template policy is zero. (The lookup is based on the Radix-tree implementation of the security policy database. See G. R. Wright and W. R. Stevens, "TCP/IP Illustrated, vol. 2", Addison-Wesley Publishing Company, 1995, which describes a special kind of Radix tree already used to organise routing tables in Net/3, FreeBSD and most high-end routers.)
Step 3 above mainly comprises the following steps:
1. Application of the security policy template on the mobile user side. When the IKE phase 2 negotiation is initiated, the source address in the template's selector is all zeros, so a lookup in the security policy database by destination address alone finds the template policy. A temporary security policy for the mobile user is then generated from the template, the only change being that the source address in the selector is set to the host's current IP address;
2. Application of the security policy template on the security gateway side. When the first phase 2 negotiation message is received, the SPD is searched using the source address, the destination address and the port numbers carried in the identity payloads of the message. Because the peer is a mobile user, the SPD contains no security policy whose source address is the temporarily assigned IP address, so the lookup finds the security policy template. The security gateway generates a temporary security policy in the security policy database from the template, replacing the template's all-zero address with the initiator's IP address.
3. The security association records generated from a temporary security policy are the same as normal security association records, but their lifetime must be time-based, which can be specified in the security policy template. Security association records belonging to a temporary security policy can still be renewed automatically at the soft expiry of their lifetime.
In step 4 above, a temporary security policy is set up temporarily for a single mobile user; because the mobile user's IP address is not fixed, there is no value in retaining it once the session ends. The end of a session means that the lifetime of the security association belonging to that policy has expired without automatic renewal, showing that the security association is no longer in use; its state is then DEAD. When a security association is found in state DEAD, the security association and the temporary security policy it belongs to are deleted.
With the present invention, mobile office users can communicate securely with a private network from remote locations, meeting the current needs of mobile communication and mobile work. Because the public key infrastructure (PKI) is still poorly developed, IKE access based on digital signatures is of limited use. The present invention provides mobile users with secure authenticated access based on pre-shared keys, with a separate pre-shared key configured for each mobile user.
Description of the drawings
Figure 1 is a schematic diagram of the application scenario in which a mobile user accesses a security gateway using the IPSEC/IKE protocols.
Figure 2 is a schematic diagram of the storage of a security policy template in the SPDB.
Figure 3 is a schematic diagram of the temporary security policy generation flow.
Figure 4 is a flow chart of IKE polling, on a time schedule, the state of the SAs generated from temporary SPs.
Detailed description of the embodiments
The implementation of the technical scheme is described in further detail below with reference to the drawings:
Figure 1 shows a common scenario in which a mobile office user needs to communicate securely with company headquarters. The mobile user connects to a local ISP wherever they are and obtains a network channel. Because the traffic crosses the Internet, an open network, the transmitted information may be maliciously attacked or deliberately eavesdropped on. To protect the communicated data, a protected channel is established with IPSEC/IKE between the mobile user and the security gateway at enterprise headquarters, giving the data encryption and integrity protection. Behind the security gateway lies the enterprise internal network, which is generally regarded as secure and needs no further protection.
Figure 2 gives a simplified picture of an SPDB organised as a Radix tree. By the construction principle of the Radix tree, a template-type SP is stored in the SPDB in the same place as SPs of any other type.
The source IP address in the selector of a template SP must be set to all zeros. When the source and destination addresses of the mobile user's IP packet (the destination being the security gateway's IP address) are used as the SP selector to search the SPDB, no SP entry will match them exactly; by the principles of the Radix tree and the SPDB, the template SP will be matched instead. In the template policy for the security gateway in Figure 2, the gateway address is 10.52.33.1 and the source address in the selector, the mobile user's address, is all zeros. The selector is simplified there, omitting the upper-layer protocol and port number. Figure 2 thus gives an example, following the Radix-tree construction principle, of how a template-type security policy is stored in the SPDB.
Figure 3 describes the generation of a temporary SP in detail. When a request for an IP packet arrives, the matching security policy must be found in the SPDB, which first requires constructing an SP selector. The selector is built from the source and destination addresses, upper-layer protocol and port numbers of the IP packet that triggered the policy lookup; if there is no upper-layer protocol number or port number, those selector fields are filled with zeros. The SPDB is then searched for a match on this selector; for a mobile user, a template-type security policy will necessarily match. When the matching SP is determined to be of template type, a new security policy is generated from the selector's contents and inserted into the SPDB, and finally the type of the newly generated policy is set to temporary. The flow is the same on the security gateway and on the mobile user's client. The difference is what triggers it: on the mobile user's client the template SP is obtained when the user sends an IP packet, and once the template SP is found the temporary SP that IPSEC needs is generated by the flow of Figure 3; on the security gateway it is triggered by the IKE phase 2 negotiation message, and once the template SP is found the same flow generates the required temporary SP and the phase 2 negotiation continues.
Figure 4 describes the flow of the time-scheduling mechanism IKE uses to maintain the lifetime of SAs generated from temporary SPs. When the IKE process enters the scheduling queue for processing, the queue being ordered by scheduling time from earliest to latest, it first obtains the lifetime of the SA of the current scheduling task and checks whether it has hard-expired. If the SA's lifetime has not hard-expired, processing of the scheduling queue ends; if it has, the SA processing task runs. That task looks up the SA record in the SADB, sets its state to DEAD, and obtains the selector of the temporary SP it belongs to. The IKE process then sends the SADB an instruction to delete the SA record, followed by an instruction to the SPDB to delete the temporary SP the SA record belongs to. After each scheduling task, the IKE process checks whether it has reached the end of the task queue; if not, it processes the next scheduling task, and if so, it exits scheduling-queue processing.
The present invention requires that the lifetime of every SA generated from a temporary SP be counted in time. IKE maintains a scheduling queue to manage the lifetimes of SAs generated from temporary SPs; its scheduling interval can be adjusted as needed and generally need not be frequent, an interval of hours being possible. The schedule starts when IKE starts and stops only when IKE exits.
The elements of the scheduling queue consist of:
1) SAID;
2) time-based lifetime;
Because the SADB does not need to be accessed each time the scheduling queue is traversed, the corresponding SA and SP are processed only when an expired SA is found; see Figure 4 for the detailed flow.
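The template lookup and temporary-SP generation of Figures 2 and 3, together with the time-scheduled SA/SP cleanup of Figure 4, as an added Python model that is not the patent's own code. The class names, the longest-prefix tie-break standing in for the Radix tree, and all addresses other than the gateway address 10.52.33.1 from Figure 2 are assumptions.

```python
import heapq
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Selector:
    src: str        # CIDR; "0.0.0.0/0" is the all-zero source of a template SP
    dst: str        # CIDR; the gateway address in the mobile-user case
    proto: int = 0  # 0 = any upper-layer protocol
    port: int = 0   # 0 = any port

@dataclass
class SP:
    selector: Selector
    action: str                # "apply", "pass" or "discard"
    transform: str             # protocol and algorithms, e.g. "esp/aes-cbc/hmac-sha1"
    kind: str                  # "static", "template" or "temporary"
    sa_lifetime: int           # seconds; SAs from a template must be time-limited
    negotiating: bool = False  # set while a replacement SA is being negotiated

class SPDB:
    """Stands in for the Radix-tree SPDB: the longest combined src+dst prefix wins,
    so an exact host entry always beats the template whose source is 0.0.0.0/0."""

    def __init__(self) -> None:
        self.entries: List[SP] = []

    def lookup(self, src_ip: str, dst_ip: str, proto: int = 0, port: int = 0) -> Optional[SP]:
        best, best_len = None, -1
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for sp in self.entries:
            s = sp.selector
            src_net, dst_net = ipaddress.ip_network(s.src), ipaddress.ip_network(s.dst)
            if src not in src_net or dst not in dst_net:
                continue
            if s.proto not in (0, proto) or s.port not in (0, port):
                continue  # zero in the policy means "any"
            length = src_net.prefixlen + dst_net.prefixlen
            if length > best_len:
                best, best_len = sp, length
        return best

def find_or_instantiate(spdb: SPDB, src_ip: str, dst_ip: str, proto: int = 0, port: int = 0) -> SP:
    """Figure 3: if the lookup hits a template, clone it into a temporary SP whose
    source is the current host address and insert that SP into the SPDB."""
    sp = spdb.lookup(src_ip, dst_ip, proto, port)
    if sp is None:
        raise LookupError("no matching security policy")
    if sp.kind != "template":
        return sp
    sel = Selector(f"{src_ip}/32", sp.selector.dst, sp.selector.proto, sp.selector.port)
    temp = SP(sel, sp.action, sp.transform, "temporary", sp.sa_lifetime)
    spdb.entries.append(temp)
    return temp

@dataclass
class SA:
    said: int
    sp: SP
    hard_expiry: int      # absolute time (s) at which the lifetime hard-expires
    state: str = "MATURE"

class IkeScheduler:
    """Figure 4: queue of (hard_expiry, SAID) in ascending time order; the SADB is
    consulted only for entries whose time has come."""

    def __init__(self) -> None:
        self.queue: List[Tuple[int, int]] = []
        self.sadb: Dict[int, SA] = {}

    def install(self, sa: SA) -> None:
        self.sadb[sa.said] = sa
        heapq.heappush(self.queue, (sa.hard_expiry, sa.said))

    def run(self, now: int, spdb: SPDB) -> List[int]:
        """Process the expired entries; returns the SAIDs set to DEAD and removed."""
        dead, deferred = [], []
        while self.queue and self.queue[0][0] <= now:
            expiry, said = heapq.heappop(self.queue)
            sa = self.sadb.get(said)
            if sa is None:
                continue  # stale entry: the SA was already removed
            if sa.sp.negotiating:
                deferred.append((expiry, said))  # renewal in progress: leave it alone
                continue
            sa.state = "DEAD"
            del self.sadb[said]
            if sa.sp.kind == "temporary" and sa.sp in spdb.entries:
                spdb.entries.remove(sa.sp)  # the temporary SP goes with its SA
            dead.append(said)
        for item in deferred:
            heapq.heappush(self.queue, item)  # looked at again on the next run
        return dead
```

A second lookup for the same mobile address after instantiation returns the temporary SP rather than the template, because its /32 source prefix is longer; once the SA hard-expires with no renewal under way, both the SA and that temporary SP disappear and the template is matched again.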
Claims (6)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA2003101018080A CN1529531A (en) | 2003-10-17 | 2003-10-17 | A method for mobile users to access security gateway |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN1529531A true CN1529531A (en) | 2004-09-15 |
Family
ID=34304203
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNA2003101018080A Pending CN1529531A (en) | 2003-10-17 | 2003-10-17 | A method for mobile users to access security gateway |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1529531A (en) |
Cited By (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100413269C (en) * | 2004-10-29 | 2008-08-20 | 卡米尔资讯股份有限公司 | System and method for mobile terminal to access network host |
| CN1848838B (en) * | 2005-04-15 | 2010-10-27 | 华为技术有限公司 | Method and system for realizing wireless network service control in wireless communication system |
| CN1863048B (en) * | 2005-05-11 | 2012-04-11 | 中兴通讯股份有限公司 | Negotiation method for Internet key exchange between user and access device |
| US7933584B2 (en) | 2005-10-15 | 2011-04-26 | Huawei Technologies Co., Ltd. | Method for implementing security update of mobile station and a correlative reacting system |
| CN100456882C (en) * | 2005-10-15 | 2009-01-28 | 华为技术有限公司 | Method and system for realizing security update of mobile terminal through association response system |
| CN101273571B (en) * | 2006-02-16 | 2010-05-19 | 中兴通讯股份有限公司 | Implementation method of key negotiation security policy in cross-domain multi-gatekeeper group network |
| CN101052217B (en) * | 2006-04-06 | 2010-12-22 | 华为技术有限公司 | Automatic installation method and association response system of security association agent |
| CN101188492B (en) * | 2006-11-17 | 2010-08-18 | 中兴通讯股份有限公司 | System and method for implementing security services |
| WO2010083685A1 (en) * | 2009-01-22 | 2010-07-29 | 中兴通讯股份有限公司 | Method for realizing authentication center and authentication system |
| US8527762B2 (en) | 2009-01-22 | 2013-09-03 | Zte Corporation | Method for realizing an authentication center and an authentication system thereof |
| CN101729568B (en) * | 2009-12-11 | 2012-08-08 | 北京交通大学 | Safety access system and method for guaranteeing source address authenticity by using token mechanism |
| CN102592092A (en) * | 2012-01-09 | 2012-07-18 | 中标软件有限公司 | Strategy adaptation system and method based on SELinux (Security-Enhanced Linux) security subsystem |
| CN102592092B (en) * | 2012-01-09 | 2015-01-21 | 中标软件有限公司 | Strategy adaptation system and method based on SELinux (Security-Enhanced Linux) security subsystem |
| CN106572112A (en) * | 2016-11-09 | 2017-04-19 | 北京小米移动软件有限公司 | Access control method and device |
| CN107786554A (en) * | 2017-10-24 | 2018-03-09 | 哈尔滨工业大学(威海) | Method and apparatus for automatically detecting IPsec protocol man-in-the-middle attacks |
| CN107786554B (en) * | 2017-10-24 | 2019-08-02 | 哈尔滨工业大学(威海) | Method for automatically detecting IPsec protocol man-in-the-middle attacks |
| CN111193771A (en) * | 2019-12-03 | 2020-05-22 | 云深互联(北京)科技有限公司 | Mobile-end enterprise browser-based access method and device |
| EP4593324A1 (en) * | 2024-01-26 | 2025-07-30 | Nokia Solutions and Networks Oy | Cryptographic system and method for dynamic and automated secure preshared key rotation and distribution |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US6976177B2 (en) | Virtual private networks | |
| US6807181B1 (en) | Context based control data | |
| CN102970299B (en) | File safe protection system and method thereof | |
| US7003662B2 (en) | System and method for dynamically determining CRL locations and access methods | |
| CN100592746C (en) | Addressing mechanism in mobile internet protocol | |
| US7181012B2 (en) | Secured map messages for telecommunications networks | |
| US20020178355A1 (en) | System and method for multiple virtual private network authentication schemes | |
| CN1529531A (en) | A method for mobile users to access security gateway | |
| US20050102514A1 (en) | Method, apparatus and system for pre-establishing secure communication channels | |
| HK1045419A1 (en) | Method and system of enabling a proxy to participate in a secure communication and a cryptographic system | |
| KR20050071359A (en) | Method and system for authentication using infrastructureless certificates | |
| KR20030075224A (en) | Method of access control in wireless environment and recording medium in which the method is recorded | |
| JP4330342B2 (en) | Packet filtering method and packet communication system for ensuring communication security | |
| CN1523808A (en) | Data Encryption Method for Accessing Virtual Private Network (VPN) | |
| US20090031395A1 (en) | Security system for wireless networks | |
| US20020178356A1 (en) | Method for setting up secure connections | |
| CN100352220C (en) | Safety access method based on dynamic host configuration arrangment and network gate verification | |
| CN1314221C (en) | Safety proxy method | |
| CN1949705B (en) | A method for constructing a dynamic tunnel for secure access to a private local area network and a device for the method | |
| CN1747436A (en) | Access method and system for client end of virtual private network | |
| CN102594822A (en) | Implementation method for secure internet phone based on secure socket layer (SSL) | |
| CN101997875A (en) | Secure multi-party network communication platform and construction method and communication method thereof | |
| JP2011054182A (en) | System and method for using digital batons, and firewall, device, and computer readable medium to authenticate message | |
| WO2010129164A2 (en) | Method and apparatus for secure packet transmission | |
| CN1770761A (en) | Address renewing method based on network key exchange protocol |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |