
A Zero Trust Security Solution Based on IBC (cited by: 7)
Abstract: The traditional IT cyber security architecture is based on the assumption of intranet security. Once the security boundary is broken through, traditional cyber security protection may fail, resulting in serious damage to the network system. To address this problem, a zero trust security scheme based on identity-based cryptography (IBC) is designed. All users and devices in the protected network are given a unique access identity. An IBC key infrastructure is built on the domestic cryptographic system, and a unified identity authentication system is constructed to implement identity authentication and encrypted transmission for the subjects and objects of the system. At the same time, a policy management system continuously evaluates the trust of security credentials, which lets the zero trust gateway apply dynamic access control to each access subject and set the minimum permissions required for access, so as to ensure the overall security of the system.

Author: 马俊明 (MA Junming), CETC Pengyue Electronic Technology Co., Ltd., Taiyuan, Shanxi 030028, China

Source: Information Security and Communications Privacy (《信息安全与通信保密》), 2022, No. 1, pp. 81-88 (8 pages)

Funding: Shanxi Province Key Research and Development Program project "IBC-based Industrial Network Security Management and Control System" (No. 201903D21140).

Keywords: zero trust; identity-based cryptography; public key infrastructure; SM9