IP broadband metropolitan area network security based on PKI / PMI


1 Introduction

Network and information security capability is becoming a marker of comprehensive national strength and economic competitiveness in the 21st century, and a decisive factor in future international competition. China is accelerating the informatization of its economy and society, and this requires a secure and reliable telecommunications network platform on which information security applications of all kinds can be built.

As network technology has developed, the IP broadband metropolitan area network (IP broadband MAN) has become the direction of development for broadband networks, and information applications of all kinds will be built on IP technology. The current IP broadband MAN, however, has many problems in management and in security applications. For example, the legal status of a user accessing the network cannot be identified effectively, the user's personal information is not effectively protected, and non-repudiation cannot be effectively achieved.

On the one hand these problems make the IP broadband MAN poorly controllable and manageable; on the other hand they directly affect national information security.

The main cause of these problems is that the current IP broadband MAN relies on "user name + password" authentication. This provides only elementary, simple management and insufficient security (a password is easily stolen or shared), and there is no fixed correspondence between a user name and an access line, so users are hard to locate and user rights are hard to manage.

Therefore, to effectively address the current management and security problems of the IP broadband MAN, user authentication, user authorization management and user location must be solved first, so as to establish a trusted network environment.

In recent years information security technology has received wide attention and has made considerable progress. In particular, trust and authorization technology based on public key infrastructure (PKI) and privilege management infrastructure (PMI) has achieved a breakthrough and is now used on a large scale in e-government and e-commerce systems.

This article therefore discusses how to use PKI / PMI-based trust and authorization technology to create a trusted environment for the IP broadband MAN, and how to apply digital-certificate authentication and authorization to the operation and management of the IP broadband MAN, so as to build a controllable, manageable and operable carrier-grade IP broadband MAN that provides a secure and reliable basic telecommunications platform for information applications of all kinds.

This is a new idea and a new attempt; compared with other IP MAN management methods it offers more security and flexibility.

2 PKI / PMI Overview

2.1 PKI

PKI is an important part of the national information security infrastructure (NISI). Built on public key technology, its security goals are data confidentiality, data integrity and the non-repudiation of online identity and actions, and it provides reliable security services to network applications (such as web browsing and e-mail). Within the national information security infrastructure, the PKI certificate system uses dual keys, supports both the RSA and the elliptic curve (ECC) public key algorithms, and uses the symmetric cipher designated by the Office of the State Encryption Management Commission. The public key infrastructure consists of a trust service system and a key management system.

The main duty of the trust service system is to provide entity authentication services for the whole system, based on PKI public key digital certificates (PKC), so that the true identity of every entity in the system can be uniquely determined and a consistent basis of trust is established across the whole system.

The key management system is mainly responsible for key management services for the system and, in special cases such as emergency management, provides authorized key recovery.

2.2 PMI

PMI is an important part of the NISI. Its objective is to provide authorization management services for users and applications: it is responsible for authorization-related management for application systems and applications, and it provides the mapping from user identity to application authorization.

PMI takes attribute certificates (AC) as its core, with authorization and access control mechanisms for resource management: control over access to resources is centralized in an authorization authority rather than exercised by the owner of each resource. The main difference between PKI and PMI is that PKI proves who the user is, while PMI proves what the user is permitted to do; PMI relies on PKI for authentication services.

3 IP Broadband Metropolitan Area Network Security Solutions

3.1 IP Broadband Metropolitan Area Network Application Platform Security Architecture

The IP broadband MAN security application platform, on the framework of the traditional IP broadband MAN, uses PKI / PMI network and information security technology with integrated business management at its core to build a complete and unified controllable, manageable and operable IP broadband MAN.

Logically, the IP broadband MAN security application platform is divided from the outside inward into three layers: the access authentication layer, the aggregation layer and the core layer, as shown in Figure 1.

Figure 1 three-tier architecture

* Access authentication layer: authenticates IP broadband access users and network equipment and so forms the network trusted domain (the network area made up of authenticated users and network equipment). It automatically blocks and restricts illegitimate network equipment and IP broadband users, preventing illegal access and securing the network; it is the foundation on which the IP broadband MAN becomes controllable, manageable and operable.

* Aggregation layer: on the one hand it aggregates the various business traffic streams; on the other hand, through the deployed PKI and PMI systems, it realizes user identity authentication, trust and authorization, the authentication and management of network elements, and integrated business management. It is what makes the IP broadband MAN controllable, manageable and operable.

* Core layer: performs high-speed transmission and switching of information and interconnection with other networks.

In addition, the IP broadband MAN security application platform architecture is logically divided into two planes: the IP broadband MAN plane and the intelligent security application management plane, as shown in Figure 2.

Figure 2 the two planes

The two planes are not simply superimposed; they complement and coordinate with each other and combine organically to form a complete and unified controllable, manageable and operable IP broadband MAN.

* IP broadband MAN plane: consists mainly of the traditional IP broadband MAN. It provides IP broadband user access and information bearing and switching services, and interconnects with other networks and the Internet; it is the cornerstone of the IP broadband MAN security application platform.

* Intelligent security application management plane: based on PKI and PMI trust and authorization technology, it builds a trusted network environment and provides secure and reliable network equipment and user access, information transmission and switching, and business management services; it is the core of the IP broadband MAN security application platform.

3.2 security applications and management solutions

The PKI / PMI trust and authorization platform technology, developed with independent intellectual property by a national information security infrastructure research center, is applied to build a trusted IP broadband MAN network environment, using digital certificates to implement user authentication and authorization for the IP broadband MAN.

The main idea is to issue each user a PKC (containing personal information such as serial number, IP address and MAC address) and an AC (containing the user's attribute information, such as role and access control permissions). On the basis of "one entity, one certificate", the uniqueness of the PKC identifies the user accurately. Through access authentication on controllable switch ports and the authentication management back end, a flexible correspondence can be established between the certificate and the port (and optionally the IP address), which decides whether the user may access the IP broadband MAN; at the same time access statistics such as traffic, duration and time are collected, and the rights, time limits and billing attributes recorded in the user's AC are managed. This flexible binding of certificate to port builds a "certificate on port" security management model for the IP broadband MAN, similar to the line-based management model of the PSTN.

In addition, the public key digital certificate is embedded in a physical identification device (the physical carrier of the digital certificate) with a USB interface. Each physical identification device is protected by a PIN code, and after several consecutive incorrect PIN entries the device locks itself automatically, which makes dictionary attacks against it very difficult. Only someone who holds both the physical identification device and the corresponding PIN can pose as the legitimate user. Compared with the current simple user name and password method this adds the PIN as a further factor, is more secure, identifies the legal status of network users more effectively and prevents impersonation.

In the concrete implementation, the intelligent security application management plane implements and manages security applications for the IP broadband MAN. The whole plane consists of three parts: the trust and authorization service support platform, the network trusted domain management platform, and the integrated business management platform.

The trust and authorization service support platform is the core of the plane. Through the authentication, authorization and management of entities' PKCs and ACs it creates a unified trust and authorization environment for the IP broadband MAN and provides reliable and secure services to the network trusted domain management platform and the integrated business management platform.

The network trusted domain management platform manages the entities in the network trusted domain and ensures that only trusted entities, that is, entities holding a digital certificate issued to them, can effectively access the network.

The integrated business management platform faces the user directly; it uses the IP broadband user certificates, equipment certificates and user attribute certificates provided by the trust and authorization service platform for user billing and business management.

3.2.1 Intelligent support platform of trust and authorization service

The trust and authorization service support platform uses a PKI / PMI system to provide trust services and authorization services for the IP broadband MAN. Through the authentication, authorization and management of entities' PKCs and ACs it creates a unified trust and authorization environment, establishing a network operation and management mode of "one entity one certificate, unified certification, distributed hierarchical management" for the IP broadband MAN.

"Unified certification" means that a third-party certification authority (CA) is responsible for issuing the PKCs of all IP broadband MAN users and equipment, and that the trust and authorization service support platform issues the ACs, so that certificate issuance is uniformly managed and trusted domain management services are guaranteed. "Distributed hierarchical management" means that network trusted domains are divided according to the actual scope of responsibility: each city or metropolitan IP broadband system can further be divided into basic trusted domains by user type (for example ordinary home users and large customers), each basic trusted domain has its own management system responsible for managing it, and the trusted domain management systems obtain trust and authorization services through the trust and authorization service support platform. This model builds a system-wide trusted domain and management system with clear responsibilities and easy management.

(1) Certificate service system

The certificate service system, built on the key management (KM) system, provides digital certificate issuance and audit services through the CA, the registration authority (RA) and other applications.

(2) Certificate query and verification service system

The certificate query and verification service system provides certificate verification services to the business application management platform, including a directory query service and an online certificate status query service. It consists of a Lightweight Directory Access Protocol (LDAP) server and an Online Certificate Status Protocol (OCSP) server, which provide publication of all types of issued certificates, publication of certificate revocation lists (CRL), and online certificate status checking.
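The following Go program is an added example, not code from the paper or from the platform it describes. It models the PKI side of the "certificate on port" scheme of section 3.2 together with the CRL check performed by the verification service of this item: an operator CA issues user PKCs (with the user's IP address in the subject alternative name) and a CRL, and the access authentication switch admits a certificate on a port only when it chains to that CA, is absent from a fresh CA-signed CRL, and is the certificate bound to that port. The CA name, the users, their addresses and the port names are assumptions made for the example.

```go
package main

// Added example, not code from the paper: the PKI side of section 3.2 and of
// the verification service in 3.2.1 (2). An operator CA issues a user PKC whose
// subject alternative name carries the user's IP address and publishes a CRL;
// the access authentication switch admits a certificate on a port only if it
// chains to that CA, is absent from a fresh CA-signed CRL, and is the
// certificate bound to that port. CA name, users, addresses and port names are
// assumptions of this example.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// NewCA makes a self-signed CA certificate permitted to sign certificates and CRLs.
func NewCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example MAN CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// IssuePKC returns the DER of a user certificate with the user's IP address in the SAN.
func IssuePKC(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, serial int64, user, ip string) []byte {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: user},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IPAddresses: []net.IP{net.ParseIP(ip)},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return must(x509.CreateCertificate(rand.Reader, t, ca, &newKey().PublicKey, caKey))
}

// IssueCRL publishes the given serials as revoked, signed by the CA, valid for one hour.
func IssueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, revoked ...int64) *x509.RevocationList {
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	for _, s := range revoked {
		t.RevokedCertificates = append(t.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, t, ca, caKey))))
}

// Switch is an access authentication switch with its certificate-to-port table.
type Switch struct {
	CA       *x509.Certificate
	CRL      *x509.RevocationList
	PortBind map[string]string // port -> serial of the PKC allowed on it
}

// Admit returns nil if pkcDER may come online on port at time now.
func (s *Switch) Admit(now time.Time, port string, pkcDER []byte) error {
	pkc, err := x509.ParseCertificate(pkcDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(s.CA)
	// Identity: the PKC chains to the operator CA, is valid now and is a client certificate.
	if _, err := pkc.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("pkc: %w", err)
	}
	// Status: an unsigned or stale CRL is not a reason to let anyone in (fail closed).
	if s.CRL.CheckSignatureFrom(s.CA) != nil || now.After(s.CRL.NextUpdate) {
		return errors.New("crl: unsigned or stale, refusing access")
	}
	for _, rc := range s.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(pkc.SerialNumber) == 0 {
			return errors.New("pkc: revoked")
		}
	}
	// Location: the certificate-on-port binding, the paper's PSTN-like line model.
	if s.PortBind[port] != pkc.SerialNumber.String() {
		return fmt.Errorf("port %s: not bound to certificate %s", port, pkc.SerialNumber)
	}
	return nil
}

// Scenario exercises the switch; a nil entry means the user was admitted.
func Scenario() map[string]error {
	now := time.Now()
	ca, caKey := NewCA(now)
	alice := IssuePKC(ca, caKey, now, 1001, "alice", "10.1.2.3")
	bob := IssuePKC(ca, caKey, now, 1002, "bob", "10.1.2.4")
	rogueCA, rogueKey := NewCA(now) // same name and serial, but not the switch's trust anchor
	mallory := IssuePKC(rogueCA, rogueKey, now, 1001, "alice", "10.1.2.3")
	sw := &Switch{CA: ca, CRL: IssueCRL(ca, caKey, now, 1002), // bob's certificate is revoked
		PortBind: map[string]string{"port-1": "1001", "port-2": "1002"}}
	return map[string]error{
		"admitted":     sw.Admit(now, "port-1", alice),
		"revoked":      sw.Admit(now, "port-2", bob),
		"wrong_port":   sw.Admit(now, "port-2", alice),
		"untrusted_ca": sw.Admit(now, "port-1", mallory),
		"stale_crl":    sw.Admit(now.Add(2*time.Hour), "port-1", alice),
	}
}
```

Two details matter in practice. A CRL that is unsigned or past its next-update time refuses everyone rather than admitting everyone, so an attacker who can block CRL distribution gains nothing; and the certificate-to-port binding is checked only after the chain is verified, so a certificate with the right serial number from a CA the switch does not trust is still refused.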

(3) Authorization service system

The authorization service system is a PMI built on the certificate service system. It provides authorization management services for users and applications and resource management services, and is primarily responsible for authorization-related management for application systems and applications and for mapping user identities to application authorizations.
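The authorization side, as an added Go example that is not the paper's code: an attribute authority (AA) signs a simplified attribute certificate that names its holder by the serial number of the holder's PKC, as X.509 attribute certificates do, and lists the services granted. The gate accepts a service request only if the signature verifies, the holder named in the AC is the serial of the PKC the PKI has already authenticated (this is the PMI's dependence on PKI described in section 2.2), the AC is unexpired and the requested service is in it. The ASN.1 layout of the AC, the AA key and the users are assumptions of the example; a real PMI uses the X.509 attribute certificate profile.

```go
package main

// Added example, not code from the paper: the PMI side of sections 3.2 and
// 3.2.1 (3). An attribute authority (AA) signs an attribute certificate (AC)
// that names its holder by the serial number of the holder's PKC, as X.509 ACs
// do, and lists the services granted. The gate accepts a service request only
// if the AC is AA-signed, well-formed, unexpired, issued to the serial of the PKC
// already authenticated by the PKI, and grants that service. The AC encoding
// below is a simplified stand-in for an X.509 AC; the AA and users are assumed.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AttributeCert: who (PKC serial) may use what (services), as which role, until when.
type AttributeCert struct {
	HolderSerial *big.Int
	Role         string
	Services     []string
	NotAfter     time.Time
}

// SignedAC is what the user presents: the DER exactly as the AA signed it, plus the signature.
type SignedAC struct {
	DER []byte
	Sig []byte // AA's ECDSA signature over SHA-256(DER)
}

// SignAC is the AA's issuance step.
func SignAC(ac AttributeCert, aa *ecdsa.PrivateKey) (SignedAC, error) {
	der, err := asn1.Marshal(ac)
	if err != nil {
		return SignedAC{}, err
	}
	h := sha256.Sum256(der)
	sig, err := ecdsa.SignASN1(rand.Reader, aa, h[:])
	return SignedAC{DER: der, Sig: sig}, err
}

// Authorize is the gate's step. holderSerial comes from the PKC the PKI has
// already authenticated, which is how PMI depends on PKI. It returns the role
// under which the service is granted.
func Authorize(aaPub *ecdsa.PublicKey, sac SignedAC, holderSerial *big.Int, service string, now time.Time) (string, error) {
	h := sha256.Sum256(sac.DER)
	if !ecdsa.VerifyASN1(aaPub, h[:], sac.Sig) {
		return "", errors.New("ac: signature does not verify") // edited, or not from the AA
	}
	var ac AttributeCert
	if rest, err := asn1.Unmarshal(sac.DER, &ac); err != nil || len(rest) != 0 {
		return "", errors.New("ac: malformed")
	}
	if ac.HolderSerial.Cmp(holderSerial) != 0 {
		return "", fmt.Errorf("ac: issued to PKC %s, presented with PKC %s", ac.HolderSerial, holderSerial)
	}
	if now.After(ac.NotAfter) {
		return "", errors.New("ac: expired")
	}
	for _, s := range ac.Services {
		if s == service {
			return ac.Role, nil
		}
	}
	return "", fmt.Errorf("ac: service %q not granted", service)
}

// Scenario issues ACs to two users and replays the gate's checks; nil means granted.
func Scenario() (map[string]error, error) {
	now := time.Now()
	aa, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ac := func(serial int64, services ...string) AttributeCert {
		return AttributeCert{HolderSerial: big.NewInt(serial), Role: "home-user", Services: services, NotAfter: now.Add(time.Hour)}
	}
	alice, err := SignAC(ac(1001, "internet"), aa)
	if err != nil {
		return nil, err
	}
	bob, err := SignAC(ac(1002, "internet", "iptv"), aa)
	if err != nil {
		return nil, err
	}
	// alice re-encodes her AC with iptv added, but can only reuse the AA's old signature
	forgedDER, _ := asn1.Marshal(ac(1001, "internet", "iptv"))
	forged := SignedAC{DER: forgedDER, Sig: alice.Sig}
	check := func(sac SignedAC, serial int64, service string, at time.Time) error {
		_, err := Authorize(&aa.PublicKey, sac, big.NewInt(serial), service, at)
		return err
	}
	return map[string]error{
		"granted":      check(alice, 1001, "internet", now),
		"not_granted":  check(alice, 1001, "iptv", now),
		"wrong_holder": check(bob, 1001, "iptv", now), // bob's AC presented with alice's PKC
		"forged":       check(forged, 1001, "iptv", now),
		"expired":      check(alice, 1001, "internet", now.Add(2*time.Hour)),
	}, nil
}
```

The signature is verified over the DER bytes before they are decoded, and the holder check uses the serial from the already authenticated PKC rather than anything the user types, which is what stops one subscriber from presenting another subscriber's AC.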

(4) Trusted time stamp service system

The trusted time stamp service system, based on a state-authoritative time source and public key technology, provides accurate and reliable time stamps to the business application security management system. It guarantees that data existed at a given time and establishes the relative order of related operations, which supports non-repudiation and auditability in business processing. The system obtains authoritative time from the National Time Service Center, so that the whole system shares one authoritative time source.

(5) Basic security protection system

The basic security protection system consists of firewalls, intrusion detection systems, vulnerability scanning systems, security auditing, anti-virus systems, web page anti-tampering systems and the like, forming an all-round basic security barrier.

(6) Backup and disaster recovery system

The backup and disaster recovery system includes local backup of the system (dual-machine hot standby and cold backup of important data) and the construction of a remote disaster recovery center.

3.2.2 Network Domain and trust management platform

Critical equipment, important terminals and users adopt the "one entity, one certificate" approach to build the network trusted domain, which includes trusted network access, secure network communication and trusted domain management services.

Trusted network access is implemented for Ethernet access using PKI digital certificate technology: based on the IEEE 802.1X standard and supporting X.509 certificates, the access authentication switch performs certificate-based, port-based access control.

Secure network communication is implemented with IP encryption gateways based on the IPsec protocol, which use PKI technology to provide secure and reliable channels for information exchange between network trusted domains.

The trusted domain network management system is mainly responsible for managing the user data and the network within the trusted domain, for map-based CPE location management, status monitoring and remote parameter configuration management, and for collecting the IP service processing data gathered by the access authentication switches, including user port information, IP service traffic and usage time.

3.2.3 Integrated Business Management Platform

The integrated business management platform faces the user directly and includes business management, customer management, billing management, network resource management, system security management, system maintenance and management, new business development and management, and knowledge management. It can be abstracted into three tiers: the data layer, the business processing layer and the application layer.

The data layer stores the system's data objects, in three categories: certificate data, equipment data and core system data.

The business processing layer handles the business logic; each process is encapsulated in an independent module, and a scheduling module in the system coordinates the calls between modules to provide the system's business functions.

The application layer is the customer-facing window. It provides value-added services and user interfaces for a wide range of IP broadband applications; all business is ultimately handled in the business processing layer, and the data layer behind it provides the corresponding system data services to the business processing layer.

3.3 User online and offline process

In this scheme, before a user can enjoy broadband services, the user must go to the operator's business acceptance department with valid identity documents to apply for a digital certificate. When the application succeeds, the salesperson issues the user a physical identification device and an IP address, together with a password envelope containing the device's serial number and PIN, and the user's service subscription is complete. The user then installs the login program on the PC and configures the allocated IP address in preparation for access. To go online, the user plugs in the physical identification device, starts the login program and enters the device serial number and PIN; the access authentication switch and the trust and authorization service support platform then authenticate the user on the basis of the digital certificate. If authentication passes, the user can enjoy broadband services; if not, access is denied. While the user is online, the access authentication switch periodically sends a certificate request to the physical identification device, and the device uploads its certificate for re-authentication, ensuring that the online user remains legitimate.

When a user goes offline normally, the login program first sends an offline request to the access authentication switch; on receiving it, the switch sends the result as a response to the user, sends an offline message to the trust and authorization service support platform and closes the port. When a user goes offline abnormally (for example by unplugging the physical identification device, powering off or unplugging the network cable), the access authentication switch detects the event on its own (because it periodically sends certificate requests to the device), sends an offline message to the trust and authorization service support platform and closes the port, but sends no response to the user.
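The online and offline procedure above, together with the PIN lockout of the physical identification device described in section 3.2, as an added Go example that is not the paper's code. The token, the switch port and the platform are simulated in memory; the re-authentication period, the retry limit and the platform's certificate check are assumptions made for the example.

```go
package main

// Added example, not code from the paper: the online/offline procedure of
// section 3.3 and the PIN lockout of section 3.2. The token (USB identification
// device) releases its certificate only for the right PIN and locks after
// MaxTries wrong PINs; the port admits a session when the platform accepts that
// certificate, re-challenges the token every Period, answers the user on a
// normal logoff, and on an unanswered challenge closes silently, telling only
// the platform. Timings, retry limit and platform check are assumptions.

import (
	"crypto/subtle"
	"errors"
	"time"
)

const MaxTries = 3

var ErrLocked = errors.New("token: locked after too many wrong PINs")

// Token models the physical identification device.
type Token struct {
	Serial   string
	Present  bool // still plugged in and reachable
	cert     []byte
	pin      []byte
	failures int
}

func NewToken(serial, pin string, cert []byte) *Token {
	return &Token{Serial: serial, Present: true, cert: cert, pin: []byte(pin)}
}

// Unlock releases the certificate for a correct PIN. Each wrong PIN counts
// toward the lockout, and a locked token refuses even the right PIN.
func (t *Token) Unlock(pin string) ([]byte, error) {
	if t.failures >= MaxTries {
		return nil, ErrLocked
	}
	if subtle.ConstantTimeCompare(t.pin, []byte(pin)) != 1 {
		t.failures++
		return nil, errors.New("token: wrong PIN")
	}
	t.failures = 0
	return t.cert, nil
}

// Challenge answers the switch's periodic certificate request; an unplugged token cannot.
func (t *Token) Challenge() ([]byte, bool) {
	if !t.Present {
		return nil, false
	}
	return t.cert, true
}

// Event is a message the port sends, either to the user's login program or to the platform.
type Event struct {
	At   time.Time
	To   string // "user" or "platform"
	What string
}

// Port is one controllable access switch port with its session state.
type Port struct {
	Bound      string                 // serial of the device bound to this port
	Verify     func(cert []byte) bool // the trust and authorization support platform
	Period     time.Duration          // re-authentication interval
	Authorized bool
	Events     []Event
	token      *Token
	lastOK     time.Time
}

func (p *Port) emit(at time.Time, to, what string) {
	p.Events = append(p.Events, Event{At: at, To: to, What: what})
}

// Login is the user's login program presenting the device and its PIN.
func (p *Port) Login(now time.Time, t *Token, pin string) error {
	cert, err := t.Unlock(pin)
	if err == nil && t.Serial != p.Bound {
		err = errors.New("device not bound to this port")
	}
	if err == nil && !p.Verify(cert) {
		err = errors.New("certificate not accepted")
	}
	if err != nil {
		p.emit(now, "user", "login rejected: "+err.Error())
		return err
	}
	p.Authorized, p.token, p.lastOK = true, t, now
	p.emit(now, "platform", "online")
	p.emit(now, "user", "login ok")
	return nil
}

// Tick is the periodic re-authentication. A missed or failed answer is an
// abnormal offline: the port closes and only the platform is told.
func (p *Port) Tick(now time.Time) {
	if !p.Authorized || now.Sub(p.lastOK) < p.Period {
		return
	}
	if cert, ok := p.token.Challenge(); ok && p.Verify(cert) {
		p.lastOK = now
		return
	}
	p.close(now, "offline (abnormal)")
}

// Logoff is the normal offline path: the user gets a response, then the port closes.
func (p *Port) Logoff(now time.Time) {
	if p.Authorized {
		p.emit(now, "user", "logoff ok")
		p.close(now, "offline (normal)")
	}
}

func (p *Port) close(now time.Time, why string) {
	p.Authorized, p.token = false, nil
	p.emit(now, "platform", why)
}

// Scenario replays two wrong PINs, a successful login, periodic re-authentication,
// a normal logoff, a second login and finally the device being unplugged.
func Scenario() []Event {
	t0 := time.Date(2003, 3, 20, 9, 0, 0, 0, time.UTC)
	tok := NewToken("SN-0001", "1234", []byte("cert-of-SN-0001"))
	p := &Port{Bound: "SN-0001", Period: time.Minute,
		Verify: func(c []byte) bool { return string(c) == "cert-of-SN-0001" }}
	p.Login(t0, tok, "0000")
	p.Login(t0.Add(time.Second), tok, "1111")
	p.Login(t0.Add(2*time.Second), tok, "1234")
	p.Tick(t0.Add(30 * time.Second)) // inside the period: no challenge yet
	p.Tick(t0.Add(90 * time.Second)) // challenge answered, session continues
	p.Logoff(t0.Add(2 * time.Minute))
	p.Login(t0.Add(3*time.Minute), tok, "1234")
	tok.Present = false // device or cable pulled
	p.Tick(t0.Add(5 * time.Minute))
	return p.Events
}
```

The replay ends with a single message to the platform and none to the user, which is the paper's abnormal offline case; the PIN comparison is constant-time and the failure counter survives across login attempts, so a wrong-PIN sequence cannot be retried indefinitely by restarting the login program.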

4 Conclusion

The project has been trialled to a certain extent on the Shenzhen Telecom IP MAN and passed an expert inspection organized by the Ministry of Science on March 20, 2003.

It is worth noting that, with the certificates and attribute certificates used in this project, user identity authentication is secured easily, and the value-added services a user subscribes to are recorded in the attribute certificate. This addresses the authentication, security and billing problems of information applications and creates good conditions for launching prepaid value-added services.