CN117560224B - Password governance system and method - Google Patents
- Publication number
- CN117560224B (application number CN202410022518.9A)
- Authority
- CN
- China
- Prior art keywords
- password
- security
- data
- security gateway
- sends
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION (parent of every entry below)
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/105—Network architectures or network communication protocols for network security for controlling access to devices or network resources; multiple levels of security
- H04L9/0861—Key distribution or management: generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0894—Key distribution or management: escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L9/40—Network security protocols
Abstract
The invention relates to a password governance system and a password governance method. The system comprises a password management center, a first security gateway, a second security gateway, a first switch, a second switch, a service application system, an event acquisition module, a security assessment center, a plurality of computer terminals, security software and password media. The invention achieves secure data transmission between areas with different network security levels and performs security assessment on the real-time state of the system.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a password governance system and a password governance method.
Background
When data is transmitted between two systems with different security levels, the data must be encrypted: the user authenticates with a password, and the data the user accesses is encrypted. As the numbers of users and passwords grow, however, the password management server faces high concurrency and heavy traffic, and the market keeps raising new requirements. CN109687959a discloses a key security management system and method, medium and computer program. Its system comprises a secure host configured to receive a first operation request, authenticate it and, when authentication passes, generate a second operation request based on the first; both requests carry an identity. A hardware security device is configured to receive the second operation request from the secure host, authenticate it, parse its type when authentication passes, and perform an operation on the key pair associated with the identity according to that type, the key pair comprising a public key and a private key specific to the identity. That system, however, is complicated to operate, offers no effective solution for the process between two systems of different security levels, and cannot evaluate the system state. How to overcome these defects of the prior art is a problem to be solved in this technical field.
Disclosure of Invention
To overcome the above-described deficiencies of the prior art, the present invention provides a password administration system comprising:
The system comprises a password management center, a first security gateway, a second security gateway, a first switch, a second switch, a service application system, an event acquisition module, a security assessment center, a plurality of computer terminals, security software and password media. The password management center, the first security gateway, the first switch, the computer terminals, the event acquisition module and the security assessment center are deployed in a user area: the password management center, the first security gateway, the first switch, the event acquisition module and the security assessment center in the user area machine room, the computer terminals in the user's working environment, the security software integrated in the browser built into each computer terminal, and the password medium held by the user. The second security gateway, the second switch and the service application system are deployed in an application area, specifically in the application area machine room. The user area is a level-2 system area under the network security classified protection scheme, and the application area is a level-3 system area. The password management center, the first security gateway and the computer terminals are all communicatively connected to the first switch, which carries the data communication among them; the event acquisition module is attached to a bypass traffic-mirror port of the first switch, and the security assessment center is communicatively connected to the event acquisition module. The first security gateway is communicatively connected to the second security gateway and carries the data communication between the user area and the application area.
The second security gateway and the service application system are both communicatively connected to the second switch, which carries the data communication between the second security gateway and the service application system.
Further, the password medium can be connected to the computer terminal and securely stores password information; the password management center, the first security gateway and the security software jointly carry out the initialization of the password medium and the distribution of password information.
Further, in the initialization and password information distribution process, the password medium is connected to the computer terminal, and the security software integrated in the computer terminal receives initialization data from the password medium and forwards it to the password management center through the first security gateway; the password management center performs a password initialization operation with the initialization data to generate an initial password, applies a security protection operation to the initial password to generate a password to be distributed, and sends the password to be distributed to the security software through the first security gateway; the security software receives the password to be distributed and writes it into the password medium, and the password medium processes the password to be distributed, generates a security password, and stores the security password in encrypted form.
Further, in the user identity authentication process, the password medium is connected to the computer terminal, and the security software integrated in the browser built into the computer terminal initiates a first identity authentication request to the password medium; the password medium receives the first identity authentication request, organizes identity authentication and password negotiation data based on the stored security password, and sends them to the security software as identity authentication data; the security software generates a second identity authentication request from the identity authentication data and sends it to the first security gateway; the first security gateway verifies the identity using a verification data set stored in advance, performs key negotiation, generates an identity authentication result and a session key, and sends both to the security software; the security software then either sends the session key to the password medium or deletes it, depending on whether the identity authentication result is a pass. The password medium receives the session key and stores it in encrypted form.
Further, in the data transmission process, a user initiates access to the service application system through the browser built into the computer terminal; the security software sends the data of the access to the password medium; the password medium encrypts the received data with the session key it holds in encrypted storage to generate the access service system ciphertext, and sends it to the first security gateway through the security software; after receiving the access service system ciphertext, the first security gateway decrypts it to obtain the access service system plaintext, encrypts that plaintext with the data transmission key stored in the first security gateway to obtain a first data transmission ciphertext, and sends the first data transmission ciphertext to the second security gateway; after receiving the first data transmission ciphertext, the second security gateway decrypts it to obtain the access service system plaintext and sends the plaintext to the service application system; the service application system responds to the access service system plaintext, executes the corresponding application functions, obtains return data, and sends the return data to the second security gateway in plaintext; the second security gateway encrypts the return data plaintext with the data transmission key stored in the second security gateway to obtain a second data transmission ciphertext and sends it to the first security gateway; after receiving the second data transmission ciphertext, the first security gateway decrypts it to obtain the return data plaintext, encrypts that plaintext with the session key stored in the first security gateway to obtain the return data ciphertext, and sends the return data ciphertext to the security software; the security software sends the received return data ciphertext to the password medium, and the password medium decrypts it to obtain the return data plaintext and sends the return data plaintext to the browser of the computer terminal through the security software.
Further, the event acquisition module is configured to analyze the data flowing through the first switch and send the analysis result to the security assessment center. The security assessment center receives the data sent by the event acquisition module, processes it according to preset rules, and then performs visual display and security assessment.
The invention also relates to a password governance method using the password governance system, comprising an initialization process and a password information distribution process, where the initialization process specifically comprises the following steps:
S101, connect the password medium to the computer terminal and execute the password medium check;
S102, generate initialization data;
S103, the security software integrated in the computer terminal receives the initialization data from the password medium;
S104, the security software sends the initialization data to the first security gateway;
S105, the first security gateway sends the initialization data to the password management center;
S106, the password management center performs the password initialization operation with the initialization data to generate an initial password;
S107, the password management center performs the security protection operation on the initial password to generate the password to be distributed;
S108, the password management center sends the password to be distributed to the first security gateway;
S109, the first security gateway sends the password to be distributed to the security software;
S110, the security software receives the password to be distributed and writes it into the password medium;
S111, the password medium processes the password to be distributed, generates a security password and stores it in encrypted form.
Further, the password information distribution flow specifically includes the following steps:
S201, the password medium is connected to the computer terminal, and the security software integrated in the browser built into the computer terminal initiates a first identity authentication request to the password medium;
S202, the password medium receives the first identity authentication request and organizes identity authentication and password negotiation data based on the stored security password;
S203, the password medium sends the identity authentication and password negotiation data to the security software as identity authentication data;
S204, the security software generates a second identity authentication request from the identity authentication data and sends it to the first security gateway;
S205, the first security gateway verifies the identity using a verification data set stored in advance and performs key negotiation to generate an identity authentication result and a session key;
S206, the first security gateway sends the identity authentication result and the session key to the security software;
S207, the security software sends the session key to the password medium or deletes it, depending on whether the identity authentication result is a pass, and the password medium receives the session key and stores it in encrypted form.
S208, a user initiates access to the service application system through the browser built into the computer terminal, via the security software;
S209, the security software sends the data of the access to the password medium;
S210, the password medium encrypts the received data with the session key it holds in encrypted storage to generate the access service system ciphertext;
S211, the password medium sends the access service system ciphertext to the security software;
S212, the security software sends the access service system ciphertext to the first security gateway;
S213, after receiving the access service system ciphertext, the first security gateway decrypts it to obtain the access service system plaintext;
S214, the first security gateway encrypts the access service system plaintext with the data transmission key stored in the first security gateway to obtain a first data transmission ciphertext;
S215, the first security gateway sends the first data transmission ciphertext to the second security gateway;
S216, after receiving the first data transmission ciphertext, the second security gateway decrypts it to obtain the access service system plaintext;
S217, the second security gateway sends the access service system plaintext to the service application system;
S218, the service application system responds to the access service system plaintext, executes the corresponding application functions and obtains return data;
S219, the service application system sends the return data to the second security gateway in plaintext;
S220, the second security gateway encrypts the return data plaintext with the data transmission key stored in the second security gateway to obtain a second data transmission ciphertext;
S221, the second security gateway sends the second data transmission ciphertext to the first security gateway;
S222, after receiving the second data transmission ciphertext, the first security gateway decrypts it to obtain the return data plaintext;
S223, the first security gateway encrypts the return data plaintext with the session key stored in the first security gateway to obtain the return data ciphertext;
S224, the first security gateway sends the return data ciphertext to the security software;
S225, the security software sends the received return data ciphertext to the password medium;
S226, the password medium decrypts the return data ciphertext to obtain the return data plaintext and sends it to the security software;
S227, the security software sends the return data plaintext to the browser of the computer terminal.
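The two-hop encryption of steps S210 to S226 (and of the data transmission process described above), as an added example in Go that is not part of the patent: the password medium and the first security gateway share the session key from S205, the two gateways share the data transmission key, and each gateway decrypts and re-encrypts in turn. AES-256-GCM and the fixed sample keys are assumptions; the patent lists SM4 and AES among the supported algorithms but fixes no mode of operation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal encrypts plaintext under a 32-byte key with AES-256-GCM and returns
// nonce || ciphertext || tag. AES-GCM is an assumption (see the lead-in).
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails if the key is wrong or the message was altered.
func Open(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message shorter than nonce")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

// ForwardRequest follows S210-S217. It returns the plaintext delivered to the
// service application system and the plaintext the first gateway handled in
// between, to make the hop-by-hop trust boundary visible.
func ForwardRequest(sessionKey, transmissionKey, request []byte) (atService, atGateway1 []byte, err error) {
	// S210-S212: the password medium encrypts under the session key and the
	// security software relays the ciphertext to the first security gateway.
	c1, err := Seal(sessionKey, request)
	if err != nil {
		return nil, nil, err
	}
	// S213: the first gateway decrypts with its own copy of the session key.
	if atGateway1, err = Open(sessionKey, c1); err != nil {
		return nil, nil, err
	}
	// S214-S215: re-encrypt under the data transmission key shared only by
	// the two gateways; this is the first data transmission ciphertext.
	c2, err := Seal(transmissionKey, atGateway1)
	if err != nil {
		return nil, nil, err
	}
	// S216-S217: the second gateway decrypts and forwards plaintext.
	atService, err = Open(transmissionKey, c2)
	return atService, atGateway1, err
}

// ReturnResponse follows S219-S226 in the reverse direction.
func ReturnResponse(sessionKey, transmissionKey, response []byte) ([]byte, error) {
	c2, err := Seal(transmissionKey, response) // S220-S221: second gateway
	if err != nil {
		return nil, err
	}
	p, err := Open(transmissionKey, c2) // S222: first gateway decrypts
	if err != nil {
		return nil, err
	}
	c1, err := Seal(sessionKey, p) // S223-S224: re-encrypt under the session key
	if err != nil {
		return nil, err
	}
	return Open(sessionKey, c1) // S225-S226: the password medium decrypts
}

func main() {
	sessionKey := bytes.Repeat([]byte{0x11}, 32)      // constructed; S205 negotiates the real one
	transmissionKey := bytes.Repeat([]byte{0x22}, 32) // constructed; provisioned between the gateways
	got, seen, err := ForwardRequest(sessionKey, transmissionKey, []byte("GET /orders?id=42"))
	fmt.Printf("service got %q, gateway 1 handled %q, err=%v\n", got, seen, err)
	c1, _ := Seal(sessionKey, []byte("user-link data"))
	_, err = Open(transmissionKey, c1) // the gateway-to-gateway key cannot open user-link ciphertext
	fmt.Println("wrong-key open:", err)
}
```

The atGateway1 return value shows the point a reviewer of this design should record: the first security gateway holds the session key and handles every request and response in plaintext, so its host and key store lie inside the trust boundary of the user link.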
Further, the method comprises a security assessment flow, specifically comprising the following steps:
S301, the event acquisition module acquires the password application protocol type, the certificate validity period, the certificate authority credibility and the encryption algorithm type in the current state of the system; the security evaluation center builds an original index data matrix A, which includes obtaining, by survey, the risk evaluation values given by k experts to the 4 indexes (password application protocol type, certificate validity period, certificate authority credibility and encryption algorithm type) to form an initialization matrix C of k rows and 4 columns, whose element in row i and column j is the risk evaluation value given to the j-th index by the i-th expert. The risk evaluation value is a score from 1 to 5, higher scores representing higher risk levels;
S302, reconstruct the initialization matrix C to obtain a calculation matrix S;
S303, calculate the measurement value of the j-th index;
S304, calculate the weight value of the j-th index;
S305, obtain the weight value matrix;
S306, obtain the risk matrix for evaluation from historical statistical data. Risk potential is classified into 4 cases, very high, high, low and very low, according to the intervals [60%,100%], [40%,60%), [10%,40%) and [0%,10%) respectively. The 4 elements of the row for the 1st index (password application protocol type) are the probability values that this index falls into each of the 4 cases, each expressed as a number between 0 and 1 inclusive; likewise, the row for the 2nd index (certificate validity period) holds the probability values that it falls into the 4 cases, and so on for the remaining indexes;
S307, obtain the security evaluation result matrix A;
S308, obtain the security evaluation result: the maximum element of the security evaluation result matrix A is the decision basis, and if it falls in the interval [0.5,1], [0.1,0.5), [0.01,0.1) or [0,0.01), the security evaluation result is output as a high risk state, a medium risk state, a low risk state or a controllable state respectively.
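The assessment flow S301 to S308 carried through in Go, as an added example that is not part of the patent. The page gives the expert matrix C, the four S306 intervals and the four S308 thresholds but not the formulas of S302 to S304 and S307; the entropy-weight method used for the weights and the weight-vector-times-R product used for A are therefore assumptions, and the expert scores and risk probabilities are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Cases of S306, in column order of the risk matrix R.
var Cases = [4]string{"very high", "high", "low", "very low"}

// RiskCase maps a historical frequency in [0,1] to its S306 interval.
func RiskCase(p float64) (string, error) {
	switch {
	case p < 0 || p > 1:
		return "", fmt.Errorf("probability %v outside [0,1]", p)
	case p >= 0.60:
		return Cases[0], nil
	case p >= 0.40:
		return Cases[1], nil
	case p >= 0.10:
		return Cases[2], nil
	}
	return Cases[3], nil
}

// State applies the S308 decision to the largest element of A.
func State(maxA float64) string {
	switch {
	case maxA >= 0.5:
		return "high risk state"
	case maxA >= 0.1:
		return "medium risk state"
	case maxA >= 0.01:
		return "low risk state"
	}
	return "controllable state"
}

// Weights derives the 4 index weights from the k x 4 expert matrix C (scores
// 1..5). ASSUMPTION: the page does not reproduce S302-S304, so the entropy-
// weight method stands in: the column-normalised matrix plays the role of S,
// the entropy of each column is the "measurement value", and (1 - e_j)
// normalised over j is the weight value.
func Weights(C [][]int) ([4]float64, error) {
	var w, colSum, e [4]float64
	k := len(C)
	if k < 2 {
		return w, errors.New("need at least two experts")
	}
	for _, row := range C {
		if len(row) != 4 {
			return w, errors.New("each expert must score exactly 4 indexes")
		}
		for j, c := range row {
			if c < 1 || c > 5 {
				return w, fmt.Errorf("score %d outside 1..5", c)
			}
			colSum[j] += float64(c)
		}
	}
	total := 0.0
	for j := range e {
		for _, row := range C {
			p := float64(row[j]) / colSum[j] // never 0: scores are >= 1
			e[j] -= p * math.Log(p)
		}
		e[j] /= math.Log(float64(k))
		total += 1 - e[j]
	}
	if total < 1e-12 { // experts agree on every index: no spread, equal weights
		return [4]float64{0.25, 0.25, 0.25, 0.25}, nil
	}
	for j := range e {
		w[j] = (1 - e[j]) / total
	}
	return w, nil
}

// Evaluate builds the result matrix A of S307 as the weight vector times R
// (row j holds the probabilities that index j lies in each S306 case; the
// product itself is an assumption) and applies S308 to its largest element.
func Evaluate(C [][]int, R [4][4]float64) (A [4]float64, state string, err error) {
	w, err := Weights(C)
	if err != nil {
		return A, "", err
	}
	for j := range R {
		for c, p := range R[j] {
			if p < 0 || p > 1 {
				return A, "", fmt.Errorf("R[%d][%d] outside [0,1]", j, c)
			}
			A[c] += w[j] * p
		}
	}
	maxA := math.Max(math.Max(A[0], A[1]), math.Max(A[2], A[3]))
	return A, State(maxA), nil
}
```

With normalised weights and rows of R that each sum to 1, the elements of A also sum to 1 and the largest is at least 0.25, so under these assumptions only the high and medium states of S308 can occur; whether the low and controllable thresholds are reachable depends on the exact S304 and S307 formulas the patent uses.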
The present invention also relates to a computer-readable storage medium having stored therein a computer-executable program, characterized in that the computer-executable program is executed by a computer to realize the password governance method as described above.
The technical scheme of the invention provides a password governance system in which security gateways are deployed at the two network boundaries of the user system and the service system, and the data between the security gateways is transmitted encrypted to ensure data security on the system link. When a user accesses the system, the system and the user perform bidirectional identity authentication to ensure the validity of both the user identity and the system, the user's access data is encrypted to ensure data security on the user link, and security assessment can be performed on the real-time state of the system.
Drawings
FIG. 1 is a block diagram of a password administration system of the present invention.
Detailed Description
The application is further described below with reference to the accompanying drawings. The following examples are only for more clearly illustrating the technical aspects of the present application, and are not intended to limit the scope of the present application. It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the application.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of exemplary embodiments according to the present application. As used herein, the singular is also intended to include the plural unless the context clearly indicates otherwise, and furthermore, it is to be understood that the terms "comprises" and/or "comprising" when used in this specification are taken to specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof.
As shown in FIG. 1, embodiment 1 of the present invention relates to a password governance system, which includes a password management center, a first security gateway, a second security gateway, a first switch, a second switch, a service application system, an event acquisition module, a security assessment center, and a plurality of computer terminals, security software and password media.
The first security gateway and the second security gateway each comprise a management system, a database system, a log system and a security application. The management system comprises a user management module, a state management module, a security management module and an abnormality alarm module; the security application comprises an identity authentication module, a data security module, a communication protocol module, a data packet management module and an underlying encryption algorithm, and adopts a kernel-based lightweight encrypted-communication architecture.
The functions of the security gateway include:
(1) Identity authentication: bidirectional identity authentication with the peer security gateway.
(2) Data packet processing: processing and forwarding all data received from the peer security gateway and from the local service system.
(3) Data encryption and decryption: decrypting all data obtained from the peer security gateway and encrypting all data obtained from the local service server.
(4) User management: user registration, login verification, user logout and similar functions.
(5) State monitoring: monitoring the data state of every connected security gateway and service system and the working state of the security gateway itself.
(6) Abnormality alarm: when an abnormal state such as identity authentication failure, data encryption or decryption failure or abnormal traffic occurs, an alarm is sent to the administrator, by e-mail, SMS or a similar channel.
The security software comprises an application API, a signature verification/symmetric encryption/decryption/asymmetric encryption/random number functional module, an initialization management module and a USB drive management module.
The security software supports the use of encryption algorithms such as SM2, SM3, SM4, ECC and AES; it supports identity authentication, data encryption and decryption, and the related functions for user-side access to the service system; and it supports USB drive management, initializing the password medium and accessing the password medium to execute cryptographic algorithms.
The password management center comprises a password service system and a password card (encryption card). The password service system comprises a password service interface, an encryption card hardware management module, an algorithm service interface, an authentication service module, a log management module, a database and a Web management page module; the encryption card comprises a key generation algorithm, a key management module, a security storage module, a configuration management module, a log audit module and a certificate management module. The password service system and the password card are connected through a PCIe high-speed interface.
The key functions of the password management center are as follows: providing password initialization for the user and the password medium; letting an administrator manage users' keys through the Web management page; providing log management for user security management and audit; and generating and protecting keys inside the encryption card. The encryption card contains an encryption chip, and sensitive information such as its internal software code and keys cannot be exported.
The password management center, the first security gateway, the first switch, the computer terminal, the event acquisition module and the security assessment center are deployed in the user area. The password management center, the first security gateway, the first switch, the event acquisition module and the security assessment center are deployed in a user area machine room, the computer terminal is deployed in a user use environment, the security software is integrated in a user browser built in the computer terminal, and the password medium is held by a user.
The second security gateway, the second switch and the service application system are deployed in an application area, and are specifically deployed in an application area machine room.
The user area is a network security level protection secondary system area, and the application area is a network security level protection tertiary system area.
The password management center, the first security gateway and the computer terminals are all communicatively connected to the first switch, which carries the data communication among them. The event acquisition module is attached to a bypass traffic-mirror port of the first switch, and the security assessment center is communicatively connected to the event acquisition module.
The first security gateway is in communication connection with the second security gateway and is used for realizing data communication between the user area and the application area. The second security gateway and the service application system are both in communication connection with the second switch, and the second switch is used for realizing data communication between the second security gateway and the service application system.
The password medium can be connected to the computer terminal and securely stores password information. The password management center, the first security gateway and the security software jointly realize the initialization of the password medium and the distribution of password information.
In particular, the password medium may be a data storage medium with a USB interface, such as a USB Key.
In the initialization and password information distribution process, the password medium is connected to the computer terminal. The security software integrated in the computer terminal receives initialization data from the password medium and forwards it to the password management center through the first security gateway. The password management center uses the initialization data to perform a password initialization operation that generates an initial password, performs a security protection operation on the initial password to generate a password to be distributed, and then sends the password to be distributed to the security software through the security gateway. The security software receives the password to be distributed and writes it into the password medium; the password medium processes the password to be distributed, generates a security password, and stores the security password in encrypted form.
The password management system can realize user identity authentication and encrypted data transmission, so that a user accesses application area data through equipment in a user area, and meanwhile, the data information security is ensured.
Specifically, in the user identity authentication process, the password medium is connected to the computer terminal, and the security software integrated in the user browser built into the computer terminal initiates a first identity authentication request to the password medium. The password medium receives the first identity authentication request, organizes identity authentication and password negotiation data based on its stored security password, and sends this data to the security software as identity authentication data. The security software generates a second identity authentication request based on the identity authentication data and sends it to the first security gateway. The first security gateway performs identity authentication verification using a verification data set stored in advance, performs key negotiation, generates an identity authentication result and a session key, and sends both to the security software. Depending on whether the identity authentication result is "passed", the security software either sends the session key to the password medium or deletes it. The password medium receives the session key and stores it in encrypted form.
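The identity authentication exchange described above (and repeated as steps S201 to S207 of claim 5), as an added Python example that is not code from the patent or from any product implementing it. The three parties are simulated in one process; an HMAC-SHA256 challenge-response stands in for the patent's unspecified "identity authentication and password negotiation data", and the session key is derived from nonces contributed by both sides. The class names, the medium identifier, the layout of the verification data set and all sample secrets are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


class PasswordMedium:
    """USB-Key-like medium: holds the security password and never exports it."""

    def __init__(self, security_password: bytes) -> None:
        self._security_password = security_password
        self._session_key: bytes | None = None  # written only after a passed result

    def build_authentication_data(self, medium_id: bytes) -> dict:
        # Reply to the first identity authentication request: a fresh nonce and a
        # MAC over (id, nonce) under the stored security password (assumed format).
        nonce = secrets.token_bytes(16)
        tag = hmac.new(self._security_password, medium_id + nonce, hashlib.sha256).digest()
        return {"id": medium_id, "nonce": nonce, "tag": tag}

    def store_session_key(self, session_key: bytes) -> None:
        # A real medium keeps this encrypted at rest; the simulation just stores it.
        self._session_key = session_key

    def has_session_key(self) -> bool:
        return self._session_key is not None


class FirstSecurityGateway:
    """Holds the verification data set stored in advance: medium id -> secret."""

    def __init__(self, verification_data: dict[bytes, bytes]) -> None:
        self._verification_data = verification_data

    def authenticate(self, request: dict) -> tuple[bool, bytes | None]:
        secret = self._verification_data.get(request["id"])
        if secret is None:
            return False, None
        expected = hmac.new(secret, request["id"] + request["nonce"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, request["tag"]):
            return False, None  # failed result: no session key is issued
        # Key negotiation: the gateway adds its own nonce so that neither side
        # alone determines the session key.
        gateway_nonce = secrets.token_bytes(16)
        session_key = hmac.new(
            secret, b"session-key" + request["nonce"] + gateway_nonce, hashlib.sha256
        ).digest()
        return True, session_key


class SecuritySoftware:
    """Browser-integrated component relaying between medium and first gateway."""

    def __init__(self, medium: PasswordMedium, gateway: FirstSecurityGateway) -> None:
        self._medium = medium
        self._gateway = gateway

    def run_identity_authentication(self, medium_id: bytes) -> bool:
        auth_data = self._medium.build_authentication_data(medium_id)
        second_request = dict(auth_data)  # the second identity authentication request
        passed, session_key = self._gateway.authenticate(second_request)
        if passed and session_key is not None:
            self._medium.store_session_key(session_key)
        else:
            session_key = None  # deleted: a failed result never reaches the medium
        return passed


def demo() -> tuple[bool, bool]:
    """Constructed run: a correctly provisioned medium and one holding a wrong secret."""
    gateway = FirstSecurityGateway({b"usbkey-0001": b"constructed-security-password"})
    good = PasswordMedium(b"constructed-security-password")
    bad = PasswordMedium(b"some-other-secret")
    ok = SecuritySoftware(good, gateway).run_identity_authentication(b"usbkey-0001")
    fail = SecuritySoftware(bad, gateway).run_identity_authentication(b"usbkey-0001")
    return ok, fail
```

Because the session key passes through the security software before it is written to the medium, the software is the component that must discard it on a failed result; `run_identity_authentication` models exactly that branch, and `demo()` returns `(True, False)` for the two constructed media.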
In the data transmission process, a user initiates access to the service application system through the browser built into the computer terminal. The security software sends the access-related data to the password medium, which encrypts the received data with the session key it holds in encrypted storage to generate an access service system ciphertext, and the ciphertext is sent to the first security gateway through the security software. After receiving the access service system ciphertext, the first security gateway decrypts it to obtain the access service system plaintext, encrypts that plaintext with the data transmission key stored in the first security gateway to obtain a first data transmission ciphertext, and sends the first data transmission ciphertext to the second security gateway. After receiving the first data transmission ciphertext, the second security gateway decrypts it to obtain the access service system plaintext and sends the plaintext to the service application system. The service application system responds to the access service system plaintext, executes the corresponding application functions, obtains return data, and sends the return data to the second security gateway in plaintext. The second security gateway encrypts the return data plaintext with the data transmission key stored in the second security gateway to obtain a second data transmission ciphertext and sends it to the first security gateway.
After receiving the second data transmission ciphertext, the first security gateway decrypts it to obtain the return data plaintext, encrypts the return data plaintext with the session key stored in the first security gateway to obtain a return data ciphertext, and sends the return data ciphertext to the security software. The security software passes the received return data ciphertext to the password medium, which decrypts it to obtain the return data plaintext; the plaintext is then delivered through the security software to the browser of the computer terminal for the user.
The event acquisition module is used for analyzing the data flowing through the first switch and sending an analysis result to the security assessment center. And the security assessment center receives the data sent by the event acquisition module, processes the data according to a preset rule, and then performs visual display and security assessment.
The specific evaluation process comprises the following steps:
1. Construct the original index data matrix A. Risk evaluation values given by k experts to the 4 indexes (password application protocol type, certificate validity period, certificate issuing authority credibility and encryption algorithm type) are obtained by survey to form an initialization matrix C, in which the entry in row i and column j is the risk evaluation value given by the i-th expert to the j-th index. The risk evaluation value is a score from 1 to 5, with higher scores indicating sequentially higher risk levels.
2. Reconstruct the initialization matrix to obtain a calculation matrix S.
3. Calculate the measurement value of the j-th index.
4. Calculate the weight value of the j-th index.
5. Obtain the weight value matrix.
6. Obtain an estimated risk matrix based on historical statistical data. Risk likelihood is classified into 4 cases, from very high down through low to very low, according to the intervals [60%,100%], [40%,60%), [10%,40%) and [0%,10%) respectively. The entries for the 1st of the 4 indexes (password application protocol type, certificate validity period, certificate issuing authority credibility and encryption algorithm type) are the probability values that this index belongs to each of the 4 cases, each probability value being a number greater than or equal to 0 and less than or equal to 1. Similarly, the entries for the 2nd index are the probability values that it belongs to each of the 4 cases, and so on.
7. Obtain the security evaluation result matrix A.
8. Obtain the security evaluation result by taking the maximum element of the security evaluation result matrix A as the basis for judgment: if the maximum value falls within the interval [0.5,1], [0.1,0.5), [0.01,0.1) or [0,0.01), the security evaluation result is output as a high-risk state, medium-risk state, low-risk state or controllable state respectively.
While only the preferred embodiments of the present invention have been described, it should be noted that modifications and variations can be made by those skilled in the art without departing from the technical principles of the present invention, and such modifications and variations should also be regarded as being within the scope of the invention.
Claims (7)
1. A password administration system, the system comprising:
the system comprises a password management center, a first security gateway, a second security gateway, a first switch, a second switch, a service application system, an event acquisition module, a security assessment center, a plurality of computer terminals, security software and password media;
the password management center, the first security gateway, the first switch, the computer terminal, the event acquisition module and the security assessment center are deployed in a user area, wherein the password management center, the first security gateway, the first switch, the event acquisition module and the security assessment center are deployed in a user area machine room, the computer terminal is deployed in a user use environment, the security software is integrated in a user browser built into the computer terminal, and the password medium is held by a user;
the second security gateway, the second switch and the service application system are deployed in an application area, and specifically in an application area machine room;
the user area is a level-2 system area under network security classified protection, and the application area is a level-3 system area;
the password management center, the first security gateway and the computer terminal are all in communication connection with the first switch, and the first switch is used for realizing data communication among the password management center, the first security gateway and the computer terminal;
the event acquisition module is deployed at a bypass mirror data port of the first switch, and the security assessment center is in communication connection with the event acquisition module;
the first security gateway is in communication connection with the second security gateway and is used for realizing data communication between the user area and the application area; the second security gateway and the service application system are both in communication connection with the second switch, and the second switch is used for realizing data communication between the second security gateway and the service application system;
in the user identity authentication process, the password medium is connected to the computer terminal, and the security software integrated in the user browser built into the computer terminal initiates a first identity authentication request to the password medium;
the password medium receives the first identity authentication request, organizes identity authentication and password negotiation data based on the stored security password, and sends the identity authentication and password negotiation data to the security software as identity authentication data;
the security software generates a second identity authentication request based on the identity authentication data and sends the second identity authentication request to the first security gateway;
the first security gateway performs identity authentication verification using a verification data set stored in advance, performs key negotiation, generates an identity authentication result and a session key, and sends the identity authentication result and the session key to the security software;
the security software sends the session key to the password medium or deletes the session key according to whether the generated identity authentication result is passed or not; the password medium receives the session key and stores the session key in encrypted form;
in the data transmission process, a user initiates access to the service application system through the browser built into the computer terminal;
the security software sends the access-related data to the password medium;
the password medium encrypts the received data using the session key it holds in encrypted storage to generate an access service system ciphertext, and sends the access service system ciphertext to the first security gateway through the security software;
after receiving the access service system ciphertext, the first security gateway decrypts it to obtain an access service system plaintext, encrypts the access service system plaintext by means of a data transmission key stored in the first security gateway to obtain a first data transmission ciphertext, and sends the first data transmission ciphertext to the second security gateway;
after receiving the first data transmission ciphertext, the second security gateway decrypts it to obtain the access service system plaintext and sends the plaintext to the service application system;
the service application system responds to the access service system plaintext, executes the corresponding application functions, obtains return data, and sends the return data to the second security gateway in plaintext;
the second security gateway encrypts the return data plaintext with a data transmission key stored in the second security gateway to obtain a second data transmission ciphertext, and sends the second data transmission ciphertext to the first security gateway;
after receiving the second data transmission ciphertext, the first security gateway decrypts it to obtain the return data plaintext, encrypts the return data plaintext by means of a session key stored in the first security gateway to obtain a return data ciphertext, and sends the return data ciphertext to the security software;
the security software sends the received return data ciphertext to the password medium, and the password medium decrypts the return data ciphertext to obtain the return data plaintext and sends it to the browser of the computer terminal through the security software.
2. A password administration system according to claim 1, wherein the password medium is connectable to the computer terminal for securely storing password information; the password management center, the first security gateway and the security software jointly realize the initialization of the password medium and the password information distribution.
3. The password administration system of claim 1, wherein during initialization and password information distribution, the password medium is connected to the computer terminal, and security software integrated in the computer terminal receives initialization data from the password medium and forwards the initialization data to the password management center through the first security gateway;
The password management center performs password initialization operation by using the initialization data to generate an initial password, performs security protection operation on the initial password to generate a password to be distributed, and sends the password to be distributed to security software through a security gateway;
the security software receives the password to be distributed and writes the password into the password medium, and the password medium processes the password to be distributed, generates a security password and encrypts and stores the security password.
4. The password administration system of claim 1, wherein the event collection module is configured to analyze data flowing through the first switch and send the analysis result to the security assessment center; and the security assessment center receives the data sent by the event acquisition module, processes the data according to a preset rule, and then performs visual display and security assessment.
5. A password governance method implemented using the password governance system of any one of claims 1-4, the method comprising an initialization procedure and a password information distribution procedure, the initialization procedure comprising in particular the following steps:
S101, connecting the password medium to the computer terminal, and executing a password medium check;
S102, generating initialization data;
S103, the security software integrated in the computer terminal receives the initialization data from the password medium;
S104, the security software sends the initialization data to the first security gateway;
S105, the first security gateway sends the initialization data to the password management center;
S106, the password management center uses the initialization data to perform a password initialization operation to generate an initial password;
S107, the password management center carries out a security protection operation on the initial password to generate a password to be distributed;
S108, the password management center sends the password to be distributed to the first security gateway;
S109, the first security gateway sends the password to be distributed to the security software;
S110, the security software receives the password to be distributed and writes it into the password medium;
S111, the password medium processes the password to be distributed, generates a security password and stores the security password in encrypted form;
The password information distribution flow specifically comprises the following steps:
S201, the password medium is connected to the computer terminal, and the security software integrated in the user browser built into the computer terminal initiates a first identity authentication request to the password medium;
S202, the password medium receives the first identity authentication request and organizes identity authentication and password negotiation data based on the stored security password;
S203, the password medium sends the identity authentication and password negotiation data to the security software as identity authentication data;
S204, the security software generates a second identity authentication request based on the identity authentication data and sends the second identity authentication request to the first security gateway;
S205, the first security gateway performs identity authentication verification using a verification data set stored in advance, and performs key negotiation to generate an identity authentication result and a session key;
S206, the first security gateway sends the identity authentication result and the session key to the security software;
S207, the security software sends the session key to the password medium or deletes the session key according to whether the generated identity authentication result is passed or not, and the password medium receives the session key and stores the session key in encrypted form;
S208, a user initiates access to the service application system through the security software via the browser built into the computer terminal;
S209, the security software sends the access-related data to the password medium;
S210, the password medium encrypts the received data using the session key it holds in encrypted storage to generate an access service system ciphertext;
S211, the password medium sends the access service system ciphertext to the security software;
S212, the security software sends the access service system ciphertext to the first security gateway;
S213, after receiving the access service system ciphertext, the first security gateway decrypts it to obtain the access service system plaintext;
S214, the first security gateway encrypts the access service system plaintext by means of a data transmission key stored in the first security gateway to obtain a first data transmission ciphertext;
S215, the first security gateway sends the first data transmission ciphertext to the second security gateway;
S216, after receiving the first data transmission ciphertext, the second security gateway decrypts it to obtain the access service system plaintext;
S217, the second security gateway sends the access service system plaintext to the service application system;
S218, the service application system responds to the access service system plaintext, executes the corresponding application functions and obtains return data;
S219, the service application system sends the return data to the second security gateway in plaintext;
S220, the second security gateway encrypts the return data plaintext with a data transmission key stored in the second security gateway to obtain a second data transmission ciphertext;
S221, the second security gateway sends the second data transmission ciphertext to the first security gateway;
S222, after receiving the second data transmission ciphertext, the first security gateway decrypts it to obtain the return data plaintext;
S223, the first security gateway encrypts the return data plaintext by means of a session key stored in the first security gateway to obtain a return data ciphertext;
S224, the first security gateway sends the return data ciphertext to the security software;
S225, the security software sends the received return data ciphertext to the password medium;
S226, the password medium decrypts the return data ciphertext to obtain the return data plaintext and sends it to the security software;
S227, the security software sends the return data plaintext to the browser of the computer terminal.
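The two-hop data path of the description above and of steps S208 to S227, as an added Python example that is not code from the patent. It shows the first security gateway acting as the re-encryption point between the session key (medium to first gateway) and the data transmission key (first gateway to second gateway), and records which parties handle plaintext. The encrypt-then-MAC construction on an HMAC-SHA256 keystream is a constructed stand-in for whatever cipher the gateways actually use; the party names, sample request and service handler are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 32


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from one transport key.
    return (
        hmac.new(key, b"enc", hashlib.sha256).digest(),
        hmac.new(key, b"mac", hashlib.sha256).digest(),
    )


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a toy keystream (constructed for this example;
    # a deployment would use an AEAD such as AES-GCM, not this construction).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tampering_detected(key: bytes, blob: bytes) -> bool:
    """True when unseal rejects the blob (wrong key or modified bytes)."""
    try:
        unseal(key, blob)
    except ValueError:
        return True
    return False


def relay_access(request: bytes, session_key: bytes, transmission_key: bytes, service):
    """Run one request through medium -> GW1 -> GW2 -> service and back.

    Returns (plaintext delivered to the browser, trace of who handled plaintext).
    """
    trace = []  # (party, plaintext it handled): constructed observation for the reader
    # S210 to S213: medium to first gateway under the session key
    access_ct = seal(session_key, request)
    access_pt = unseal(session_key, access_ct)
    trace.append(("first_security_gateway", access_pt))
    # S214 to S216: first gateway to second gateway under the data transmission key
    tx1_pt = unseal(transmission_key, seal(transmission_key, access_pt))
    trace.append(("second_security_gateway", tx1_pt))
    # S217 to S219: the service application system works on plaintext
    return_pt = service(tx1_pt)
    trace.append(("service_application_system", return_pt))
    # S220 to S222: second gateway back to first gateway under the transmission key
    ret_pt = unseal(transmission_key, seal(transmission_key, return_pt))
    trace.append(("first_security_gateway", ret_pt))
    # S223 to S227: first gateway to medium under the session key
    return unseal(session_key, seal(session_key, ret_pt)), trace
```

The trace makes the trust boundary explicit: both gateways and the service application system see plaintext, so the confidentiality of the path rests on those components sitting inside the machine rooms the description assigns to them, and a ciphertext sealed under the session key is useless to a holder of only the transmission key (`tampering_detected` returns True for it), which is what keeps the two hops independent.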
6. The password governance method of claim 5, comprising a security assessment procedure, comprising the steps of:
S301, the event acquisition module acquires the password application protocol type, certificate validity period, certificate issuing authority credibility and encryption algorithm type in the current state of the system; the security evaluation center builds an original index data matrix A0, which includes obtaining, by survey, risk evaluation values given by k experts to the 4 indexes (password application protocol type, certificate validity period, certificate issuing authority credibility and encryption algorithm type) to form an initialization matrix C, in which the entry in row i and column j is the risk evaluation value given by the i-th expert to the j-th index, the risk evaluation value being a score from 1 to 5 representing sequentially increasing risk levels;
S302, reconstructing the initialization matrix to obtain a calculation matrix S;
S303, calculating the measurement value of the j-th index;
S304, calculating the weight value of the j-th index;
S305, obtaining a weight value matrix;
S306, obtaining an estimated risk matrix based on historical statistical data, in which risk likelihood is classified into 4 cases, from very high down through low to very low, according to the intervals [60%,100%], [40%,60%), [10%,40%) and [0%,10%) respectively; the entries for the 1st of the 4 indexes (password application protocol type, certificate validity period, certificate issuing authority credibility and encryption algorithm type) are the probability values that this index belongs to each of the 4 cases, each probability value being a number greater than or equal to 0 and less than or equal to 1; similarly, the entries for the 2nd index are the probability values that it belongs to each of the 4 cases, and so on;
S307, obtaining a security evaluation result matrix A;
S308, obtaining a security evaluation result, specifically by taking the maximum element of the security evaluation result matrix A as the basis for judgment: if the maximum value falls within the interval [0.5,1], [0.1,0.5), [0.01,0.1) or [0,0.01), the security evaluation result is output as a high-risk state, medium-risk state, low-risk state or controllable state respectively.
7. A computer-readable storage medium having a computer-executable program stored therein, wherein the computer-executable program, when executed by a computer, implements the password governance method as recited in claim 5 or 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410022518.9A CN117560224B (en) | 2024-01-08 | 2024-01-08 | Password governance system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117560224A CN117560224A (en) | 2024-02-13 |
CN117560224B true CN117560224B (en) | 2024-04-26 |
Family
ID=89818788
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||