CN101827106A - DHCP safety communication method, device and system - Google Patents


Info

Publication number
CN101827106A
Authority
CN
China
Prior art keywords
client
server end
message
ciphertext
response
Prior art date
Legal status
Pending
Application number
CN 201010166238
Other languages
Chinese (zh)
Inventor
徐炜
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
  • Small-Scale Networks (AREA)

Abstract

The embodiments of the invention provide a dynamic host configuration protocol (DHCP) secure communication method comprising the following steps: a server receives a first message transmitted by a client, where the first message comprises an access challenge request asking the server to authenticate the client; the server generates a server message and encrypts it to obtain a server ciphertext; the server transmits a first response to the client, where the first response comprises the server ciphertext; the server receives a second message returned by the client, where the second message comprises the server message obtained by the client decrypting the server ciphertext; the server verifies whether the server message in the second message is consistent with the server message stored locally at the server; and if so, the server confirms that the client is trusted. The embodiments also provide a server device and a client device.

Description

A DHCP secure communication method, device and system
Technical field
The embodiments of the invention relate to the field of network technology, in particular to a DHCP (Dynamic Host Configuration Protocol) secure communication method, device and system.
Background
With the development of Internet technology, network devices have come into widespread use. Because network topology changes easily, many network devices must obtain an IP address dynamically in order to access the network. In current implementations many of these devices support DHCP and are assigned a dynamic IP address by an external DHCP SERVER. DHCP itself, however, provides no security measures, so in practice it carries many potential security risks and leaves the DHCP SERVER easily exposed to malicious attacks.
In one existing solution, when a network device (the client) sends a request to the DHCP SERVER (the server), it carries its own ID (identity) in the request, and the server decides from that ID whether the client is trusted; if so, the client is allowed to access the network. Because the ID is supplied by the client itself, an attacker can easily intercept the client's identity information and launch malicious attacks on the server under a forged identity, so the security of the network system is poor.
Summary of the invention
The embodiments of the invention provide a DHCP secure communication method, device and system.
In one aspect, an embodiment of the invention provides a DHCP secure communication method comprising: the server receives a first message sent by a client, where the first message comprises an access challenge request asking the server to authenticate the client; the server generates a server message and encrypts it to obtain a server ciphertext; the server sends a first response to the client, where the first response comprises the server ciphertext; the server receives a second message returned by the client, where the second message comprises the server message, the server message in the second message having been obtained by the client decrypting the server ciphertext; the server verifies whether the server message in the second message is consistent with the server message stored locally at the server, and if so confirms that the client is trusted.
In another aspect, an embodiment of the invention provides a DHCP secure communication method comprising: the server receives a first message sent by a client, where the first message comprises an access challenge request asking the server to authenticate the client; the server generates a server message and encrypts it to obtain a server ciphertext; the server sends a first response to the client, where the first response comprises the server ciphertext; the server receives a second message returned by the client, where the second message comprises a client second ciphertext, the client second ciphertext having been obtained by the client encrypting the combination of the server message and a client message, and the server message having been obtained by the client decrypting the server ciphertext; the server decrypts the client second ciphertext to obtain the server message; the server verifies whether the decrypted server message is consistent with the server message stored locally at the server, and if so confirms that the client is trusted.
In another aspect, an embodiment of the invention provides a DHCP secure communication method comprising: the client sends a first message to the server, where the first message comprises an access challenge request asking the server to authenticate the client; the client receives a first response returned by the server, where the first response comprises a server ciphertext; the client decrypts the server ciphertext to obtain the server message, generates a client message, and either encrypts the client message to obtain a client first ciphertext or encrypts the combination of the server message and the client message to obtain a client second ciphertext; the client sends a second message to the server, where the second message comprises either the server message and the client first ciphertext, or the client second ciphertext; the client receives a second response returned by the server, where the second response comprises the client message, the client message having been obtained by the server decrypting the client first ciphertext or the client second ciphertext; the client verifies whether the received client message is consistent with the client message stored locally at the client, and if so confirms that the server is trusted.
In a further aspect, an embodiment of the invention provides a server-side device comprising: a first receiver module for receiving a first message sent by a client, where the first message comprises an access challenge request asking the server to authenticate the client; a generation module for generating the server ciphertext after the first receiver module receives the access challenge request; a first sending module for sending a first response to the client, where the first response comprises the server ciphertext generated by the generation module; a second receiver module for receiving a second message returned by the client, where the second message comprises the server message the client obtained by decrypting the server ciphertext; and a verification module for verifying whether the server message in the second message is consistent with the server message stored locally at the server, confirming that the client is trusted when they are consistent.
In a further aspect, an embodiment of the invention provides another server-side device comprising: a first receiver module for receiving a first message sent by a client, where the first message comprises an access challenge request asking the server to authenticate the client; a generation module for generating the server ciphertext after the first receiver module receives the access challenge request; a first sending module for sending a first response to the client, where the first response comprises the server ciphertext generated by the generation module; a second receiver module for receiving a second message returned by the client, where the second message comprises a client second ciphertext, the client second ciphertext having been obtained by the client encrypting the combination of the server message and a client message, and the server message having been obtained by the client decrypting the server ciphertext; and a decryption module for decrypting the client second ciphertext to obtain the server message; the decrypted server message is then verified against the server message stored locally at the server, and the client is confirmed trusted when they are consistent.
In yet another aspect, an embodiment of the invention provides a client device comprising: a first sending module for sending a first message to the server, where the first message comprises an access challenge request asking the server to authenticate the client; a first receiver module for receiving a first response returned by the server, where the first response comprises a server ciphertext; a first decryption module for decrypting the server ciphertext to obtain the server message; a generation module for generating a client message; an encryption module for encrypting the client message to obtain a client first ciphertext, or encrypting the combination of the server message and the client message to obtain a client second ciphertext; a second sending module for sending a second message to the server, where the second message comprises the server message and the client first ciphertext, or the client second ciphertext; a second receiver module for receiving a second response returned by the server, where the second response comprises the client message, the client message in the second response having been obtained by the server decrypting the client first ciphertext or the client second ciphertext; and a verification module for verifying whether the client message received by the second receiver module is consistent with the client message stored locally at the client, confirming that the server is trusted when they are consistent.
In a further aspect, an embodiment of the invention provides a system comprising the client device and the server-side device described above.
In the embodiments of the invention the server sends the encrypted server message to the client and verifies whether the server message returned by the client is consistent with the server message stored locally at the server; if so, the client has decrypted correctly, and the server therefore confirms that the client is trusted. This method effectively verifies the legitimacy of the client, reduces or avoids malicious attacks on the server, and improves the security of network applications.
Description of drawings
Fig. 1 is a schematic flow chart of a DHCP secure communication method provided by an embodiment of the invention.
Fig. 2 is a schematic flow chart of another DHCP secure communication method provided by an embodiment of the invention.
Fig. 3 is a schematic flow chart of another DHCP secure communication method provided by an embodiment of the invention.
Fig. 4 is a schematic flow chart of another DHCP secure communication method provided by an embodiment of the invention.
Fig. 5 is a schematic structural diagram of a server-side device provided by an embodiment of the invention.
Fig. 6 is a schematic structural diagram of another server-side device provided by an embodiment of the invention.
Fig. 7 is a schematic structural diagram of a client device provided by an embodiment of the invention.
Embodiments
The embodiments of the invention are described in detail below with reference to the accompanying drawings. Clearly, the embodiments described are only some of the embodiments of the invention, not all of them.
Refer to Fig. 1, which shows a DHCP secure communication method provided by an embodiment of the invention. The method mainly comprises the following steps.
Step 102: the server receives a first message sent by the client, where the first message comprises an access challenge request asking the server to authenticate the client.
Step 104: the server generates a server message and encrypts it to obtain a server ciphertext.
After receiving the access challenge request, the server generates the server ciphertext, which is used to verify whether the client is reliable and trusted. In a concrete application the server message can be a random number, and encrypting this random number yields the server ciphertext. The encryption algorithm used by the server may be an asymmetric or a symmetric algorithm. Taking an asymmetric algorithm as the example, since a server usually serves many clients, the server can reduce its workload by encrypting the random number with the server shared key generated in the previous authentication process between the server and this client.
Step 106: the server sends a first response to the client, where the first response comprises the server ciphertext.
Step 108: the server receives a second message returned by the client, where the second message comprises the server message; the server message in the second message was obtained by the client decrypting the server ciphertext.
When decrypting the server ciphertext, the client can use the client private key generated in the previous authentication process between the server and this client.
Further, in this embodiment the second message can also comprise a client first ciphertext, which the client obtains by encrypting a client message. The client message can likewise be a random number, encrypted with the client shared key generated in the previous authentication process between the server and this client to obtain the client first ciphertext.
Step 110: the server verifies whether the received server message is consistent with the server message stored locally at the server.
To check whether the client is trusted, the server checks whether the client decrypted the server ciphertext correctly. Specifically, the server verifies whether the server message returned by the client (the server message contained in the second message) is consistent with the server message stored locally at the server.
Step 112: if the server message received by the server is consistent with the server message stored locally at the server, the server confirms that the client is trusted.
When the received server message matches the locally stored server message, the server concludes that the client decrypted the server ciphertext correctly and therefore that the client is trusted.
Further, if the second message also comprises the client first ciphertext, the server can decrypt the client first ciphertext to obtain the client message and send a second response to the client comprising this decrypted client message. Sending the client message back to the client lets the client in turn verify whether the server is trusted.
In this embodiment the server sends the encrypted server message (the server ciphertext) to the client and verifies whether the server message returned by the client is consistent with the server message stored locally at the server; if so, the client has decrypted correctly and the client is confirmed trusted. This method effectively verifies the legitimacy of the client, reduces or avoids malicious attacks on the server, and improves the security of network applications.
It should be noted that, besides the Internet, the embodiments of the invention can also be applied to any communication network system supporting the DHCP and IP protocols, for example a wireless communication network, where the client can be a base station and the server a base station controller, or to other application modes; the embodiments do not limit this.
Refer to Fig. 2, which shows another DHCP secure communication method provided by an embodiment of the invention. The method mainly comprises the following steps.
Steps 202-206 are substantially the same as steps 102-106; refer to the previous embodiment, they are not described again here.
Step 208: the server receives a second message returned by the client, where the second message comprises a client second ciphertext; the client second ciphertext was obtained by the client encrypting the combination of the server message and the client message, and the server message was obtained by the client decrypting the server ciphertext.
The server message and the client message can both be random numbers; combining them yields a random string, and encrypting this random string yields the client second ciphertext. If an asymmetric algorithm is used, the client shared key generated in the previous authentication process between the server and this client can be used to encrypt the random string.
Step 210: the server decrypts the client second ciphertext to obtain the server message.
After decrypting the client second ciphertext the server obtains the combination of the server message and the client message, for example the random string, and can then recover the server message and the client message according to the structure of the combination.
A message usually comprises the following parts: message type, message length and message content. When the server message and the client message are combined, one combination structure is: server message type, server message length, server message content, client message type, client message length, client message content. Other combination structures are possible, for example placing the client message before the server message; the embodiments do not limit this.
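As an added example (not part of the patent text), the following Python builds the type/length/content combination of server message and client message described above and splits it back by record type, so that either ordering of the two records is accepted and a truncated, duplicated or incomplete combination is rejected. The one-byte type, two-byte length and the two type codes are assumptions; the patent fixes none of them.

```python
"""Combination of server message and client message as type || length || content
records (constructed example; field widths and type codes are assumed)."""
import struct

TYPE_SERVER_MSG = 0x01   # assumed code for the server message record
TYPE_CLIENT_MSG = 0x02   # assumed code for the client message record
HEADER = struct.Struct("!BH")   # 1-byte type, 2-byte big-endian length


def encode_record(msg_type: int, content: bytes) -> bytes:
    """One record: message type, message length, message content."""
    if not 0 <= msg_type <= 0xFF or len(content) > 0xFFFF:
        raise ValueError("type or length out of range")
    return HEADER.pack(msg_type, len(content)) + content


def combine(server_msg: bytes, client_msg: bytes, client_first: bool = False) -> bytes:
    """Plaintext that the client encrypts into the 'client second ciphertext'.
    The patent allows either record order; the receiver must not rely on it."""
    srv = encode_record(TYPE_SERVER_MSG, server_msg)
    cli = encode_record(TYPE_CLIENT_MSG, client_msg)
    return cli + srv if client_first else srv + cli


def split(blob: bytes) -> dict:
    """Walk the records and return {type: content}; any malformed layout raises."""
    records = {}
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < HEADER.size:
            raise ValueError("truncated record header")
        msg_type, length = HEADER.unpack_from(blob, pos)
        pos += HEADER.size
        if len(blob) - pos < length:
            raise ValueError("record content shorter than declared length")
        if msg_type in records:
            raise ValueError("duplicate record type %#x" % msg_type)
        records[msg_type] = blob[pos:pos + length]
        pos += length
    return records


def extract(blob: bytes) -> tuple:
    """Return (server_msg, client_msg) regardless of the order they were combined in."""
    records = split(blob)
    if set(records) != {TYPE_SERVER_MSG, TYPE_CLIENT_MSG}:
        raise ValueError("combination must carry exactly one server and one client message")
    return records[TYPE_SERVER_MSG], records[TYPE_CLIENT_MSG]


def is_well_formed(blob: bytes) -> bool:
    """True when the decrypted combination can be taken apart as the patent expects."""
    try:
        extract(blob)
        return True
    except ValueError:
        return False
```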
For decryption, again taking the asymmetric algorithm as the example: since the client encrypted the random string with the client shared key generated in the previous authentication process between the server and this client, the server correspondingly decrypts the random string with the server private key generated in that previous authentication process.
Step 212: the server verifies whether the server message obtained after decryption is consistent with the server message stored locally at the server.
To check whether the client is trusted, the server checks whether the client decrypted the server ciphertext correctly. Specifically, after decrypting the second message returned by the client to obtain the server message, the server verifies whether this decrypted server message is consistent with the server message stored locally at the server.
Step 214: if the server message obtained after decryption is consistent with the server message stored locally at the server, the server confirms that the client is trusted.
When the decrypted server message matches the locally stored server message, the server concludes that the client decrypted the server ciphertext correctly and therefore that the client is trusted.
In this embodiment the server sends the encrypted server message (the server ciphertext) to the client, decrypts the second message returned by the client, and compares the decrypted server message with the server message stored locally at the server to confirm whether the client decrypted correctly, and hence whether the client is trusted. This method effectively verifies the legitimacy of the client, reduces or avoids malicious attacks on the server, and improves the security of network applications.
Refer to Fig. 3, which shows another DHCP secure communication method provided by an embodiment of the invention. The method mainly comprises the following steps.
Step 302: the client sends a first message to the server, where the first message comprises an access challenge request asking the server to authenticate the client.
Step 304: the client receives a first response returned by the server, where the first response comprises the server ciphertext.
The server ciphertext is obtained by the server encrypting the server message. In a concrete application the server message can be a random number, and encrypting this random number yields the server ciphertext. The encryption algorithm used by the server may be an asymmetric or a symmetric algorithm. Taking an asymmetric algorithm as the example, since a server usually serves many clients, the server can reduce its workload by encrypting the random number with the server shared key generated in the previous authentication process between the server and this client.
Step 306: the client decrypts the server ciphertext to obtain the server message, and generates a client first ciphertext or a client second ciphertext.
The client generates a client message and encrypts it to obtain the client first ciphertext; alternatively, the client encrypts the combination of the server message and the client message to obtain the client second ciphertext.
In a concrete application the client message can be a random number. Encrypting this random number yields the client first ciphertext; alternatively, combining the server message and the client message yields a random string, and encrypting that random string yields the client second ciphertext. Taking an asymmetric algorithm as the example, the client shared key generated in the previous authentication process between the server and this client can be used for this encryption.
Step 308: the client sends a second message to the server, where the second message comprises the server message and the client first ciphertext, or the client second ciphertext.
Taking an asymmetric algorithm as the example, in practice the client can also, before step 308, regenerate a client private key and client public key in this authentication process (that is, generate a new client private key and a new client public key); the specific algorithm follows the prior art and is not described here.
The client can further store the regenerated client private key.
The client can also carry this new client public key in the second message, so that the server can generate a new server shared key from the new client public key in this authentication process.
Step 310: the client receives a second response returned by the server, where the second response comprises the client message.
After receiving the second message, the server can confirm that the client is trusted if it verifies that the server message contained in the second message is consistent with the server message stored locally at the server. Further, the server can decrypt the client first ciphertext to obtain the client message and send this decrypted client message to the client, so that the client can verify whether the server is trusted.
Alternatively, after receiving the second message the server decrypts the client second ciphertext to obtain the server message and the client message, and can confirm that the client is trusted when it verifies that the decrypted server message is consistent with the server message stored locally at the server. Further, the server sends the client message obtained by decrypting the client second ciphertext to the client, so that the client can verify whether the server is trusted.
Step 312: the client verifies whether the received client message is consistent with the client message stored locally at the client.
Step 314: if the client message received by the client is consistent with the client message stored locally at the client, the client confirms that the server is trusted.
When the received client message matches the client message stored locally at the client, the client concludes that the server decrypted the client ciphertext correctly and therefore that the server is trusted.
In practice, to further strengthen secure communication between server and client, the client message in step 310 can also be a client message re-encrypted by the server; for this encryption the server can use the server shared key generated in the previous authentication process, and correspondingly the client decrypts with the private key it generated in the previous authentication process. Alternatively, the server can encrypt with the server shared key generated in this authentication process, in which case the server must also send the new server public key generated in this authentication process to the client, and the client generates a new client shared key from this new server public key, namely the client shared key of this authentication process.
In addition, in step 310 the second response can also comprise the IP address that the server assigns to the client; step 314 can then further comprise, after the client confirms that the server is trusted: the client obtains this IP address and establishes a connection with the server.
In this embodiment, after the server has authenticated the client, the client in turn authenticates the server, which further strengthens secure communication between server and client.
See also Fig. 4, the another kind of DHCP safety communicating method that Fig. 4 provides for the embodiment of the invention.The cryptographic algorithm that adopts among this embodiment is an asymmetric arithmetic.This method mainly comprises the steps.
Step 402, the user end to server end sends first message, and wherein first message comprises that inserting challenge asks, and described access challenge request is used for the request server end this client is authenticated.
Consider and the compatibility of DHCP agreement that first message can be DHCPDISCOVER/OPTION message in the present embodiment.Further, can also carry client id, timestamp in this DHCP DISCOVER/OPTION message.
Step 404, server end generate server end message and encrypt, and generate server end first information summary.
Server end message can be random number s in the present embodiment, random number s is encrypted can obtain the server end ciphertext.Server end first information summary can be used to prevent that the server end ciphertext from being distorted.
Consider the often corresponding a plurality of clients of server end,, can adopt the server end that generates in the last verification process of server end and this client to share key random number s is encrypted in order to reduce the workload of server end.
Step 406, server end sends first response to client, and wherein first response comprises server end ciphertext and server end first information summary.
Here, first response can be a DHCP OFFER/OPTION message.
Step 408, client is decrypted the server end ciphertext, obtains server end message.Client generates client message, the combination of server end message and client message is encrypted obtain client second ciphertext.Client also generates the client-side information summary.In addition, client also generates client public key and client private key.
Obviously, the new client public key and the client private key that in this verification process, generate of client public key that is generated in the step 408 and client private key.
The client-side information digest is used to prevent the client second ciphertext from being tampered with.
In this embodiment the client message may be a random number c, and the combination of the server-side message and the client message may be c-s, that is, random number c and random number s are concatenated into a random string c-s; the random string c-s is encrypted to obtain the client second ciphertext, for example with the client shared key generated in the previous authentication process between the server and this client.
Step 410: the client sends a second message to the server; the second message includes the client second ciphertext, the client public key and the client-side information digest.
In a specific implementation the second message may be a DHCP REQUEST/OPTION message, which carries the client public key, the client-side information digest and the encrypted random string c-s.
Step 412: the server decrypts the client second ciphertext to obtain the server-side message and the client message; when the server-side message obtained by this decryption matches the server-side message stored locally at the server, the server confirms that the client is trustworthy.
Specifically, when decrypting, the server uses the server-side private key generated in the previous authentication process between the server and this client to decrypt the encrypted random string c-s, obtaining random number c and random number s; if random number s is unchanged, the client is confirmed to be trustworthy.
The server also generates a server-side public key and a server-side private key, and generates a server-side second information digest.
In addition, the server generates a server-side shared key from the client public key; the server then uses this server-side shared key to encrypt the client message, for example random number c.
Step 414: the server returns a second response to the client; the second response includes the server-side public key, the encrypted client message and the server-side second information digest.
The server-side second information digest is used to prevent the encrypted client message from being tampered with.
Specifically, the second response may be a DHCP ACK message, which carries the server-side public key, the encrypted random number c and the server-side second information digest.
Step 416: the client decrypts to obtain the client message; when the client message obtained by this decryption matches the client message stored locally at the client, the client confirms that the server is trustworthy.
Specifically, when decrypting, the client uses the client private key generated in this authentication process (that is, the client private key generated in step 408) to decrypt, obtaining random number c; if random number c is unchanged, the server is confirmed to be trustworthy.
In this embodiment the server effectively verifies the legitimacy of the client and the client effectively verifies the legitimacy of the server, which secures the communication between the client and the server, reduces or avoids malicious attacks on the server and improves the security of network applications.
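The exchange of steps 410 to 416 above (together with the earlier steps they refer to), modelled as an added Python example that is not code from the patent or from the applicant: a key shared in an earlier authentication protects the OFFER and the REQUEST, each side checks that its own random number (s for the server, c for the client) came back unchanged, and the ACK is protected with a fresh key agreed from the client's public key. Because the patent names no specific algorithms, the cipher, the digest and the key agreement are constructed stand-ins: a SHA-256 keystream with an HMAC tag plays the cipher and the "information digest", a toy Diffie-Hellman group plays the public-key step, and the assigned IP address is a constructed sample value.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed stand-in): the Mersenne prime 2^127 - 1
# with generator 3.  A real deployment would use a standard >= 2048-bit group.
DH_P = (1 << 127) - 1
DH_G = 3
NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; stands in for the cipher the patent leaves open."""
    blocks = [hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag.  The tag plays
    the role of the 'information digest' that guards the ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the digest first, then decrypt; any modification raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("digest mismatch: ciphertext was modified or key differs")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def dh_keypair() -> tuple[int, int]:
    priv = secrets.randbelow(DH_P - 2) + 1
    return priv, pow(DH_G, priv, DH_P)


def dh_shared_key(priv: int, peer_pub: int) -> bytes:
    # The patent's "shared key generated according to the (peer) public key".
    return hashlib.sha256(pow(peer_pub, priv, DH_P).to_bytes(16, "big")).digest()


class Server:
    def __init__(self, prior_key: bytes):
        self.prior_key = prior_key   # key shared in an earlier authentication
        self.s = None                # server-side message kept for the check

    def offer(self, discover: dict) -> dict:
        if not discover.get("access_challenge"):
            raise ValueError("first message carries no access challenge request")
        self.s = secrets.token_bytes(16)                     # random number s
        return {"msg": "OFFER", "server_ct": seal(self.prior_key, self.s)}

    def ack(self, request: dict) -> dict:
        c_s = unseal(self.prior_key, request["client_ct"])   # random string c-s
        c, s = c_s[:16], c_s[16:]
        if not hmac.compare_digest(s, self.s):               # s must be unchanged
            raise ValueError("client not trusted: random number s changed")
        priv, pub = dh_keypair()                             # server key pair
        new_key = dh_shared_key(priv, request["client_pub"])
        return {"msg": "ACK", "server_pub": pub,
                "client_ct": seal(new_key, c), "ip": "192.0.2.10"}  # constructed IP


class Client:
    def __init__(self, prior_key: bytes):
        self.prior_key = prior_key
        self.priv, self.pub = dh_keypair()                   # client key pair
        self.c = None

    def discover(self) -> dict:
        return {"msg": "DISCOVER", "access_challenge": True}

    def request(self, offer: dict) -> dict:
        s = unseal(self.prior_key, offer["server_ct"])
        self.c = secrets.token_bytes(16)                     # random number c
        return {"msg": "REQUEST", "client_pub": self.pub,
                "client_ct": seal(self.prior_key, self.c + s)}

    def verify_ack(self, ack: dict) -> str:
        key = dh_shared_key(self.priv, ack["server_pub"])
        c = unseal(key, ack["client_ct"])
        if not hmac.compare_digest(c, self.c):               # c must be unchanged
            raise ValueError("server not trusted: random number c changed")
        return ack["ip"]


def run_exchange(prior_key: bytes = b"k" * 32) -> str:
    """Full mutual authentication; returns the assigned address on success."""
    srv, cli = Server(prior_key), Client(prior_key)
    ack = srv.ack(cli.request(srv.offer(cli.discover())))
    return cli.verify_ack(ack)


def wrong_key_is_rejected() -> bool:
    """A server without the prior shared key cannot pass the client's check."""
    srv, cli = Server(b"x" * 32), Client(b"k" * 32)
    try:
        cli.request(srv.offer(cli.discover()))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_exchange(), wrong_key_is_rejected())
```

The two checks that carry the security argument are the `compare_digest` calls in `Server.ack` and `Client.verify_ack`: a party that could not decrypt the previous message cannot return the other side's random number unchanged. The tag check in `unseal` is what the patent's information digests provide, so a modified REQUEST or ACK is rejected before any comparison of random numbers takes place.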
Fig. 5 is a structural diagram of a server-side device provided by an embodiment of the invention. The device mainly comprises: a first receiving module 502, a generation module 504, a first sending module 506, a second receiving module 508 and an authentication module 510.
The first receiving module 502 is configured to receive a first message sent by the client; the first message includes an access challenge request, which asks the server to authenticate this client. The generation module 504 is configured to generate a server-side ciphertext after the first receiving module 502 receives the access challenge request. The first sending module 506 is configured to send a first response to the client; the first response includes the server-side ciphertext generated by the generation module 504. The second receiving module 508 is configured to receive a second message returned by the client; the second message includes the server-side message obtained after the client decrypts the server-side ciphertext. The authentication module 510 is configured to verify whether the server-side message in the second message matches the server-side message stored locally at the server, and to confirm that the client is trustworthy when they match.
When the generation module 504 generates the server-side ciphertext, it generates a server-side message and encrypts it to obtain the server-side ciphertext; for example, for an asymmetric algorithm, the server-side shared key generated in the previous authentication process between the server and this client may be used to encrypt this random number.
If the second message also includes a client first ciphertext, the server may further comprise a decryption module and a second sending module: the decryption module decrypts the client first ciphertext to obtain the client message after the authentication module 510 has confirmed that the client is trustworthy, and the second sending module sends a second response, which includes the client message, to the client.
In this embodiment the server-side message the server sends to the client is encrypted as the server-side ciphertext, and the server verifies whether the server-side message returned by the client matches the message stored locally at the server; if they match, the server confirms that the client could decrypt correctly and hence that the client is trustworthy. This method effectively verifies the legitimacy of the client, reduces or avoids malicious attacks on the server and improves the security of network applications.
Fig. 6 is a structural diagram of another server-side device provided by an embodiment of the invention. The device mainly comprises: a first receiving module 602, a generation module 604, a first sending module 606, a second receiving module 608, a decryption module 610 and an authentication module 612.
The first receiving module 602 is configured to receive a first message sent by the client; the first message includes an access challenge request, which asks the server to authenticate this client. The generation module 604 is configured to generate a server-side ciphertext after the first receiving module receives the access challenge request. The first sending module 606 is configured to send a first response to the client; the first response includes the server-side ciphertext generated by the generation module 604. The second receiving module 608 is configured to receive a second message returned by the client; the second message includes a client second ciphertext, which the client obtains by encrypting the combination of the server-side message and the client message, the server-side message having been obtained by the client decrypting the server-side ciphertext. The decryption module 610 is configured to decrypt the client second ciphertext to obtain the server-side message. The authentication module 612 is configured to verify whether the server-side message obtained by decryption matches the server-side message stored locally at the server, and to confirm that the client is trustworthy when they match.
When the generation module 604 generates the server-side ciphertext, it generates a server-side message and encrypts it to obtain the server-side ciphertext; for example, for an asymmetric algorithm, the server-side shared key generated in the previous authentication process between the server and this client may be used to encrypt this random number.
Because decrypting the client second ciphertext in the decryption module 610 yields the client message as well as the server-side message, the server may further comprise a second sending module, configured to send a second response, which includes the client message, to the client.
In this embodiment the server-side message the server sends to the client is encrypted as the server-side ciphertext; the server decrypts the second message returned by the client and compares the server-side message obtained by decryption with the message stored locally at the server, confirming whether the client could decrypt correctly and hence whether the client is trustworthy. This method effectively verifies the legitimacy of the client, reduces or avoids malicious attacks on the server and improves the security of network applications.
Fig. 7 is a structural diagram of a client device provided by an embodiment of the invention. The device mainly comprises: a first sending module 702, a first receiving module 704, a first decryption module 706, a generation module 708, an encryption module 710, a second sending module 712, a second receiving module 714 and an authentication module 716.
The first sending module 702 is configured to send a first message to the server; the first message includes an access challenge request, which asks the server to authenticate this client. The first receiving module 704 is configured to receive a first response returned by the server; the first response includes the server-side ciphertext. The first decryption module 706 is configured to decrypt the server-side ciphertext to obtain the server-side message. The generation module 708 is configured to generate a client message. The encryption module 710 is configured either to encrypt the client message to obtain a client first ciphertext, or to encrypt the combination of the server-side message and the client message to obtain a client second ciphertext. The second sending module 712 is configured to send a second message to the server; the second message includes the server-side message and the client first ciphertext, or alternatively the client second ciphertext. The second receiving module 714 is configured to receive a second response returned by the server; the second response includes the client message, which the server obtains by decrypting the client first ciphertext or the client second ciphertext. The authentication module 716 is configured to verify whether the received client message matches the client message stored locally at the client, and to confirm that the server is trustworthy when they match.
Further, if the client message in the second response is a client message that the server has encrypted again, the client device also comprises a second decryption module configured to decrypt the re-encrypted client message. The authentication module 716 is then configured to verify whether the client message obtained after decryption matches the client message stored locally at the client, and to confirm that the server is trustworthy when they match.
In addition, if the second response also includes the IP address the server assigned to the client, the client device may further comprise a connection establishment module, configured to obtain the IP address the server assigned to the client and to establish a connection with the server.
In this embodiment, after the server has authenticated the client it returns the client message to the client, and the client verifies whether the returned client message is unchanged, thereby authenticating the server; this further strengthens the secure communication between the server and the client.
In addition, an embodiment of the invention also provides a system comprising a server-side device and a client device. For the specific implementation of the client device or the server-side device, refer to the embodiments above; they are not repeated here.
One of ordinary skill in the art will appreciate that all or part of the steps of the methods in the embodiments above may be completed by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium.
Finally, it should be noted that the embodiments above are intended only to illustrate the technical solutions of the invention and not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (15)

1. A DHCP secure communication method, characterized by comprising:
the server receiving a first message sent by the client, the first message including an access challenge request, the access challenge request asking the server to authenticate this client;
the server generating a server-side message and encrypting it to obtain a server-side ciphertext;
the server sending a first response to the client, the first response including the server-side ciphertext;
the server receiving a second message returned by the client, the second message including the server-side message, the server-side message in the second message being obtained by the client decrypting the server-side ciphertext;
the server verifying whether the server-side message in the second message matches the server-side message stored locally at the server, and if they match, the server confirming that the client is trustworthy.
2. The method according to claim 1, characterized in that the second message also includes a client first ciphertext, and the method further comprises:
the server decrypting the client first ciphertext to obtain a client message;
the server sending a second response to the client, the second response including the client message.
3. A DHCP secure communication method, characterized by comprising:
the server receiving a first message sent by the client, the first message including an access challenge request, the access challenge request asking the server to authenticate this client;
the server generating a server-side message and encrypting it to obtain a server-side ciphertext;
the server sending a first response to the client, the first response including the server-side ciphertext;
the server receiving a second message returned by the client, the second message including a client second ciphertext, the client second ciphertext being obtained by the client encrypting the combination of the server-side message and a client message, and the server-side message being obtained by the client decrypting the server-side ciphertext;
the server decrypting the client second ciphertext to obtain the server-side message;
the server verifying whether the server-side message obtained by decryption matches the server-side message stored locally at the server, and if they match, the server confirming that the client is trustworthy.
4. The method according to claim 3, characterized in that the server also obtains the client message when decrypting the client second ciphertext, and the method further comprises:
the server sending a second response to the client, the second response including the client message.
5. A DHCP secure communication method, characterized by comprising:
the client sending a first message to the server, the first message including an access challenge request, the access challenge request asking the server to authenticate this client;
the client receiving a first response returned by the server, the first response including a server-side ciphertext;
the client decrypting the server-side ciphertext to obtain a server-side message, generating a client message, and either encrypting the client message to obtain a client first ciphertext or encrypting the combination of the server-side message and the client message to obtain a client second ciphertext;
the client sending a second message to the server, the second message including the server-side message and the client first ciphertext, or alternatively the client second ciphertext;
the client receiving a second response returned by the server, the second response including the client message, the client message in the second response being obtained by the server decrypting the client first ciphertext or the client second ciphertext;
the client verifying whether the received client message matches the client message stored locally at the client, and if so, the client confirming that the server is trustworthy.
6. The method according to claim 5, characterized in that the client message in the second response is a client message that the server has encrypted again;
before the verifying, the method further comprises:
the client decrypting the re-encrypted client message.
7. The method according to claim 5, characterized in that the second response also includes an IP address the server assigns to the client;
after the client confirms that the server is trustworthy, the method further comprises:
the client obtaining this IP address and establishing a connection with the server.
8. A server-side device, characterized by comprising:
a first receiving module, configured to receive a first message sent by the client, the first message including an access challenge request, the access challenge request asking the server to authenticate this client;
a generation module, configured to generate a server-side ciphertext after the first receiving module receives the access challenge request;
a first sending module, configured to send a first response to the client, the first response including the server-side ciphertext generated by the generation module;
a second receiving module, configured to receive a second message returned by the client, the second message including the server-side message obtained after the client decrypts the server-side ciphertext;
an authentication module, configured to verify whether the server-side message in the second message matches the server-side message stored locally at the server, and to confirm that the client is trustworthy when they match.
9. The server-side device according to claim 8, characterized in that, if the second message also includes a client first ciphertext, the server-side device further comprises:
a decryption module, configured to decrypt the client first ciphertext to obtain a client message after the authentication module confirms that the client is trustworthy;
a second sending module, configured to send a second response to the client, the second response including the client message.
10. A server-side device, characterized by comprising:
a first receiving module, configured to receive a first message sent by the client, the first message including an access challenge request, the access challenge request asking the server to authenticate this client;
a generation module, configured to generate a server-side ciphertext after the first receiving module receives the access challenge request;
a first sending module, configured to send a first response to the client, the first response including the server-side ciphertext generated by the generation module;
a second receiving module, configured to receive a second message returned by the client, the second message including a client second ciphertext, the client second ciphertext being obtained by the client encrypting the combination of the server-side message and a client message, and the server-side message being obtained by the client decrypting the server-side ciphertext;
a decryption module, configured to decrypt the client second ciphertext to obtain the server-side message;
an authentication module, configured to verify whether the server-side message obtained by the decryption module matches the server-side message stored locally at the server, and to confirm that the client is trustworthy when they match.
11. The server-side device according to claim 10, characterized in that, if the second message also includes a client first ciphertext, the server-side device further comprises:
a second sending module, configured to send a second response to the client, the second response including the client message, the client message being obtained by the decryption module decrypting the client second ciphertext.
12. A client device, characterized by comprising:
a first sending module, configured to send a first message to the server, the first message including an access challenge request, the access challenge request asking the server to authenticate this client;
a first receiving module, configured to receive a first response returned by the server, the first response including a server-side ciphertext;
a first decryption module, configured to decrypt the server-side ciphertext to obtain a server-side message;
a generation module, configured to generate a client message;
an encryption module, configured either to encrypt the client message to obtain a client first ciphertext or to encrypt the combination of the server-side message and the client message to obtain a client second ciphertext;
a second sending module, configured to send a second message to the server, the second message including the server-side message and the client first ciphertext, or alternatively the client second ciphertext;
a second receiving module, configured to receive a second response returned by the server, the second response including the client message, the client message in the second response being obtained by the server decrypting the client first ciphertext or the client second ciphertext;
an authentication module, configured to verify whether the client message received by the second receiving module matches the client message stored locally at the client, and to confirm that the server is trustworthy when they match.
13. The client device according to claim 12, characterized in that the second response also includes an IP address the server assigns to the client, and the client device further comprises:
a connection establishment module, configured to obtain the IP address the server assigned to the client and to establish a connection with the server.
14. The client device according to claim 12, characterized in that the client message in the second response is a client message that the server has encrypted again;
the client device further comprises:
a second decryption module, configured to decrypt the re-encrypted client message received by the second receiving module;
the authentication module being configured to verify whether the client message obtained by the second decryption module matches the client message stored locally at the client, and to confirm that the server is trustworthy when they match.
15. A system, comprising a server-side device and a client device according to any one of claims 12 to 14.
CN 201010166238 2010-04-29 2010-04-29 DHCP safety communication method, device and system Pending CN101827106A (en)

Publications (1)

Publication Number Publication Date
CN101827106A true CN101827106A (en) 2010-09-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20100908