
CN100484024C - System and method for improving differential safety grade application service - Google Patents


Info

Publication number: CN100484024C
Authority: CN (China)
Application number: CNB2005100909068A
Other versions: CN1863070A
Language: Chinese (zh)
Prior art keywords: client, security level, application, security, server
Inventors: 邵刚, 闵国兵, 莫彩文, 张庆杰, 王升琼
Original assignee: Huawei Technologies Co Ltd
Current assignee: Huawei Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)

Events: application filed by Huawei Technologies Co Ltd; priority to CNB2005100909068A; publication of CN1863070A; application granted; publication of CN100484024C; legal status Expired - Fee Related (current); anticipated expiration


Abstract

The present invention provides a method and system for providing application services at different security levels. The method mainly comprises: storing in a server the correspondence between applications and security level information; the server, according to its own settings and the stored security level information corresponding to the application requested by a client, negotiating with the client to determine the final security level of the requested application; and the server providing the requested application service to the client at that final security level. The system mainly comprises a server and a client. With this method and system, services at different security levels can be provided for different applications.

Description

System and method for providing application services with different security levels

Technical field

The present invention relates to the field of communications, and in particular to a system and method for providing application services with different security levels.

Background

As wireless data networks mature, wireless services are developing rapidly. Beyond traditional voice, applications such as multimedia, data services, e-commerce and electronic trading are becoming widespread. For the many wireless application services in a wireless data network, communication security is a common problem that every service has to consider and solve, so how to protect service information in wireless applications has become a pressing concern. It bears not only on the interests of users, content providers (CPs), service providers (SPs) and operators, but also directly affects the adoption of wireless services.

One prior-art approach to securing service information in wireless applications is for each service to implement its own security scheme, generally covering authentication, authorization, confidentiality and integrity protection.

The drawback of this approach is that, because each service implements its own scheme, many security functions are developed repeatedly rather than reused, and development cost is high.

Another prior-art approach is to use the unified security framework proposed by the security working group of the OMA (Open Mobile Alliance). With this framework, a service can be secured during development or deployment by reusing the framework's functions or consuming its services.

The drawback of this approach is that the common security framework provided by OMA supplies security services to a service engine, and does not take into account that when several engines are served at once, different service engines have different security requirements, and even different applications on the same engine may have different requirements. In practice the security level of a service should be set by the specific application, not uniformly by the service engine it runs on. Moreover, different users of the same service may also warrant different security levels.

For example, in practice the various applications a server offers at the same time often have different security requirements: for an ordinary application, ordinary integrity and confidentiality protection is sufficient, whereas applications involving payment, user privacy or the frequent transfer of high-value data call for more. Different users also require different security levels; a VIP user of an application may require a higher level. The server therefore has to be able to provide several security levels.

For a mobile game service engine, for instance, when a user plays several games at once through the game server, the security level of each game's data exchange should be decided by that game, not set uniformly by the game platform that interacts directly with the client.

Summary of the invention

In view of the above problems in the prior art, the object of the present invention is to provide a system and method for providing application services with different security levels, so that services at different security levels can be provided for different applications.

The object of the present invention is achieved by the following technical solution:

A method for providing application services with different security levels, comprising:

A. storing in a server the security level information corresponding to each application's identifier;

B. on receiving from a client a request message containing the identifier of the application the client needs to use, the server looking up the stored application identifiers and corresponding security level information to obtain the security level information for that application, and then, based on the obtained security level information together with the client's browser type, the client's security level settings and the client's own capabilities, a control module in the server negotiating with the client to determine the final security level of the requested application;

C. the server providing the requested application service to the client at that final security level.

Step A specifically comprises:

each application sending the server a registration message containing the application's identifier and its corresponding security level information, and the server storing the received identifiers and security level information.

Alternatively, step A specifically comprises:

manually configuring and storing in the server the identifiers of the applications and their corresponding security level information.

Step A further comprises:

the server determining, from each application's security level information, its confidentiality algorithm, integrity algorithm and key length, and configuring the corresponding security parameters for each application.

Step B specifically comprises:

when an independent client agent acts as the client, the server receiving the application request information sent by the client, looking up the stored correspondence between applications and security level information, and obtaining the security level information corresponding to the requested application;

the server and the client negotiating and determining that this corresponding security level is the final security level of the requested application.

Alternatively, step B specifically comprises:

when a general-purpose browser acts as the client, the server receiving the application request information sent by the client, looking up the stored correspondence between applications and security level information, and obtaining the security level information corresponding to the requested application;

if the client's capabilities can meet the requirements of that security level, the server and the client negotiating and determining that it is the final security level of the requested application; otherwise, determining the final security level of the requested application according to the actual circumstances.

Alternatively, step B specifically comprises:

when the client is allowed to set its own security level, the server receiving the application request information sent by the client, looking up the stored correspondence between applications and security level information, and obtaining the security level information corresponding to the requested application;

the server and the client negotiating and selecting, as the final security level of the requested application, either the higher of the level set by the client and the corresponding security level, or directly the level set by the client.

A system for providing application services with different security levels, comprising:

a server, for storing application identifiers and corresponding security level information; on receiving from a client a request message containing the identifier of the application to be used, looking up the stored application identifiers and corresponding security level information to obtain the corresponding security level information; based on that information together with the client's browser type, its security level settings and its own capabilities, negotiating with the client through a control module in the server to determine the final security level of the requested application; and providing the application service to the client at that final security level;

a client, for sending the server a request message containing the identifier of the application to be used, negotiating with the server to determine the final security level of that application, and communicating with the server through the corresponding application at that final security level.

The server comprises a security component unit, which comprises:

a control module, for receiving registration messages from applications and passing the application identifiers and security level information in them to a security configuration library; receiving request messages from clients and passing the application identifier in each request to the security configuration library; and negotiating with the client to determine the security level of the application the client needs to use;

a security configuration library, for storing application identifiers and corresponding security level information, and returning the security level information of an application to the control module when given the application's identifier.

The control module comprises:

a registration module, for receiving registration messages from applications; receiving request messages from clients and either performing mutual authentication with the client or passing the request message to the corresponding application so that the application and the client authenticate each other; and passing the application identifier in the request message to the security configuration library;

a security level negotiation module, for negotiating with the client to determine the final security level of the requested application, based on the application's security level information returned by the security configuration library and at least one of the client's browser type, its security level settings and its capability information.

The control module further comprises:

a security level definition module, for determining, from each application's security level information, its confidentiality algorithm, integrity algorithm and key length, and configuring the corresponding security parameters for each application, the security parameters comprising the encryption algorithm, the digest algorithm, the key level and whether application-layer protection is mandatory.

As can be seen from the technical solution above, by storing the identifiers and security level information of the applications in a security configuration library, the present invention can provide a unified security service to the applications above it while still setting different security levels for different applications according to actual needs and serving each at its own level. There is no need to develop security features separately for each application.

Brief description of the drawings

Fig. 1 is a network diagram in which each client interacts with the server separately;

Fig. 2 is a network diagram in which all clients interact with the server through one agent component;

Fig. 3 is a structural diagram of the system of the present invention;

Fig. 4 is a flowchart of how the security configuration library stores security level information when an application's security level is determined by a device or module outside the server;

Fig. 5 is a flowchart of the method of the present invention.

Detailed description

The present invention provides a system and method for providing application services with different security levels. Its core is to store the identifiers and security level information of the applications in a security configuration library, return the corresponding security level information for the application a user requests, and negotiate with the client to determine the final security level.

The system and method of the present invention must run under a C/S (client/server) architecture, which is briefly introduced below.

The most basic way to implement a C/S architecture over a network (including the Internet and wireless networks) is to develop client-side and server-side applications separately and deploy them on the terminal side and the server side respectively. In a C/S architecture the server side provides a unified operation support platform that gives the specific applications developed on top of it unified management and services, and a unified interface for those applications to call.

The client side of a C/S architecture can be implemented in two ways. In the first, each client is developed independently and interacts with its specific application through the server; the network diagram is shown in Fig. 1. In the second, all clients share a common agent component through which they connect to the server, and the agent provides a unified functional interface for all client applications; the network diagram is shown in Fig. 2.

The server in Fig. 1 and Fig. 2 can be regarded as a general security service agent that provides security services to each application or service. In the C/S architecture, communication between the server and the applications is taken to be secure, as is communication between a client and its client agent; the negotiated security level therefore governs the client-to-server link.

The present invention is described in detail below with reference to the drawings. The structure of the system is shown in Fig. 3. The system comprises a server and a client.

Server: stores the security level information of the applications and, based on the request message from the client and the stored security level information, negotiates with the client to determine the final security level of the application the client needs to use. The server comprises a security component unit and other component units. The security component unit comprises a control module, a security configuration library and other modules.

Control module: controls the application-layer security level of the whole secure session. It is the core scheduling module of the system, responsible for the initial level registration of applications, negotiation of the security level with the client, and scheduling of the various concrete algorithm modules. It comprises a registration module, a security level definition module and a security level negotiation module.

Registration module: receives the initial request message from the client and performs mutual authentication with the client; once authentication completes, it passes the user identifier and application identifier from the initial request to the security configuration library.

Security level definition module: defines and stores security level information. An application's security level is defined in terms of its confidentiality algorithm (encryption algorithm), integrity algorithm (digest algorithm), key length and similar information, for the security configuration library to look up and use; it specifies the concrete security algorithms the application uses when communicating.

Security level negotiation module: negotiates with the client, based on the application's security level information returned by the security configuration library and information such as the client's browser type and its security level settings, to determine the final security level of the application the user requests.

Security configuration library: stores application identifiers and corresponding security level information. The stored information can be entered when an application registers or passed in directly by the control module. When a user logs in, it returns the corresponding application security level information to the control module according to the application identifier in the client's request message.

Client: on login, sends the server an initial request message containing the user identifier and the identifier of the requested application, and performs mutual authentication and security level negotiation with the server. It then communicates with the corresponding application through the server at the negotiated security level.

The method of the present invention is described below based on the system above.

The method first requires that the ID (identifier) and security level information of the applications be stored in the security configuration library. This can be done by manually configuring the security level of each application in the server, or by having each application supply security level registration information when it registers with the server. The application's security level information may be determined by the security level definition module in the server's control module, or by another device or module outside the server.

The security level definition module in the server's control module defines the security level of an application mainly in terms of its confidentiality algorithm (encryption algorithm), integrity algorithm (digest algorithm) and key length. It can define security parameters for each security level, comprising the encryption algorithm, the digest algorithm, the key level and whether application-layer protection is mandatory.

The encryption algorithm parameter may name a specific encryption algorithm (such as DES); NULL means no encryption, and ANY means any encryption algorithm may be used.

The digest algorithm parameter may name a specific digest algorithm (such as MD5); NULL means no integrity protection, and ANY means any digest algorithm may be used.

The key level parameter specifies the key length of the symmetric encryption algorithm: high strength is more than 128 bits, medium strength is exactly 128 bits, and low strength is less than 128 bits.

The mandatory parameter specifies whether protection is still applied at the application layer when a security policy has already been enforced at the transport layer; the default is no.

Once the server has defined the security levels of the applications, it can store the identifiers of the applications and their corresponding security level information in the security configuration library.

When the information in the security configuration library is populated through application registration, the processing flow is shown in Fig. 4 and comprises the following steps:

Step 41: each application sends a registration message to the control module in the server. The registration message contains at least the application's identifier and its security level information, the latter determined by a device or module outside the server.

Step 42: the control module passes the application identifier and security level information from the received registration message to the security configuration library in the server, which stores them.

Step 43: once the application identifier and security level information have been stored successfully, the security configuration library returns a registration success message to the application.
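The security parameters described above (encryption algorithm, digest algorithm, key level, mandatory flag) and the registration flow of steps 41 to 43 can be modelled together. The following Python is an added example written for this page, not code from the patent or from Huawei; the class names, level names, message fields and sample applications are assumptions. DES and MD5, the algorithms the text names as examples, are long deprecated, so the sample levels use AES and SHA-256. The refusal to let a registration overwrite an existing entry is a check added here, not something the text specifies.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Sentinel values for the algorithm parameters, as in the text above:
# NULL = do not apply this protection at all, ANY = any algorithm is acceptable.
NULL = "NULL"
ANY = "ANY"


@dataclass(frozen=True)
class SecurityParams:
    """Security parameters of one security level (security level definition module)."""
    cipher: str              # confidentiality algorithm name, NULL or ANY
    digest: str              # integrity algorithm name, NULL or ANY
    key_bits: int            # symmetric key length in bits; 0 when cipher is NULL
    mandatory: bool = False  # keep application-layer protection even if the transport layer is secured


def key_strength(key_bits: int) -> str:
    """Key level classification from the text: >128 high, ==128 medium, <128 low."""
    if key_bits > 128:
        return "high"
    if key_bits == 128:
        return "medium"
    return "low"


def needs_app_layer_protection(params: SecurityParams, transport_secured: bool) -> bool:
    """The 'mandatory' flag: application-layer protection is skipped when the transport
    layer already enforces a security policy, unless the level is marked mandatory."""
    return params.mandatory or not transport_secured


class SecurityConfigLibrary:
    """In-memory stand-in for the security configuration library (hypothetical, not Huawei's code).

    Holds the named security levels and the mapping from application identifier to level.
    """

    def __init__(self) -> None:
        self._levels: Dict[str, SecurityParams] = {}
        self._apps: Dict[str, str] = {}

    def define_level(self, name: str, params: SecurityParams) -> None:
        self._levels[name] = params

    def configure(self, app_id: str, level: str) -> None:
        """Manual configuration by the operator (the second variant of step A)."""
        if level not in self._levels:
            raise KeyError(f"unknown security level {level!r}")
        self._apps[app_id] = level

    def register(self, message: Dict[str, str]) -> Dict[str, str]:
        """Handle a registration message from an application (steps 41 to 43).

        The message carries at least the application identifier and its level. The level
        must already be defined, and (a check added here) a registering application may not
        overwrite an existing entry, so one application cannot silently downgrade another.
        """
        app_id, level = message["app_id"], message["security_level"]
        if level not in self._levels:
            return {"app_id": app_id, "status": "rejected", "reason": "unknown security level"}
        if app_id in self._apps:
            return {"app_id": app_id, "status": "rejected", "reason": "already registered"}
        self._apps[app_id] = level
        return {"app_id": app_id, "status": "registered"}

    def lookup(self, app_id: str) -> Optional[SecurityParams]:
        """Return the parameters for an application, or None if it has no stored level (step 5-2)."""
        level = self._apps.get(app_id)
        return self._levels[level] if level is not None else None


def build_sample_library() -> SecurityConfigLibrary:
    """Constructed sample configuration: three levels and two applications (names are made up)."""
    lib = SecurityConfigLibrary()
    lib.define_level("plain", SecurityParams(cipher=NULL, digest=NULL, key_bits=0))
    lib.define_level("standard", SecurityParams(cipher=ANY, digest=ANY, key_bits=128))
    lib.define_level("payment", SecurityParams(cipher="AES", digest="SHA-256", key_bits=256, mandatory=True))
    lib.configure("news.headlines", "plain")                                # manual configuration
    lib.register({"app_id": "shop.checkout", "security_level": "payment"})  # registration message
    return lib
```

`lookup` returning None is the "application with no server-side security level" situation that one of the client-level policy options in the text depends on, so callers should treat None as a distinct outcome rather than as the lowest level.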

基于上述系统,本发明所述提供不同安全级别的应用服务的方法的具体处理流程图如图5所示,包括如下步骤:Based on the above system, the specific processing flowchart of the method for providing application services with different security levels according to the present invention is shown in Figure 5, including the following steps:

步骤5-1、客户端或客户端代理向服务器发送初始消息,和控制模块或应用完成相互鉴权过程。Step 5-1. The client or client proxy sends an initial message to the server, and completes the mutual authentication process with the control module or application.

首先,客户端或客户端代理向服务器发送初始请求消息,该初始请求消息中至少包括用户id(标识)和应用id(标识)信息。然后,服务器中控制模块与客户端或客户端代理进行相互的鉴权操作;或者,服务器根据接收到的应用id信息,将初始请求消息转发给相应的应用,由相应的应用与客户端或客户端代理进行相互的鉴权操作。First, the client or the client agent sends an initial request message to the server, and the initial request message includes at least user id (identification) and application id (identification) information. Then, the control module in the server performs a mutual authentication operation with the client or the client agent; or, the server forwards the initial request message to the corresponding application according to the received application id information, and the corresponding application communicates with the client or the client The end agents perform mutual authentication operations.

步骤5-2、控制模块向安全配置库请求用户要求使用的应用的安全级别。Step 5-2, the control module requests the security level of the application required by the user from the security configuration library.

在相互鉴权操作完成后,服务器中的控制模块向安全配置库发出请求安全级别消息,该消息中包括用户id和应用id信息。安全配置库查询其保存的应用的标识和应用的安全级别信息,然后,向服务器中的控制模块返回用户要求使用的应用的安全级别信息。After the mutual authentication operation is completed, the control module in the server sends a request security level message to the security configuration library, and the message includes user id and application id information. The security configuration library queries the stored application identification and application security level information, and then returns the security level information of the application requested by the user to the control module in the server.

步骤5-3、控制模块和客户端或客户端代理协商确定用户要求使用的应用的最终安全级别。Step 5-3: The control module negotiates with the client or the client agent to determine the final security level of the application required by the user.

控制模块在接收到安全配置库返回的应用的安全级别信息后,还需要根据实际情况,和客户端或客户端代理协商确定用户要求使用的应用的最终安全级别。After the control module receives the application security level information returned by the security configuration library, it needs to negotiate with the client or the client agent to determine the final security level of the application required by the user according to the actual situation.

协商最终安全级别的过程描述如下:The process of negotiating the final security level is described as follows:

最终安全级别的协商的一般原则是根据服务端的设置来执行的,客户端处于被动的地位。因为业务的提供者或开发者对于业务有很深的了解,可以对自己开放的业务定义适合的安全级别。本发明分如下三种情况分别来处理安全级别的协商过程:The general principle of negotiation of the final security level is to execute according to the setting of the server, and the client is in a passive position. Because the service provider or developer has a deep understanding of the service, he can define a suitable security level for the service he opens. The present invention divides following three kinds of situations to deal with the negotiation process of security level respectively:

Case 1: an independent client agent acts as the client. Because an independent client agent can be developed together with the server-side security service component, the client can support every security mechanism the server offers. During negotiation the algorithm and level requested by the server are used directly for communication, that is, the security level returned by the security configuration library is used as-is.

Case 2: a public (general-purpose) browser acts as the client. During authentication the client must report the security algorithms and levels it supports, and the server's control module compares the security level the client supports with the level configured on the server. If the client's capability meets the server's security-level requirement, the server-configured level is applied directly. If it does not, the server decides according to its settings whether to continue and at the same time sends a prompt to the client; the client may also decide whether to continue, and if execution continues, the algorithm closest to the application's security level is selected.

Case 3: the client is allowed to set the security level. In this case the client can set the security level in the application or in the client agent. The policy for handling the client's security level can be configured on the server; the configuration items are: apply only the server-side security policy; apply the client's security policy when the client's security level is higher than the server's; apply the client's security policy for applications that have no server-side security level set; apply only the client's security policy (a large security risk).

In addition, when an application uses client-to-client communication, the security level can be negotiated between the two clients, with the requested party treated as the server during the negotiation.
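The three negotiation cases above, the four server-side configuration items for a client-set level, and the client-to-client variant can be captured in a small decision model. The following is an added illustration, not code from the patent or from Huawei: the numeric level scale, the algorithm names in `LEVEL_PARAMS`, the message shapes and every class and function name (`Server`, `Client`, `negotiate`, `params_for`, `negotiate_between_clients`) are constructed assumptions.

```python
"""Per-application security-level negotiation, modelled on the three cases
described in the text.

Added illustration, not code from the patent: the level scale, the algorithm
names, the message shapes and all names below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumed ordered scale: a higher number means stronger protection. Each level
# maps to confidentiality algorithm, integrity (digest) algorithm, key length
# in bits and whether the level is mandatory (constructed values).
LEVEL_PARAMS = {
    0: {"cipher": None, "digest": None, "key_bits": 0, "mandatory": False},
    1: {"cipher": "AES-128", "digest": "SHA-256", "key_bits": 128, "mandatory": False},
    2: {"cipher": "AES-128", "digest": "SHA-256", "key_bits": 128, "mandatory": True},
    3: {"cipher": "AES-256", "digest": "SHA-384", "key_bits": 256, "mandatory": True},
}


class ClientKind(Enum):
    AGENT = "independent client agent"      # case 1
    BROWSER = "public browser"              # case 2
    SELF_SET = "client sets its own level"  # case 3


class ClientPolicy(Enum):
    """Server-side configuration items for handling a client-set level (case 3)."""
    SERVER_ONLY = "apply only the server-side policy"
    CLIENT_IF_HIGHER = "use the client level when it is higher than the server level"
    CLIENT_IF_SERVER_UNSET = "use the client level when the server has none for the app"
    CLIENT_ONLY = "apply only the client policy (large security risk)"


@dataclass
class Client:
    kind: ClientKind
    supported_levels: frozenset[int]        # reported during authentication
    requested_level: Optional[int] = None   # only meaningful for SELF_SET


@dataclass
class Server:
    # Security configuration library: app id -> configured level (None = unset).
    config_lib: dict[str, Optional[int]]
    continue_if_unmet: bool = False         # case 2: proceed with a weaker level?
    client_policy: ClientPolicy = ClientPolicy.SERVER_ONLY

    def negotiate(self, app_id: str, client: Client) -> tuple[Optional[int], str]:
        """Return (final level, reason); a level of None means the request is refused."""
        if app_id not in self.config_lib:
            raise KeyError(f"unknown application id {app_id!r}")
        server_level = self.config_lib[app_id]

        if client.kind is ClientKind.AGENT:
            # Case 1: the agent was built with the server component, so it supports
            # whatever the library returns; apply that level unchanged.
            return server_level, "server level applied directly"

        if client.kind is ClientKind.BROWSER:
            # Case 2: compare the browser's reported capability with the server setting.
            if server_level is None or server_level in client.supported_levels:
                return server_level, "client capability meets the server level"
            if not self.continue_if_unmet or not client.supported_levels:
                return None, "client cannot meet the required level; refused"
            # Server allows continuing: prompt the client and pick the supported level
            # closest to the application's level (ties broken toward the stronger one).
            closest = min(client.supported_levels,
                          key=lambda lvl: (abs(lvl - server_level), -lvl))
            return closest, "client prompted; closest supported level selected"

        # Case 3: the client set its own level; the server's configured policy decides.
        client_level = client.requested_level
        policy = self.client_policy
        if policy is ClientPolicy.SERVER_ONLY:
            return server_level, "server-only policy"
        if policy is ClientPolicy.CLIENT_IF_HIGHER:
            if client_level is not None and (server_level is None or client_level > server_level):
                return client_level, "client level is higher than the server level"
            return server_level, "server level is not lower than the client level"
        if policy is ClientPolicy.CLIENT_IF_SERVER_UNSET:
            if server_level is None:
                return client_level, "no server level configured for this application"
            return server_level, "server level configured; it takes precedence"
        return client_level, "client-only policy"


def params_for(level: Optional[int]) -> dict:
    """Security parameters (cipher, digest, key length, mandatory flag) for a level."""
    return dict(LEVEL_PARAMS[0 if level is None else level])


def negotiate_between_clients(requested_party_levels: dict[str, Optional[int]],
                              requester: Client, app_id: str) -> tuple[Optional[int], str]:
    """Client-to-client case: the requested party plays the server role."""
    peer_as_server = Server(config_lib=requested_party_levels, continue_if_unmet=True)
    return peer_as_server.negotiate(app_id, requester)


if __name__ == "__main__":
    srv = Server({"mail": 3, "chat": 1}, continue_if_unmet=True)
    browser = Client(ClientKind.BROWSER, frozenset({1, 2}))
    level, why = srv.negotiate("mail", browser)
    print(level, why, params_for(level))
```

The model makes the asymmetry in the text explicit: only in case 3 can the client raise or lower the level, and only under the policies the server operator enabled, so the `CLIENT_ONLY` item is the one to audit for in a server configuration.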

Step 5-4: the client or client agent communicates securely with the application through the server.

After the control module and the client or client agent have negotiated the final security level of the requested application, the client or client agent communicates securely with the application through the server according to that final security level.

If the security level corresponding to an application needs to be changed, the security level of the specified application is modified in the security configuration library on the server.

The above is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.

Claims (11)

1. A method for providing application services with different security levels, comprising:

A. storing, in a server, application identifiers and the corresponding security level information;

B. the server, according to a received request message from a client that includes the identifier of the application to be used, looking up the stored application identifiers and corresponding security level information to obtain the corresponding security level; the server, according to the obtained security level together with the nature of the client's browser, the client's security-level settings and the client's own capabilities, negotiating with the client through a control module in the server to determine the final security level of the application requested by the client;

C. the server providing the requested application service to the client according to the final security level.

2. The method for providing application services with different security levels according to claim 1, wherein step A specifically comprises: the applications sending registration information, including the application identifier and corresponding security level information, to the server, and the server storing the received application identifiers and corresponding security level information.

3. The method for providing application services with different security levels according to claim 1, wherein step A specifically comprises: manually configuring and storing the application identifiers and corresponding security level information in the server.

4. The method for providing application services with different security levels according to claim 1, wherein step A further comprises: the server determining, according to the security level information of each application, the confidentiality algorithm, integrity algorithm and key length of each application, and configuring the corresponding security parameters for each application.

5. The method for providing application services with different security levels according to any one of claims 1 to 4, wherein step B specifically comprises: when an independent client agent acts as the client, the server receiving the application request sent by the client, looking up its stored correspondence between applications and security levels, and obtaining the security level corresponding to the requested application; the server negotiating with the client to determine that this corresponding security level is the final security level of the requested application.

6. The method for providing application services with different security levels according to any one of claims 1 to 4, wherein step B specifically comprises: when a public browser acts as the client, the server receiving the application request sent by the client, looking up its stored correspondence between applications and security levels, and obtaining the security level corresponding to the requested application; if the client's capability meets the requirements of the corresponding security level, the server negotiating with the client to determine that the corresponding security level is the final security level of the requested application; otherwise, determining the final security level of the requested application according to the actual situation.

7. The method for providing application services with different security levels according to any one of claims 1 to 4, wherein step B specifically comprises: when the client is allowed to set its own security level, the server receiving the application request sent by the client, looking up its stored correspondence between applications and security levels, and obtaining the security level corresponding to the requested application; the server negotiating with the client to select the higher of the security level set by the client and the corresponding security level as the final security level of the requested application, or directly selecting the security level set by the client as the final security level of the requested application.

8. A system for providing application services with different security levels, comprising:

a server, configured to store application identifiers and corresponding security level information; to look up the stored application identifiers and corresponding security level information according to a received request message from a client that includes the identifier of the application to be used, and obtain the corresponding security level; to negotiate with the client, through a control module in the server, according to the obtained security level together with the nature of the client's browser, the client's security-level settings and the client's own capabilities, to determine the final security level of the application requested by the client; and to provide the application service to the client according to the final security level;

a client, configured to send to the server a request message including the identifier of the application to be used, to negotiate with the server the final security level of the requested application, and to communicate with the server through the corresponding application according to the final security level.

9. The system for providing application services with different security levels according to claim 8, wherein the server comprises a security component unit, the security component unit comprising:

a control module, configured to receive registration messages from the applications and pass the application identifiers and security level information they carry to a security configuration library; to receive request messages from clients and pass the application identifier in each request message to the security configuration library; and to negotiate with the client the security level of the application the client needs to use;

a security configuration library, configured to store the application identifiers and corresponding security level information and, according to a received application identifier, return the corresponding application security level to the control module.

10. The system for providing application services with different security levels according to claim 9, wherein the control module comprises:

a registration module, configured to receive registration messages from the applications; to receive request messages from clients and either perform mutual authentication with the client or pass the request message to the corresponding application so that the application and the client perform mutual authentication; and to pass the application identifier in the request message to the security configuration library;

a security level negotiation module, configured to negotiate with the client the final security level of the requested application according to the security level information returned by the security configuration library and at least one of the nature of the client's browser, the client's security-level settings and the client's own capability information.

11. The system for providing application services with different security levels according to claim 10, wherein the control module comprises:

a security level definition module, configured to determine, according to the security level information of each application, the confidentiality algorithm, integrity algorithm and key length of each application, and to configure the corresponding security parameters for each application, the security parameters including the encryption algorithm, the digest algorithm, the key level and whether use is mandatory.
CNB2005100909068A 2005-08-19 2005-08-19 System and method for improving differential safety grade application service Expired - Fee Related CN100484024C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100909068A CN100484024C (en) 2005-08-19 2005-08-19 System and method for improving differential safety grade application service

Publications (2)

Publication Number Publication Date
CN1863070A CN1863070A (en) 2006-11-15
CN100484024C true CN100484024C (en) 2009-04-29

Family

ID=37390403

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100909068A Expired - Fee Related CN100484024C (en) 2005-08-19 2005-08-19 System and method for improving differential safety grade application service

Country Status (1)

Country Link
CN (1) CN100484024C (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101242629B (en) * 2007-02-05 2012-02-15 华为技术有限公司 Method, system and device for selection of algorithm of user plane
CN101764798B (en) * 2009-07-01 2012-10-24 北京华胜天成科技股份有限公司 Safety management system and method based on client terminal
CN102810139B (en) * 2012-06-29 2016-04-06 宇龙计算机通信科技(深圳)有限公司 Secure data operation method and communication terminal
CN103731402B (en) * 2012-10-12 2018-07-24 腾讯科技(深圳)有限公司 The access method and device of flag bit
CN103347116A (en) * 2012-11-09 2013-10-09 北京深思洛克软件技术股份有限公司 System and method for setting multi-security modes in smart phone
CN106096347B (en) * 2016-06-03 2018-10-09 上海携程商务有限公司 Hierarchical authorisation method based on login status and system
CN106209891A (en) * 2016-07-26 2016-12-07 广东道易鑫物联网科技有限公司 A kind of means of communication based on D BUS communications protocol
CN106850408A (en) * 2017-01-22 2017-06-13 山东鲁能软件技术有限公司 Power informatization system is based on the multi-protocols message mechanism of mobile mixed architecture
CN107609392A (en) * 2017-08-02 2018-01-19 宇龙计算机通信科技(深圳)有限公司 A kind of application program encryption method, device and mobile terminal
CN110059110B (en) * 2019-04-12 2021-05-28 北京百度网讯科技有限公司 Business data security processing method and device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN1863070A (en) 2006-11-15

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090429