DSDP zero trust architecture for high-speed railway passenger service system
Abstract (translated from the Chinese):
To address the problems that the high-speed railway passenger service system (hereafter, the passenger service system) has a large number of business terminal devices with complex permissions for unified secure-access management, that zero trust access control measures are insufficient, and that the traditional Software Defined Perimeter (SDP) zero trust architecture suffers from single points of failure in practical deployment, a DSDP (Dual-identity SDP) zero trust architecture is designed to re-engineer the main data center of the passenger service system (hereafter, the main data center) and the server cluster architecture of the railway bureau group companies, so as to secure the access of the station business terminal devices under their management. A dual authentication process algorithm based on homomorphic encryption is proposed to achieve bidirectional mutual authentication between the SDP control modules of the main data center and of the railway bureau group company under the DSDP zero trust architecture. The experimental results show that the DSDP zero trust architecture can effectively resist hijacking risks; with multiple users, it keeps the response time of the passenger service system within a reasonable range; and it is usable in practice, providing a technical means for the unified access of passenger service system terminal devices and for zero trust identity authentication under differing permission requirements.
Abstract (English): To solve the problems of a large number of business terminal devices and complex unified security access management permissions in the high-speed railway passenger service system (referred to as the passenger service system), insufficient zero trust access control measures, and single points of failure in the traditional Software Defined Perimeter (SDP) zero trust architecture in practical applications, this paper designs a Dual-identity SDP (DSDP) zero trust architecture to transform the main data center of the passenger service system and the server cluster architecture of the railway bureau group company, ensuring the security of access by the station business terminal devices under its management. The paper proposes a dual authentication process algorithm based on homomorphic encryption technology to implement bidirectional mutual recognition between the SDP control modules of the main data center and of the railway group company under the DSDP zero trust architecture. The experimental results show that the DSDP zero trust architecture can effectively combat hijacking risks. In the case of multiple users, the architecture keeps the response time of the passenger service system within a reasonable range and is practically usable, providing a technical means for unified access of passenger service system terminal devices and for zero trust identity authentication with different permission requirements.
Table 1  Symbol definitions
Symbol          Definition
E( ), E'( )     public-key encryption
$m_i$           verification code i
D( ), D'( )     private-key decryption
M               result of the logical AND over the verification codes
$\oplus$        homomorphic AND operation on plaintexts
$\odot$         homomorphic AND operation on ciphertexts