CN101145915B - An authentication system and method of trustable router - Google Patents

An authentication system and method of trustable router

Info

Publication number: CN101145915B
Authority: CN (China)
Prior art keywords: router, trustable, couple, message, permission
Legal status: Active
Application number: CN2007101757254A
Other languages: Chinese (zh)
Other versions: CN101145915A
Inventors: 张珺, 刘靖, 许智君, 张玉军, 李军, 叶新铭
Current Assignee: HANGZHOU HEZHONG DATA TECHNOLOGY CO., LTD.
Original Assignee: Institute of Computing Technology of CAS
Application filed by: Institute of Computing Technology of CAS
Priority to: CN2007101757254A
Publication of CN101145915A; application granted; publication of CN101145915B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
Abstract

The present invention discloses a trusted router authentication system and method. The system comprises terminal equipment, an access router, multi-level intermediate routers and a trust anchor router, and a hierarchical router-level trust structure is constructed between the routers. The terminal equipment comprises a terminal authentication module that sends a TRPS to the access router after receiving an unauthenticated RA and, after receiving a TRPA message, verifies the content of the TRPA to complete trusted identity authentication of the access router. The access router comprises a first authentication module that receives the TRPS message sent by the terminal equipment and sends a TR2PS message to the trust anchor router, then receives the TR2PA message sent by the trust anchor router and sends the TRPA message to the terminal equipment. The trust anchor router comprises a third authentication module that issues a router authorization passport and sends it to the access router in the TR2PA message. The invention performs access router authentication more safely, efficiently and rapidly.

Description

A trusted router authentication system and method
Technical field
The present invention relates to the field of communication security, and in particular to a trusted router authentication system and method, which provides a way for terminal equipment on a communication network to securely authenticate the legal identity of its access router.
Background art
In an IPv6 (Internet Protocol version 6) communication network, the prerequisite for terminal equipment to access the communication network (such as the Internet) normally is to configure its own IPv6 address according to the Router Advertisement (RA) message it receives, and to select the router that issued this RA message as its access router (AR), through which it completes the function of accessing the communication network (see IETF RFC 2461, document No. 2461 of the Internet Engineering Task Force).
How to authenticate the legal identity of the access router more safely and efficiently, and to use the address prefix carried in its router advertisement as the key basis for configuring the terminal's own address, is of great significance to every access device. If the access router is untrustworthy, the terminal equipment is easily attacked by a malicious router and may even be unable to access the communication network normally. IETF RFC 3971 (document No. 3971 of the Internet Engineering Task Force) proposes the IPv6 SEcure Neighbor Discovery (SEND) protocol, which adopts an Authorization Delegation Discovery (ADD) mechanism to ensure that the IPv6 router discovery procedure runs safely and reliably.
The authorization delegation discovery procedure is as follows: when terminal equipment connects to a local link, it authenticates the legal identity of the router that may become its default router by verifying the certificate chain from that router to a trust anchor (TA) that the host trusts, thereby authenticating the router.
However, this authorization delegation discovery mechanism requires IPv6 access devices to run a complicated certificate chain verification procedure to determine the legal identity of the access router. The computation cost on the terminal equipment is large, which is particularly unsuitable for mobile handheld terminals with weak computing capability and constrained energy. In addition, a large number of certificates in the certificate chain are transmitted between the router and the accessing terminal, which increases the transmission overhead of the local network and, especially in a wireless communication environment, consumes valuable wireless bandwidth. Moreover, while a long certificate chain is being transmitted between the terminal equipment and the router, the network, the router and the terminal are exposed to malicious attack for longer, which increases the possibility of being attacked.
Summary of the invention
The problem to be solved by the invention is to provide a trusted router authentication system and method that can authenticate the access router more safely, efficiently and rapidly.
To achieve this, the invention provides a trusted router authentication system comprising terminal equipment, an access router, a trust anchor router and multi-level intermediate routers. A hierarchical router-level trust structure is constituted among the routers: routers of adjacent levels have a direct trust relationship, and a lower-level router holds an authentication certificate issued directly to it by its upper-level node;
The terminal equipment comprises a terminal authentication module, used, after receiving an unauthenticated access router advertisement message, to initiate a trusted router passport solicitation to that access router; and, after receiving a trusted router passport advertisement message, to verify the content of that message and complete trusted identity authentication of the access router;
The access router holds a certificate chain to the trust anchor router, used to complete the terminal equipment's authentication of the access router. The access router comprises a first authentication module, used to receive the trusted router passport solicitation message sent by the terminal equipment and send a trusted router-to-router passport solicitation message to the trust anchor router; and to receive the trusted router-to-router passport advertisement message sent by the trust anchor router and send a trusted router passport advertisement message to the terminal equipment;
The trust anchor router comprises a third authentication module, used to issue a router authorization passport and send it to the access router in a trusted router-to-router passport advertisement message.
The trusted router authentication system also comprises multi-level intermediate routers;
The intermediate router comprises a second authentication module, used to receive a trusted router-to-router passport solicitation message and, after verifying that message, send a trusted router-to-router passport solicitation message containing its own digital signature to the router of its upper-level node;
Wherein the access router receives the trusted router passport solicitation message sent by the terminal equipment and sends the trusted router-to-router passport solicitation message to the trust anchor router via the intermediate routers.
The access router also comprises a first encryption and decryption module, used to encrypt the constructed trusted router-to-router passport solicitation message with the public key of the router of its upper-level node in the router-level trust structure; after receiving the encrypted trusted router-to-router passport advertisement message replied by the trust anchor router, to decrypt it with its own private key and obtain the content of the trusted router-to-router passport advertisement message; and, after constructing the trusted router passport advertisement message, to encrypt it with the public key of the terminal equipment to form an encrypted trusted router passport advertisement message;
The intermediate router also comprises a second encryption and decryption module, used to decrypt with its own private key to obtain the content of a trusted router-to-router passport solicitation message, and to encrypt the trusted router-to-router passport solicitation message it constructs with the public key of the router of its upper-level node in the trust hierarchy;
The trust anchor router also comprises a third encryption and decryption module, used to decrypt with its own private key to obtain the content of the trusted router-to-router passport solicitation message, and to encrypt the trusted router-to-router passport advertisement message with the public key of the access router.
The trusted router passport solicitation message is constituted as:
TRPS={Nonce;TAs}
wherein the TAs field represents the list of trust anchor routers configured on the terminal equipment;
the Nonce field is used to match a pair of solicitation and advertisement messages.
The trusted router passport advertisement message is constituted as:
TRPA={Nonce;TA;RAP}
wherein the RAP field represents the trusted router passport issued by a trust anchor router;
the TA field represents the trust anchor router that issued this passport;
the Nonce field is copied from the Nonce value in the trusted router passport solicitation message.
The trusted router-to-router passport solicitation message is constituted as:
TR2PS={Nonce,TA,AddrAR,CertAR,SIG}
wherein the Nonce field is copied from the Nonce value in the trusted router passport solicitation message, or in the trusted router-to-router passport solicitation message from the router of the lower-level node;
the TA field is copied from the trust anchor identifier in the trusted router passport solicitation message, or in the trusted router-to-router passport solicitation message from the router of the lower-level node;
the AddrAR field represents the IP address of the access router;
the CertAR field represents the authentication certificate issued to the access router by the trusted router of its upper-level node, and provides the access router's information when the trust anchor router issues the router authorization passport to the access router;
the SIG field represents the digital signature that the sender of the trusted router-to-router passport solicitation message generates with its own private key over the Nonce, TA, AddrAR and CertAR content of the message; the router of the upper-level node that receives the message verifies the message content by this digital signature;
The trusted router-to-router passport advertisement message is constituted as:
TR2PA={Nonce,TA,RAP}
wherein the Nonce field is copied from the Nonce value in the trusted router-to-router passport solicitation message;
the TA field is the trust anchor router's own identifier;
the RAP field is the router authorization passport issued by the trust anchor router to the access router.
To achieve the object of the invention, an internet with trusted router authentication is also provided, comprising an access router and a trust anchor router, and used by terminal equipment accessing the internet to authenticate the trusted identity of the access router. It is characterized in that a hierarchical router-level trust structure is constituted among the routers: routers of adjacent levels have a direct trust relationship, and a lower-level router holds an authentication certificate issued directly to it by its upper-level node;
The access router holds a certificate chain to the trust anchor router, used to complete the terminal equipment's authentication of the access router. The access router comprises a first authentication module, used to receive the trusted router passport solicitation message sent by the terminal equipment and send a trusted router-to-router passport solicitation message to the trust anchor router; and to receive the trusted router-to-router passport advertisement message sent by the trust anchor router and send a trusted router passport advertisement message to the terminal equipment;
The trust anchor router comprises a third authentication module, used to issue a router authorization passport and send it to the access router in a trusted router-to-router passport advertisement message.
The internet with trusted router authentication also comprises multi-level intermediate routers;
The intermediate router comprises a second authentication module, used to receive a trusted router-to-router passport solicitation message and, after verifying that message, send a trusted router-to-router passport solicitation message containing its own digital signature to the router of its upper-level node;
Wherein the access router receives the trusted router passport solicitation message sent by the terminal equipment and sends the trusted router-to-router passport solicitation message to the trust anchor router via the intermediate routers.
The access router also comprises a first encryption and decryption module, used to encrypt the constructed trusted router-to-router passport solicitation message with the public key of the router of its upper-level node in the router-level trust structure; after receiving the encrypted trusted router-to-router passport advertisement message replied by the trust anchor router, to decrypt it with its own private key and obtain the content of the trusted router-to-router passport advertisement message; and, after constructing the trusted router passport advertisement message, to encrypt it with the public key of the terminal equipment to form an encrypted trusted router passport advertisement message;
The intermediate router also comprises a second encryption and decryption module, used to decrypt with its own private key to obtain the content of a trusted router-to-router passport solicitation message, and to encrypt the trusted router-to-router passport solicitation message it constructs with the public key of the router of its upper-level node in the trust hierarchy;
The trust anchor router also comprises a third encryption and decryption module, used to decrypt with its own private key to obtain the content of the trusted router-to-router passport solicitation message, and to encrypt the trusted router-to-router passport advertisement message with the public key of the access router.
To achieve the object of the invention, a trusted router authentication method is further provided, comprising the following steps:
Step A: after receiving an unauthenticated access router advertisement message, the terminal equipment constructs a trusted router passport solicitation message and sends it to the access router;
Step B: the access router sends a trusted router-to-router passport solicitation message, level by level along the certificate chain to the trust anchor router, to the trust anchor router that the terminal trusts; after authenticating the trusted router-to-router passport solicitation message, the trust anchor router generates a router authorization passport for the access router and issues it to the access router in a trusted router-to-router passport advertisement message; after receiving the router authorization passport, the access router replies to the terminal equipment with a trusted router passport advertisement message carrying the router authorization passport;
Step C: after receiving the trusted router passport advertisement message, the terminal equipment verifies the content of that message and completes trusted identity authentication of the access router;
Wherein a hierarchical router-level trust structure is constituted among the routers: routers of adjacent levels have a direct trust relationship, and a lower-level router holds an authentication certificate issued directly to it by its upper-level node. In the router-level trust structure, the access router sends the trusted router-to-router passport solicitation message to its upper-level router; the intermediate routers at each level then construct and send trusted router-to-router passport solicitation messages from the bottom up, requesting on behalf of the access router that the trust anchor router issue it a passport.
In step A, the process by which the terminal equipment constructs the trusted router passport solicitation message and sends it to the access router comprises the following steps:
Step A1: after receiving a router advertisement message from an unauthenticated router on the local network, the terminal equipment starts the trusted router authentication process;
Step A2: the terminal equipment constructs a trusted router passport solicitation message according to the trusted router passport solicitation message format and sends it to the access router to be authenticated;
wherein the content of each field is:
Nonce: a large random number generated by the terminal, used to match a pair of solicitation and advertisement messages;
TAs: the trust anchor list configured on the terminal, which may contain several trust anchor identifiers;
Step A3: the terminal equipment enters a waiting state, waiting to receive from the access router a trusted router passport advertisement message carrying the router authorization passport issued by the trust anchor router.
The following step is also included after step A3:
Step A4: if the terminal does not receive a trusted router passport advertisement message within the set time, the terminal equipment has not obtained the access router's authorization passport, and this router cannot serve as the terminal's trusted access router.
In step B, the process by which the access router handles the trusted router passport solicitation message and sends the trusted router-to-router passport solicitation message comprises the following steps:
Step B1: the access router receives the trusted router passport solicitation message from the terminal equipment;
Step B2: the access router extracts the TAs identifiers from the trusted router passport solicitation message and checks whether it already holds a router authorization passport issued to it by one of those trust anchor routers; if so, step B9 is executed, otherwise step B3;
Step B3: the access router constructs a trusted router-to-router passport solicitation message according to the trusted router-to-router passport solicitation message format;
wherein the content of each field is as follows:
Nonce: copied from the Nonce value contained in the trusted router passport solicitation message received from the terminal equipment;
TA: copied from the trust anchor identifier contained in the trusted router passport solicitation message received from the terminal equipment;
AddrAR: the IP address of the access router;
CertAR: the content of the certificate issued to the access router by the trusted router of its upper-level node in the router-level trust structure;
SIG: the digital signature generated by the access router with its own private key over the Nonce, TA, AddrAR and CertAR field contents of the trusted router-to-router passport solicitation message;
Step B4: the access router encrypts the constructed trusted router-to-router passport solicitation message with the public key of the router of its upper-level node in the router-level trust structure to form an encrypted trusted router-to-router passport solicitation message, and sends it to the router of the upper-level node;
Step B5: the access router waits to receive the encrypted trusted router-to-router passport advertisement message sent by the trust anchor router.
The process by which the access router receives and handles the trusted router-to-router passport advertisement message comprises the following steps:
Step B6: the access router receives the encrypted trusted router-to-router passport advertisement message replied by the trust anchor router, decrypts it with the access router's private key and obtains the content of the trusted router-to-router passport advertisement message;
Step B7: the access router compares the Nonce and TA field values in the trusted router-to-router passport advertisement message with the corresponding content of the trusted router passport solicitation message it received, as a matching check;
Step B8: the access router stores the router authorization passport together with its corresponding trust anchor router.
The process by which the access router replies to the terminal equipment with a trusted router passport advertisement message carrying the router authorization passport comprises the following steps:
Step B9: the access router constructs a trusted router passport advertisement message from the Nonce, TA and router authorization passport RAP fields;
Step B10: the access router encrypts the trusted router passport advertisement message with the public key of the terminal equipment to form an encrypted trusted router passport advertisement message, and sends it to the terminal equipment as the response to the corresponding trusted router passport solicitation message.
The process by which an intermediate router sends the trusted router-to-router passport solicitation message comprises the following steps:
Step B1': an intermediate router receives the encrypted trusted router-to-router passport solicitation message sent by the intermediate router of the lower-level node, and decrypts it to obtain the content of the trusted router-to-router passport solicitation message;
Step B2': the intermediate router verifies the digital signature in the trusted router-to-router passport solicitation message with the public key of the intermediate router of the lower-level node, and accepts the content of the message after successful verification;
Step B3': the intermediate router determines whether it itself has the trust anchor router role; if so, processing jumps to the trust anchor router; otherwise step B4' is executed;
Step B4': the intermediate router digitally signs the content of the trusted router-to-router passport solicitation message just obtained with its own private key to obtain the SIG value, and continues to construct a trusted router-to-router passport solicitation message;
Step B5': the intermediate router encrypts the constructed trusted router-to-router passport solicitation message with the public key of the intermediate router of its upper-level node in the trust hierarchy to form an encrypted trusted router-to-router passport solicitation message, and sends it to the intermediate router of the upper-level node; after the intermediate router of the upper-level node receives the message, processing goes to step B1'.
In step B3', the processing performed by the trust anchor router comprises the following steps:
Step B6': the trust anchor router generates a router authorization passport for the access router;
Step B7': the trust anchor router constructs a trusted router-to-router passport advertisement message from the Nonce, TA and router authorization passport RAP field values;
Step B8': the trust anchor router encrypts the trusted router-to-router passport advertisement message with the public key of the access router and sends it.
The router authorization passport comprises the original certificate content CertAR of the access router and the signature of the trust anchor router.
In step C, the process by which the terminal equipment, after receiving the trusted router passport advertisement (TRPA) message, verifies the content of the TRPA message and completes trusted access router authentication comprises the following steps:
Step C1: after receiving the encrypted trusted router passport advertisement message replied by the access router, the terminal equipment decrypts it using the public key of the access router to obtain the trusted router passport advertisement message;
Step C2: the terminal equipment verifies the content of each field in the trusted router passport advertisement message;
Step C3: if the terminal equipment authenticates the router successfully, it accepts this router as a trusted access router;
Step C4: if the terminal equipment does not obtain the access router's authorization passport, this router cannot serve as the terminal's trusted access router.
In step C2, the verification process is:
Step C21: the terminal equipment compares whether the Nonce field value in the trusted router passport advertisement message is equal to that in the corresponding trusted router passport solicitation message it initiated;
Step C22: the terminal equipment matches the trust anchor identifier TA field value in the trusted router passport advertisement message against the trust anchor list TAs in the corresponding trusted router passport solicitation message it initiated, and judges whether the TA identifier in the advertisement belongs to the TAs list in the solicitation message;
Step C23: the terminal equipment uses the public key of the trust anchor router to verify the router authorization passport in the trusted router passport advertisement message;
If any of the above three processes fails, verification of the trusted router passport advertisement message fails and step C4 is entered; otherwise step C3 is entered.
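The message formats above and steps A to C, as an added Go simulation that is not part of the patent: a chain built as in Fig. 1 (trust anchor router, two intermediate routers, access router) signs the TR2PS hop by hop with Ed25519, the trust anchor issues the RAP as CertAR plus its own signature, the access router caches the passport (steps B2 and B8), and the terminal runs checks C21 to C23. The certificate format, the zero-byte joining of the signed fields, the choice of the first listed anchor, the AR address and the omission of the page's hop-by-hop public-key encryption are assumptions of this example.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

type Router struct { // one node of the hierarchical router-level trust structure
	Name string
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
	Cert []byte            // issued by Up: Name||Pub then Up's signature (constructed format)
	Up   *Router           // upper-level node; nil marks the trust anchor router
	RAP  map[string][]byte // passports cached in step B8, keyed by the issuing anchor
}

func newRouter(name string, up *Router) *Router {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	r := &Router{Name: name, Pub: pub, Priv: priv, Up: up, RAP: map[string][]byte{}}
	if up != nil {
		body := append([]byte(name), pub...)
		r.Cert = append(body, ed25519.Sign(up.Priv, body)...)
	}
	return r
}

type TRPS struct{ Nonce []byte; TAs []string } // message formats exactly as in the description
type TRPA struct{ Nonce []byte; TA string; RAP []byte }
type TR2PS struct{ Nonce []byte; TA, AddrAR string; CertAR, SIG []byte }
type TR2PA TRPA
type Anchors map[string]ed25519.PublicKey // trust anchors configured on the terminal

func signedPart(m TR2PS) []byte { // the content SIG covers: Nonce, TA, AddrAR, CertAR
	return bytes.Join([][]byte{m.Nonce, []byte(m.TA), []byte(m.AddrAR), m.CertAR}, []byte{0})
}

func handleTR2PS(self, lower *Router, m TR2PS) (TR2PA, error) { // steps B1'-B8' above the AR
	if !ed25519.Verify(lower.Pub, signedPart(m), m.SIG) { // B2': check the lower node's SIG
		return TR2PA{}, errors.New(self.Name + ": invalid SIG from " + lower.Name)
	}
	if self.Up != nil { // intermediate role: re-sign and pass upward, B4'-B5'
		m.SIG = ed25519.Sign(self.Priv, signedPart(m))
		return handleTR2PS(self.Up, self, m)
	}
	if self.Name != m.TA { // trust anchor role, B6'-B8'
		return TR2PA{}, errors.New(self.Name + ": request names another trust anchor")
	}
	rap := append(append([]byte{}, m.CertAR...), ed25519.Sign(self.Priv, m.CertAR)...) // RAP = CertAR plus anchor signature
	return TR2PA{Nonce: m.Nonce, TA: self.Name, RAP: rap}, nil
}

func handleTRPS(ar *Router, addrAR string, s TRPS) (TRPA, error) { // steps B1-B10 on the access router
	if len(s.TAs) == 0 {
		return TRPA{}, errors.New("TRPS lists no trust anchor")
	}
	ta := s.TAs[0] // assumption: the AR asks the first anchor the terminal listed
	if ar.RAP[ta] == nil { // B2: no passport from that anchor cached yet
		req := TR2PS{Nonce: s.Nonce, TA: ta, AddrAR: addrAR, CertAR: ar.Cert} // B3
		req.SIG = ed25519.Sign(ar.Priv, signedPart(req))
		resp, err := handleTR2PS(ar.Up, ar, req) // B4, B5
		if err != nil {
			return TRPA{}, err
		}
		if !bytes.Equal(resp.Nonce, s.Nonce) || resp.TA != ta { // B7
			return TRPA{}, errors.New("TR2PA does not match the pending TR2PS")
		}
		ar.RAP[ta] = resp.RAP // B8
	}
	return TRPA{Nonce: s.Nonce, TA: ta, RAP: ar.RAP[ta]}, nil // B9, B10
}

func verifyTRPA(s TRPS, a TRPA, anchors Anchors) error { // steps C21-C23 on the terminal
	if !bytes.Equal(a.Nonce, s.Nonce) {
		return errors.New("C21: nonce mismatch")
	}
	key, ok := anchors[a.TA] // C22: TA must be one the terminal configured
	if !ok {
		return errors.New("C22: TA not in the configured trust anchor list")
	}
	n :=	len(a.RAP) - ed25519.SignatureSize // C23: RAP verifies under the TA key
	if n < 0 || !ed25519.Verify(key, a.RAP[:n], a.RAP[n:]) {
		return errors.New("C23: router authorization passport signature invalid")
	}
	return nil
}

func Discover(ar *Router, trusted ...*Router) error { // one exchange: steps A1-A4 and C1-C4
	s, anchors := TRPS{Nonce: make([]byte, 16)}, Anchors{}
	rand.Read(s.Nonce) // A2
	for _, t := range trusted {
		s.TAs, anchors[t.Name] = append(s.TAs, t.Name), t.Pub
	}
	a, err := handleTRPS(ar, "2001:db8::1", s) // constructed AR address
	if err != nil {
		return err // A4: no passport arrived, the router is not accepted
	}
	return verifyTRPA(s, a, anchors) // C1-C4
}
```

A router whose chain does not end at one of the terminal's anchors never obtains a passport, so the terminal rejects it at step A4 rather than at C23.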
The beneficial effects of the invention are as follows. With the trusted router authentication system and method of the invention, the terminal equipment only needs to authenticate, once, the authorization passport issued to the access router by the trust anchor, and need not carry out a complicated router certificate chain verification procedure. This not only reduces the computational complexity of access router authentication on the terminal equipment, saving the terminal's energy and computing resources, but also reduces the time the terminal equipment needs to discover a trusted access router. Only one authentication solicitation/advertisement message pair and one router authorization passport need to be transmitted between the terminal equipment and the access router, which avoids transmitting lengthy certificate chain content and the related interaction information on the local access network. This saves the bandwidth resources of the local network on the one hand, and on the other hand reduces the opportunity for a malicious attacker to discover and track the terminal and access router and the amount of information it can obtain, improving the security of the local network during the secure router discovery procedure.
Description of drawings
Fig. 1 is a first schematic diagram of the trusted router authentication system of the invention;
Fig. 2 is a second schematic diagram of the trusted router authentication system of the invention;
Fig. 3 is a flowchart of the trusted router authentication method of the invention;
Fig. 4 is the processing flowchart of the terminal equipment;
Fig. 5 is the processing flowchart of the access router;
Fig. 6 is the processing flowchart of each level of router other than the access router.
Embodiment
In order to make purpose of the present invention, technical scheme and advantage clearer,, a kind of credible router authentication system of the present invention and method are further elaborated below in conjunction with drawings and Examples.Should be appreciated that specific embodiment described herein only in order to explanation the present invention, and be not used in qualification the present invention.
Usually, in the communication network of IPv6, terminal equipment is to the composition structure and the proof procedure of certificate chain and lose interest in, and what its was concerned about is that the trust anchor whether couple in router is trusted by it correctly authenticates.That is to say, only need the identity authentication result of couple in router for terminal equipment.Consider that based on these the present invention proposes a kind of safe and efficient new method fast that terminal equipment is found trustable router.
The present invention is an example with Internet Internet, and credible router authentication system of the present invention and method are described in detail, still, should be noted that, credible router authentication system of the present invention and method are equally applicable to other communication network, as 3G, 4G communication network etc.
The present invention proposes a kind of trustable router authentication method (Trusted Router Discovering Protocol, TRDP) and system, be used to insert the terminal equipment of internet, particularly newly insert the trusted identity of the terminal device authentication couple in router of internet.
The trustable router authentication system of the present invention comprises a terminal device 1, an access router, intermediate routers at each level, and a trust anchor router. A hierarchical router-level trust structure is built among the routers, i.e. the routers at each level of the Internet form a hierarchy of trust, and the access router has a certificate chain up to a trust anchor (TA), which is used to complete terminal device 1's authentication of the access router.
Figures 1 and 2 are exemplary diagrams of the router-level trust structure.
As shown in Figure 1, the trust anchor (TA) of terminal device (host) 1 is router 4, and the access router to be authenticated by terminal device 1 is router 2; from trust anchor router 4 to access router 2 a certification path D1-C1-B1-A1 is formed. Access router 2 holds the certificate "B1A1" issued by intermediate router 3, intermediate router 3 holds the certificate "C1B1" issued by the next-higher intermediate router, and that intermediate router holds the certificate "D1C1" issued by trust anchor router 4.
A certificate is signed by its issuer, and its content includes the holder's identity, public key and similar information. The issuer of certificate B1A1 is intermediate router 3 and its holder is access router 2; the issuer of certificate C1B1 is the next-higher intermediate router and its holder is the next-lower intermediate router; the issuer of certificate D1C1 is trust anchor router 4 and its holder is an intermediate router.
As shown in Figure 2, the trust anchor (TA) of terminal device 1 is router 4 and the access router of terminal device 1 is router 2; from trust anchor router 4 to access router 2 a certification path D2-C2-B2 is formed. Access router 2 holds the certificate "C2B2" issued by intermediate router 3, and intermediate router 3 holds the certificate "D2C2" issued by trust anchor router 4.
In the router-level trust structure of the present invention, routers at adjacent levels have a direct trust relationship: a lower-level router holds an authentication certificate issued directly to it by its next-higher-level node, i.e. the higher-level router has authenticated the identity, public key and related information of the lower-level router.
Terminal device 1 comprises a terminal authentication module 11 which, after receiving an unauthenticated Router Advertisement (RA) from an access router, initiates a Trusted Router Passport Solicitation (TRPS) to that access router 2; after receiving a Trusted Router Passport Advertisement (TRPA) message, it verifies the content of the TRPA message and completes the trusted identity authentication of access router 2.
Access router 2 comprises a first authentication module 21 which receives the TRPS message sent by terminal device 1 and sends a Trusted Router-to-Router Passport Solicitation (TR²PS) message towards trust anchor router 4; it receives the Trusted Router-to-Router Passport Advertisement (TR²PA) message sent by trust anchor router 4 and sends a TRPA message to terminal device 1.
The request/response messages between terminal device 1 and access router 2 are called the trustable router passport solicitation (TRPS) message and the trustable router passport advertisement (TRPA) message, where:
The TRPS message is constructed as follows:
TRPS={Nonce;TAs} ---------------------------(1)
Here the TAs field represents the list of trust anchor routers 4 configured on terminal device 1;
The Nonce field is used to match a request with its reply message and to prevent replay attacks; preferably it is a large random number chosen by terminal device 1.
The TRPA message is constructed as follows:
TRPA={Nonce;TA;RAP} --------------------(2)
Here the RAP field represents the trustable router passport issued by trust anchor router 4;
The TA field identifies the trust anchor router 4 that issued this passport;
The Nonce field is copied from the Nonce value in the TRPS message.
Intermediate router 3 comprises a second authentication module which receives a trustable router passport solicitation message or a router-to-router passport solicitation message and, after verifying the message, sends a router-to-router passport solicitation message containing its own digital signature to the router at the next-higher-level node;
Trust anchor router 4 comprises a third authentication module which issues a Router Authorization Passport (RAP) and sends it to access router 2 via the router-to-router passport advertisement message. This router authorization passport is a certificate, issued by a trust anchor trusted by the terminal device, that binds the identity and public key information of the access router.
The request/response messages between routers are called the router-to-router passport solicitation (TR²PS) message and the router-to-router passport advertisement (TR²PA) message, where:
The TR²PS message is constructed as follows:
TR²PS={Nonce,TA,AddrAR,CertAR,SIG} ----------(3)
Here the Nonce field is the Nonce value copied from the TRPS message or from the TR²PS message of the next-lower-level intermediate router 3;
The TA field is the trust anchor identifier copied from the TRPS message or from the TR²PS message of the next-lower-level intermediate router 3;
The AddrAR field is the IP address of access router 2, used as the destination address when trust anchor router 4 finally sends the TR²PA message that issues the router authorization passport to access router 2;
The CertAR field is the content of the authentication certificate issued to access router 2 by the trusted router at its next-higher-level node; it provides the information about access router 2 that trust anchor router 4 needs when issuing the router authorization passport to access router 2;
In addition, the sender of a TR²PS message uses its own private key to generate a digital signature over the Nonce, TA, AddrAR and CertAR content of the message, placed in the SIG field; the next-higher-level router that receives the TR²PS message verifies the message content by means of this SIG.
The TR²PA message is constructed as follows:
TR²PA={Nonce,TA,RAP} ----------------(4)
Here Nonce is the Nonce value copied from the TR²PS message;
TA is the identifier of trust anchor router 4 itself;
RAP is the router authorization passport issued to access router 2 by trust anchor router 4.
The trustable router authentication system of the present invention moves the certificate-chain verification for access router 2 into the router-level trust structure: the intermediate steps of verifying and forwarding the certificate chain are all performed by the routers at each level of the hierarchy.
Preferably, access router 2 also comprises a first encryption/decryption module, which encrypts the constructed TR²PS message with the public key of intermediate router 3 at its next-higher-level node in the router-level trust structure, forming an ETR²PS message; after receiving the ETR²PA message replied by trust anchor router 4, it decrypts it with its own private key to obtain the Nonce, TA and RAP fields of the TR²PA message; after constructing the TRPA message, it encrypts the TRPA message with the public key of terminal device 1, forming an ETRPA message.
Intermediate router 3 also comprises a second encryption/decryption module, which decrypts the ETR²PS message with its own private key to obtain the content of the TR²PS message, and encrypts the TR²PS message it constructs with the public key of intermediate router 3 at the next-higher-level node of the trust hierarchy.
Trust anchor router 4 also comprises a third encryption/decryption module, which decrypts with its own private key to obtain the content of the TR²PS message, and encrypts the TR²PA message with the public key of access router 2.
After this series of successful verifications, trust anchor router 4 directly issues a router authorization passport (RAP) to access router 2; this passport is a certificate, issued by a trust anchor (TA) trusted by the terminal device, that binds the identity and public key information of access router 2;
Terminal device 1 then only needs to send an identity authentication request to access router 2 and receive and verify the router passport issued by trust anchor TA to complete the authentication of access router 2.
The trustable router authentication method of the present invention is described in detail below:
In embodiments of the present invention, the interaction between the roles in the trustable router authentication method (TRDP) is realised by a series of request/response messages. Preferably, the confidentiality and credibility of these messages in transit are guaranteed by encryption, digital signatures and similar means.
The trustable router authentication method of an embodiment of the present invention, shown in Figure 3, comprises the following steps:
Step S100: after terminal device 1 receives an unauthenticated Router Advertisement (RA) from an access router, it constructs a TRPS message and sends it to that access router 2;
Terminal device 1, or a terminal device 1 newly joining the network, sends a TRPS message, as in formula (1), to the access router 2 to be authenticated.
Step S200: access router 2 sends a TR²PS message to trust anchor router 4 via the intermediate routers 3 at each level; after verifying the TR²PS message, trust anchor router 4 generates a router authorization passport for access router 2 and issues this RAP to access router 2 via a TR²PA message; after receiving the RAP from trust anchor router 4, access router 2 replies to terminal device 1 with a TRPA message carrying the RAP;
In the router-level trust structure, the access router 2 to be authenticated first sends a TR²PS message to its next-higher-level router.
Thereafter the intermediate routers 3 at each level, from the bottom up, construct and send TR²PS messages, each acting as a proxy that requests trust anchor router 4 to issue a passport for access router 2.
An intermediate router 3 that receives a TR²PS request message verifies the TR²PS message and then sends a TR²PS message containing its own digital signature to the intermediate router 3 at its next-higher node, thus passing the proxied request for trust anchor (TA) to issue a passport to access router 2 up to the next-higher-level router.
The TR²PS message is forwarded until it reaches trust anchor router 4, which then generates a router authorization passport (RAP) for access router 2 and issues this router authorization passport (RAP) to access router 2 via a TR²PA message.
Preferably, to guarantee the security of information in transit in a real network environment, the TR²PS message can be encrypted with the public key of the receiving end of the message: when a lower-level router sends a message to a higher-level router it encrypts the message content with the public key of the higher-level router, preventing the information from being intercepted or tampered with by a malicious party.
Likewise, the TR²PA message content is encrypted with the public key of access router 2 to prevent the information from being maliciously intercepted or tampered with. The formats of the secure TR²PS and secure TR²PA messages sent in a real network environment are thus:
ETR²PS=Encrypt_PK_upper_router(TR²PS) ----------------(5)
ETR²PA=Encrypt_PK_AR(TR²PA) ----------------(6)
Here PK_upper_router is the public key of the receiver of the TR²PS message, i.e. of the next-higher-level router of the router sending the message; in the deployed router-level trust structure the public keys of routers at adjacent higher and lower nodes are mutually known. PK_AR is the public key of access router 2, which can be obtained from the certificate field CertAR of access router 2 in the TR²PS message.
Step S300: after receiving the TRPA message, terminal device 1 verifies the content of the TRPA message and completes the authentication of the trusted access router 2.
The TRPA message that access router 2 replies to terminal device 1 is as in formula (2).
Thus, if access router 2 holds a router passport issued by any trust anchor router 4 in the list of trust anchor routers trusted by terminal device 1, it can pass this terminal's authentication.
Preferably, to prevent the information in the TRPA message from being maliciously intercepted or tampered with, the content of the TRPA message is encrypted with the public key of terminal device 1, so that the final response message sent by access router 2 to terminal device 1 has the form:
ETRPA=Encrypt_PK_host(TRPA) ------------------(7)
Here PK_host is the public key of the terminal device;
In formulas (5), (6) and (7) the public keys may belong to any public/private key algorithm (also called an asymmetric algorithm), such as the RSA algorithm or an ECC algorithm.
Access router 2 can obtain the public key of the terminal device from the parameters of the IPv6 Cryptographically Generated Address (CGA) used when the terminal sends a Router Solicitation (RS) message in the secure neighbor discovery process; for details see document RFC 3972 of the Internet Engineering Task Force (IETF [RFC3972]), which is prior art and is not described further in the present invention.
As one embodiment, the process in step S100 by which terminal device 1 constructs a TRPS message and sends it to access router 2 is described in detail below with reference to the drawings; as shown in Figure 4, it comprises steps S1.1 to S1.3:
S1.1: after receiving a Router Advertisement (RA) from an unauthenticated router on the local network, terminal device 1 starts the trustable router authentication process of the present invention, i.e. the TRDP trustable router discovery procedure (protocol).
S1.2: terminal device 1 constructs a TRPS message according to the TRPS message format and sends it to the access router 2 to be authenticated;
where the fields are as follows:
Nonce: a large random number generated by the terminal;
TAs: the list of trust anchors configured on the terminal, which may contain several trust anchor identifiers.
S1.3: terminal device 1 enters a waiting state, waiting to receive the TRPA message replied by access router 2 carrying the authorization passport of trust anchor router 4.
Preferably, if the terminal does not receive a TRPA message within a set time, it proceeds to step S3.4; otherwise it proceeds to step S3.1.
As one embodiment, the process by which access router 2 handles and sends the TR²PS message and receives and handles the TR²PA message is described in detail below; as shown in Figure 5, it comprises steps S2.1 to S2.10:
S2.1: access router 2 receives the TRPS message from terminal device 1.
S2.2: access router 2 extracts the TAs identifiers from the TRPS message and checks whether it already holds a RAP certificate issued to it by one of these trust anchor routers 4; if so, it proceeds to step S2.9, otherwise to step S2.3.
S2.3: access router 2 constructs a TR²PS message according to the TR²PS message format;
where the fields are as follows:
Nonce: the Nonce value copied from the TRPS message received from terminal device 1;
TA: the trust anchor identifier copied from the TRPS message received from terminal device 1;
AddrAR: the IP address of access router 2;
CertAR: the content of the certificate issued to access router 2 by the trusted router at its next-higher-level node in the router-level trust structure;
SIG: the digital signature that access router 2 generates with its own private key over the Nonce, TA, AddrAR and CertAR fields of the TR²PS message.
S2.4: access router 2 encrypts the constructed TR²PS message with the public key of intermediate router 3 at its next-higher-level node in the router-level trust structure, forming an ETR²PS message, and sends it to the router at the next-higher-level node.
S2.5: access router 2 waits to receive the ETR²PA message sent by trust anchor router 4.
S2.6: access router 2 receives the ETR²PA message replied by trust anchor router 4 and decrypts it with its own private key to obtain the Nonce, TA and RAP fields of the TR²PA message.
S2.7: access router 2 compares the Nonce and TA field values of the TR²PA message with the corresponding content of the received TRPS message and checks that they match.
S2.8: access router 2 stores the router authorization passport (RAP) together with its trust anchor router 4 (TA) for subsequent use.
S2.9: access router 2 constructs a TRPA message from the Nonce, TA and RAP fields.
S2.10: access router 2 encrypts the TRPA message with the public key of terminal device 1, forming an ETRPA message, and sends it to terminal device 1 as the response to the corresponding TRPS message.
Figure 6 is the implementation flowchart for the intermediate routers 3 at each level of the router-level trust structure other than access router 2; it comprises steps S2.1' to S2.8':
S2.1': an intermediate router 3 receives the ETR²PS message sent by the intermediate router 3 at the next-lower node and decrypts it to obtain the content of the TR²PS message.
S2.2': intermediate router 3 verifies the digital signature in the TR²PS message with the public key of the intermediate router 3 at the next-lower node; after successful verification it obtains the Nonce, TA, AddrAR and CertAR fields of the TR²PS message and carries out the subsequent steps.
S2.3': intermediate router 3 determines whether it is itself the trust anchor router 4 (TA); if so, it jumps to step S2.6', otherwise it proceeds to step S2.4'.
S2.4': intermediate router 3 digitally signs the Nonce, TA, AddrAR and CertAR values just obtained with its own private key to obtain the SIG value, and continues constructing the TR²PS message.
S2.5': intermediate router 3 encrypts the constructed TR²PS message with the public key of the intermediate router 3 at its next-higher-level node in the trust hierarchy, forming an ETR²PS message, and sends it to the intermediate router 3 at the next-higher node; once that router receives the message, processing continues at step S2.1'.
S2.6': trust anchor router 4 (TA) generates the router authorization certificate RAP for access router 2.
The RAP certificate comprises the original certificate content CertAR of access router 2 and the signature of trust anchor router 4 (TA).
S2.7': trust anchor router 4 constructs a TR²PA message from the Nonce, TA and RAP field values.
S2.8': trust anchor router 4 encrypts the TR²PA message with the public key of access router 2, forming an ETR²PA message, and sends it to access router 2.
As one embodiment, the process in step S300 by which terminal device 1, after receiving the TRPA message, verifies the content of the TRPA message and completes the authentication of the trusted access router 2 is described in detail below with reference to the drawings; as shown in Figure 4, it comprises the following steps:
S3.1: after terminal device 1 receives the ETRPA encrypted message replied by access router 2, it decrypts it using the public key of access router 2 to obtain the TRPA message.
S3.2: terminal device 1 verifies the content of each field in the TRPA message.
The detailed process is:
Step S3.21: terminal device 1 compares whether the Nonce field value in the TRPA message equals the one in the corresponding TRPS message it originally constructed;
Step S3.22: terminal device 1 matches the trust anchor identifier TA field value in the TRPA message against the trust anchor list TAs in the corresponding TRPS message it originally constructed, determining whether the TA identifier in the TRPA belongs to the TAs list of the TRPS message;
Step S3.23: terminal device 1 verifies the certificate of the router authorization passport RAP in the TRPA message with the public key of trust anchor router 4;
If any of the three steps above fails, the TRPA message verification process fails and the procedure proceeds to step S3.4; otherwise it proceeds to step S3.3.
S3.3: if terminal device 1 authenticates the router successfully, it accepts this router as trusted access router 2.
S3.4: if terminal device 1 does not obtain an access router authorization passport, this router cannot serve as the terminal's trusted access router.
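To make the message flow of steps S1.1 to S3.4 concrete, here is an added simulation written for this page (example code, not part of the patent): it builds the Figure 1 chain D1-C1-B1-A1 with Ed25519 keys, has the access router construct and sign TR²PS, has each intermediate router verify the lower node's signature and re-sign before forwarding (S2.1' to S2.5'), has the trust anchor issue the RAP (S2.6', S2.7'), and has the terminal run checks S3.21 to S3.23. The choice of Ed25519, the byte encodings of the fields, and leaving out the ETR²PS/ETR²PA/ETRPA encryption layer of formulas (5) to (7) are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate binds a holder's identity and public key under the issuer's signature (the "B1A1", "C1B1", "D1C1" certificates of Fig. 1).
type Certificate struct{ Issuer, Holder string; HolderPub ed25519.PublicKey; Sig []byte }
func (c Certificate) body() []byte { return append([]byte(c.Issuer+"|"+c.Holder+"|"), c.HolderPub...) }

// RAP is the Router Authorization Passport: CertAR plus the trust anchor's signature (S2.6').
type RAP struct{ CertAR Certificate; TA string; Sig []byte }
func (p RAP) body() []byte { return append(p.CertAR.body(), p.CertAR.Sig...) }

// Message formats (1)-(4); TR2PA carries the same three fields as TRPA. Encodings are assumed.
type TRPS struct{ Nonce []byte; TAs []string }
type TRPA struct{ Nonce []byte; TA string; RAP RAP }
type TR2PA = TRPA
type TR2PS struct{ Nonce []byte; TA, AddrAR string; CertAR Certificate; SIG []byte }

// signedBody is the content covered by SIG: Nonce, TA, AddrAR and CertAR.
func (m TR2PS) signedBody() []byte {
	return bytes.Join([][]byte{m.Nonce, []byte(m.TA), []byte(m.AddrAR), m.CertAR.body(), m.CertAR.Sig}, nil)
}

// Router is one node of the trust hierarchy; Parent is its next-higher-level router (nil at the trust anchor).
type Router struct{ Name, Addr string; Pub ed25519.PublicKey; priv ed25519.PrivateKey; Parent *Router; Cert Certificate }

// NewRouter generates a key pair and, if parent is set, has parent issue this router's certificate.
func NewRouter(name, addr string, parent *Router) *Router {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	r := &Router{Name: name, Addr: addr, Pub: pub, priv: priv, Parent: parent}
	if parent != nil {
		r.Cert = Certificate{Issuer: parent.Name, Holder: name, HolderPub: pub}
		r.Cert.Sig = ed25519.Sign(parent.priv, r.Cert.body())
	}
	return r
}

// HandleTR2PS is steps S2.1'..S2.8': verify the lower node's signature, then either issue
// a RAP (this router is the requested trust anchor) or re-sign and forward upward.
func (r *Router) HandleTR2PS(from *Router, m TR2PS) (TR2PA, error) {
	if !ed25519.Verify(from.Pub, m.signedBody(), m.SIG) { // S2.2'
		return TR2PA{}, fmt.Errorf("%s: bad signature on TR2PS from %s", r.Name, from.Name)
	}
	if r.Name == m.TA { // S2.3' -> S2.6', S2.7'
		rap := RAP{CertAR: m.CertAR, TA: r.Name}
		rap.Sig = ed25519.Sign(r.priv, rap.body())
		return TR2PA{Nonce: m.Nonce, TA: r.Name, RAP: rap}, nil
	}
	if r.Parent == nil {
		return TR2PA{}, fmt.Errorf("%s: trust anchor %s is not above this router", r.Name, m.TA)
	}
	m.SIG = ed25519.Sign(r.priv, m.signedBody()) // S2.4': own signature replaces the lower one
	return r.Parent.HandleTR2PS(r, m)           // S2.5'
}

// HandleTRPS is steps S2.1..S2.10 on the access router: solicit a passport from the first
// trust anchor the terminal lists and check the reply against the outstanding request.
func (r *Router) HandleTRPS(req TRPS) (TRPA, error) {
	if len(req.TAs) == 0 || r.Parent == nil {
		return TRPA{}, errors.New("no trust anchor to solicit a passport from")
	}
	m := TR2PS{Nonce: req.Nonce, TA: req.TAs[0], AddrAR: r.Addr, CertAR: r.Cert} // S2.3
	m.SIG = ed25519.Sign(r.priv, m.signedBody())
	resp, err := r.Parent.HandleTR2PS(r, m) // S2.4-S2.6
	if err != nil { return TRPA{}, err }
	if !bytes.Equal(resp.Nonce, req.Nonce) || resp.TA != m.TA { // S2.7
		return TRPA{}, errors.New("TR2PA does not match the outstanding TR2PS")
	}
	return TRPA{Nonce: req.Nonce, TA: resp.TA, RAP: resp.RAP}, nil // S2.9
}

// VerifyTRPA is step S3.2 on the terminal: nonce match (S3.21), TA in the solicited list
// (S3.22) and RAP signature under the trust anchor's configured public key (S3.23).
func VerifyTRPA(req TRPS, resp TRPA, anchors map[string]ed25519.PublicKey) error {
	if !bytes.Equal(req.Nonce, resp.Nonce) {
		return errors.New("S3.21: nonce mismatch")
	}
	listed := false
	for _, ta := range req.TAs {
		listed = listed || ta == resp.TA
	}
	if taPub, known := anchors[resp.TA]; !listed || !known {
		return errors.New("S3.22: passport issuer is not a trust anchor of this terminal")
	} else if resp.RAP.TA != resp.TA || !ed25519.Verify(taPub, resp.RAP.body(), resp.RAP.Sig) {
		return errors.New("S3.23: RAP signature does not verify under the trust anchor's key")
	}
	return nil
}

// NewTRPS builds the terminal's solicitation with a fresh random nonce (S1.2).
func NewTRPS(tas []string) TRPS { n := make([]byte, 16); rand.Read(n); return TRPS{Nonce: n, TAs: tas} }
```

A terminal that only knows D1's public key accepts the passport for A1 after one TRPS/TRPA exchange, while a replayed TRPA, an unlisted trust anchor, a bit-flipped RAP signature, or an unsigned TR²PS at an intermediate hop is rejected at the corresponding step.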
With the trustable router authentication system and method of the present invention, the terminal device only needs to verify once the authorization passport issued to the access router by the trust anchor, without carrying out the complicated router certificate-chain verification procedure. This not only reduces the computational complexity of the terminal device's authentication of the access router, saving the terminal device's energy and computational resources, but also reduces the time the terminal device needs to discover a trusted access router. Only one authentication request/response message exchange and one router authorization certificate need to be transmitted between the terminal device and the access router, avoiding transmission of lengthy certificate-chain content and the related interaction messages over the local access network; on the one hand this saves the bandwidth resources of the local network, and on the other hand it reduces the opportunity for a malicious attacker to discover and track the terminal device and access router and the amount of information the attacker can obtain, improving the security of the local network during the secure router discovery procedure.
From the description of the specific embodiments of the invention with reference to the drawings, other aspects and features of the invention are apparent to those skilled in the art.
The specific embodiments of the invention described and illustrated above should be considered exemplary and not limiting; the invention should be interpreted according to the appended claims.

Claims (15)

1. A trustable router authentication system comprising a terminal device, an access router and a trust anchor router, characterised in that it further comprises multi-level intermediate routers; a hierarchical router-level trust structure is formed among said routers, routers at adjacent levels have a direct trust relationship, and a lower-level router holds an authentication certificate issued directly to it by its next-higher-level node;
said terminal device comprises a terminal authentication module which, after receiving an unauthenticated router advertisement message from an access router, initiates a trustable router passport solicitation to that access router, and which, after receiving a trustable router passport advertisement message, verifies the router authorization passport contained in that message, issued directly to the access router by said trust anchor router, and thereby completes the trusted identity authentication of the access router;
said access router has a certificate chain up to said trust anchor router, used to complete said terminal device's authentication of the access router, and comprises a first authentication module which receives the trustable router passport solicitation message sent by the terminal device and sends a trusted router-to-router passport solicitation message to the trust anchor router via the intermediate routers, and which receives the trusted router-to-router passport advertisement message sent by the trust anchor router and sends a trustable router passport advertisement message to the terminal device;
said trust anchor router comprises a third authentication module which issues a router authorization passport and sends it to the access router via a trusted router-to-router passport advertisement message;
said intermediate router comprises a second authentication module which receives a trusted router-to-router passport solicitation message and, after verifying the message, sends a trusted router-to-router passport solicitation message containing its own digital signature to the router at the next-higher-level node.
2. The trustable router authentication system according to claim 1, characterised in that said access router further comprises a first encryption/decryption module which encrypts said trusted router-to-router passport solicitation message with the public key of the router at the next-higher-level node of the access router in the router-level trust structure; which, after receiving the encrypted trusted router-to-router passport advertisement message replied by the trust anchor router, decrypts it with its own private key to obtain the content of the trusted router-to-router passport advertisement message; and which, after constructing the trustable router passport advertisement message, encrypts it with the public key of the terminal device to form an encrypted trustable router passport advertisement message;
said intermediate router further comprises a second encryption/decryption module which decrypts with its own private key to obtain the content of the trusted router-to-router passport solicitation message, and which encrypts the trusted router-to-router passport solicitation message it constructs with the public key of the router at the next-higher-level node in the trust hierarchy;
said trust anchor router further comprises a third encryption/decryption module which decrypts with its own private key to obtain the content of the trusted router-to-router passport solicitation message, and which encrypts the trusted router-to-router passport advertisement message with the public key of the access router.
3. The trustable router authentication system according to claim 1 or 2, characterised in that:
said trustable router passport solicitation message is constituted as:
TRPS={Nonce;TAs}
where the TAs field represents the list of trust anchor routers configured on the terminal device;
the Nonce field is used to match a request with its reply message;
said trustable router passport advertisement message is constituted as:
TRPA={Nonce;TA;RAP}
where the RAP field represents the trustable router passport issued by the trust anchor router;
the TA field identifies the trust anchor router that issued this passport;
the Nonce field is copied from the Nonce value in the trustable router passport solicitation message.
4. The trustable router authentication system according to claim 1 or 2, characterised in that said trusted router-to-router passport solicitation message is constituted as:
TR²PS={Nonce,TA,AddrAR,CertAR,SIG}
where the Nonce field is the Nonce value copied from the trustable router passport solicitation message or from the trusted router-to-router passport solicitation message of the router at the next-lower node;
the TA field is the trust anchor identifier copied from the trustable router passport solicitation message or from the trusted router-to-router passport solicitation message of the router at the next-lower node;
the AddrAR field represents the IP address of the access router;
the CertAR field represents the authentication certificate issued to the access router by the trusted router at its next-higher-level node, used to provide the information about the access router when the trust anchor router issues the router authorization passport to the access router;
the SIG field represents the digital signature that the sender of the trusted router-to-router passport solicitation message generates with its own private key over the Nonce, TA, AddrAR and CertAR content of the message; the router at the next-higher-level node that receives the trusted router-to-router passport solicitation message verifies the message content by means of this digital signature;
said trusted router-to-router passport advertisement message is constituted as:
TR²PA={Nonce,TA,RAP}
where the Nonce field is the Nonce value copied from the trusted router-to-router passport solicitation message;
the TA field is the identifier of the trust anchor router itself;
the RAP field is the router authorization passport issued to the access router by the trust anchor router.
5. A trustable-router-authenticated Internet, used by a terminal device accessing the Internet to authenticate the trusted identity of its access router, said trustable-router-authenticated Internet comprising an access router and a trust anchor router and further comprising multi-level intermediate routers, characterised in that a hierarchical router-level trust structure is formed among said routers, routers at adjacent levels have a direct trust relationship, and a lower-level router holds an authentication certificate issued directly to it by its next-higher-level node;
said access router has a certificate chain up to said trust anchor router, used to complete said terminal device's authentication of the access router, and comprises a first authentication module which receives the trustable router passport solicitation message sent by the terminal device and sends a trusted router-to-router passport solicitation message to the trust anchor router; which receives the trusted router-to-router passport advertisement message sent by the trust anchor router, containing the router authorization passport issued directly to the access router by said trust anchor router; and which sends a trustable router passport advertisement message to the terminal device, so that said terminal device completes the authentication of the access router solely by verifying said router passport;
said trust anchor router comprises a third authentication module which issues a router authorization passport and sends it to the access router via a trusted router-to-router passport advertisement message;
said intermediate router comprises a second authentication module which receives a trusted router-to-router passport solicitation message and, after verifying the message, sends a trusted router-to-router passport solicitation message containing its own digital signature to the router at the next-higher-level node;
wherein said access router receives the trustable router passport solicitation message sent by the terminal device and sends the trusted router-to-router passport solicitation message to the trust anchor router via the intermediate routers at each level.
6. The trustable-router-authenticated Internet according to claim 5, characterised in that said access router further comprises a first encryption/decryption module which encrypts said trusted router-to-router passport solicitation message with the public key of the router at the next-higher-level node of the access router in the router-level trust structure; which, after receiving the encrypted trusted router-to-router passport advertisement message replied by the trust anchor router, decrypts it with its own private key to obtain the content of the trusted router-to-router passport advertisement message; and which, after constructing the trustable router passport advertisement message, encrypts it with the public key of the terminal device to form an encrypted trustable router passport advertisement message;
said intermediate router further comprises a second encryption/decryption module which decrypts with its own private key to obtain the content of the trusted router-to-router passport solicitation message, and which encrypts the trusted router-to-router passport solicitation message it constructs with the public key of the intermediate router at the next-higher-level node in the trust hierarchy;
said trust anchor router further comprises a third encryption/decryption module which decrypts with its own private key to obtain the content of the trusted router-to-router passport solicitation message, and which encrypts the trusted router-to-router passport advertisement message with the public key of the access router.
7. A trusted-router authentication method, characterized in that it comprises the following steps:
Step A: after receiving an unauthenticated router advertisement message from the access router, the terminal device constructs a trusted-router permission request message and sends it to the access router;
Step B: the access router sends an inter-trusted-router permission request message, hop by hop through the intermediate routers at each level, to the trust anchor router trusted by the terminal, following the certificate chain of that trust anchor router; after authenticating the inter-trusted-router permission request message, the trust anchor router generates a router authorization permit for the access router and issues the router authorization permit to the access router in an inter-trusted-router permission advertisement message; after receiving the router authorization permit, the access router replies to the terminal device with a trusted-router permission advertisement message carrying the router authorization permit;
Step C: after receiving the trusted-router permission advertisement message, the terminal device verifies the router authorization permit in that message, which the trust anchor router issued directly to the access router, and thereby completes the trusted identity authentication of the access router;
Wherein the routers form a hierarchical router-level trust structure in which routers at adjacent levels have a direct trust relationship and each lower-level router holds an authentication certificate issued directly by its next-higher-level router; in the router-level trust structure, the access router sends the inter-trusted-router permission request message to its next-higher-level router, and the intermediate routers at each level then construct and send inter-trusted-router permission request messages from the bottom up, requesting on behalf of the access router that the trust anchor router issue a permit for it.
8. The trusted-router authentication method according to claim 7, characterized in that, in step A, the process by which the terminal device constructs the trusted-router permission request message and sends it to the access router comprises the following steps:
Step A1: after receiving a router advertisement message from an unauthenticated router on the local network, the terminal device starts the trusted-router authentication process;
Step A2: the terminal device constructs a trusted-router permission request message according to the trusted-router permission request message format and sends it to the access router to be authenticated;
Wherein the fields of the trusted-router permission request message are:
Nonce: a large random number generated by the terminal, used to match a request with its reply;
TAs: the list of trust anchors configured on the terminal, which may contain several trust anchor identifiers;
Step A3: the terminal device enters a waiting state, waiting to receive the trusted-router permission advertisement message returned by the access router that carries the router authorization permit issued by the trust anchor router.
9. The trusted-router authentication method according to claim 8, characterized in that it further comprises, after step A3, the following step:
Step A4: if the terminal does not receive a trusted-router permission advertisement message within a set time, the terminal device has not obtained the access router's authorization permit, and that router cannot serve as the terminal's trusted access router.
10. The trusted-router authentication method according to claim 8, characterized in that, in step B, the process by which the access router processes and sends the inter-trusted-router permission request message comprises the following steps:
Step B1: the access router receives the trusted-router permission request message from the terminal device;
Step B2: the access router extracts the TAs identifiers from the trusted-router permission request message and checks whether it already holds a router authorization permit issued to it by one of those trust anchor routers; if so, it proceeds to step B9, otherwise to step B3;
Step B3: the access router constructs an inter-trusted-router permission request message according to the inter-trusted-router permission request message format;
Wherein the fields of the inter-trusted-router permission request message are as follows:
Nonce: a copy of the Nonce value contained in the trusted-router permission request message received from the terminal device;
TA: a copy of the trust anchor identifier contained in the trusted-router permission request message received from the terminal device;
AddrAR: the IP address of the access router;
CertAR: the content of the certificate issued to the access router by its trusted next-higher-level router in the router-level trust structure;
SIG: a digital signature generated by the access router with its own private key over the Nonce, TA, AddrAR and CertAR fields of the inter-trusted-router permission request message;
Step B4: the access router encrypts the constructed inter-trusted-router permission request message with the public key of its next-higher-level router in the router-level trust structure to form an encrypted inter-trusted-router permission request message, and sends it to that next-higher-level router;
Step B5: the access router waits to receive the encrypted inter-trusted-router permission advertisement message sent by the trust anchor router;
Step B6: the access router receives the encrypted inter-trusted-router permission advertisement message returned by the trust anchor router and decrypts it with the access router's private key to obtain the content of the inter-trusted-router permission advertisement message;
Step B7: the access router compares the Nonce and TA field values in the inter-trusted-router permission advertisement message with the corresponding contents of the trusted-router permission request message it received, and checks that they match;
Step B8: the access router stores the router authorization permit together with its issuing trust anchor router;
Step B9: the access router forms a trusted-router permission advertisement message from the Nonce, TA and router authorization permit (RAP) fields;
Step B10: the access router encrypts the trusted-router permission advertisement message with the public key of the terminal device to form an encrypted trusted-router permission advertisement message, and sends it to the terminal device as the response to the corresponding trusted-router permission request message.
11. The trusted-router authentication method according to claim 10, characterized in that the process by which the intermediate router sends the inter-trusted-router permission request message comprises the following steps:
Step B1': an intermediate router receives the encrypted inter-trusted-router permission request message sent by the router at the next lower level and decrypts it to obtain the content of the inter-trusted-router permission request message;
Step B2': the intermediate router verifies the digital signature in the inter-trusted-router permission request message with the public key of the router at the next lower level, and accepts the content of the message only after the verification succeeds;
Step B3': the intermediate router determines whether it itself has the trust anchor router role; if so, it jumps to the trust anchor router processing, otherwise it executes step B4';
Step B4': the intermediate router digitally signs the content of the inter-trusted-router permission request message just obtained with its own private key to obtain the SIG value, and continues constructing the inter-trusted-router permission request message;
Step B5': the intermediate router encrypts the constructed inter-trusted-router permission request message with the public key of the intermediate router at the next higher level in the trust hierarchy to form an encrypted inter-trusted-router permission request message, and sends it to that next-higher-level intermediate router; after the next-higher-level intermediate router receives the message, it proceeds to step B1' for processing.
12. The trusted-router authentication method according to claim 11, characterized in that, in step B3', the trust anchor router processing comprises the following steps:
Step B6': the trust anchor router generates a router authorization permit for the access router;
Step B7': the trust anchor router constructs an inter-trusted-router permission advertisement message from the Nonce, TA and router authorization permit (RAP) field values;
Step B8': the trust anchor router encrypts the inter-trusted-router permission advertisement message with the public key of the access router and sends it.
13. The trusted-router authentication method according to claim 12, characterized in that the router authorization permit comprises the original certificate content of the access router and the signature of the trust anchor router.
14. The trusted-router authentication method according to any one of claims 7 to 10, characterized in that, in step C, the process by which the terminal device, after receiving the trusted-router permission advertisement (TRPA) message, verifies the content of the TRPA message and completes the trusted access router authentication comprises the following steps:
Step C1: after receiving the encrypted trusted-router permission advertisement message returned by the access router, the terminal device decrypts it with the public key of the access router to obtain the trusted-router permission advertisement message;
Step C2: the terminal device verifies the content of each field in the trusted-router permission advertisement message;
Step C3: if the terminal device successfully verifies the router, it accepts that router as a trusted access router;
Step C4: if the terminal device does not obtain the access router's authorization permit, that router cannot serve as the terminal's trusted access router.
15. The trusted-router authentication method according to claim 14, characterized in that, in step C2, the verification process is:
Step C21: the terminal device compares the Nonce field value of the trusted-router permission advertisement message with that of the trusted-router permission request message it originally sent, and checks whether they are equal;
Step C22: the terminal device matches the trust anchor identifier TA field value in the trusted-router permission advertisement message against the trust anchor list TAs in the trusted-router permission request message it originally sent, and determines whether the TA identifier in the trusted-router permission advertisement belongs to the TAs list of the trusted-router permission request message;
Step C23: the terminal device verifies the router authorization permit in the trusted-router permission advertisement message as a certificate, using the public key of the trust anchor router;
If any of the above three checks fails, verification of the trusted-router permission advertisement message fails and step C4 is entered; otherwise step C3 is entered.
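The exchange and checks of claims 7 to 15, as an added example that is not part of the patent: the terminal builds the TRPS, the access router builds and signs the TR²PS, one intermediate router verifies and countersigns it, the trust anchor issues the RAP (the original CertAR plus its own signature), and the terminal runs checks C21 to C23 on the TRPA. Assumptions: textbook RSA over fixed public primes stands in for the routers' real keys, each router's signature covers the fields plus the SIG values before it, the public-key encryption steps (B4, B10, C1) are omitted, and every identifier and address is constructed.

```python
"""Toy run of the exchange in claims 7 to 15: terminal -> AR (TRPS), AR -> intermediate
router -> trust anchor (TR2PS), trust anchor -> AR (TR2PA with the RAP), AR -> terminal
(TRPA). Constructed: textbook RSA on fixed primes, no padding, encryption steps omitted."""
import hashlib, secrets
E = 65537   # public exponent shared by all toy keys

def keypair(p, q):                  # toy RSA key pair from two fixed primes
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))
def digest(fields, n):              # SHA-256 of the signed fields, reduced into Z_n
    data = "|".join(repr(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, fields):
    return pow(digest(fields, priv[0]), priv[1], priv[0])
def verify(pub, fields, sig):
    return pow(sig, pub[1], pub[0]) == digest(fields, pub[0])

# Hierarchy: trust anchor (TA) -> intermediate router (IR) -> access router (AR)
AR_PUB, AR_PRIV = keypair(2**31 - 1, 2**61 - 1)
IR_PUB, IR_PRIV = keypair(2**89 - 1, 2**107 - 1)
TA_PUB, TA_PRIV = keypair(2**127 - 1, 1000000007)
TA_ID, ADDR_AR = "TA-1", "2001:db8::1"      # constructed identifiers
# CertAR: certificate the AR's upper-level router (IR) issued to the AR
CERT_AR = (ADDR_AR, AR_PUB, sign(IR_PRIV, [ADDR_AR, AR_PUB]))

def signed_fields(msg, k):          # TR2PS content covered by the k-th signature
    return [msg["Nonce"], msg["TA"], msg["AddrAR"], msg["CertAR"]] + msg["SIG"][:k]

def chain_ok(msg, lower_pub):       # step B2': last SIG was made by the lower-level router
    return verify(lower_pub, signed_fields(msg, len(msg["SIG"]) - 1), msg["SIG"][-1])

def terminal_build_trps(tas):       # step A2: fresh nonce plus configured trust anchors
    return {"Nonce": secrets.randbits(64), "TAs": list(tas)}

def ar_build_tr2ps(trps):           # step B3: AR asks the first listed TA for a RAP
    msg = {"Nonce": trps["Nonce"], "TA": trps["TAs"][0],
           "AddrAR": ADDR_AR, "CertAR": CERT_AR, "SIG": []}
    msg["SIG"].append(sign(AR_PRIV, signed_fields(msg, 0)))
    return msg

def router_check_and_sign(msg, lower_pub, own_priv):   # steps B2' and B4'
    if not chain_ok(msg, lower_pub):
        raise ValueError("TR2PS: signature of lower-level router invalid")
    own_sig = sign(own_priv, signed_fields(msg, len(msg["SIG"])))
    return dict(msg, SIG=msg["SIG"] + [own_sig])

def ta_issue_tr2pa(msg, lower_pub):  # steps B6' and B7': check chain, issue the RAP
    if msg["TA"] != TA_ID or not chain_ok(msg, lower_pub):
        raise ValueError("TR2PS not for this trust anchor, or chain invalid")
    rap = (msg["CertAR"], sign(TA_PRIV, [msg["CertAR"]]))   # original cert + TA signature
    return {"Nonce": msg["Nonce"], "TA": msg["TA"], "RAP": rap}

def ar_build_trpa(tr2ps, tr2pa):     # steps B7 and B9: match the reply, relay the RAP
    if (tr2pa["Nonce"], tr2pa["TA"]) != (tr2ps["Nonce"], tr2ps["TA"]):
        raise ValueError("TR2PA does not match the outstanding TR2PS")
    return {"Nonce": tr2pa["Nonce"], "TA": tr2pa["TA"], "RAP": tr2pa["RAP"]}

def terminal_verify_trpa(trps, trpa, ta_pubs):   # steps C21..C23
    if trpa["Nonce"] != trps["Nonce"] or trpa["TA"] not in trps["TAs"]:
        return False                   # C21: wrong reply; C22: anchor not trusted
    cert, ta_sig = trpa["RAP"]
    return verify(ta_pubs[trpa["TA"]], [cert], ta_sig)   # C23: RAP signed by that anchor

def run_exchange(stale_nonce=False):   # full exchange with one IR between AR and TA
    trps = terminal_build_trps([TA_ID, "TA-2"])
    tr2ps = router_check_and_sign(ar_build_tr2ps(trps), AR_PUB, IR_PRIV)
    trpa = ar_build_trpa(tr2ps, ta_issue_tr2pa(tr2ps, IR_PUB))
    if stale_nonce:                    # reply answering some other request (fails C21)
        trpa = dict(trpa, Nonce=trpa["Nonce"] ^ 1)
    return terminal_verify_trpa(trps, trpa, {TA_ID: TA_PUB})
```

`run_exchange()` returns True for a clean run and False when the TRPA carries a nonce that does not match the terminal's TRPS, which is the check of step C21 doing its job.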
CN2007101757254A 2007-10-10 2007-10-10 An authentication system and method of trustable router Active CN101145915B (en)

Publications (2)

Publication Number Publication Date
CN101145915A CN101145915A (en) 2008-03-19
CN101145915B true CN101145915B (en) 2011-08-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: HANGZHOU UNIMAS INFORMATION TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: INSTITUTE OF COMPUTING TECHNOLOGY CHINESE ACADEMY OF SCIENCES

Effective date: 20130104

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100080 HAIDIAN, BEIJING TO: 310052 HANGZHOU, ZHEJIANG PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20130104

Address after: Hangzhou City, Zhejiang province Binjiang District 310052 shore road 1180 building 3 layer 1-3

Patentee after: Hangzhou Unimas Information Engineering Co., Ltd.

Address before: 100080 Haidian District, Zhongguancun Academy of Sciences, South Road, No. 6, No.

Patentee before: Institute of Computing Technology, Chinese Academy of Sciences

C56 Change in the name or address of the patentee

Owner name: HANGZHOU UNIMASSYSTEM DATA TECHNOLOGY CO., LTD.

Free format text: FORMER NAME: HANGZHOU UNIMAS INFORMATION TECHNOLOGY CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: Hangzhou City, Zhejiang province Binjiang District 310052 shore road 1180 building 3 layer 1-3

Patentee after: HANGZHOU HEZHONG DATA TECHNOLOGY CO., LTD.

Address before: Hangzhou City, Zhejiang province Binjiang District 310052 shore road 1180 building 3 layer 1-3

Patentee before: Hangzhou Unimas Information Engineering Co., Ltd.

CP02 Change in the address of a patent holder

Address after: 310052 floors 5-8, building 3, No. 399, Danfeng Road, Xixing street, Binjiang District, Hangzhou City, Zhejiang Province (self declaration)

Patentee after: HANGZHOU HEZHONG DATA TECHNOLOGY Co.,Ltd.

Address before: 310052 1-3 / F, building 3, 1180 Bin'an Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee before: HANGZHOU HEZHONG DATA TECHNOLOGY Co.,Ltd.

CP02 Change in the address of a patent holder