CN101136928B - Reliable network access control system - Google Patents

Info

Publication number: CN101136928B
Application number: CN2007101760914A
Authority: CN (China)
Prior art keywords: access, platform, requestor, assessment, network
Legal status: Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN101136928A
Inventors: 沈昌祥, 张兴, 于昇, 祝璐, 周明, 周艺华
Current assignee: Beijing University of Technology
Original assignee: Beijing University of Technology
Events: application filed by Beijing University of Technology; priority to CN2007101760914A; publication of CN101136928A; application granted; publication of CN101136928B; current status Expired - Fee Related.

Classifications

    • H04L63/0876 Network security: authentication of entities based on the identity of the terminal or its configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0823 Network security: authentication of entities using certificates
    • H04L63/20 Network security: managing network security; network security policies in general
    • H04L63/105 Network security: controlling access to devices or network resources; multiple levels of security

Abstract

The architecture of the invention comprises three entities: the access requestor, the access controller and the policy manager. The policy manager manages the access requestor and the access controller, performs bidirectional user identity authentication between them and evaluates platform integrity. The access requestor and the access controller control their local ports according to the decisions of the policy manager. Before a terminal is connected to the network, the trusted network connection architecture (TNCA) measures the state of its platform. Using a security protocol based on a trusted third party, the invention implements the authentication and platform evaluation described above so as to guarantee the security of the TNCA. Introducing the policy manager simplifies key management in the architecture and improves its extensibility. Its features are higher security of platform integrity evaluation, centralized integrity verification and greater generality.

Description

A reliable network access control system
Technical field
The present invention relates to computer network architectures, gateways, network service standards and computer programs, and in particular to a trusted network access architecture and its core equipment; it belongs to the field of information security.
Background technology
With the gradual spread of informatization, the influence of computer networks on society deepens day by day, and information security has become an important social concern. When information security is discussed, people usually think first of resisting viruses, hacker attacks and intrusions coming from outside the computer, and hence of antivirus software and firewalls, while often ignoring attacks that originate inside the network. According to statistics from the international security community, 80% of the attacks and damage suffered by computer networks come from inside. At present, the information security measures used in the industry are mainly the "old three": patching vulnerabilities, building high walls and defending against external attacks; yet the end result remains hard to guard against. The main reason for this situation is that we do not control the root that produces the security problems, namely the terminal, and instead always apply blocking at the perimeter. We should therefore start by improving the security of the node itself, following the pattern of "internal defense as the main line, with both inside and outside defended", and construct an active and comprehensive security protection system.
The authoritative body for trusted computing technology in the world today is the Trusted Computing Group (TCG). This organization has always devoted itself to formulating standards for trusted technologies; faced with the variety of network attacks on trusted terminals, TCG formulated a network connection standard based on trusted technology, Trusted Network Connect (TNC). Trusted computing first guarantees the trustworthiness of every terminal, that is, the predictability of its behaviour; a trustworthy network system is then built from trustworthy terminals, improving the controllability of the network.
The main purpose of the TNC architecture is to realize a set of open network standards through a framework composed of various protocol standards. It provides the following functions:
Platform authentication: verifying the identity of the network access requestor and the integrity state of its platform.
Endpoint policy authorization: establishing a trust level for the state of the terminal, for example by confirming the existence, state and update status of applications, the version of the rule bases of the antivirus software and IDS, and the patch level of the terminal operating system and applications, so that the terminal is granted a network login authorization policy and obtains network access under a certain degree of authority control.
Access policy: confirming the authority of the terminal machine and its user, establishing a trust level before it connects to the network, and balancing existing standards, products and technologies.
Assessment, isolation and remediation: ensuring that terminals that do not meet the trusted policy requirements are isolated outside the trusted network and, where possible, carrying out suitable remedial measures.
1. The basic architecture of TNC and its entities
The basic architecture of TNC mainly comprises three entities, three layers and several interface modules. The architecture adds two layers above the traditional network access layer, which makes integrity verification between platforms possible and thereby satisfies trustworthiness, integrity and security.
2. The three main entities:
Access requestor AR (Access Requestor): its function is to send the access request and to collect the platform integrity and trust information that is sent to the PDP, so that the network connection can be established. This entity comprises the following components: the network access requestor (NAR), responsible for sending access requests and establishing network connections (an AR may have several different NARs, each establishing a different network connection); the TNC client (TNCC), responsible for gathering the integrity measurement information from the IMCs and at the same time measuring and reporting the integrity information of the platform and of the IMCs themselves; and the integrity measurement collector (IMC), which measures integrity attributes of the AR (an AR may have several different IMCs).
Policy enforcement point PEP (Policy Enforcement Point): this component controls access to the protected network. The PEP consults the PDP to decide whether an access should be granted.
Policy decision point PDP (Policy Decision Point): its function is to decide on the AR's access request according to the recommendation of the TNCS and the local security policy; the result of the decision is allow, forbid or isolate. This entity comprises three components: the network access authority (NAA), which decides whether an AR's access request is allowed, consulting the TNCS where necessary to decide whether the integrity state of the AR is consistent with the NAA's security policy and hence whether the request is allowed; the TNC server (TNCS), which controls the information flow between the IMVs and the IMCs, gathers the access decisions from the IMVs, forms a global access decision and passes it to the NAA; and the integrity measurement verifier (IMV), which verifies the integrity measurement values about the AR received from the IMC and makes an access decision.
3. The three basic layers:
Network access layer (Network Access Layer): this layer supports traditional network interconnection technologies such as 802.1X, VPN and AAA servers. Three entities reside in this layer: NAR, PEP and PDP.
Integrity evaluation layer (Integrity Evaluation Layer): responsible for evaluating the integrity of every entity that requests access to the network. Between this layer and the layer above there are two important interfaces: IF-IMC (Integrity Measurement Collector Interface) and IF-IMV (Integrity Measurement Verifier Interface). IF-IMC is the interface between the IMC and the TNCC; its main function is to collect integrity measurement values from the IMC and to support the information flow between the IMC and the IMV. IF-IMV is the interface between the IMV and the TNCS; its main function is to pass the integrity measurement values obtained from the IMC to the IMV, to support the information flow between the IMC and the IMV, and to pass the access decision made by the IMV to the TNCS.
Integrity measurement layer (Integrity Measurement Layer): the components that collect and check information about the integrity of the access requestor.
4. Other important interface modules:
IF-TNCCS is the interface between the TNCC and the TNCS. It defines a protocol that carries the following information: information from the IMC to the IMV (such as integrity measurement values); information from the IMV to the IMC (such as requests for additional integrity measurement values); session management information and some synchronization information.
IMC-IMV interface (IF-M): IF-M is the interface between the IMC and the IMV. The information carried on this interface is mainly vendor-specific.
Network authorization transport protocol (IF-T): IF-T maintains the message transport between the AR entity and the PDP entity. The components that maintain this interface in the two entities are the NAR and the NAA.
Policy enforcement point interface (IF-PEP): IF-PEP is the interface between the PDP and the PEP and maintains the message transport between them. Through it, the PDP can instruct the PEP to isolate the AR to a certain degree so that the AR can be remediated; once remediation is complete, the AR can be granted the right to access the network.
Summary of the invention
The object of the invention, based on research into and analysis of existing trusted network connection technologies at home and abroad, is a trusted network connection architecture with independent intellectual property rights. This trusted network connection architecture has three entities: the access requestor, the access controller and the policy manager. The policy manager manages the access requestor and the access controller, and performs bidirectional user identity authentication and platform integrity evaluation between them. The access requestor and the access controller control their local ports according to the decisions of the policy manager, thereby realizing the trusted network connection architecture.
The trusted network connection architecture measures the platform state of a terminal before it accesses the network; only terminals that satisfy the security policy are allowed to connect. This prevents computers that pose a potential threat to the network from accessing it directly, and is an active, preventive method. The trusted network connection architecture is an important component of the trusted computing architecture; its purpose is to extend the chain of trust from the terminal to the network, so that the trusted state of the terminal extends to the interconnected system of terminals.
The invention provides a trusted network connection framework and the core equipment for realizing a trusted network. It not only controls the access of trusted terminals to the network, but also accomplishes bidirectional user identity authentication, bidirectional platform identity authentication and platform state verification of the terminal, and can assess, isolate and remediate the terminal. At the same time it lays a foundation for compatibility between trusted computing terminals, access control equipment, policy management equipment, authentication equipment and network security equipment from different vendors.
1. Basic framework
The trusted network connection architecture is shown in Fig. 1.
The trusted network connection architecture describes functional layers, entities, components and interfaces. The architecture is divided into three functional layers: the network access control layer, the trusted platform evaluation layer and the integrity measurement layer. It has three entities: the access requestor, the access controller and the policy manager. Each entity comprises several functional components, and a series of interfaces exists between the components.
2. Entities
The trusted network connection architecture has three entities:
Access requestor AR (Access Requestor): the entity that requests a connection. Its function is to send the access request, complete user identity authentication with the access controller, collect the integrity measurement values and send them to the access controller, complete the platform integrity evaluation with the access controller, and wait for the network connection to be established. This entity comprises the following components: the network access requestor, the TNC client and the integrity collector.
Access controller AC (Access Controller): its function is to control the access of the access requestor to the network; to receive the platform authentication policy and the evaluation policy distributed by the policy manager; to receive the integrity measurement values of the access requestor, collect its own integrity measurement values and send all of these values to the policy manager; and to enforce the decision of the policy manager. This entity comprises the following components: the network access controller, the TNC server and the integrity collector.
Policy manager PM (Policy Manager): the policy manager is responsible for defining and distributing the network access control policy and the trusted evaluation policy; assisting the access requestor and the access controller with user identity authentication; verifying the validity of the AIK certificates of the access requestor and the access controller; checking the platform integrity of the access requestor and the access controller; and generating the network access control decisions for the access requestor and the access controller. This entity comprises the following components: the authentication policy server, the evaluation policy server and the integrity verifier.
This framework is the logical architecture of the trusted network connection; an entity or component may be a piece of software, a device, or even a whole system. Several entities and components may be implemented on different devices or, as required, on a single device.
3. Layers
The trusted network connection architecture is divided into three layers, from bottom to top:
Network access control layer (Network Access Control Layer): realizes bidirectional user identity authentication between the network access requestor and the network access controller. The user identities of the network access requestor and the network access controller are authenticated with the help of a trusted third party entity, namely the authentication policy server; the access requestor and the access controller are peers in the authentication process. The access requestor and the access controller control their own ports according to the user identity authentication result of the network access control layer and the access decision of the trusted platform evaluation layer, thereby realizing mutual access control.
Trusted platform evaluation layer (Trusted Platform Evaluation Layer): realizes platform integrity evaluation between the TNC client and the TNC server. This evaluation is performed with the help of a trusted third party, namely the evaluation policy server. Platform integrity evaluation comprises platform identity authentication and platform integrity checking. In the trusted platform evaluation process, verification of the AIK certificates and platform integrity checking of the access requestor and the access controller are completed by the policy manager. The policy manager makes a decision on the platform integrity of the access requestor and the access controller, and the network access control layer performs connection control according to this decision.
Integrity measurement layer (Integrity Measurement Layer): responsible for collecting and checking the platform integrity of the access requestor and the access controller. The integrity collectors of the access requestor and the access controller each collect the integrity information of their own platform, and the integrity verifier of the policy manager is responsible for checking the platform integrity of both.
4. Functional components
The trusted network connection architecture comprises the following functional components:
Network access requestor (Network Access Requestor, NAR): responsible for initiating the access request to the access controller and for realizing bidirectional user identity authentication between the access requestor and the access controller at the network access control layer; responsible for forwarding the protocol data of the trusted platform evaluation layer to the access controller or the policy manager; and controls its own port according to the decision generated by the authentication policy server and the decision generated by the evaluation policy server, so as to realize connection control towards the access controller.
Network access controller (Network Access Controller, NAC): realizes bidirectional user identity authentication between the access requestor and the access controller; responsible for forwarding the protocol data of the trusted platform evaluation layer to the network access requestor and the authentication policy server; and controls its own port according to the decision generated by the authentication policy server and the decision generated by the evaluation policy server, so as to realize access control over the access requestor.
Authentication policy server (Authentication Policy Server, APS): serves as the trusted third party responsible for realizing bidirectional user identity authentication between the access requestor and the access controller.
TNC client (TNC Client, TNCC): requests and receives integrity measurement values from the integrity collector in the layer above through the IF-IMC interface; realizes the bidirectional platform integrity evaluation of the access requestor and the access controller; and generates the connection decision according to the evaluation result produced by the evaluation policy server and sends it to the network access requestor.
TNC server (TNC Server, TNCS): requests and receives integrity measurement values from the integrity collector in the layer above through the IF-IMC interface; realizes the bidirectional platform integrity evaluation of the access requestor and the access controller; and generates the access decision according to the evaluation result produced by the evaluation policy server and sends it to the network access controller.
Evaluation policy server (Evaluation Policy Server, EPS): serves as the trusted third party that realizes the bidirectional platform integrity evaluation of the access requestor and the access controller. The evaluation policy server verifies the validity of the AIK certificates of the access requestor and the access controller, sends their platform integrity measurement values to the integrity verifier (IMV) in the layer above through the IF-IMV interface, and receives the check results for those values returned by the IMV.
Integrity collector (Integrity Measurement Collector, IMC): uses the integrity services provided by the trusted computing platform to collect the platform integrity information of the access requestor and the access controller.
Integrity verifier (Integrity Measurement Verifier, IMV): uses the integrity management mechanism to check the platform integrity information of the access requestor and the access controller.
5. Interfaces
The trusted network connection architecture has a number of interfaces. They define the relationships between components and the protocols by which the components exchange messages. The interfaces are:
Trusted network transport interface (Trusted Network Transport Interface, IF-TNT): the interface between the network access requestor and the network access controller; it defines the information exchange between them.
Authentication policy service interface (Authentication Policy Service Interface, IF-APS): the interface between the network access controller and the authentication policy server; it defines the information exchange between them.
TNC client-server interface (TNC Client-Server Interface, IF-TNCCS): the interface between the TNC client and the TNC server; it defines the information exchange between them.
Evaluation policy service interface (Evaluation Policy Service Interface, IF-EPS): the interface between the TNC server and the evaluation policy server; it defines the information exchange between them.
Integrity measurement interface (Integrity Measurement Interface, IF-IM): the interface between the integrity collector and the integrity verifier; it defines the interoperability protocol between integrity collectors and integrity verifiers produced by different manufacturers.
Integrity measurement collector interface (Integrity Measurement Collector Interface, IF-IMC): the protocol interface between the TNC client and the integrity collector, and between the TNC server and the integrity collector; it defines how platform integrity information is requested and received.
Integrity measurement verifier interface (Integrity Measurement Verifier Interface, IF-IMV): the protocol interface between the evaluation policy server and the integrity verifier; it defines the protocol for sending platform integrity information to the integrity verifier and receiving the check results for that information.
Beneficial effects
The introduction of the policy manager simplifies the key management of this trusted network connection architecture and at the same time improves its extensibility.
The introduction of the evaluation policy server within the policy manager facilitates centralized management and distribution of the platform trust policy; acting as the trusted third party, it gives the platform integrity evaluation of the trusted platform evaluation layer higher security, while also realizing centralized checking of platform integrity.
Description of drawings
Fig. 1: the trusted network connection architecture.
Fig. 2: the information flow of the trusted network connection architecture; the numerals correspond to the steps of the information flow.
Embodiment
Information flow
The complete information flow of the trusted network connection architecture is shown in Fig. 2.
The information flow of the trusted network connection architecture is:
(1) The network access requestor initiates an access request to the network access controller.
(2) After the network access controller receives the access request, it performs bidirectional user identity authentication of the access requestor and the access controller together with the network access requestor and the authentication policy server. During user identity authentication the policy manager serves as the trusted third party and negotiates a master key between the access requestor and the access controller; the access requestor and the access controller then use this master key to negotiate a session key between them. At the same time, the access requestor and the access controller control their local ports according to the result of the bidirectional user identity authentication.
(3) After user identity authentication and key agreement succeed, the network access requestor and the network access controller report the success to the TNC client and the TNC server respectively.
(4) After the TNC server receives this success notification, the bidirectional platform integrity evaluation of the access requestor and the access controller is carried out, comprising platform identity authentication and platform integrity checking. The evaluation policy server is responsible for verifying the AIK certificates of the access requestor and the access controller and for checking their platform integrity, and finally generates the platform integrity evaluation results for both. During the platform integrity evaluation, the TNC client, the TNC server and the evaluation policy server interact with the integrity collectors and the integrity verifier of the integrity measurement layer.
(5) After the platform integrity evaluation of the access requestor and the access controller is complete, the TNC client and the TNC server generate the corresponding access decisions from the platform integrity evaluation results produced by the evaluation policy server, and send them to the network access requestor and the network access controller respectively.
The network access requestor and the network access controller each control their local port according to the access decision they receive (allow, forbid or isolate), thereby realizing the trusted network connection architecture: the access controller controls the access of the access requestor to the network according to the decision, and the access requestor decides according to the decision whether to connect to this network.
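As an added worked example (not code from the patent), the following Python simulates the five-step flow above: the authentication policy server negotiates a master key between AR and AC, both sides derive a session key from it, the evaluation policy server checks AIK certificate validity and the integrity verifier checks the collected measurement values, and the resulting allow/forbid/isolate decision drives each side's local port. The entity names, keys, component contents and the HMAC-based key wrapping are assumptions made for the simulation.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ALLOW, FORBID, ISOLATE = "allow", "forbid", "isolate"


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stands in for the MAC and key-derivation primitive (assumption)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


@dataclass
class Endpoint:
    """AR or AC: identity, long-term key shared with the PM, measured components."""
    eid: str
    ltk: bytes
    components: dict  # component name -> content bytes (constructed sample data)


@dataclass
class PolicyManager:
    """Trusted third party hosting the APS, the EPS and the integrity verifier."""
    secret: bytes
    ltk: dict        # entity id -> long-term key (authentication policy server)
    aik_certs: dict  # entity id -> {"expired": bool} (evaluation policy server)
    reference: dict  # component name -> expected digest (integrity verifier policy)
    critical: set    # components whose mismatch cannot be fixed by remediation


def xor_wrap(ltk: bytes, blob: bytes, n_ar: bytes, n_ac: bytes) -> bytes:
    """Wrap or unwrap a 32-byte key with a keystream derived from a long-term key."""
    stream = prf(ltk, b"wrap", n_ar, n_ac)
    return bytes(a ^ b for a, b in zip(blob, stream))


def aps_negotiate_master_key(pm, ar_id, ac_id, n_ar, n_ac):
    """Step 2: APS derives a pairwise master key, wrapped for each party under its
    own long-term key; (None, None) if either identity is unknown to the PM."""
    if ar_id not in pm.ltk or ac_id not in pm.ltk:
        return None, None
    master = prf(pm.secret, ar_id.encode(), ac_id.encode(), n_ar, n_ac)
    return (xor_wrap(pm.ltk[ar_id], master, n_ar, n_ac),
            xor_wrap(pm.ltk[ac_id], master, n_ar, n_ac))


def derive_session_key(master: bytes, n_ar: bytes, n_ac: bytes) -> bytes:
    """Step 2: AR and AC each derive the session key from the master key and nonces."""
    return prf(master, b"session", n_ar, n_ac)


def imc_collect(endpoint: Endpoint) -> dict:
    """Integrity collector: one digest per platform component."""
    return {n: hashlib.sha256(d).hexdigest() for n, d in endpoint.components.items()}


def eps_evaluate(pm: PolicyManager, eid: str, measurements: dict) -> str:
    """Step 4: EPS checks the AIK certificate, then the IMV compares measurements with
    the reference policy: bad AIK or critical mismatch -> forbid, other mismatch ->
    isolate for remediation, everything matching -> allow."""
    cert = pm.aik_certs.get(eid)
    if cert is None or cert["expired"]:
        return FORBID
    mismatched = {c for c, ref in pm.reference.items() if measurements.get(c) != ref}
    if not mismatched:
        return ALLOW
    return FORBID if mismatched & pm.critical else ISOLATE


def port_state(decision: str) -> str:
    """Step 5: NAR and NAC map the access decision onto their local port."""
    return {ALLOW: "authorized", ISOLATE: "remediation", FORBID: "closed"}[decision]


def connect(pm: PolicyManager, ar: Endpoint, ac: Endpoint) -> dict:
    """Run the whole flow and report what each side decided about the other."""
    closed = {"identity_ok": False, "ar_port": "closed", "ac_port": "closed"}
    n_ar, n_ac = os.urandom(16), os.urandom(16)  # step 1: request carries fresh nonces
    w_ar, w_ac = aps_negotiate_master_key(pm, ar.eid, ac.eid, n_ar, n_ac)
    if w_ar is None:
        return closed
    k_ar = derive_session_key(xor_wrap(ar.ltk, w_ar, n_ar, n_ac), n_ar, n_ac)
    k_ac = derive_session_key(xor_wrap(ac.ltk, w_ac, n_ar, n_ac), n_ar, n_ac)
    # Key confirmation: a party holding the wrong long-term key derives a different
    # session key, so the confirmation MACs differ and both ports stay closed.
    if not hmac.compare_digest(prf(k_ar, b"confirm", n_ac), prf(k_ac, b"confirm", n_ac)):
        return closed
    # Steps 3-4: TNCC/TNCS are told of the success and run the bidirectional
    # platform integrity evaluation through the evaluation policy server.
    ac_decision = eps_evaluate(pm, ar.eid, imc_collect(ar))  # AC's verdict on the AR
    ar_decision = eps_evaluate(pm, ac.eid, imc_collect(ac))  # AR's verdict on the AC
    return {"identity_ok": True, "ar_decision": ar_decision, "ac_decision": ac_decision,
            "ar_port": port_state(ar_decision), "ac_port": port_state(ac_decision)}


# Constructed sample platform contents and keys; none of these values come from the patent.
GOOD_KERNEL, GOOD_AV = b"kernel-image-v1", b"av-signatures-v7"
REFERENCE = {"kernel": hashlib.sha256(GOOD_KERNEL).hexdigest(),
             "antivirus": hashlib.sha256(GOOD_AV).hexdigest()}


def build_pm() -> PolicyManager:
    return PolicyManager(secret=b"pm-secret", ltk={"ar1": b"k-ar1", "ac1": b"k-ac1"},
                         aik_certs={"ar1": {"expired": False}, "ac1": {"expired": False}},
                         reference=REFERENCE, critical={"kernel"})


def build_ar(kernel=GOOD_KERNEL, av=GOOD_AV, ltk=b"k-ar1") -> Endpoint:
    return Endpoint("ar1", ltk, {"kernel": kernel, "antivirus": av})


def build_ac() -> Endpoint:
    return Endpoint("ac1", b"k-ac1", {"kernel": GOOD_KERNEL, "antivirus": GOOD_AV})
```

Calling `connect(build_pm(), build_ar(av=b"stale"), build_ac())` yields an isolate decision on the AC side while the AR still rates the controller as allowed, which is the remediation path the flow describes.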
Access requestor
Hardware: a complete host system with a trusted platform control module, comprising processor, memory, network adapter and so on.
Software: operating system, platform trust services, network access request module, TNC client, integrity collection module.
Access controller
Hardware: a complete host system with a trusted platform control module, comprising processor, memory, network adapter and so on.
Software: operating system, platform trust services, network access control module, TNC server module, integrity collection module.
Policy manager
Hardware: a complete host system with a trusted platform control module, comprising processor, memory, network adapter and so on.
Software: operating system, platform trust services, authentication policy service module, evaluation policy service module, integrity check module.
Comparison of this scheme with TNC
TNC has no policy manager. This scheme adds a policy manager that manages the policies of the trusted network centrally, which facilitates centralized control; centralizing policy and platform checking avoids attacks on terminals that would result from a compromised controller; and the certificate system introduced with it simplifies the key management of the trusted network connection architecture while improving its extensibility.
The evaluation policy server facilitates centralized management and distribution of the platform trust policy; acting as the trusted third party, it gives the platform integrity evaluation of the trusted platform evaluation layer higher security, while also realizing centralized checking of platform integrity.

Claims (1)

1. A trusted network access control system, characterized in that the system is divided into three functional layers: a network access control layer, a trusted platform evaluation layer and an integrity measurement layer; and has three entities: an access requestor, an access controller and a policy manager;
The trusted network access control system has three entities:
Access requestor: the entity that requests a connection; its functions are to send the access request, complete mutual user identity authentication with the access controller, collect integrity measurement values and send them to the access controller, complete the platform integrity assessment with the access controller, and wait for the network connection to be established; this entity comprises the following components: network access requestor, trusted network connect client and integrity collector;
Access controller: its function is to control the access requestor's access to the network; it receives the platform trust authentication policy and assessment policy distributed by the policy manager; it receives the integrity measurement values of the access requestor, collects its own integrity measurement values, and sends these integrity measurement values to the policy manager; it acts according to the decision of the policy manager; this entity comprises the following components: network access controller, trusted network connect server and integrity collector;
Policy manager: the policy manager is responsible for defining and distributing the network access control policy and the trust assessment policy; it assists the access requestor and the access controller in user identity authentication; it verifies the validity of the attestation identity key certificates of the access requestor and the access controller; it checks the platform integrity of the access requestor and the access controller, and generates the network access control decisions for the access requestor and the access controller; this entity comprises the following components: authentication policy server, assessment policy server and integrity checker;
The trusted network access control system is divided into three layers from bottom to top:
Network access control layer: the network access requestor, the network access controller and the authentication policy server are respectively the functional units of the access requestor, the access controller and the policy manager at this layer; the network access requestor, the network access controller and the authentication policy server execute the user identity authentication protocol; mutual user identity authentication between the access requestor and the access controller is realized with the help of the policy manager, and the access requestor and the access controller are peers in the authentication process; the access requestor and the access controller each control their own port according to the user identity authentication result of the network access control layer and the assessment result of the trusted platform evaluation layer, thereby realizing mutual access control;
Trusted platform evaluation layer: the trusted network connect client, the trusted network connect server and the assessment policy server are respectively the functional units of the access requestor, the access controller and the policy manager at this layer; the trusted network connect client, the trusted network connect server and the assessment policy server execute the trusted platform assessment protocol; the platform integrity assessment between the access requestor and the access controller is realized with the help of a trusted third party, namely the assessment policy server; the platform integrity assessment comprises platform credential authentication and platform integrity checking; in the trusted platform evaluation process, the verification of the attestation identity key certificates of the access requestor and the access controller and the platform integrity checking are completed by the policy manager; the policy manager assesses the platform integrity of the access requestor and the access controller, and the network access control layer performs access control according to this assessment;
Integrity measurement layer: the integrity collector of the access requestor, the integrity collector of the access controller and the integrity checker of the policy manager are the functional units at this layer, responsible for collecting and checking the platform integrity of the access requestor and the access controller; the integrity collectors of the access requestor and the access controller each collect the integrity information of their own platform, and the integrity checker of the policy manager is responsible for checking the platform integrity of the access requestor and the access controller;
The trusted network access control system comprises the following functional units:
Network access requestor: its functions are to initiate the access request to the access controller and to perform, together with the network access controller and the authentication policy server, the mutual user identity authentication of the network access control layer; to forward the data of the trusted platform evaluation layer to the access controller or the policy manager; and to control its own port according to the decision generated by the authentication policy server and the decision generated by the assessment policy server, so as to realize access control towards the access controller;
Network access controller: realizes the mutual user identity authentication of the access requestor and the access controller together with the network access requestor and the authentication policy server; is responsible for forwarding the data of the trusted platform evaluation layer to the network access requestor and the authentication policy server; controls its own port according to the decision generated by the authentication policy server and the decision generated by the assessment policy server, so as to realize access control towards the access requestor;
Authentication policy server: its function is to serve as the trusted third party that realizes the mutual user identity authentication between the access requestor and the access controller;
Trusted network connect client: its functions are to request and receive integrity measurement values from the upper-layer integrity collector through the integrity measurement collection interface; to realize the bidirectional platform integrity assessment of the access requestor and the access controller; and to generate the connection decision according to the assessment result produced by the assessment policy server and send it to the network access requestor;
Trusted network connect server: its functions are to request and receive integrity measurement values from the upper-layer integrity collector through the integrity measurement collection interface; to realize the bidirectional platform integrity assessment of the access requestor and the access controller; and to generate the connection decision according to the assessment result produced by the assessment policy server and send it to the network access controller;
Assessment policy server: its function is to serve as the trusted third party that realizes the bidirectional platform integrity assessment of the access requestor and the access controller; the assessment policy server verifies the validity of the attestation identity key certificates of the access requestor and the access controller; it sends the platform integrity measurement values of the access requestor and the access controller to the upper-layer integrity checker through the integrity measurement check interface, and receives the check results for the platform integrity measurement values of the access requestor and the access controller returned by the integrity checker;
Integrity collector: its function is to use the integrity service provided by the trusted computing platform to collect the platform integrity information of the access requestor and the access controller;
Integrity checker: its function is to check the platform integrity information of the access requestor and the access controller using the integrity management mechanism;
The trusted network access control system has several interfaces, which are:
Trusted network transport interface: the interface between the network access requestor and the network access controller; it defines the information exchange between the network access requestor and the network access controller;
Authentication policy service interface: the interface between the network access controller and the authentication policy server; it defines the information exchange between the network access controller and the authentication policy server;
Trusted network connect client - trusted network connect server interface: the interface between the trusted network connect client and the trusted network connect server; it defines the information exchange between the trusted network connect client and the trusted network connect server;
Assessment policy service interface: the interface between the trusted network connect server and the assessment policy server; it defines the information exchange between the trusted network connect server and the assessment policy server;
Integrity measurement interface: the interface between the integrity collector and the integrity checker; this interface defines the interoperability protocol between integrity collectors and integrity checkers produced by different manufacturers;
Integrity measurement collection interface: the protocol interface between the trusted network connect client and the integrity collector, and between the trusted network connect server and the integrity collector; this interface defines the request for and receipt of platform integrity information;
Integrity measurement check interface: the interface between the assessment policy server and the integrity checker; this interface defines the protocol messages for sending platform integrity information to the integrity checker and for receiving the platform integrity information check results.
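The three-layer flow of the claim (mutual identity authentication, platform assessment by the policy manager as trusted third party, and port control on each side) and the centralized checking described in the TNC comparison, as an added toy model in Python that is not part of the patent; the class layouts, the SHA-256 stand-in for platform measurements and all sample users, certificate ids and component names are assumptions.

```python
# Added toy model (not from the patent): identity check, platform assessment by a trusted third party, then port control.
from dataclasses import dataclass
import hashlib

def measure(data: bytes) -> str:
    """Stand-in for a TPM/TPCM measurement: SHA-256 digest of a component."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class Platform:
    """Access requestor or access controller (hypothetical field layout)."""
    user: str
    aik_cert: str
    components: dict            # component name -> bytes (constructed sample)
    port_open: bool = False

    def collect_measurements(self) -> dict:
        """Integrity collector: measures every component of its own platform."""
        return {k: measure(v) for k, v in self.components.items()}

    def control_port(self, peer_identity_ok: bool, peer_platform_ok: bool) -> bool:
        """The port opens only if both results about the peer are positive."""
        self.port_open = peer_identity_ok and peer_platform_ok
        return self.port_open

@dataclass
class PolicyManager:
    """Trusted third party: known users, valid AIK certs, reference values."""
    known_users: set
    valid_aik_certs: set
    reference_values: dict      # component name -> expected digest

    def authenticate(self, user: str) -> bool:
        return user in self.known_users

    def assess(self, aik_cert: str, measurements: dict) -> bool:
        """Platform credential check, then integrity check: an unknown AIK cert
        or a missing, extra or altered component gives a negative result."""
        if aik_cert not in self.valid_aik_certs:
            return False
        if set(measurements) != set(self.reference_values):
            return False
        return all(self.reference_values[k] == d for k, d in measurements.items())

def connect(pm: PolicyManager, ar: Platform, ac: Platform) -> tuple:
    """Runs the three layers; returns (ar.port_open, ac.port_open)."""
    ar_id_ok, ac_id_ok = pm.authenticate(ar.user), pm.authenticate(ac.user)
    ar_meas, ac_meas = ar.collect_measurements(), ac.collect_measurements()
    # the AC forwards both measurement sets to the policy manager, which assesses both
    ar_pf_ok = pm.assess(ar.aik_cert, ar_meas)
    ac_pf_ok = pm.assess(ac.aik_cert, ac_meas)
    # each side controls its own port from the results about its peer
    ar.control_port(ac_id_ok, ac_pf_ok)
    ac.control_port(ar_id_ok, ar_pf_ok)
    return ar.port_open, ac.port_open

# Constructed sample: reference values taken from a known-good component set
GOOD = {"kernel": b"kernel-v1", "tnc-client": b"tnc-1.0"}
PM = PolicyManager({"alice", "gateway"}, {"aik-ar-1", "aik-ac-1"},
                   {k: measure(v) for k, v in GOOD.items()})

def demo(tamper_ar: bool = False, revoke_ac: bool = False) -> tuple:
    ar_comps = dict(GOOD)
    if tamper_ar:
        ar_comps["kernel"] = b"kernel-v1-modified"   # altered AR component
    ac_cert = "aik-ac-revoked" if revoke_ac else "aik-ac-1"
    ar = Platform("alice", "aik-ar-1", ar_comps)
    ac = Platform("gateway", ac_cert, dict(GOOD))
    return connect(PM, ar, ac)
```

A tampered requestor makes the controller close its port while the requestor's own port still opens, which is why the claim has each side decide about its peer rather than about itself.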
CN2007101760914A 2007-10-19 2007-10-19 Reliable network access control system Expired - Fee Related CN101136928B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007101760914A CN101136928B (en) 2007-10-19 2007-10-19 Reliable network access control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2007101760914A CN101136928B (en) 2007-10-19 2007-10-19 Reliable network access control system

Publications (2)

Publication Number Publication Date
CN101136928A CN101136928A (en) 2008-03-05
CN101136928B true CN101136928B (en) 2012-01-11

Family

ID=39160754

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101760914A Expired - Fee Related CN101136928B (en) 2007-10-19 2007-10-19 Reliable network access control system

Country Status (1)

Country Link
CN (1) CN101136928B (en)

Families Citing this family (50)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100566251C (en) * 2007-08-01 2009-12-02 西安西电捷通无线网络通信有限公司 A kind of trusted network connection method that strengthens fail safe
CN100534036C (en) 2007-08-01 2009-08-26 西安西电捷通无线网络通信有限公司 A trusted network connection method based on three-element peer authentication
CN100566252C (en) 2007-08-03 2009-12-02 西安西电捷通无线网络通信有限公司 A kind of trusted network connection system of differentiating based on the ternary equity
CN100512313C (en) * 2007-08-08 2009-07-08 西安西电捷通无线网络通信有限公司 A trusted network connection system for security enhancement
CN100553212C (en) 2007-11-16 2009-10-21 西安西电捷通无线网络通信有限公司 A kind of reliable network access control system of differentiating based on the ternary equity
CN100496025C (en) 2007-11-16 2009-06-03 西安西电捷通无线网络通信有限公司 Ternary equal identification based reliable network access control method
CN101247410B (en) * 2008-03-28 2011-06-08 上海中标软件有限公司 Method for implementing reliable network system based on reliable computation
CN101277303B (en) * 2008-05-16 2011-06-29 东南大学 Control method for reliable controllable network architecture
CN101286844B (en) 2008-05-29 2010-05-12 西安西电捷通无线网络通信有限公司 Entity bidirectional identification method supporting fast switching
CN100581170C (en) 2008-08-21 2010-01-13 西安西电捷通无线网络通信有限公司 Trusted network management method based on ternary peer-to-peer identification trusted network connections
CN101345660B (en) * 2008-08-21 2010-06-09 西安西电捷通无线网络通信有限公司 Reliable network management method based on TCPA/TCG reliable network connection
CN101383823B (en) * 2008-10-08 2011-03-23 东南大学 Network resource access control method in reliable access
CN101582882B (en) * 2008-10-10 2011-04-20 华为技术有限公司 Access method, network system and device
CN100581107C (en) 2008-11-04 2010-01-13 西安西电捷通无线网络通信有限公司 Trusted platform verification method based on three-element peer authentication
CN101447992B (en) * 2008-12-08 2011-04-06 西安西电捷通无线网络通信股份有限公司 Trusted network connection implementing method based on three-element peer-to-peer authentication
CN101784051B (en) * 2009-01-21 2012-11-21 华为技术有限公司 Method for verifying completeness of platform, network device and network system
CN101488851B (en) * 2009-02-25 2011-12-21 中国人民解放军信息工程大学 Method and apparatus for signing identity verification certificate in trusted computing
CN101527717B (en) * 2009-04-16 2012-11-28 西安西电捷通无线网络通信股份有限公司 Implementation method of ternary-equally recognizing credible network connecting architecture
CN101527718B (en) 2009-04-16 2011-02-16 西安西电捷通无线网络通信股份有限公司 Method for building ternary-equally recognizing credible network connecting architecture
CN101540676B (en) * 2009-04-28 2012-05-23 西安西电捷通无线网络通信股份有限公司 Platform identifying method suitable to identify credible network connecting construction in ternary equal way
CN101572706B (en) * 2009-06-08 2011-06-01 西安西电捷通无线网络通信股份有限公司 Platform authentication message management method suitable for tri-element peer authentication trusted network connect architecture
CN101572704B (en) * 2009-06-08 2012-05-23 西安西电捷通无线网络通信股份有限公司 Access control method suitable for tri-element peer authentication trusted network connect architecture
CN101635709B (en) * 2009-08-25 2011-04-27 西安西电捷通无线网络通信股份有限公司 Method for realizing two-way platform authentication
CN102215211B (en) * 2010-04-02 2016-01-20 中兴通讯股份有限公司 The security policy negotiation method and system of communication means, the access of support trustable network
CN101951607A (en) * 2010-10-14 2011-01-19 中国电子科技集团公司第三十研究所 Reliability-based wireless local area network trusted accessing method and system
CN101989990A (en) * 2010-11-10 2011-03-23 西安西电捷通无线网络通信股份有限公司 Secure remote certification method and system suitable for trusted connect architecture
CN102035837B (en) * 2010-12-07 2013-06-05 广东金赋信息科技有限公司 Method and system for hierarchically connecting trusted networks
CN102045355B (en) * 2010-12-20 2013-01-16 西安西电捷通无线网络通信股份有限公司 Platform identification realizing method suitable for trusted network connection framework of trusted computing group (TCG)
CN102355467B (en) * 2011-10-18 2015-07-08 国网电力科学研究院 Power transmission and transformation equipment state monitoring system security protection method based on trust chain transmission
CN103067338B (en) * 2011-10-20 2017-04-19 上海贝尔股份有限公司 Third party application centralized safety management method and system and corresponding communication system
CN103312499B (en) 2012-03-12 2018-07-03 西安西电捷通无线网络通信股份有限公司 A kind of identity identifying method and system
CN103312670A (en) 2012-03-12 2013-09-18 西安西电捷通无线网络通信股份有限公司 Authentication method and system
CN103023911B (en) * 2012-12-25 2015-10-14 北京工业大学 Trustable network equipment access trustable network authentication method
CN103618613A (en) * 2013-12-09 2014-03-05 北京京航计算通讯研究所 Network access control system
CN103780395B (en) * 2014-01-24 2017-11-10 广东电网公司电力科学研究院 Network insertion proves the method and system of two-way measurement
CN104811465B (en) * 2014-01-27 2018-06-01 电信科学技术研究院 The decision-making technique and equipment of a kind of access control
CN104079570B (en) * 2014-06-27 2017-09-22 东湖软件产业股份有限公司 A kind of trusted network connection method based on IPsec
CN104462899A (en) * 2014-11-29 2015-03-25 中国航空工业集团公司第六三一研究所 Trust access control method for comprehensive avionics system
CN104468606B (en) * 2014-12-24 2018-10-09 国家电网公司 A kind of credible connection system and method controlling class system based on power generation
CN104618396B (en) * 2015-03-04 2018-01-02 浪潮集团有限公司 A kind of trustable network access and access control method
CN109714185B (en) * 2017-10-26 2022-03-04 阿里巴巴集团控股有限公司 Strategy deployment method, device and system of trusted server and computing system
CN109150866A (en) * 2018-08-09 2019-01-04 郑州云海信息技术有限公司 A kind of policy distribution feedback and check system and method
CN109413107A (en) * 2018-12-18 2019-03-01 北京可信华泰信息技术有限公司 A kind of credible platform connection method
CN109861970B (en) * 2018-12-18 2022-04-22 北京可信华泰信息技术有限公司 System based on credible strategy
CN109768967A (en) * 2018-12-18 2019-05-17 北京可信华泰信息技术有限公司 A kind of credible platform connection system
CN111654490B (en) * 2020-05-28 2022-08-30 全球能源互联网研究院有限公司 Power security credible monitoring system and credible dynamic association perception method
CN112966260A (en) * 2021-03-03 2021-06-15 北京中安星云软件技术有限公司 Data security agent system and method based on domestic trusted computing platform
CN113726727A (en) * 2021-05-30 2021-11-30 国网河北省电力有限公司信息通信分公司 Electric power Internet of things trusted connection method based on edge computing
CN113794685B (en) * 2021-08-16 2023-09-29 德威可信(北京)科技有限公司 Data transmission method and device based on credibility assessment
CN115001838A (en) * 2022-06-20 2022-09-02 上海电器科学研究所(集团)有限公司 Plug-and-play credible access verification method for edge equipment of network collaborative manufacturing platform

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
TCG Trusted Network Connect TNC Architecture for Interoperability Specification Version 1.1 Revision 2. 2006, full text. *
Zhang Tao. Research on the application of the Trusted Network Connect (TNC) architecture. Computer Knowledge and Technology, 2005, No. 11 (200511), pp. 24-26. *

Also Published As

Publication number Publication date
CN101136928A (en) 2008-03-05


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120111

Termination date: 20211019