DSDP zero-trust architecture for the high-speed railway passenger service system


Authors: 吴兴华 (WU Xinghua), 姚洪磊 (YAO Honglei), 刘勇 (LIU Yong), 王朋函 (WANG Penghan)

Affiliations: [1] School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China; [2] Institute of Computing Technologies, China Academy of Railway Sciences Corporation Limited, Beijing 100081, China

Source: Railway Computer Application (《铁路计算机应用》), 2024, No. 10, pp. 40-47 (8 pages)

Funding: Key project of China State Railway Group Co., Ltd. (N2023S005).

Abstract: The high-speed railway passenger service system (referred to below as the passenger service system) has a large number of business terminal devices, complex permissions for unified secure access management, and insufficient zero-trust access control measures; in addition, the traditional Software Defined Perimeter (SDP) zero-trust architecture suffers from a single point of failure in practical deployment. To address these problems, this paper designs a Dual-identity SDP (DSDP) zero-trust architecture that restructures the passenger service system's main data center (referred to below as the main data center) and the server clusters of the railway bureau group companies, securing the access of the station business terminal devices they manage. A dual authentication process algorithm based on homomorphic encryption is proposed to implement bidirectional mutual recognition between the SDP control modules of the main data center and of the railway bureau group company under the DSDP zero-trust architecture. Experimental results show that the DSDP zero-trust architecture can effectively resist hijacking risks; with multiple concurrent users it keeps the passenger service system's response time within a reasonable range; and it is practical, providing a technical means for the unified access of passenger service system terminal devices and for zero-trust identity authentication with differing permission requirements.

Keywords: high-speed railway; passenger service system; system architecture; zero trust; SDP architecture; homomorphic encryption

Classification code: U293.2 [Transportation Engineering: Transportation Planning and Management]
