CN117560224A - Password governance system and method - Google Patents

Info

Publication number: CN117560224A
Authority: CN (China)
Prior art keywords: password, security, data, security gateway, sends
Legal status: Granted
Application number: CN202410022518.9A
Other languages: Chinese (zh)
Other versions: CN117560224B (en)
Inventors: 翁庆辉, 陈庆文, 赖月美, 吴康明, 游廷
Current assignee: Shenzhen Hi Tech Industrial Park Information Network Co ltd
Original assignee: Shenzhen Hi Tech Industrial Park Information Network Co ltd
Events: application filed by Shenzhen Hi Tech Industrial Park Information Network Co ltd; priority to CN202410022518.9A; publication of CN117560224A; application granted; publication of CN117560224B; legal status active (current)

Classifications

    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/105 Multiple levels of security
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/40 Network security protocols


Abstract

The invention relates to a password governance system and a password governance method. The system comprises a password management center, a first security gateway, a second security gateway, a user area switch, a second switch, a service application system, an event acquisition module, a security assessment center, a plurality of computer terminals, security software and password media. The invention enables secure data transmission between areas of different network security levels and performs security assessment on the real-time state of the system.

Description

Password governance system and method
Technical Field
The invention relates to the technical field of information security, in particular to a password governance system and a password governance method.
Background
Data transmission between two systems of different security levels requires the data to be encrypted: the user authenticates with a password, and the user's access data is encrypted. As the number of users and passwords grows, however, the password management server faces high concurrency and heavy traffic, and the market continually raises new demands. In the prior art, CN109687959A discloses a key security management system and method, medium and computer program. That system comprises a secure host configured to receive a first operation request, authenticate it and, when authentication passes, generate a second operation request based on the first, both requests carrying an identity; and a hardware security device configured to receive the second operation request from the secure host, authenticate it, parse its type when authentication passes, and perform an operation on the key pair associated with the identity according to that type, the key pair comprising a public key and a private key specific to the identity. That system, however, is complicated to operate, gives no effective solution for the process between two systems of different security levels, and cannot evaluate the system state. How to overcome these defects of the prior art is a problem to be solved in this technical field.
Disclosure of Invention
To overcome the above deficiencies of the prior art, the present invention provides a password governance system comprising a password management center, a first security gateway, a second security gateway, a user area switch, a second switch, a service application system, an event acquisition module, a security assessment center, a plurality of computer terminals, security software and password media. The password management center, the first security gateway, the user area switch, the computer terminals, the event acquisition module and the security assessment center are deployed in a user area: the password management center, the first security gateway, the user area switch, the event acquisition module and the security assessment center are deployed in the user area machine room, the computer terminals are deployed in the user's working environment, the security software is integrated in the user browser built into each computer terminal, and the password medium is held by the user. The second security gateway, the second switch and the service application system are deployed in an application area, specifically in the application area machine room. The user area is a network security level protection level-2 (secondary) system area, and the application area is a level-3 (tertiary) system area. The user area switch provides data communication among the password management center, the first security gateway and the computer terminals; the event acquisition module is deployed on a bypass mirror port of the user area switch, and the security assessment center is communicatively connected to the event acquisition module. The first security gateway is communicatively connected to the second security gateway and provides data communication between the user area and the application area. The second security gateway and the service application system are both connected to the second switch, which provides data communication between the second security gateway and the service application system.
Further, the cryptographic medium is connectable to the computer terminal for securely storing cryptographic information; the password management center, the first security gateway and the security software jointly realize the initialization of the password medium and the password information distribution.
Further, in the initialization and password information distribution process, the password medium is connected to the computer terminal, and security software integrated in the computer terminal receives initialization data from the password medium and forwards the initialization data to the password management center through the first security gateway; the password management center performs password initialization operation by using the initialization data to generate an initial password, performs security protection operation on the initial password to generate a password to be distributed, and sends the password to be distributed to security software through a security gateway; the security software receives the password to be distributed and writes the password into the password medium, and the password medium processes the password to be distributed, generates a security password and encrypts and stores the security password.
Further, in the user identity authentication process, the password medium is connected to the computer terminal, and the security software integrated in a user browser built in the computer terminal initiates a first identity authentication request to the password medium; the password medium receives the first identity authentication request, organizes identity authentication and password negotiation data based on the stored security password, and sends the identity authentication and password negotiation data to the security software as identity authentication data; the security software generates a second identity authentication request based on the identity authentication data and sends the second identity authentication request to the first security gateway; the first security gateway performs identity authentication verification by utilizing a verification data set stored in advance, performs key negotiation, generates an identity authentication result and a session key, and sends the identity authentication result and the session key to the security software; and the security software sends the session key to the password medium or deletes the session key according to whether the generated identity authentication result is passed or not. The password medium receives the session key and stores the session key in an encrypted mode.
Further, in the data transmission process, a user initiates access to a service application system through a browser built in the computer terminal; the security software sends the accessed related data to the password medium; the cipher medium encrypts the received data by using the session key stored by encryption to generate an access service system ciphertext, and sends the access service system ciphertext to the first security gateway through the security software; after receiving the ciphertext of the access service system, the first security gateway decrypts the ciphertext to obtain a plaintext of the access service system, encrypts the plaintext of the access service system by means of a data transmission key stored in the first security gateway to obtain a first data transmission ciphertext, and sends the first data transmission ciphertext to the second security gateway; after receiving the first data transmission ciphertext, the second security gateway decrypts the first data transmission ciphertext to obtain a plaintext of the access service system and sends the plaintext to the service application system; the service application system responds to the plaintext of the access service system, executes corresponding application functions, acquires return data, and sends the return data to the second security gateway in a plaintext manner; the second security gateway encrypts the return data plaintext through a data transmission key stored in the second security gateway to obtain a second data transmission ciphertext, and sends the second data transmission ciphertext to the first security gateway; after receiving the second data transmission ciphertext, the first security gateway decrypts the second data transmission ciphertext to obtain a return data plaintext, encrypts the return data plaintext by means of a session key stored in the first security gateway to obtain a return data ciphertext, and sends the return data ciphertext to the security software; 
and the security software sends the received return data ciphertext to the password medium, and the password medium decrypts the return data ciphertext to obtain the return data plaintext and sends the return data plaintext to a browser of the computer terminal through the security software.
Further, the event acquisition module is configured to analyze the data flowing through the user area switch and send the analysis result to the security assessment center. The security assessment center receives the data sent by the event acquisition module, processes it according to preset rules, and then performs visual display and security assessment.
The invention also relates to a password governance method using the password governance system, which comprises an initialization flow and a password information distribution flow. The initialization flow comprises the following steps:
S101: connect the password medium to the computer terminal and perform a password medium check;
S102: generate initialization data;
S103: the security software integrated in the computer terminal receives the initialization data from the password medium;
S104: the security software sends the initialization data to the first security gateway;
S105: the first security gateway sends the initialization data to the password management center;
S106: the password management center performs the password initialization operation with the initialization data to generate an initial password;
S107: the password management center performs a security protection operation on the initial password to generate a password to be distributed;
S108: the password management center sends the password to be distributed to the first security gateway;
S109: the first security gateway sends the password to be distributed to the security software;
S110: the security software receives the password to be distributed and writes it into the password medium;
S111: the password medium processes the password to be distributed, generates a security password and stores it in encrypted form.
Further, the password information distribution flow comprises the following steps:
S201: the password medium is connected to the computer terminal, and the security software integrated in the user browser built into the computer terminal initiates a first identity authentication request to the password medium;
S202: the password medium receives the first identity authentication request and organizes identity authentication and password negotiation data based on the stored security password;
S203: the password medium sends the identity authentication and password negotiation data to the security software as identity authentication data;
S204: the security software generates a second identity authentication request based on the identity authentication data and sends it to the first security gateway;
S205: the first security gateway performs identity authentication verification using its pre-stored verification data set and performs key negotiation to generate an identity authentication result and a session key;
S206: the first security gateway sends the identity authentication result and the session key to the security software;
S207: depending on whether the identity authentication result is "passed", the security software either sends the session key to the password medium, which receives it and stores it in encrypted form, or deletes the session key;
S208: the user initiates access to the service application system, through the security software, via the browser built into the computer terminal;
S209: the security software sends the access-related data to the password medium;
S210: the password medium encrypts the received data with the session key it holds in encrypted storage, generating an access service system ciphertext;
S211: the password medium sends the access service system ciphertext to the security software;
S212: the security software sends the access service system ciphertext to the first security gateway;
S213: on receiving the access service system ciphertext, the first security gateway decrypts it to obtain the access service system plaintext;
S214: the first security gateway encrypts the access service system plaintext with the data transmission key stored in the first security gateway to obtain a first data transmission ciphertext;
S215: the first security gateway sends the first data transmission ciphertext to the second security gateway;
S216: on receiving the first data transmission ciphertext, the second security gateway decrypts it to obtain the access service system plaintext;
S217: the second security gateway sends the access service system plaintext to the service application system;
S218: the service application system responds to the access service system plaintext, executes the corresponding application function and obtains the return data;
S219: the service application system sends the return data to the second security gateway in plaintext;
S220: the second security gateway encrypts the return data plaintext with the data transmission key stored in the second security gateway to obtain a second data transmission ciphertext;
S221: the second security gateway sends the second data transmission ciphertext to the first security gateway;
S222: on receiving the second data transmission ciphertext, the first security gateway decrypts it to obtain the return data plaintext;
S223: the first security gateway encrypts the return data plaintext with the session key stored in the first security gateway to obtain a return data ciphertext;
S224: the first security gateway sends the return data ciphertext to the security software;
S225: the security software sends the received return data ciphertext to the password medium;
S226: the password medium decrypts the return data ciphertext to obtain the return data plaintext and sends it to the security software;
S227: the security software sends the return data plaintext to the browser of the computer terminal.
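A runnable model of the access flow S208-S227 above, added here as an illustration; it is not code from the patent or its assignee. Every entity, key and message is constructed, and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the SM4/AES algorithms the page names.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()  # separate enc/mac keys per hop key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh nonce: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting, so a modified ciphertext is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class PasswordMedium:
    """USB Key held by the user: stores only the negotiated session key (S207)."""
    def __init__(self, session_key: bytes):
        self._session_key = session_key

    def encrypt_access(self, data: bytes) -> bytes:  # S210
        return seal(self._session_key, data)

    def decrypt_return(self, blob: bytes) -> bytes:  # S226
        return unseal(self._session_key, blob)


class FirstSecurityGateway:
    """User-area boundary: holds the session key and the data transmission key."""
    def __init__(self, session_key: bytes, dt_key: bytes):
        self._session_key, self._dt_key = session_key, dt_key

    def forward_request(self, blob: bytes) -> bytes:  # S213-S214
        # Plaintext exists here between the two hops: the gateway is a trust point.
        return seal(self._dt_key, unseal(self._session_key, blob))

    def forward_return(self, blob: bytes) -> bytes:  # S222-S223
        return seal(self._session_key, unseal(self._dt_key, blob))


class SecondSecurityGateway:
    """Application-area boundary: holds only the data transmission key."""
    def __init__(self, dt_key: bytes):
        self._dt_key = dt_key

    def to_application(self, blob: bytes) -> bytes:  # S216
        return unseal(self._dt_key, blob)

    def from_application(self, plaintext: bytes) -> bytes:  # S220
        return seal(self._dt_key, plaintext)


def service_application(request: bytes) -> bytes:
    """Constructed stand-in for the service application system (S218)."""
    return b"RESULT:" + request.upper()


def run_access(request: bytes, session_key: bytes, dt_key: bytes):
    """Drive one access through S209-S227; returns (plaintext seen by the app, plaintext given to the browser)."""
    medium = PasswordMedium(session_key)
    gw1 = FirstSecurityGateway(session_key, dt_key)
    gw2 = SecondSecurityGateway(dt_key)
    c_access = medium.encrypt_access(request)        # S210-S212
    c_link1 = gw1.forward_request(c_access)          # S213-S215
    app_request = gw2.to_application(c_link1)        # S216-S217
    reply = service_application(app_request)         # S218-S219
    c_link2 = gw2.from_application(reply)            # S220-S221
    c_return = gw1.forward_return(c_link2)           # S222-S224
    return app_request, medium.decrypt_return(c_return)  # S225-S227


def tamper_is_rejected(session_key: bytes, dt_key: bytes) -> bool:
    """Flip one ciphertext byte on the inter-gateway link; S216 must refuse it."""
    gw1 = FirstSecurityGateway(session_key, dt_key)
    c_link1 = bytearray(gw1.forward_request(PasswordMedium(session_key).encrypt_access(b"ping")))
    c_link1[NONCE_LEN] ^= 0x01
    try:
        SecondSecurityGateway(dt_key).to_application(bytes(c_link1))
    except ValueError:
        return True
    return False
```

The second gateway never holds the session key and the medium never holds the data transmission key, so each hop can only open ciphertext meant for it; the plaintext that exists inside the first security gateway at S213 and S222 is the trust point an operator should log and monitor.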
Further, the method comprises a security assessment flow, which comprises the following steps:
S301: the event acquisition module acquires, for the current state of the system, the password application protocol type, the certificate validity period, the credibility of the certificate issuing authority and the encryption algorithm type. The security assessment center builds an original index data matrix A; this includes obtaining, by survey, the risk evaluation values given by k experts to these 4 indexes (password application protocol type, certificate validity period, certificate issuing authority credibility and encryption algorithm type) to form an initialization matrix C, whose element in row i and column j is the risk evaluation value given by the i-th expert to the j-th index. A risk evaluation value is an integer score from 1 to 5, with higher scores representing successively higher risk levels;
S302: reconstruct the initialization matrix to obtain a calculation matrix S;
S303: calculate the measurement value of the j-th index;
S304: calculate the weight value of the j-th index;
S305: obtain the weight value matrix;
S306: obtain the evaluated risk matrix based on historical statistical data, wherein the risk potential is divided into 4 cases, very high, high, low and very low, according to the intervals [60%, 100%], [40%, 60%), [10%, 40%) and [0%, 10%); the matrix entries for the 1st of the 4 indexes (the password application protocol type) are the probability values that this index falls into each of the 4 cases, each expressed as a number greater than or equal to 0 and less than or equal to 1; likewise, the entries for the 2nd index (the certificate validity period) are the probability values that it falls into each of the 4 cases, and so on for the remaining indexes;
S307: obtain the security assessment result matrix A;
S308: obtain the security assessment result by taking the maximum element of the security assessment result matrix A as the basis of judgment: if the maximum value falls into the interval [0.5, 1], (0.1, 0.5), (0.01, 0.1) or (0, 0.01), the security assessment result is output as a high risk state, a medium risk state, a low risk state or a controllable state, respectively.
The present invention also relates to a computer-readable storage medium having stored therein a computer-executable program, characterized in that the computer-executable program is executed by a computer to realize the password governance method as described above.
The technical solution of the invention provides a password governance system in which security gateways are deployed at the two network boundaries of the user system and the service system, and the data transmitted between the security gateways is encrypted, so that data security is ensured on the system link. When a user accesses the system, the system and the user perform bidirectional identity authentication to ensure the validity of both the user identity and the system; the user's access data is encrypted to ensure data security on the user link; and security assessment can be performed on the real-time state of the system.
Drawings
FIG. 1 is a block diagram of a password administration system of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings. The following examples are only for more clearly illustrating the technical aspects of the present invention, and are not intended to limit the scope of the present invention. It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the present application.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments in accordance with the present application. As used herein, the singular is also intended to include the plural unless the context clearly indicates otherwise, and furthermore, it is to be understood that the terms "comprises" and/or "comprising" when used in this specification are taken to specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof.
As shown in FIG. 1, embodiment 1 of the present invention relates to a password governance system, which includes a password management center, a first security gateway, a second security gateway, a user area switch, a second switch, a service application system, an event acquisition module, a security assessment center, a plurality of computer terminals, security software, and password media.
The first security gateway and the second security gateway both comprise a management system, a database system, a log system and a security application, wherein the management system comprises a user management module, a state management module, a security management module and an abnormal alarm module, the security application comprises an identity authentication module, a data security module, a communication protocol module, a data packet management module and a bottom encryption algorithm, and the security application adopts a lightweight encryption communication architecture based on a kernel.
The functions of the security gateway include: (1) identity authentication: performing bidirectional identity authentication with the peer security gateway; (2) data packet processing: processing and forwarding all data received from the opposite-end security gateway and the local-end service system; (3) data encryption and decryption: decrypting all data obtained from the opposite-end security gateway and encrypting all data obtained from the local-end service server; (4) user management: user registration, login verification, user logout and similar functions; (5) state monitoring: monitoring the data state of every connected security gateway and service system and the working state of the security gateway itself; (6) abnormality alarming: when an abnormal state such as identity authentication failure, data encryption or decryption failure or abnormal traffic occurs, an alarm is sent to the administrator, for example by e-mail or SMS.
The security software comprises an application API, a signature verification/symmetric encryption/decryption/asymmetric encryption/random number functional module, an initialization management module and a USB drive management module.
The security software supports encryption algorithms such as SM2, SM3, SM4, ECC and AES; supports identity authentication, data encryption and decryption and similar functions for the user side accessing the service system; and supports USB drive management, initializing the password medium and accessing the password medium to execute cryptographic algorithms.
The password management center comprises a password service system and a password card (encryption card). The password service system comprises a password service interface, an encryption card hardware management module, an algorithm service interface, an authentication service module, a log management module, a database and a Web management page module; the encryption card comprises a key generation algorithm, a key management module, a security storage module, a configuration management module, a log audit module and a certificate management module. The password service system and the password card are connected through a PCIe high-speed interface.
The key functions of the password management center are: providing password initialization for users and password media; allowing an administrator to manage users' keys through the web management page; providing log management for user security management and audit; and generating and protecting keys with the encryption card. The encryption card has a built-in encryption chip, and sensitive information such as its internal software code and keys cannot be exported.
The password management center, the first security gateway, the user area switch, the computer terminal, the event acquisition module and the security assessment center are deployed in the user area. Of these, the password management center, the first security gateway, the user area switch, the event acquisition module and the security assessment center are deployed in the user area machine room, while the computer terminal is deployed in the user's working environment; the security software is integrated in the user browser built into the computer terminal, and the password medium is held by the user.
The second security gateway, the second switch and the service application system are deployed in the application area, specifically in the application area machine room.
The user area is a level-2 system area under the network security level protection scheme, and the application area is a level-3 system area under that scheme.
The password management center, the first security gateway and the computer terminal are all in communication connection with the user area switch, which carries the data communication among the three. The event acquisition module is deployed on a bypass mirrored (port-mirroring) data port of the user area switch, and the security assessment center is in communication connection with the event acquisition module.
The first security gateway is in communication connection with the second security gateway and carries the data communication between the user area and the application area. The second security gateway and the service application system are both in communication connection with the second switch, which carries the data communication between them.
The password medium can be connected to the computer terminal and securely stores password information. The password management center, the first security gateway and the security software jointly carry out the initialization of the password medium and the distribution of password information.
In particular, the password medium may be a data storage medium with a USB interface, such as a USB Key.
During initialization and password information distribution, the password medium is connected to the computer terminal. The security software integrated in the computer terminal receives initialization data from the password medium and forwards it to the password management center through the first security gateway. The password management center uses the initialization data to perform the password initialization operation and generate an initial password, applies a security protection operation to the initial password to generate the password to be distributed, and sends the password to be distributed back to the security software through the first security gateway. The security software receives the password to be distributed and writes it to the password medium; the password medium processes it, generates a security password, and stores the security password in encrypted form.
The password management system provides user identity authentication and encrypted data transmission, so that a user can access application area data through equipment in the user area while the security of the data is preserved.
Specifically, during user identity authentication, the password medium is connected to the computer terminal, and the security software integrated in the user browser built into the computer terminal initiates a first identity authentication request to the password medium. The password medium receives the first identity authentication request, organizes identity authentication and password negotiation data based on the security password it stores, and sends these to the security software as identity authentication data. The security software generates a second identity authentication request based on the identity authentication data and sends it to the first security gateway. The first security gateway verifies the identity using a verification data set stored in advance, performs key negotiation, generates an identity authentication result and a session key, and sends both to the security software. Depending on whether the identity authentication result is "passed", the security software either sends the session key to the password medium or deletes it. The password medium receives the session key and stores it in encrypted form.
During data transmission, the user initiates access to the service application system through the browser built into the computer terminal. The security software sends the data of the access to the password medium, which encrypts it with the session key it holds in encrypted storage to produce the access service system ciphertext; the ciphertext is sent to the first security gateway through the security software. On receiving the access service system ciphertext, the first security gateway decrypts it to obtain the access service system plaintext, encrypts that plaintext with the data transmission key stored in the first security gateway to obtain the first data transmission ciphertext, and sends the first data transmission ciphertext to the second security gateway. On receiving the first data transmission ciphertext, the second security gateway decrypts it to recover the access service system plaintext and sends the plaintext to the service application system. The service application system responds to the access service system plaintext, executes the corresponding application functions, obtains the return data, and sends the return data to the second security gateway in plaintext. The second security gateway encrypts the return data plaintext with the data transmission key stored in the second security gateway to obtain the second data transmission ciphertext and sends it to the first security gateway.
On receiving the second data transmission ciphertext, the first security gateway decrypts it to obtain the return data plaintext, encrypts the return data plaintext with the session key stored in the first security gateway to obtain the return data ciphertext, and sends the return data ciphertext to the security software. The security software passes the return data ciphertext to the password medium, which decrypts it to obtain the return data plaintext; the plaintext is then delivered through the security software to the browser of the computer terminal and presented to the user.
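The hop-by-hop relay described above (restated step by step as S208 to S227 in claim 8), as an added example that is not part of the patent: a Python model in which the password medium, the two security gateways and the service application system are plain objects, each hop re-encrypts under its own key, and the first security gateway records every plaintext it handles, which makes visible that in this design both gateways, not only the endpoints, see the plaintext. The patent names no cipher, so the seal()/open_() pair is a constructed encrypt-then-MAC scheme built from HMAC-SHA256 standing in for the devices' actual algorithm; all key material, the request and the service application's reply are constructed.

```python
"""Hop-by-hop relay model of the data transmission flow (steps S208 to S227).
Added example, not code from the patent. The patent names no cipher, so
seal()/open_() is a constructed encrypt-then-MAC scheme (HMAC-SHA256 keystream
plus HMAC-SHA256 tag) standing in for whatever the real devices use."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN = 12
TAG_LEN = 32

def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one shared key."""
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream made of HMAC(enc_key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; tampering or a wrong key raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

@dataclass
class PasswordMedium:
    session_key: bytes  # held in encrypted storage on the real USB Key (S207)

@dataclass
class FirstSecurityGateway:
    session_key: bytes       # negotiated with the medium (S205)
    transmission_key: bytes  # shared with the second security gateway
    plaintexts_seen: list = field(default_factory=list)  # what this hop can read

@dataclass
class SecondSecurityGateway:
    transmission_key: bytes

def service_application(request: bytes) -> bytes:
    """Constructed stand-in for the service application system (S218)."""
    return b"RESULT:" + request.upper()

def run_access(medium, gw1, gw2, request: bytes) -> bytes:
    """Carry one request through both gateways and return the plaintext reply."""
    # S210-S212: the medium encrypts under the session key; security software forwards.
    c_session = seal(medium.session_key, request)
    # S213-S215: first gateway decrypts, then re-encrypts under the transmission key.
    req_plain = open_(gw1.session_key, c_session)
    gw1.plaintexts_seen.append(req_plain)
    c_transmit = seal(gw1.transmission_key, req_plain)
    # S216-S219: second gateway decrypts and hands plaintext to the application,
    # which answers in plaintext.
    reply_plain = service_application(open_(gw2.transmission_key, c_transmit))
    # S220-S221: second gateway encrypts the reply under the transmission key.
    c_reply_transmit = seal(gw2.transmission_key, reply_plain)
    # S222-S224: first gateway decrypts and re-encrypts under the session key.
    reply_at_gw1 = open_(gw1.transmission_key, c_reply_transmit)
    gw1.plaintexts_seen.append(reply_at_gw1)
    c_reply_session = seal(gw1.session_key, reply_at_gw1)
    # S225-S227: the medium decrypts; security software passes plaintext to the browser.
    return open_(medium.session_key, c_reply_session)

def demo():
    """One access with constructed keys; returns (reply, plaintexts the first gateway saw)."""
    medium = PasswordMedium(b"session-key-demo")
    gw1 = FirstSecurityGateway(b"session-key-demo", b"transmission-key-demo")
    gw2 = SecondSecurityGateway(b"transmission-key-demo")
    reply = run_access(medium, gw1, gw2, b"get balance")
    return reply, gw1.plaintexts_seen
```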
The event acquisition module analyses the data flowing through the user area switch and sends the analysis result to the security assessment center. The security assessment center receives the data sent by the event acquisition module, processes it according to preset rules, and then performs visual display and security assessment.
The specific evaluation process comprises the following steps:
1. Construct an original index data matrix A: obtain, by survey, the risk evaluation values given by k experts to the 4 indexes (password application protocol type, certificate validity period, certificate issuing authority credibility and encryption algorithm type) and form the initialization matrix C, in which the element in the i-th row and j-th column is the risk evaluation value given by the i-th expert to the j-th index. Each risk evaluation value is a score from 1 to 5, with successive scores denoting successively higher risk levels.
2. Reconstruct the initialization matrix to obtain the calculation matrix S.
3. Calculate the metric value of the j-th index.
4. Calculate the weight value of the j-th index.
5. Obtain the weight value matrix.
6. Obtain an estimated risk matrix based on historical statistical data. The risk potential is divided into 4 cases (very high, low, very low) according to whether it falls within [60%,100%], [40%,60%), [10%,40%) or [0%,10%). The elements of the first row of the risk matrix are the probability values, each a number greater than or equal to 0 and less than or equal to 1, that the 1st of the 4 indexes (password application protocol type, certificate validity period, certificate issuing authority credibility and encryption algorithm type) belongs to each of the 4 cases; the elements of the second row are likewise the probability values that the 2nd index belongs to each of the 4 cases, and so on.
7. Obtain the security evaluation result matrix A.
8. Obtain the security evaluation result: take the maximum value among the elements of the security evaluation result matrix A as the judgment basis, and output the security evaluation result as a high risk state, a medium risk state, a low risk state or a controllable state according to whether the maximum value falls within [0.5,1], [0.1,0.5), [0.01,0.1) or [0,0.01) respectively.
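The evaluation steps above (claim 9 restates them as S301 to S308), as an added example that is not the patent's code: since the matrix formulas did not survive extraction, the weight calculation uses the entropy-weight method and the result matrix is formed as the weight vector times the risk matrix, both assumptions; the score range 1 to 5, the four indexes, the four risk cases and the output thresholds are the patent's. The name "high" for the second risk case, the three experts' scores and the historical risk matrix in the demo are also assumptions.

```python
"""Security assessment steps S301 to S308 (added example, not the patent's code).
Assumptions, since the patent's matrix formulas did not survive extraction:
index weights come from the expert score matrix C by the entropy-weight method,
and the result matrix A is the weight vector times the risk matrix R."""
import math

INDEXES = ("password application protocol type", "certificate validity period",
           "certificate issuing authority credibility", "encryption algorithm type")
# The page names the four risk-potential cases as "very high, low, very low";
# "high" for the second case is an assumption.
CASES = ("very high", "high", "low", "very low")
SCORE_MIN, SCORE_MAX = 1, 5  # expert scores; a higher score means a higher risk level

def entropy_weights(C):
    """S301 to S305: one weight per index from the k x 4 expert score matrix C."""
    k, n = len(C), len(INDEXES)
    if k < 2 or any(len(row) != n for row in C):
        raise ValueError("C must have one row of 4 scores per expert, k >= 2")
    if any(not SCORE_MIN <= c <= SCORE_MAX for row in C for c in row):
        raise ValueError(f"scores must lie in {SCORE_MIN}..{SCORE_MAX}")
    # S302: calculation matrix S, each column of C normalised to sum to 1.
    col_sum = [sum(C[i][j] for i in range(k)) for j in range(n)]
    S = [[C[i][j] / col_sum[j] for j in range(n)] for i in range(k)]
    # S303: metric value of index j (normalised entropy; 1 means the experts fully agree).
    e = [-sum(S[i][j] * math.log(S[i][j]) for i in range(k)) / math.log(k)
         for j in range(n)]
    # S304 to S305: weight proportional to 1 - e_j; equal weights if every column agrees.
    d = [1.0 - ej for ej in e]
    total = sum(d)
    if total <= 1e-12:
        return [1.0 / n] * n
    return [dj / total for dj in d]

def evaluate(W, R):
    """S306 to S307: A[c] = sum_j W[j] * R[j][c], where R[j][c] = P(index j in case c)."""
    if len(W) != len(INDEXES) or len(R) != len(INDEXES):
        raise ValueError("W and R need one entry per index")
    for row in R:
        if len(row) != len(CASES) or any(not 0.0 <= p <= 1.0 for p in row):
            raise ValueError("each row of R holds four probabilities in [0, 1]")
    return [sum(W[j] * R[j][c] for j in range(len(INDEXES))) for c in range(len(CASES))]

def classify(A):
    """S308: judge by the maximum element of A against the patent's intervals."""
    m = max(A)
    if m >= 0.5:    # [0.5, 1]
        return "high risk state"
    if m >= 0.1:    # [0.1, 0.5)
        return "medium risk state"
    if m >= 0.01:   # [0.01, 0.1)
        return "low risk state"
    return "controllable state"  # [0, 0.01)

def demo():
    """Constructed inputs: three experts' scores and a historical risk matrix."""
    C = [[5, 3, 2, 4], [4, 3, 1, 4], [5, 2, 2, 3]]
    R = [[0.6, 0.3, 0.1, 0.0], [0.2, 0.5, 0.2, 0.1],
         [0.1, 0.2, 0.4, 0.3], [0.0, 0.1, 0.3, 0.6]]
    W = entropy_weights(C)
    A = evaluate(W, R)
    return W, A, classify(A)
```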
While only the preferred embodiments of the present invention have been described, it should be noted that modifications and variations can be made by those skilled in the art without departing from the technical principles of the present invention, and such modifications and variations should also be regarded as being within the scope of the invention.

Claims (10)

1. A password administration system, the system comprising:
the system comprises a password management center, a first security gateway, a second security gateway, a user area switch, a second switch, a service application system, an event acquisition module, a security assessment center, a plurality of computer terminals, security software and password media;
the password management center, the first security gateway, the user area switch, the computer terminal, the event acquisition module and the security evaluation center are deployed in a user area, wherein the password management center, the first security gateway, the user area switch, the event acquisition module and the security evaluation center are deployed in a user area machine room, the computer terminal is deployed in a user use environment, the security software is integrated in a user browser built in the computer terminal, and the password medium is held by a user;
the second security gateway, the second switch and the service application system are deployed in an application area, and are specifically deployed in an application area machine room;
the user area is a network security level protection secondary system area, and the application area is a network security level protection tertiary system area;
the user area switch is used for realizing data communication among the password management center, the first security gateway and the computer terminal;
the event acquisition module is deployed at a bypass mirror image data port of the user area switch, and the security assessment center is in communication connection with the event acquisition module;
the first security gateway is in communication connection with the second security gateway and is used for realizing data communication between the user area and the application area; the second security gateway and the service application system are both in communication connection with the second switch, and the second switch is used for realizing data communication between the second security gateway and the service application system.
2. A password administration system according to claim 1, wherein the password medium is connectable to the computer terminal for securely storing password information; the password management center, the first security gateway and the security software jointly realize the initialization of the password medium and the password information distribution.
3. The password administration system of claim 1, wherein during initialization and password information distribution, the password medium is connected to the computer terminal, and security software integrated in the computer terminal receives initialization data from the password medium and forwards the initialization data to the password management center through the first security gateway;
the password management center performs password initialization operation by using the initialization data to generate an initial password, performs security protection operation on the initial password to generate a password to be distributed, and sends the password to be distributed to security software through a security gateway;
the security software receives the password to be distributed and writes the password into the password medium, and the password medium processes the password to be distributed, generates a security password and encrypts and stores the security password.
4. The password administration system of claim 1, wherein during user identity authentication, the password medium is connected to the computer terminal, and the security software integrated in a user browser built in the computer terminal initiates a first authentication request to the password medium;
the password medium receives the first identity authentication request, organizes identity authentication and password negotiation data based on the stored security password, and sends the identity authentication and password negotiation data to the security software as identity authentication data;
the security software generates a second identity authentication request based on the identity authentication data and sends the second identity authentication request to the first security gateway;
the first security gateway performs identity authentication verification by utilizing a verification data set stored in advance, performs key negotiation, generates an identity authentication result and a session key, and sends the identity authentication result and the session key to the security software;
the security software sends the session key to the password medium or deletes the session key according to whether the generated identity authentication result is passed or not; the password medium receives the session key and stores the session key in an encrypted mode.
5. The password administration system as claimed in claim 4, wherein the user initiates access to the service application system through a browser built in the computer terminal during data transmission;
the security software sends the accessed related data to the password medium;
the password medium encrypts the received data by using the session key stored by encryption to generate an access service system ciphertext, and sends the access service system ciphertext to the first security gateway through the security software;
after receiving the ciphertext of the access service system, the first security gateway decrypts the ciphertext to obtain a plaintext of the access service system, encrypts the plaintext of the access service system by means of a data transmission key stored in the first security gateway to obtain a first data transmission ciphertext, and sends the first data transmission ciphertext to the second security gateway;
after receiving the first data transmission ciphertext, the second security gateway decrypts the first data transmission ciphertext to obtain a plaintext of the access service system and sends the plaintext to the service application system;
the service application system responds to the plaintext of the access service system, executes corresponding application functions, acquires return data, and sends the return data to the second security gateway in a plaintext manner;
the second security gateway encrypts the return data plaintext through a data transmission key stored in the second security gateway to obtain a second data transmission ciphertext, and sends the second data transmission ciphertext to the first security gateway;
after receiving the second data transmission ciphertext, the first security gateway decrypts the second data transmission ciphertext to obtain a return data plaintext, encrypts the return data plaintext by means of a session key stored in the first security gateway to obtain a return data ciphertext, and sends the return data ciphertext to the security software;
and the security software sends the received return data ciphertext to the password medium, and the password medium decrypts the return data ciphertext to obtain the return data plaintext and sends the return data plaintext to a browser of the computer terminal through the security software.
6. The password administration system of claim 1, wherein the event acquisition module is configured to analyze data flowing through the user area switch and send the analysis result to the security assessment center; and the security assessment center receives the data sent by the event acquisition module, processes the data according to a preset rule, and then performs visual display and security assessment.
7. A password governance method using the password governance system of any of claims 1-6, said method comprising an initialization procedure and a password information distribution procedure, said initialization procedure comprising in particular the steps of:
S101, connecting the password medium to the computer terminal, and executing password medium check;
S102, generating initialization data;
S103, the security software integrated in the computer terminal receives initialization data from the password medium;
S104, the security software sends the initialization data to the first security gateway;
S105, the first security gateway sends the initialization data to the password management center;
S106, the password management center uses the initialization data to perform password initialization operation to generate an initial password;
S107, the password management center carries out security protection operation on the initial password to generate a password to be allocated;
S108, the password management center sends the password to be distributed to the first security gateway;
S109, the first security gateway sends the password to be distributed to the security software;
S110, the security software receives the password to be distributed and writes the password into the password medium;
S111, the password medium processes the password to be distributed, generates a security password and stores the security password in an encrypted mode.
8. The method for managing passwords of claim 7, wherein the password information distribution flow specifically comprises the following steps:
S201, the password medium is connected to the computer terminal, and the security software integrated in a user browser built in the computer terminal initiates a first identity authentication request to the password medium;
S202, the password medium receives the first identity authentication request and organizes identity authentication and password negotiation data based on a stored security password;
S203, the password medium sends the identity authentication and password negotiation data to the security software as identity authentication data;
S204, the security software generates a second identity authentication request based on the identity authentication data and sends the second identity authentication request to the first security gateway;
S205, the first security gateway performs identity authentication verification by utilizing a verification data set stored in advance, and performs key negotiation to generate an identity authentication result and a session key;
S206, the first security gateway sends the identity authentication result and the session key to the security software;
S207, the security software sends the session key to the password medium or deletes the session key according to whether the generated identity authentication result is passed or not, and the password medium receives the session key and stores the session key in an encrypted mode;
S208, a user initiates access to a service application system to the security software through a browser built in the computer terminal;
S209, the security software sends the accessed related data to the password medium;
S210, the password medium encrypts the received data by using the session key stored by encryption to generate an access service system ciphertext;
S211, the password medium sends the access service system ciphertext to the security software;
S212, the security software sends the access service system ciphertext to the first security gateway;
S213, after receiving the ciphertext of the access service system, the first security gateway decrypts the ciphertext to obtain plaintext of the access service system;
S214, encrypting the plaintext of the access service system by the first security gateway by means of a data transmission key stored in the first security gateway to obtain a first data transmission ciphertext;
S215, the first security gateway sends the first data transmission ciphertext to the second security gateway;
S216, after receiving the first data transmission ciphertext, the second security gateway decrypts the first data transmission ciphertext to obtain a plaintext of the access service system;
S217, the second security gateway sends the plaintext of the access service system to the service application system;
S218, the service application system responds to the plaintext of the access service system, executes corresponding application functions and acquires return data;
S219, the service application system sends the return data to the second security gateway in a plaintext manner;
S220, the second security gateway encrypts a return data plaintext through a data transmission key stored in the second security gateway to obtain a second data transmission ciphertext;
S221, the second security gateway sends the second data transmission ciphertext to the first security gateway;
S222, after receiving the second data transmission ciphertext, the first security gateway decrypts the second data transmission ciphertext to obtain a return data plaintext;
S223, the first security gateway encrypts the return data plaintext by means of a session key stored in the first security gateway to obtain a return data ciphertext;
S224, the first security gateway sends the return data ciphertext to the security software;
S225, the security software sends the received return data ciphertext to the password medium;
S226, decrypting the return data ciphertext by the password medium to obtain a return data plaintext, and sending the return data plaintext to the security software;
S227, the security software sends the return data plaintext to a browser of the computer terminal.
9. The password governance method of claim 7, comprising a security assessment procedure, comprising the steps of:
S301, the event acquisition module acquires the password application protocol type, certificate validity period, certificate issuing authority credibility and encryption algorithm type in the current state of the system; the security evaluation center builds an original index data matrix A, which comprises obtaining, by survey, risk evaluation values given by k experts to the 4 indexes (password application protocol type, certificate validity period, certificate issuing authority credibility and encryption algorithm type) to form an initialization matrix C, wherein the element in the i-th row and j-th column is the risk evaluation value given by the i-th expert to the j-th index, the risk evaluation value being a score from 1 to 5 representing sequentially increasing risk levels;
S302, reconstructing the initialization matrix to obtain a calculation matrix S;
S303, calculating the measurement value of the j-th index;
S304, calculating the weight value of the j-th index;
S305, acquiring a weight value matrix;
S306, acquiring an estimated risk matrix based on historical statistical data, wherein the risk potential is divided into 4 cases (very high, low, very low) according to whether it falls within the intervals [60%,100%], [40%,60%), [10%,40%) or [0%,10%); the elements of the first row of the risk matrix are the probability values, each a number greater than or equal to 0 and less than or equal to 1, that the 1st of the 4 indexes (password application protocol type, certificate validity period, certificate issuing authority credibility and encryption algorithm type) belongs to each of the 4 cases;
in the same way, the elements of the second row are the probability values that the 2nd of the 4 indexes belongs to each of the 4 cases, and so on;
S307, acquiring a security evaluation result matrix A;
S308, acquiring a security evaluation result, specifically, taking the maximum value among the elements of the security evaluation result matrix A as the judgment basis, and outputting the security evaluation result as a high risk state, a medium risk state, a low risk state or a controllable state according to whether the maximum value falls within the interval [0.5,1], [0.1,0.5), [0.01,0.1) or [0,0.01) respectively.
10. A computer-readable storage medium having a computer-executable program stored therein, wherein the computer-executable program is executed by a computer to implement the password governance method of any one of claims 7-9.
CN202410022518.9A 2024-01-08 2024-01-08 Password governance system and method Active CN117560224B (en)

Publications (2)

Publication Number Publication Date
CN117560224A true CN117560224A (en) 2024-02-13
CN117560224B CN117560224B (en) 2024-04-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant