Shen Changxiang: Building a "Secure and Trustworthy" Cyberspace Security Protection System

Author: Tianjin Digital Port   Time: 2022.07.01


The past ten years have been a decade of rapid development of the information technology revolution and of the digital economy, and also a decade of deeply grasping the general trend of informatization and actively responding to cybersecurity challenges. Since the 18th National Congress of the Communist Party of China, China's cybersecurity work has entered the fast lane. A new starting point, a new journey. Looking back, what achievements has China's cybersecurity industry made? Standing in the present, what new challenges does it face? Looking ahead, what new trends will emerge? The Institute of Cybersecurity of the China Academy of Cyberspace Studies, the converged-media center of "China Internet Information" magazine, the cybersecurity channel of Guangming Online, and Anheng Information jointly launched a series of interviews. In this issue, Shen Changxiang, academician of the Chinese Academy of Engineering, is interviewed.

Reporter: Drawing on your own practice, please talk about the development and changes in cybersecurity over the past ten years, and the new challenges and problems facing the industry's development.

Shen Changxiang: At present, cyberspace has become the fifth sovereign domain of the nation after land, sea, air and space, and it is also the arena into which international strategic competition has extended in the networked society. China's cybersecurity faces severe challenges. Holding to "there is no national security without cybersecurity" and "security is the prerequisite for development, and development is the guarantee of security", and in accordance with national cybersecurity laws, regulations and strategic requirements, promoting secure and trustworthy products and services is our historical mission. Since the 18th National Congress of the Communist Party of China, China has achieved gratifying results in the field of cybersecurity. With the Cybersecurity Law of the People's Republic of China (hereinafter the "Cybersecurity Law"), the Cryptography Law of the People's Republic of China (hereinafter the "Cryptography Law") and other laws and regulations, the governance system has gradually improved, so that the development of the cybersecurity industry has laws and rules to follow; a secure and trustworthy network product and service industry ecosystem has been initially built, and the industrial structure is becoming more reasonable; cyberspace security has become a first-level discipline, a talent training system has been initially established, the training of cybersecurity talent keeps growing, and the national cybersecurity assurance capacity has been greatly improved.

At the same time, there is still a large gap between China and the developed countries in cybersecurity technology, industry and capabilities, and China is somewhat passive in the complex cybersecurity game: independent innovation is insufficient, security is mainly "follow-on", and the problem of core technology being "controlled by others" is hard to solve; the cybersecurity protection technology system is not sound, cybersecurity assurance capabilities in key areas are inadequate, and in terms of security and active defense systems, cybersecurity assurance measures struggle to adapt to rapid change. To this end, we should seize the strategic high ground through forward-looking layout, form a cyberspace security assurance system that both has Chinese characteristics and follows world development trends, strive for strategic initiative with an independently innovative industry, build a world-leading, secure, self-reliant and self-strengthening cybersecurity industry ecosystem, fundamentally solve the problem of core technology being controlled by others, actively participate in the international governance of cyberspace, strengthen international cooperation in cyberspace, and enhance China's international standing in the field. During the "14th Five-Year Plan" period, we should strive to build a secure and trustworthy core technology industrial ecosystem, lay a secure and trustworthy cybersecurity foundation, establish a smooth and efficient organizational management system and a systematic legal and regulatory governance system, strengthen a virtuous-cycle funding guarantee, do a good job of multi-level talent training, provide strong support for national cybersecurity, and lay a solid foundation for building a cyber power.

Reporter: The "Cybersecurity Law" sets higher requirements for holding the cybersecurity line and building a secure and trustworthy network system, and it explicitly calls for promoting secure and trustworthy network products and services. How should the meaning of "secure and trustworthy" be understood?

Shen Changxiang: "Secure and trustworthy" is a security property that equipment used in a network should have: while the equipment does its work, a security component inside it performs dynamic, parallel, real-time security checks, ensuring that the computing process and resources are not interfered with, damaged or tampered with, so that tasks are completed correctly. These are network products and services developed with active-immunity Trusted Computing 3.0 technology, comparable to a human body that has immune capability. It moves beyond the "old three" passive protections of blocking and virus scanning, and through independent innovation solves the core-technology bottleneck problem.

With the rapid development of information technology and the constantly changing cybersecurity situation, we have gradually realized that mastering core network and information technologies is fundamental to China freeing itself from being controlled by others in cybersecurity, and is also the prerequisite for ensuring the security of important information systems and data. A secure and trustworthy supply chain of basic hardware and software such as chips, complete machines, operating systems and databases has become the cornerstone of building a cyber power.

Achieving security and trustworthiness requires independent innovation and self-reliance. First of all, we must recognize the nature of cybersecurity risk. Security risk originates from three fundamental causes: the principle of the Turing machine, the structure of the von Neumann architecture, and the lack of security governance in network information engineering. It is impossible to exhaust all logical combinations; one can only handle the logical combinations related to the computing task, so there are inevitably a large number of defects and vulnerabilities arising from logical incompleteness, and it is difficult to deal with malicious behaviour in which people exploit those defects and vulnerabilities to attack for gain.

To reduce security risk, scientific and technological innovation must be carried out in logical correctness verification, computing architecture and computing mode, so that existing vulnerabilities and defects cannot be exploited by attackers, forming a system in which offence and defence are unified. This is as necessary as the immune system is to human health. This is the new computing mode and architecture of China's Trusted Computing 3.0: protection in parallel with computation, that is, starting from a physical root of trust, verifying level by level, constructing a chain of trust, and providing functions such as trusted measurement and trusted reporting, which create a trusted computing environment for the security of users' data resources and operating processes and effectively reduce the system's security risk. It can be seen that the "Cybersecurity Law" requirement to promote secure and trustworthy network products and services is scientific and reasonable, and also efficient and feasible.

Reporter: In building a "secure and trustworthy" cyberspace security protection system and improving the active immune capability of cybersecurity, what aspects are involved?

Shen Changxiang: First of all, it is necessary to innovate and develop active-immunity Trusted Computing 3.0 and create a good ecological environment for the secure and trustworthy industry.

Trusted Computing 3.0 originated in China. Research on a new model of trusted computing began in the early 1990s; in February 1995 it passed appraisal, and equipment was built. After long-term research, the independently innovated Trusted Computing 3.0 technology system was formed.

Trusted Computing 3.0 adopts a dual-system architecture in which computation and protection run in parallel, carrying out security protection while the computation runs. Trusted computing technology is combined with an access control mechanism so that "non-self" components are prohibited from unauthorized behaviour; an attacker therefore cannot exploit defects and vulnerabilities to perform illegal operations on the system, ultimately achieving the effect that attackers "cannot get in, cannot understand, cannot change, cannot paralyze, cannot deny", and the system is not destroyed by known or unknown viruses.

Secondly, establish a secure and trustworthy innovation system through self-reliance. First, innovation in the trusted system architecture. Trusted Computing 3.0 creatively proposed a dual-system architecture in which a computing node consists of a computing component and a protection component running in parallel. While keeping the original application system unchanged, it builds an active immune computing environment with a trust guarantee mechanism that actively intercepts system operations, makes trusted judgements according to predetermined policy rules, promptly discovers and prohibits behaviour that does not match expectations, and ensures secure and trustworthy operation throughout the whole process.

Second, innovation in trusted computing cryptography. Trusted Computing 3.0 is based on the Trusted Cryptography Module (TCM) national standard, which adopts the algorithm standards stipulated by the national "Cryptography Law" to meet trusted computing needs, and it makes important innovations in three respects: first, it constitutes a fused symmetric and asymmetric cryptographic system that fully supports trusted functions; second, trusted computing cryptography under the 3.0 architecture is based on domestic cryptographic algorithms, with SM4 as the symmetric-key algorithm, SM2 as the asymmetric-key algorithm and SM3 as the hash algorithm, efficiently implementing identity authentication, encryption protection and consistency verification; third, it uses a dual-certificate system, with a platform certificate for authentication and an encryption certificate to protect keys, so that the encryption function and the authentication function are managed separately. In accordance with the Electronic Signature Law of the People's Republic of China, this simplifies certificate management and improves system security by isolating and strengthening the encryption and authentication functions.

Third, innovation in the trusted platform control module. It proposes using the Trusted Platform Control Module (TPCM) as the root of trust, connected to the host's computing component, adding a bus-level control mechanism for the system and its peripherals on top of the trusted cryptography module. The TPCM is the source of trust for the system, combining the cryptographic mechanism with the control mechanism. At present the TPCM national standard has been released, and it has been developed into three forms, card, motherboard SoC and a trusted core in multi-core CPUs, which have been promoted in large quantities. Fourth, innovation in the trusted motherboard. The trusted platform motherboard combines the protection component with the computing component. The protection component consists of the TPCM and multiple measurement points in the system (including the TPCM's measurement mechanism for the BOOT ROM), while the computing component remains unchanged. The chain of trust is established from the "first moment of power-on", thereby improving system security. At the same time, measurement agents are placed at multiple measurement points on the motherboard; hardware control is achieved through these agents, and trusted hardware measurement and control interfaces are provided to the trusted software layer.

Fifth, innovation in the trusted software base. The trusted software base, with TPCM support and based on the dual-system architecture, takes the original host software of the information system as the protected object, forming a parallel dual software architecture. The trusted software base occupies the core position in the trusted computing system: upward it connects to the management mechanism, it protects applications through an active monitoring mechanism, downward it connects to the TPCM and other trusted hardware resources to provide trusted support for the system's security mechanisms, and at the same time it cooperates with other trusted software bases in the network environment to achieve trusted collaboration. The trusted software base runs in parallel with the host's basic software; with TPCM support, it performs active interception and measurement protection through agents in the host operating system, achieving the security capability of active immune defence.

Sixth, innovation in trusted network connection. Aimed at a centrally controlled network security environment, a three-layer, three-element trusted connection architecture was creatively proposed, which can effectively prevent collusion attacks from inside and outside. At the same time, this architecture clearly defines trusted network access, trusted assessment and trusted measurement, making the system's structure clear and controllable. Triple control and authentication among the access requester, the access controller and the policy arbiter realizes a centrally controlled trusted network connection mode and improves the policy rules of the architecture.
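As an added illustration (not part of the interview, and not code from any TPCM or Trusted Computing 3.0 product), the Python model below shows the level-by-level chain of trust and policy-based judgement described above: a simplified root of trust holds reference measurements as its predetermined policy, measures each boot stage before control passes to it, extends an accumulator register for trusted reporting, and halts at the first mismatch. SHA-256 is an assumed stand-in for SM3 because Python's hashlib does not reliably provide it; the stage names, the stage images and the `TrustedRoot` interface are constructed for the example.

```python
import hashlib

def measure(data: bytes) -> bytes:
    # SM3 is the hash used by Trusted Computing 3.0; SHA-256 is an assumed
    # stand-in because Python's hashlib does not reliably provide sm3.
    return hashlib.sha256(data).digest()

class TrustedRoot:
    """Simplified model of a TPCM-style root of trust (an assumption, not the
    real TPCM interface): holds reference measurements, keeps a register that
    is extended with every measurement, and records a log for reporting."""

    def __init__(self, reference: dict[str, bytes]):
        self.reference = reference          # predetermined policy: expected digests
        self.register = bytes(32)           # extend-only accumulator, starts at zero
        self.log: list[tuple[str, str]] = []

    def extend(self, name: str, digest: bytes) -> None:
        # The register depends on every earlier measurement, so a tampered stage
        # changes the final value even if all later stages are genuine.
        self.register = measure(self.register + digest)
        self.log.append((name, digest.hex()))

    def judge(self, name: str, image: bytes) -> bool:
        digest = measure(image)
        self.extend(name, digest)
        return digest == self.reference.get(name)

def boot_chain(root: TrustedRoot, stages: list[tuple[str, bytes]]):
    """Level-by-level verification: each stage is measured by the root before
    control passes to it. Returns (trusted, name_of_first_untrusted_stage)."""
    for name, image in stages:
        if not root.judge(name, image):
            return False, name   # active interception: stop before running it
    return True, None

# Constructed sample images standing in for BOOT ROM, firmware, kernel and application.
GOLDEN_STAGES = [
    ("boot_rom", b"constructed boot rom v1"),
    ("firmware", b"constructed firmware v1"),
    ("kernel", b"constructed kernel v1"),
    ("app", b"constructed application v1"),
]
REFERENCE = {name: measure(image) for name, image in GOLDEN_STAGES}

def tampered_stages() -> list[tuple[str, bytes]]:
    # Same chain, but the kernel image has been modified by one byte.
    return [(n, img if n != "kernel" else img + b"!") for n, img in GOLDEN_STAGES]

def attest(stages):
    """Run the chain and return the verdict, the register value and the log."""
    root = TrustedRoot(REFERENCE)
    verdict = boot_chain(root, stages)
    return verdict, root.register.hex(), root.log

if __name__ == "__main__":
    for label, stages in (("golden", GOLDEN_STAGES), ("tampered", tampered_stages())):
        (ok, failed), reg, log = attest(stages)
        print(f"{label}: trusted={ok} failed_at={failed} register={reg[:16]}...")
```

The tampered run stops at the kernel stage, so the application is never measured or started, and its register value differs from the golden one, which is what a verifier comparing a trusted report would see.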

Reporter: Strengthening cyberspace security cannot be separated from the support and guidance of related industrial policies. Going forward, which policies and innovation systems need to be improved to further build a secure and trustworthy industrial ecosystem?

Shen Changxiang: We must optimize industrial policy and build a secure and trustworthy industrial ecosystem: strengthen overall planning, increase investment, support cybersecurity industries and projects, and accelerate the promotion of secure and trustworthy network products and services; form a promotion mechanism for secure and trustworthy domestic products and push the application of secure and trustworthy technology products; and introduce corresponding policies that provide market application space for independently innovated products, promoting the coordinated development of technology product innovation, performance optimization and improvement, and industrial application.

We must optimize the innovation and development environment of the cybersecurity industry with enterprises as the main body: optimize the business environment and stimulate enthusiasm for mass entrepreneurship and innovation; strengthen enterprises' position as the main innovators and create a fair and reasonable market environment; combine with the national "Belt and Road" initiative to create a more favourable international development environment; give full play to the role of government agencies, industry associations and industry alliances, and strive for more international say; and support enterprises' international development through measures such as establishing industrial M&A funds and sharing patent pools, reducing the pressure on domestic enterprises in international competition.

We must strengthen talent training and build a comprehensive cybersecurity talent team: increase training and build a cybersecurity team of sufficient size and reasonable structure; strengthen the construction of cyberspace security as a first-level discipline, sort out the talent needs of professional institutions and industry enterprises, and at the same time strengthen cooperation between employers, universities and professional training institutions to further narrow the gap between talent supply and demand.

We must plan as a whole, increase investment, strengthen funding supervision and greatly improve the efficiency of national funds: optimize funding support methods and regulatory models to improve the return on funding; through a professional project management agency, uniformly accept applications for cybersecurity projects, strictly assess project resources, integrate existing cybersecurity project resources, and focus resources on breaking core-technology bottlenecks; improve the existing funding supervision model, establish a reasonable funding application and review process, and strengthen auditing at every stage; strengthen cooperation among industry, universities, research institutes and management, and plan funding directions with foresight; and, while giving priority to basic and public-welfare projects, fully consider the economic returns of funding, set up "industrial funds", "innovation funds" and the like, accelerate the marketization of technology research and development, and form a virtuous-cycle, market-oriented funding support mechanism.

Source: "China Internet Information" magazine WeChat public account

Review: Zhang Zhihua, Deng Jinglong

Editors: Pei Liyan, Li Xiangfei
