Compared with traditional telecommunication networks, NGN faces many security threats, and its business security is also facing huge challenges. Business development and deployment require more security features and security functions. Umlsec uses UML Security Extension to analyze and model the security requirements of services in NGN. A fine-grained security requirement analysis method is proposed. Abstract abstract classes of security functions to describe the security requirements of NGN services. The security requirements based on security application interfaces are discussed through use cases, so that various security features can be integrated into the business more conveniently and flexibly.
The Next Generation Network (NGN) is a group network-based telecommunications network that integrates multiple services and opens up network capabilities. Its core network based on group exchange provides transmission infrastructure for business integration. Its open network capability improves service scalability, it provides a good opportunity for third-party business providers to enter the telecom business market. However, compared with traditional telecom networks, NGN's loose and open business structure features and rich business functions are exactly the same as the infrastructure of NGN based on the general computing platform and IP transmission network. A conflict is formed. Using an IP-based group network as the service bearer network makes it possible for many attacks against IP networks in the telecom network, general computing devices are used as control entities in the network to introduce computer security issues to each node in the network [1]. The openness of network and business capabilities also brings about a series of security issues unique to the business layer [2].
Currently, many security mechanisms have been used to ensure the security of networks and computing devices. However, these security mechanisms are designed for one or more specific security problems and specific environments, for example, key distribution, Entity authentication, confidentiality protection, and integrity protection, the NGN Service has different and comprehensive security requirements for different business characteristics and business execution environments. How to clarify business security requirements and try to pass the existing network security capabilities is a problem facing business developers.
In view of the complex security requirements faced by the business development process, this paper proposes to use the formal modeling language umlsec [3, 4] to analyze the business security requirements, the modeling language is used to extract the security features required by the business into security-aware classes, express fine-grained security functions through these classes, and express the security requirements of the business through the combination of these classes. The functions of these classes are implemented through secure application interfaces, such as GSS-API [5], NGSS-API [6], to integrate security features into the business. So that business developers can get rid of the security mechanism implementation details during business development, and make the developed business security features portable.
I. Analysis of NGN business security requirements
1. umlsec Extension
Umlsec is an umlprofile Based on the UML standard extension mechanism. By adding security-related constraints, labels, stereotypes, and other modeling elements to the UML meta-model, use UML diagrams to express security-related semantics and system requirements and constraints. However, the current umlsec is defined based on the computer network environment and needs to be extended for applying it to the NGN business security analysis. The main extension is to add a definition related to the NGN Environment to the umlsec element, so that it can more clearly and more specifically express the characteristics and needs of the NGN service. In this article, the bearer and execution nodes of the business are defined as the basic architecture of the business in NGN, and these elements are defined in the UML meta-model, as shown in 1.
Figure 1 NGN infrastructure model extension
This extension adds the bearing and node stereotypes in NGN for links, nodes, and two Metadata classes. This model can be further expanded as needed, for example, the stereotypes about access network bearer can be added.
2. umlsec-based Threat Analysis
For the stereotypes defined in figure 1 and the types of attackers that pose a threat to network security, the threat function theata (s) can be defined ). A Indicates the attacker type. Here, it is assumed that the attacker is an external attacker with a general capability, that is, the attacker can intercept data traffic on the broadcast channel and insert or delete data traffic, attackers can exploit system vulnerabilities to intrude into the system. This parameter indicates that the value of the type threat function defined in the model is {Delete, read, insert, access }. According to the characteristics of networks and computing nodes in NGN, we can obtain the following threat functions, as shown in table 1.
Table 1 threat functions of NGN infrastructure
Attackers can read, write, and delete data carried by IP addresses, so they can attack services hosted by IP addresses. For example, attackers can modify normal SIP messages to change the call route, send bye and other SIP messages, remove normal sip sessions, and intercept and decode the RTP packets for eavesdropping, A large amount of data can be inserted in an IP network to reduce the QoS of VoIP for DoS attacks.
Software is usually based on general operating systems, databases, and other software. These general software and protocol stack implementations may all have vulnerabilities that attackers can exploit. Through these security vulnerabilities, attackers can initiate Denial of Service (DoS) attacks on these devices or gain device access.
Because the NGN infrastructure is generally not empty for attack function values of General attackers, security mechanisms must be used to ensure business security during service development and deployment.
3. Business Security Requirements Analysis
Business security requirements may include the confidentiality, integrity, and availability of user information. Different types of services in NGN have different security requirements. For example, the main security requirements of session services are availability, and the main security requirements of message services are integrity. The security requirements of the same type of business should also be customized according to the business scenario. For example, normal two-party calls require that the correct routing of calls should be ensured even in the case of network intrusion, it also ensures the service quality of voice streams. If you require that the call be kept confidential, you also need to ensure the confidentiality of the signaling message and the confidentiality of the voice stream. You need to encrypt the signaling and voice streams. Security requirements of different services are a combination of security features. With the modeling language, the security features required by the business can be abstracted into security-aware classes for representation. The functions in these classes can be implemented using the security capabilities provided by the security application interface, and the security requirements of the business are expressed as a combination of classes. To clearly express business security requirements and facilitate the implementation of business security requirements, this article abstracts business security requirements into fine-grained security functions, each security function class expresses the needs of the business for different security features (such as confidentiality, integrity, authentication, etc.) of its components (such as signaling, media, and business functions.
The following uses two-party session based on SIP as an example to describe how to use umlsec to describe business security requirements. Assuming that the two-party call occurs between two users in the same sipproxy domain, the integrity of the signaling between the user UA and sipproxy must be ensured and cannot be tampered with by illegal intruders. The use case diagram and deployment diagram of this scenario are shown in 2 and 3 respectively.
Figure 2 example of signaling integrity
Figure 3 deployment of signaling Integrity Protection
The UA in Figure 3 represents the UA of usera or userb, because the signaling interaction between the two UA needs to pass the proxy, and its security requirements are consistent, so only one party is shown in the figure. UA and proxy are both nodes based on the general computing platform, and their access control needs to be protected. Therefore, guardedaccess is finalized on the mark. In addition to processing signaling, UA also needs to process the encoding and decoding and control of media streams. This case only involves the security of signaling. Therefore, UA only focuses on the components for signaling control. The communication between UA and proxy is based on IP address bearer. The number of threat letters defined in Table 1: threata (IP carrier) = {Delete, read, insert }, signaling integrity may be damaged under attacks, and corresponding security mechanisms must be used to protect signaling interactions.
The sender class and the worker er Class are two classes derived from the abstraction of communication security functions. These two categories provide security capabilities to ensure the integrity of message transmission between the sender and receiver. By aggregating the signaling control function of ua and the Call Control Function of proxy, the signaling integrity requirements of UA and proxy communication can be met at the high-level requirement level.
Accessguard is a class used to isolate access to protected objects. It is marked by the {Guard = accessguard} mark on protected objects, all access requests to protected objects must be submitted to the accessguard class first. After the accessguard Class determines the access permission based on the specific access control mechanism and access control policy, access requests can be executed on protected objects.
The sender and Cycler classes can further refine the granularity of different security requirements of services, and implement them through heavy load of the send () method. For example, when calling the send () method, you can use the qop [] (qualityofprotection) parameter to describe the business's protection-level requirements for security functions. Qop reflects the dynamic balance between overhead and security protection requirements for handling security issues. A level of qop can correspond to the encryption algorithm strength, key length, and authentication mechanism strength used in a specific security mechanism. However, the definition of qop still relies on a specific security mechanism and is random. There is no objective standard.
In a finer granularity, you can specify parameters related to the specific security mechanism in the send () method to control the security mechanism more accurately.
Figure 5 is a class diagram of the security capability abstract class that protects communication confidentiality. The send () method should ensure the encrypted transmission of messages. The receive () method of the receiver class is used to receive and decrypt messages. As with integrity protection, more meticulous and controllable confidentiality protection can be implemented through heavy loading of the send () and receive () methods.
In addition to the abstract classes used to protect the integrity and confidentiality of communications and the security capability of Object Access Control, as shown in Figure 4 and figure 5, more abstract classes of security capabilities can be abstracted according to the actual security requirements of the business. Each class implements a specific security function. For example, you can define an abstract class of the group key management function in a multimedia conference to meet the Group key generation, distribution, and authentication functions.
Figure 4 security function Abstract class diagram example
Figure 5 Functions of message confidentiality and security
II. Implementation Mechanism of business security
Based on the above analysis, the security requirements of the NGN service can be divided and abstracted from the security characteristics to form a series of fine-grained security function abstract classes. The implementation of each security function Abstract class can meet the security requirements of the business. In this paper, a model-driven fine-grained access control framework AC-PIM is proposed) maps to a variety of specific access control mechanisms, such as oasis saml (securityassertionmarkuplanguage), XACML (eXtensible Access Control Markup Language), and OMG rad (Resource Access demo-facility) and the Java access control model defined in Java authentication and authorization. The AC-PIM provides a way to implement the accessguard abstract class in Figure 4.
The following describes how to use the GSS-API to ensure the integrity of the Communication Security Ability abstract class, through the state chart shows to ensure the integrity of the Communication sender class send () method and receiver er Class receive () method of the GSS-API implementation. This article provides a schematic description, ignoring some error handling processes.
In Figure 6, after the send () method is called, sender first checks whether there is an available security context. If the available security context already exists, you can use the context handle as one of the parameters to call the get_getmic () method of the GSS-API. Parameters also include messages to be signed and optional qop. If the message signature can be completed normally, the sender can send the message together with the token generated after the signature to the destination. If the signature is abnormal, you can use the returned error code to identify the cause.
Figure 6 GSS-API Implementation of {integrity} sender
If no security context is available before calling the gss_getmic () method, the sender must first establish a security context with the receiver, after the security context is established through the interaction of Security Mechanism information, you can continue to call the gss_getmic () method to sign the message to be sent.
The communication integrity abstract class worker is used to check the message integrity, as shown in Process 7. The gss_verifymic () method checks whether the received message and its signature are consistent to determine its integrity. If no suitable context is available, establish a security context before calling gss_verifymic ().
Figure 7 GSS-API Implementation of {integrity} aggreger
If you need to implement confidentiality protection, the constraints of the sender class and the volume er Class are represented by {secrecy. The security functions of sender and receiver er can be realized through the gss_warp () method and gss_unwrap () method of GSS-API.
Sender and aggreger can also be implemented through NGSS-API. NGSS-API is a security application interface under the parlayapi architecture, which extracts network security capabilities and provides security capabilities for businesses. The NGSS-API provides ipcredentialmanager, ipcontextmanager, ipcontext and other classes are used to manage certificates, management security context and security capabilities provided by security mechanisms in the Network Based on Security Context integrity, confidentiality and so on. The process of using a NGSS-API for communication integrity and confidentiality protection is similar to that of a GSS-API.
Both GSS-API and NGSS-API can be used to abstract security functions based on business security requirements. The GSS-API is usually implemented by the local program language library and is suitable for business instances running on the terminal and network entity to ensure the security of local interaction with the destination. Based on parlayapi, The NGSS-API is mainly oriented to third-party business entities such as application servers. It is suitable for business instances running on application servers and interacting with Parlay gateway, its security requirements are implemented by coordinating entities in the network through the Parlay gateway to ensure overall security. The security granularity of the GSS-API is message-level, while the security granularity of the NGSS-API is relatively larger, starting from the point of view of the application server business logic, ensure the security of one caller or user interface.
GSS-API and NGSS-API are independent of specific security mechanisms, can adopt different security mechanisms and security protocols.
Iii. Conclusion
In this paper, umlsec is expanded based on the network characteristics of NGN, and the expanded umlsec is used to analyze the network environment and business security requirements of NGN. The security requirements of the NGN Service are abstracted as fine-grained security capability abstract classes and described using umlsec. The combination of these classes fully expresses the security features required by the NGN service. The security capability abstract class can meet the security requirements of the NGN business. This document describes how to use the secure application interface to implement the security capability abstract class. The implementation of security-based application interfaces has nothing to do with the details of specific security mechanisms, and is portable, so that business security features can be implemented through different security mechanisms in different environments. The next research will include modeling business availability and other security features, and improving the conversion rules between the demand model and the implementation model to achieve automatic conversion and verification between models.