Broadband MAN Overview

Source: Internet
Author: User

The construction of broadband metropolitan area networks (MANs) in China is not yet complete, but the access technologies are steadily maturing. Many readers may not be familiar with the problems encountered in building a broadband MAN; after reading this article you should have a clearer picture of one approach. Using the intelligent trust and authorization technology of the PKI/PMI platform developed, with independent intellectual property rights, by the National Information Security Infrastructure Research Center, a trusted network environment can be built for the IP broadband MAN, with digital certificates used to authenticate and authorize its users.

The main idea is to issue each user a public key certificate (PKC, carrying the user's identity information such as the certificate serial number, IP address and MAC address) and an attribute certificate (AC, carrying the user's attribute information such as roles and access control permissions). On the basis of "one entity, one certificate", the uniqueness of the PKC identifies the user precisely. Because access authentication switch ports are controllable and the back end provides authentication management, certificates and ports (including IP addresses) can be flexibly mapped to each other; this mapping decides whether a user may access the IP broadband MAN and provides statistics on the traffic and connection duration of connected users, while permissions, time limits, billing methods and other attributes are managed according to the AC. In this way, flexible binding of certificates to ports yields a certificate-and-port-based security management mode for the IP broadband MAN, analogous to the line-based management mode of the PSTN.
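The following is an added worked example, not code from the article or from the platform it describes. It models the certificate-and-port binding in a hypothetical access switch back end: the binding table, the "one entity, one certificate" rule that refuses a certificate already live on another port, operator re-binding of a certificate to a new port, and per-session duration and traffic accounting for billing. The class names, port names and the constructed certificates are assumptions.

```python
"""Certificate-and-port binding on an access switch back end (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PublicKeyCertificate:
    serial: str   # unique per entity: "one entity, one certificate"
    ip: str
    mac: str


@dataclass
class Session:
    serial: str
    port: str
    start: int                 # seconds (constructed clock values)
    octets: int = 0            # traffic counted for billing
    end: Optional[int] = None

    @property
    def duration(self) -> int:
        return (self.end if self.end is not None else self.start) - self.start


class AccessBackend:
    """Hypothetical back end holding the certificate/port binding table."""

    def __init__(self, bindings: Dict[str, str]):
        self.bindings = dict(bindings)          # port -> serial bound to that port
        self.active: Dict[str, Session] = {}    # port -> live session
        self.where: Dict[str, str] = {}         # serial -> port it is currently active on
        self.records: List[Session] = []        # closed sessions kept for billing

    def rebind(self, port: str, serial: str) -> None:
        """Flexible mapping: an operator moves a certificate to another port."""
        if port in self.active:
            raise ValueError(f"{port} has an active session; disconnect first")
        self.bindings[port] = serial

    def authenticate(self, port: str, cert: PublicKeyCertificate, now: int) -> Tuple[bool, str]:
        expected = self.bindings.get(port)
        if expected is None:
            return False, "port not provisioned"
        if expected != cert.serial:
            return False, "certificate is not bound to this port"
        if port in self.active:
            return False, "port already has an active session"
        other = self.where.get(cert.serial)
        if other is not None:
            # The same certificate may not be live on two ports at once.
            return False, f"certificate already active on {other}"
        self.active[port] = Session(cert.serial, port, now)
        self.where[cert.serial] = port
        return True, "access granted"

    def account(self, port: str, octets: int) -> None:
        self.active[port].octets += octets

    def disconnect(self, port: str, now: int) -> Session:
        s = self.active.pop(port)
        del self.where[s.serial]
        s.end = now
        self.records.append(s)
        return s


def demo() -> dict:
    """Walk one user through connect, a refused duplicate, re-binding and disconnect."""
    alice = PublicKeyCertificate("1001", "10.0.0.11", "aa:bb:cc:00:00:01")
    bob = PublicKeyCertificate("1002", "10.0.0.12", "aa:bb:cc:00:00:02")
    backend = AccessBackend({"Gi1/0/1": "1001", "Gi1/0/2": "1002"})

    granted, _ = backend.authenticate("Gi1/0/1", alice, now=1_000)
    _, wrong_port_reason = backend.authenticate("Gi1/0/2", alice, now=1_005)
    backend.rebind("Gi1/0/2", "1001")                      # operator moves alice's line
    _, dup_reason = backend.authenticate("Gi1/0/2", alice, now=1_010)
    backend.account("Gi1/0/1", 4096)
    backend.account("Gi1/0/1", 1024)
    closed = backend.disconnect("Gi1/0/1", now=1_600)
    after_move, _ = backend.authenticate("Gi1/0/2", alice, now=1_650)
    unknown_port, _ = backend.authenticate("Gi1/0/9", bob, now=1_700)
    return {
        "granted": granted,
        "wrong_port_reason": wrong_port_reason,
        "dup_reason": dup_reason,
        "duration": closed.duration,
        "octets": closed.octets,
        "after_move": after_move,
        "unknown_port": unknown_port,
    }
```

The binding table is deliberately keyed by port rather than by certificate: the switch port is the physical thing the operator controls, so an unprovisioned port refuses even a perfectly valid certificate, and the `where` map is what enforces uniqueness across ports.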

In addition, the public key certificate is embedded in an entity authentication token (the physical carrier of the digital certificate material) with a USB interface. Each token is also protected by a PIN code: after a number of consecutive incorrect PIN entries the token locks itself automatically, which makes dictionary attacks against it very difficult. An attacker can therefore impersonate a legitimate user only by obtaining both the token and its PIN at the same time. This authentication method is more secure than the simple user name and PIN code method; it effectively verifies the identity of users entering the network and prevents impersonation.
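As an added example (not code from the article or from any real token firmware), the following models the PIN-protected token described above: the certificate material is released only after a correct PIN, consecutive failures are counted, a success resets the counter, and the token locks itself once the threshold is reached. PBKDF2 for PIN verification, the lockout threshold of three and the constructed PIN are assumptions; the `guesses_before_lock` helper measures how many guesses a PIN dictionary gets through before the lockout stops it, which is the property the paragraph claims.

```python
"""PIN-protected hardware authentication token model (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple


class AuthToken:
    MAX_FAILURES = 3  # assumed lockout threshold; real tokens choose their own

    def __init__(self, pin: str, certificate: bytes):
        self._salt = secrets.token_bytes(16)
        self._pin_digest = self._digest(pin)
        self._certificate = certificate
        self.failures = 0      # consecutive wrong PINs
        self.locked = False

    def _digest(self, pin: str) -> bytes:
        # PBKDF2 stands in for whatever the token firmware really does.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def verify_pin(self, pin: str) -> Tuple[bool, str]:
        if self.locked:
            return False, "token locked"
        if hmac.compare_digest(self._digest(pin), self._pin_digest):
            self.failures = 0  # a success resets the consecutive-failure counter
            return True, "pin accepted"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
            return False, "token locked"
        return False, f"wrong pin, {self.MAX_FAILURES - self.failures} attempt(s) left"

    def release_certificate(self, pin: str) -> Optional[bytes]:
        """The certificate material leaves the token only after a correct PIN."""
        ok, _ = self.verify_pin(pin)
        return self._certificate if ok else None


def guesses_before_lock(token: AuthToken, candidates: Iterable[str]) -> int:
    """Count how many PIN guesses the lockout allows before the token stops responding."""
    n = 0
    for pin in candidates:
        if token.locked:
            break
        token.verify_pin(pin)
        n += 1
    return n
```

Once locked, even the correct PIN no longer releases the certificate, so a lost token has to be unblocked (or replaced) by the management system rather than by further guessing.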

In the concrete implementation, the security application and management of the IP broadband MAN are carried out through an intelligent security application management plane consisting of three parts: the intelligent trust and authorization service support platform, the network trust domain management platform, and the integrated business management platform. The trust and authorization service support platform is the core: through the authentication, authorization and management of PKCs and ACs it establishes a unified basic environment for intelligent trust and authorization in the IP broadband MAN, and it provides trusted and secure services to the network trust domain management platform and the integrated business application management platform.

The network trust domain management platform manages the entities in the network and ensures that only trusted entities, that is, entities that have been issued valid digital certificates, can access the network. The integrated business management platform is oriented to users: based on the IP broadband user certificates, device certificates and user attribute certificates provided by the intelligent trust and authorization service platform, it bills and manages users. The trust and authorization service support platform is built with the PKI/PMI system to provide trust and authorization services for the IP broadband MAN. Through the authentication, authorization and management of entity PKCs and ACs it establishes a unified basic environment for intelligent trust and authorization, and it establishes an operation and management model for the IP broadband MAN of "one entity, one certificate; unified issuance; distributed level-by-level management".

Here "unified issuance" means that the PKCs of users and devices are issued uniformly by a third-party certification authority (CA), and that the trust and authorization service support platform issues ACs uniformly and manages certificates centrally in support of the network trust domain management service. "Distributed level-by-level management" means that network trust domains are divided according to actual responsibilities and management scope; the IP broadband MAN system of each city or region can further divide basic trust domains by user type (for example, distinguishing ordinary household users from major accounts), and each basic trust domain has its own management system responsible for it. The network trust domain management systems are supported by the trust and authorization service support platform. This model yields a network trust domain management system with clear responsibilities, convenient management and full coverage of the whole system.

(1) Certificate Service System
Built on the key management (KM) system, the certificate service system provides digital certificate application and review services through the certification authority (CA), the registration authority (RA) and related components.

(2) Certificate Query and Verification Service System
The certificate query and verification service system provides certificate authentication services to the business application management platform, including a directory query service and an online certificate status query service. It consists mainly of a Lightweight Directory Access Protocol (LDAP) server and an Online Certificate Status Protocol (OCSP) server, which together provide certificate publishing, Certificate Revocation List (CRL) publishing and online certificate status queries.

(3) Authorization Service System
Built on the certificate service system, the PMI provides authorization management and resource management services for users and applications. It is mainly responsible for providing application-related authorization service management to application systems, that is, the mapping from user identity to application authorization.
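As an added example (not the project's own code), the identity-to-authorization mapping above can be modelled as checking an attribute certificate against the identity certificate it is bound to and then translating the roles it carries into application permissions. The PKC answers "who is this?", the AC issued by an attribute authority answers "what may this holder do?", and the two are linked by the holder's certificate serial. The role names, the attribute authority name and the permission sets are assumptions chosen for illustration; the article only says that roles and access control permissions are carried in the AC.

```python
"""Identity-to-authorization mapping in a PMI (constructed example)."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class PublicKeyCertificate:
    serial: str
    subject: str
    not_before: int
    not_after: int


@dataclass(frozen=True)
class AttributeCertificate:
    holder_serial: str          # serial of the PKC this AC is bound to
    issuer: str                 # attribute authority (AA) that issued it
    roles: FrozenSet[str]
    not_before: int
    not_after: int


# Application-side policy: role -> permissions (assumed values for illustration).
ROLE_PERMISSIONS = {
    "household": frozenset({"internet"}),
    "major_account": frozenset({"internet", "vpn", "static_ip"}),
    "domain_admin": frozenset({"manage_users", "view_accounting"}),
}
# Attribute authorities this application trusts (assumed name).
TRUSTED_AAS = {"AA-City-Domain"}


def authorize(pkc: PublicKeyCertificate, ac: AttributeCertificate,
              permission: str, now: int) -> Tuple[bool, str]:
    """Decide whether the holder of `pkc`, as described by `ac`, gets `permission`."""
    if not (pkc.not_before <= now <= pkc.not_after):
        return False, "identity certificate not valid at this time"
    if ac.holder_serial != pkc.serial:
        # An AC only means something for the identity it was issued to.
        return False, "attribute certificate does not belong to this identity"
    if ac.issuer not in TRUSTED_AAS:
        return False, f"untrusted attribute authority {ac.issuer}"
    if not (ac.not_before <= now <= ac.not_after):
        return False, "attribute certificate not valid at this time"
    # Union of the permissions granted by every role the AC carries.
    granted = frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in ac.roles))
    if permission not in granted:
        return False, f"roles {sorted(ac.roles)} do not grant {permission}"
    return True, "permitted"
```

Keeping the AC's lifetime shorter than the PKC's, as the test values do, lets an operator change a user's roles or billing class without re-issuing the identity certificate, which is the practical reason PMI separates the two.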

(4) Trusted Timestamp Service System
The trusted timestamp service system provides accurate and trusted timestamps for the secure business application management systems, based on the national authoritative time source and public key technology. It attests that a piece of data existed at a given time and fixes the relative order of related operations, thereby supporting the non-repudiation and auditability of business processing. The system obtains a single time for the whole system from the national authoritative time source, namely the authoritative time of the National Time Service Center.
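The following is an added example, not code from the article or its system, showing what a timestamp authority (TSA) does with the two properties the paragraph names: binding a document's hash to the authoritative time, and fixing the relative order of operations. The article's system uses public key technology; this example substitutes an HMAC under a TSA secret so that it runs with the standard library alone, and it injects the clock so the run is deterministic. The key, the clock values and the sample documents are constructed.

```python
"""Trusted timestamp tokens from a TSA (constructed example)."""
import hashlib
import hmac
import json
from typing import Callable, Dict


class TimestampAuthority:
    def __init__(self, key: bytes, clock: Callable[[], int]):
        self._key = key              # HMAC key stands in for the TSA's signing key
        self._clock = clock          # authoritative time source, seconds
        self._serial = 0             # monotonic counter: orders tokens issued in one second
        self._last_time = 0

    @staticmethod
    def _canonical(body: Dict[str, object]) -> bytes:
        # Fixed key order and separators so issuer and verifier hash identical bytes.
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def issue(self, data: bytes) -> Dict[str, object]:
        now = self._clock()
        if now < self._last_time:
            # A time source that steps backwards would break the ordering guarantee.
            raise RuntimeError("time source went backwards; refusing to issue")
        self._last_time = now
        self._serial += 1
        body = {"digest": hashlib.sha256(data).hexdigest(), "time": now, "serial": self._serial}
        mac = hmac.new(self._key, self._canonical(body), hashlib.sha256).hexdigest()
        return {**body, "mac": mac}

    def verify(self, token: Dict[str, object], data: bytes) -> bool:
        body = {k: token[k] for k in ("digest", "time", "serial")}
        expected = hmac.new(self._key, self._canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(token["mac"])):
            return False                      # time, serial or digest was altered
        return body["digest"] == hashlib.sha256(data).hexdigest()   # data unchanged


def happened_before(a: Dict[str, object], b: Dict[str, object]) -> bool:
    """Relative order of two operations from tokens issued by the same TSA."""
    return (a["time"], a["serial"]) < (b["time"], b["serial"])
```

The TSA never sees the document itself, only its hash, so the business system can prove existence and order of a record without disclosing its contents to the time service.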
