Disclosure of Invention
The embodiments of the invention provide a mobile office communication method and a mobile office communication system, which can effectively solve the problems of low mobile office security and low access rate in the prior art.
To achieve the above object, a first aspect of an embodiment of the present application provides a method, including:
receiving a management policy from a security management center; the management policy comprises a white list of mobile terminals;
receiving a communication request from a mobile terminal recorded in the white list of mobile terminals, and collecting identity information from the mobile terminal;
sending the identity information uploaded by the mobile terminal to the security management center for identity authentication;
after the security management center confirms that the identity information corresponding to the mobile terminal is authentic, establishing an IPSec tunnel with the mobile terminal;
and exchanging data with the mobile terminal through the IPSec tunnel.
In a possible implementation manner of the first aspect, the establishing an IPSec tunnel with the mobile terminal specifically includes:
confirming a working key with the mobile terminal and establishing an ISAKMP SA; the core card of the mobile terminal comprises a key bank, and the key bank holds the working key and the session key;
and establishing an IPSec SA according to the ISAKMP SA, and determining the IPSec security policy and the session key used for communication with the mobile terminal.
In a possible implementation manner of the first aspect, after the exchanging data with the mobile terminal through the IPSec tunnel, the method further includes:
collecting the operation behavior, the security condition and the abnormal condition of the security terminal and integrating them into a log data packet;
uploading the log data packet to the security management center;
and the security management center generates an operation behavior log, a security event log and an abnormal event log according to the log data packet.
In a possible implementation manner of the first aspect, before the exchanging data with the mobile terminal through the IPSec tunnel, the method further includes:
applying encryption protection to the channel formed by the IPSec tunnel by using an encryption algorithm together with the core card of the mobile terminal; the encryption algorithm comprises an asymmetric cryptographic algorithm, a symmetric cryptographic algorithm, a cryptographic hash algorithm and a random number generation algorithm.
A second aspect of an embodiment of the present application provides a mobile office system, including: a security management center, a security gateway and a mobile terminal containing a core card;
the security management center is arranged in a central machine room and used for issuing a management strategy and authenticating the identity of the mobile terminal;
the security gateway is arranged under the same local area network as the security management center, the uplink of the security gateway is accessed to a central machine room and connected with the security management center, and the downlink of the security gateway is connected with an external network; the security gateway may perform the above-described mobile office communication method;
the mobile terminal is in communication connection with the security gateway through an external network, and before accessing the mobile office system, the mobile terminal needs to be entered in the white list of mobile terminals through authentication by the security management center.
In a possible implementation manner of the first aspect, the security management center has a log audit module configured to record all system events of the mobile terminal; the logs in the log audit module are classified according to system event type into operation behavior logs, security event logs and abnormal event logs.
Compared with the prior art, the mobile office communication method and the mobile office communication system provided by the embodiments of the invention adopt the security management center to perform identity identification and access authorization on mobile terminals accessing from the external network, adopt double authentication (white list plus identity authentication) to prevent terminals that are not authorized or have not passed identity authentication from accessing the network, and adopt algorithms approved by the national cryptography administration to protect the established IPSec tunnel. Because the IPSec tunnel is exclusive to the mobile office system, traversal of a plurality of unnecessary routing nodes is avoided in between, and the access rate is also guaranteed to a certain extent. The invention reduces unnecessary wired cable construction investment and improves the transmission security of the mobile office system.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, an embodiment of the present invention provides a mobile office communication method, including:
S10, receiving a management policy from the security management center; the management policy includes a white list of mobile terminals.
S11, receiving a communication request from a mobile terminal recorded in the white list of mobile terminals, and collecting identity information from the mobile terminal.
S12, sending the identity information uploaded by the mobile terminal to the security management center for identity authentication.
S13, establishing an IPSec tunnel with the mobile terminal after the security management center confirms that the identity information corresponding to the mobile terminal is authentic.
S14, exchanging data with the mobile terminal through the IPSec tunnel.
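The admission sequence S10 to S14 is the security-relevant core of the method: the gateway refuses a terminal that is not on the white list before any identity information is forwarded, and the security management center, not the gateway, decides whether the identity information is authentic; only after both checks does a tunnel exist over which data may flow. The following Python model is an added example, not code from the patent. The terminal identifiers, identity tokens, the SHA-256 digests held by the center and the representation of the tunnel as a state string are all constructed here for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed sample data (hypothetical identifiers and secrets): the identity
# information each terminal's core card presents, stored at the center as a
# SHA-256 digest so the center never holds the raw identity token.
CENTER_IDENTITY_DB = {
    "TERM-0001": hashlib.sha256(b"identity-token-0001").hexdigest(),
    "TERM-0002": hashlib.sha256(b"identity-token-0002").hexdigest(),
}


class SecurityManagementCenter:
    """Issues the management policy (white list) and authenticates identities."""

    def __init__(self, identity_db: Dict[str, str], whitelist: Set[str]):
        self._identity_db = dict(identity_db)
        self.whitelist = set(whitelist)

    def management_policy(self) -> Dict[str, Set[str]]:
        # S10: the policy delivered to the gateway carries the white list.
        return {"whitelist": set(self.whitelist)}

    def authenticate(self, terminal_id: str, identity_info: bytes) -> bool:
        # S12: check the identity information the gateway forwarded.
        expected = self._identity_db.get(terminal_id)
        if expected is None:
            return False
        presented = hashlib.sha256(identity_info).hexdigest()
        # Constant-time comparison so a wrong digest is not distinguishable by timing.
        return hmac.compare_digest(expected, presented)


@dataclass
class SecurityGateway:
    center: SecurityManagementCenter
    whitelist: Set[str] = field(default_factory=set)
    tunnels: Dict[str, str] = field(default_factory=dict)

    def receive_policy(self) -> None:
        # S10: take the white list from the center's management policy.
        self.whitelist = self.center.management_policy()["whitelist"]

    def handle_request(self, terminal_id: str, identity_info: bytes) -> Tuple[str, str]:
        # S11: first check; a terminal not on the white list is refused before
        # its identity information is even sent to the center.
        if terminal_id not in self.whitelist:
            return ("denied", "not on white list")
        # S12: second check; the center, not the gateway, decides authenticity.
        if not self.center.authenticate(terminal_id, identity_info):
            return ("denied", "identity authentication failed")
        # S13: both checks passed, so the IPSec tunnel may be set up
        # (represented here only by its state).
        self.tunnels[terminal_id] = "established"
        return ("tunnel", terminal_id)

    def exchange(self, terminal_id: str, payload: bytes) -> bytes:
        # S14: data exchange is refused unless a tunnel exists for the terminal.
        if self.tunnels.get(terminal_id) != "established":
            raise PermissionError("no established tunnel for " + terminal_id)
        return payload


def run_scenario() -> Dict[str, object]:
    """Drive the gateway through the outcomes the method distinguishes."""
    center = SecurityManagementCenter(CENTER_IDENTITY_DB, whitelist={"TERM-0001"})
    gateway = SecurityGateway(center)
    gateway.receive_policy()
    results: Dict[str, object] = {
        # TERM-0002 has valid identity information but is not white-listed.
        "not_listed": gateway.handle_request("TERM-0002", b"identity-token-0002"),
        # TERM-0001 is white-listed but presents the wrong identity information.
        "bad_identity": gateway.handle_request("TERM-0001", b"identity-token-XXXX"),
        # TERM-0001 passes both checks.
        "admitted": gateway.handle_request("TERM-0001", b"identity-token-0001"),
    }
    results["payload"] = gateway.exchange("TERM-0001", b"report.pdf")
    try:
        gateway.exchange("TERM-0002", b"report.pdf")
        results["unlisted_exchange"] = "allowed"
    except PermissionError:
        results["unlisted_exchange"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

The order of the two checks is deliberate: the white list is held locally at the gateway, so a request from an unlisted terminal is dropped without generating traffic towards the security management center, and the identity database is consulted only for terminals the policy already permits.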
It should be noted that the mobile office communication method provided in this embodiment is applied to a security gateway connected to a security management center. The security gateway can be arranged in a wired local area network or a wireless local area network; the uplink of the security gateway connects to the central machine room through a dedicated optical fibre line, is connected with the security management center, and receives the management policy of the security management center.
In this embodiment, the security management center is responsible for managing an operation policy of the security gateway and storing a white list of the mobile terminal and identity information of a user corresponding to the mobile terminal.
In practical application, a core card based on a security chip can be preferentially selected as the cryptographic identification device. The core card is mostly about 0.18mm thick and is pasted onto the mobile phone SIM card. It provides high-speed cryptographic operations for mobile intelligent devices such as mobile phones, meets the signature/signature verification, encryption/decryption and similar requirements of application data, guarantees the confidentiality, integrity and validity of transmitted information, and provides a secure and complete key management mechanism. The customized smart card operating system (NPCOS) contained in the core card meets the relevant specifications of the national cryptography administration, and a cryptographic application can use the cryptographic services of the core card by calling the standard interface functions the core card provides.
Meanwhile, by adopting a hardware identity authentication mechanism based on the identity token, only designated personnel using the designated account and the designated device can access the controlled network, so that the overall security of the mobile office of the power grid is greatly improved. In other words, only after passing the authorization list check and the identity information authentication of the security management center can the mobile terminal and the security gateway establish the IPSec tunnel that joins the terminal to the mobile office system, and because the IPSec tunnel is protected by the encryption algorithm, the security of data interaction in the mobile office can be ensured.
Exemplarily, the establishing of the IPSec tunnel with the mobile terminal in S13 specifically includes:
S130, confirming a working key with the mobile terminal and establishing an ISAKMP SA; the core card of the mobile terminal comprises a key bank, and the key bank holds the working key and the session key.
S131, establishing an IPSec SA according to the ISAKMP SA, and determining the IPSec security policy and the session key used for communication with the mobile terminal.
The embodiment of the invention follows the IPSec protocol. A secure and reliable IPSec tunnel is established over the external network through IPSec, so that each mobile terminal can communicate securely over a protected communication link.
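Steps S130 and S131 describe the two-phase structure of IPSec key establishment: an ISAKMP SA is first derived from the working key already provisioned in the core card's key bank, and the IPsec SA (session key plus security policy) is then derived under that ISAKMP SA. The Python model below is an added example, not code from the patent and not an implementation of the IKE protocol: it keeps the two-phase dependency and shows why a terminal without the provisioned working key ends up with a different session key, but it omits the Diffie-Hellman exchange and all message formats. HMAC-SHA256 stands in for the approved algorithms, which this excerpt does not name, and the working keys, nonces, SPI and policy selectors are constructed values.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 as the pseudo-random function for all key derivation (stand-in)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class KeyBank:
    """Key store as described for the core card: holds the provisioned working
    key and, once phase 2 finishes, the derived session key."""

    def __init__(self, working_key: bytes):
        self.working_key = working_key
        self.session_key: Optional[bytes] = None


class Peer:
    """One side of the exchange: the security gateway or the mobile terminal."""

    def __init__(self, name: str, working_key: bytes):
        self.name = name
        self.key_bank = KeyBank(working_key)
        self.isakmp_sa: Optional[bytes] = None
        self.ipsec_sa: Optional[Dict[str, object]] = None

    def fresh_nonce(self) -> bytes:
        return secrets.token_bytes(16)

    def establish_isakmp_sa(self, ni: bytes, nr: bytes) -> None:
        # S130: the ISAKMP SA key is derived from the shared working key and
        # both peers' nonces; a peer without the working key cannot follow.
        self.isakmp_sa = prf(self.key_bank.working_key, b"ISAKMP", ni, nr)

    def establish_ipsec_sa(self, spi: bytes, policy: Dict[str, str],
                           ni2: bytes, nr2: bytes) -> None:
        # S131: the IPsec SA is keyed under the ISAKMP SA; the security policy
        # (selectors) is bound into the derivation so both sides must agree on it.
        assert self.isakmp_sa is not None, "phase 1 must complete first"
        policy_bytes = json.dumps(policy, sort_keys=True).encode()
        session_key = prf(self.isakmp_sa, b"IPSEC", spi, ni2, nr2, policy_bytes)
        self.key_bank.session_key = session_key   # written back into the key bank
        self.ipsec_sa = {"spi": spi, "policy": policy, "key": session_key}


def negotiate(gateway: Peer, terminal: Peer, policy: Dict[str, str]) -> Tuple[bytes, bytes]:
    """Run both phases and return the session key each side ended up with."""
    # Phase 1: nonce exchange, then each side derives the ISAKMP SA independently.
    ni, nr = gateway.fresh_nonce(), terminal.fresh_nonce()
    gateway.establish_isakmp_sa(ni, nr)
    terminal.establish_isakmp_sa(ni, nr)
    # Phase 2: fresh nonces and an SPI, then each side derives the IPsec SA.
    spi = secrets.token_bytes(4)
    ni2, nr2 = gateway.fresh_nonce(), terminal.fresh_nonce()
    gateway.establish_ipsec_sa(spi, policy, ni2, nr2)
    terminal.establish_ipsec_sa(spi, policy, ni2, nr2)
    return gateway.key_bank.session_key, terminal.key_bank.session_key


def protect(session_key: bytes, payload: bytes) -> bytes:
    """Append an integrity tag computed under the session key."""
    return payload + prf(session_key, payload)


def verify(session_key: bytes, message: bytes) -> Optional[bytes]:
    """Return the payload if the tag verifies under this key, otherwise None."""
    payload, tag = message[:-32], message[-32:]
    return payload if hmac.compare_digest(prf(session_key, payload), tag) else None


# Constructed sample policy and working keys (hypothetical values).
OFFICE_POLICY = {"src": "gateway", "dst": "terminal", "protocol": "ESP", "mode": "tunnel"}
WORKING_KEY = bytes.fromhex("00" * 16)   # stands for the key provisioned in the core card
WRONG_KEY = bytes.fromhex("ff" * 16)     # a terminal without the provisioned working key


def demo() -> Dict[str, bool]:
    gw_key, term_key = negotiate(Peer("gateway", WORKING_KEY), Peer("terminal", WORKING_KEY), OFFICE_POLICY)
    gw_key2, rogue_key = negotiate(Peer("gateway", WORKING_KEY), Peer("rogue", WRONG_KEY), OFFICE_POLICY)
    return {
        "keys_match": gw_key == term_key,
        "rogue_keys_match": gw_key2 == rogue_key,
        "verifies": verify(term_key, protect(gw_key, b"order-42")) == b"order-42",
        "rogue_verifies": verify(rogue_key, protect(gw_key2, b"order-42")) == b"order-42",
    }


if __name__ == "__main__":
    print(demo())
```

Binding the security policy into the phase 2 derivation is the detail worth noticing: if the two sides disagree on which traffic the SA covers, they derive different session keys and the mismatch surfaces immediately as a verification failure rather than as traffic silently protected under the wrong policy.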
Exemplarily, after the exchanging data with the mobile terminal through the IPSec tunnel, the method further includes:
S14, collecting the operation behavior, the security condition and the abnormal condition of the security terminal and integrating them into a log data packet;
S15, uploading the log data packet to the security management center;
S16, the security management center generates an operation behavior log, a security event log and an abnormal event log according to the log data packet.
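Steps S14 to S16 split the audit path between the two components: the gateway integrates what it collected into one log data packet and uploads it, and the security management center sorts the packet into the three logs by event type. The Python below is an added example, not code from the patent. The JSON packet layout, the field names, the rule that a malformed or unknown-type event is set aside for review rather than filed, and the sample events are all constructed here.

```python
import json
from typing import Dict, List, Tuple

# The three event classes named in S16. Anything else is not silently filed.
OPERATION = "operation_behavior"
SECURITY = "security_event"
ABNORMAL = "abnormal_event"
LOG_TYPES = (OPERATION, SECURITY, ABNORMAL)
REQUIRED_FIELDS = {"type", "terminal", "time", "detail"}   # constructed schema


def build_log_packet(gateway_id: str, events: List[Dict[str, str]]) -> bytes:
    # S14/S15: the gateway integrates the collected events into one packet for upload.
    return json.dumps({"gateway": gateway_id, "events": events}, sort_keys=True).encode()


def classify_log_packet(packet: bytes) -> Tuple[Dict[str, List[dict]], List[dict]]:
    # S16: the center splits the packet into the three logs by event type.
    data = json.loads(packet)
    logs: Dict[str, List[dict]] = {t: [] for t in LOG_TYPES}
    rejected: List[dict] = []
    for event in data["events"]:
        if REQUIRED_FIELDS.issubset(event) and event["type"] in logs:
            # Record which gateway reported the event so it stays traceable.
            logs[event["type"]].append(dict(event, gateway=data["gateway"]))
        else:
            rejected.append(event)   # malformed or unknown type: kept for review
    return logs, rejected


# Constructed sample events (hypothetical terminal ids, times and details).
SAMPLE_EVENTS = [
    {"type": OPERATION, "terminal": "TERM-0001", "time": "2024-01-01T08:00:00Z",
     "detail": "tunnel established"},
    {"type": OPERATION, "terminal": "TERM-0001", "time": "2024-01-01T08:02:10Z",
     "detail": "file download"},
    {"type": SECURITY, "terminal": "TERM-0002", "time": "2024-01-01T08:03:00Z",
     "detail": "identity authentication failed"},
    {"type": ABNORMAL, "terminal": "TERM-0001", "time": "2024-01-01T08:05:00Z",
     "detail": "tunnel dropped unexpectedly"},
    {"type": "debug", "terminal": "TERM-0003", "time": "2024-01-01T08:06:00Z",
     "detail": "event class not defined by the method"},
]


def summarize(packet: bytes) -> Dict[str, int]:
    """Count entries per log plus the events the center refused to file."""
    logs, rejected = classify_log_packet(packet)
    counts = {name: len(entries) for name, entries in logs.items()}
    counts["rejected"] = len(rejected)
    return counts


if __name__ == "__main__":
    print(summarize(build_log_packet("GW-20", SAMPLE_EVENTS)))
```

Keeping an explicit rejected list matters for auditability: an event the center cannot classify is itself something an auditor should see, and dropping it or forcing it into the abnormal log would hide either the event or the gateway misbehaviour that produced it.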
Illustratively, before the exchanging data with the mobile terminal through the IPSec tunnel, the method further includes:
S132, applying encryption protection to the channel formed by the IPSec tunnel by using an encryption algorithm together with the core card of the mobile terminal; the encryption algorithm comprises an asymmetric cryptographic algorithm, a symmetric cryptographic algorithm, a cryptographic hash algorithm and a random number generation algorithm.
The cryptographic devices adopted by the embodiment of the invention (the core card and the security gateway) are all cryptographic devices approved by the national cryptography administration, and use an asymmetric cryptographic algorithm, a symmetric cryptographic algorithm, a cryptographic hash algorithm and a random number generation algorithm approved by the national cryptography administration, as set out in the following table:
Referring to fig. 2, an embodiment of the present invention further provides a mobile office system, where the system includes: a security management center 10, a security gateway 20 and a mobile terminal 30 containing a core card.
The security management center 10 is disposed in a central machine room, and is configured to issue a management policy and perform identity authentication on the mobile terminal 30.
The security gateway 20 is arranged under the same local area network as the security management center 10, an uplink of the security gateway 20 is accessed to a central machine room and connected with the security management center 10, and a downlink of the security gateway 20 is connected with an external network; the security gateway 20 may perform the mobile office communication method provided by the above-described embodiment.
The mobile terminal 30 is in communication connection with the security gateway 20 through an external network, and needs to be authenticated by the security management center 10 and entered in the mobile terminal white list before accessing the mobile office system.
Illustratively, the security management center 10 has a log audit module for recording all system events of the mobile terminal; the logs in the log audit module are classified according to system event type into operation behavior logs, security event logs and abnormal event logs.
The embodiment of the invention adopts centralized management and control by the security management center 10: by issuing management policies (including the access white list) and applying the white list mode, only authorized terminals (terminals on the white list) can gain access; meanwhile, the system has an auditing function, and all system events have corresponding log records. The logs are classified according to event type into operation behavior logs, security event logs and abnormal event logs, so that each event can be traced and audited.
Compared with the prior art, the mobile office communication system provided by the embodiment of the invention adopts the security management center 10 to identify and authorize the identity of the mobile terminal 30 accessing from the external network, adopts double authentication to prevent unauthorized or unauthenticated terminals from accessing the network, and adopts algorithms approved by the national cryptography administration to protect the established IPSec tunnel. Because the IPSec tunnel is exclusive to the mobile office system, traversal of a plurality of unnecessary routing nodes is avoided in between, and the access rate is also guaranteed to a certain extent. The invention reduces unnecessary wired cable construction investment and improves the transmission security of the mobile office system.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention.