CN104219217A - SA (security association) negotiation method, device and system - Google Patents
SA (security association) negotiation method, device and system Download PDFInfo
- Publication number
- CN104219217A CN104219217A CN201310221599.7A CN201310221599A CN104219217A CN 104219217 A CN104219217 A CN 104219217A CN 201310221599 A CN201310221599 A CN 201310221599A CN 104219217 A CN104219217 A CN 104219217A
- Authority
- CN
- China
- Prior art keywords
- communication
- key
- message
- initiator
- described communication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
Abstract
The invention discloses an SA (security association) negotiation method, device and system. The method includes the steps: a key server generates a private key for a communication initiator and a private key for a communication responder; the communication initiator and the communication responder encrypt digital digests of respective messages, to be transmitted, into signatures through the respective private keys, respectively; the signatures are packaged in the messages, to be transmitted, and transmitted to the other parity; the communication initiator and the communication responder determine each other's public keys and use the public keys and the received signatures in the messages to authenticate each other. Through the use of the SA negotiation method, device and system, the problems that an SA negotiation implementation process is complex and communication load is high can be solved; security supervision and lawful interception can be performed on deployment of communication of an IPSec (internet protocol security) protocol network.
Description
Technical field
The present invention relates to digital information transmission technical, particularly relate to a kind of security association (SA, Security Association) machinery of consultation, equipment and system.
Background technology
At present, Internet Protocol Version 4 (IPv4, Internet Protocol version4) the limited address space that defines is by depleted, the deficiency of address space will hinder further developing of the Internet, therefore, in order to expand address space, the network design based on IPv6 (IPv6, Internet Protocol version6) is brought into schedule gradually.
Compared with IPv4, IPv6 improves in a lot, such as: support Internet Protocol Security (IPSec at secure context, Internet Protocol Security) agreement, so, IPv6 network can realize end-to-end and gateway to the coded communication of gateway and authentication, thus has ensured the communication security of network.
Ipsec protocol can be divided into following three kinds in the scene of IPv6 network design:
(1) site-to-site (Site-to-Site) or gateway are to gateway, corresponding with it, ipsec protocol deployment scenario schematic diagram as shown in Figure 1a, three Distribution of Institutions of certain enterprise are different local three of the Internet, and three mechanisms use a gateway mutually to set up ipsec tunnel respectively, it is interconnected that data between some PC (PC, Personal Computer) of corporate intranet realize safety by the ipsec tunnel that these gateways are set up.
(2) end-to-end (End-to-End) or PC to PC, the communication between two PC is protected by the ipsec session between two PC, instead of is protected by gateway.
(3) hold website or PC to gateway (End-to-Site), the communication between two PC is protected by the ipsec session between gateway and strange land PC.
When disposing ipsec protocol in IPv6 network, due to mobile terminal support ipsec protocol to realize difficulty comparatively large, therefore, the application initial stage of IPv6 network mainly carries out the deployment of ipsec protocol under gateway to gateway scene, mainly contains following two kinds of situations:
(1) deployment under the traffic traverses IPv4 network of IPv6 network, Fig. 1 b is the schematic diagram of the traffic traverses IPv4 network of IPv6 network, as shown in Figure 1 b, the host A being positioned at the IPv6 network on an isolated island communicates with the host B of the IPv6 network be positioned on another isolated island, IPv6 network on two isolated islands is connected with gateway B by gateway A, and is communicated in IPv4 network by ipsec tunnel between gateway A and gateway B;
(2) deployment in IPv6 network, Fig. 1 c is the schematic diagram of ipv6 traffic passing through IPv 6 network, as illustrated in figure 1 c, the host A being positioned at the IPv6 network on an isolated island communicates with the host B of the IPv6 network be positioned on another isolated island, IPv6 network on two isolated islands is connected with gateway B by gateway A, and is communicated in IPv6 network by ipsec tunnel between gateway A and gateway B.
But, when adopting the communication security of ipsec protocol Logistics networks in IPv6 network, because ipsec protocol itself has higher requirement to aspects such as the performances of resource and network, for network real deployment and land and bring very large resistance, be in particular in the following aspects:
The first, ipsec protocol specifies: cipher key agreement process requires to support public key system and diploma system, and this just requires that the support end of IPSec needs to carry out issuing certificate, operation such as management certificate and authentication certificate etc., and realization flow is too complicated, traffic load is heavier.
To gateway scene, ipsec protocol deployment is described for gateway below, comprises two stages:
First stage: carry out internet key exchange (IKE between gateway, Internet Key Exchange) SA negotiation, namely set up IKE security association (SA, Security Association), consult to protect IPSec SA follow-up between gateway;
Second stage: carry out IPSec SA negotiation between gateway, namely set up IPSec SA, for communication follow-up between gateway is protected.
Wherein, need to carry out policy conferring, key material exchange and certification by six mutual message in the first stage between gateway, and the certificate that certification uses also needs extra communication overhead to realize, additional communication expense comprises, gateway needs certificate load to be encapsulated as message and is sent to peer-to-peer (namely carrying out another gateway of SA negotiation), or gateway informs the information of peer-to-peer certificate by negotiate in advance, cause that realization flow is too complicated, traffic load is heavier; And, gateway needs to carry out with multiple gateway SA when consulting, need the identifying operation of the certificate carrying out corresponding multiple gateway, this just relates to the system of distributing different PKI, authentication authorization and accounting mandate (CA, Certificate Authority) intercommunication at center, and also need between IPSec manufacturer to carry out interoperability, realization flow is too complicated, traffic load is heavier.
Second; ipsec protocol specifies: the communication of the support end of IPSec is encrypted protection; this shields security control and Lawful Interception to a certain extent, therefore before ipsec security supervision rationally solves, is difficult to real deployment based on the network of ipsec protocol under IPv6 environment.
In sum, how to solve the realization flow complexity that SA consults, the problem that traffic load is heavy, and security control and Lawful Interception are carried out to the network service disposing ipsec protocol, become problem demanding prompt solution.
Summary of the invention
In view of this, main purpose of the present invention is to provide a kind of SA machinery of consultation, equipment and system, the realization flow complexity that SA consults can be solved, the problem that traffic load is heavy, and security control and Lawful Interception can be carried out to the communication of the network disposing ipsec protocol.
For achieving the above object, technical scheme of the present invention is achieved in that
The invention provides a kind of SA machinery of consultation, the key server being used for key management is set; The method comprises:
Key server is that communication initiator and communication response side generate the private key of corresponding described communication initiator and the private key of corresponding described communication response side respectively;
Described communication initiator and described communication response side utilize respective private key that the digital digest of respective message to be sent is encrypted as signing messages, described signing messages is encapsulated into described message to be sent and is sent to the other side;
Described communication initiator and described communication response side determine the PKI of the other side respectively, and utilize the PKI of described the other side determined and the signing messages received separately in message to carry out certification to the other side.
Preferably, described key server is that communication initiator and communication response side generate the private key of corresponding described communication initiator and the private key of corresponding described communication response side respectively, comprising:
Described key server generates master key, and determines the private key of corresponding described communication initiator according to the ID of described master key and described communication initiator, and, the private key of corresponding described communication response side is determined according to the ID of described master key and described communication response side;
Described communication initiator and described communication response side determine the PKI of the other side respectively, comprising:
Described key server generates open parameter, and sends to described communication initiator and described communication response side respectively;
The described open parameter that described communication initiator and described communication response root send according to ID and the described key server of the other side, determines the PKI of the other side.
Preferably, the method also comprises: described key server also sends the exchange of the other side and key distribution (DH, Diffie-Hellman) public value and random number respectively to described communication initiator and described communication response side;
Accordingly, described communication initiator and described communication response side are respectively according to the DH public value received and random number determination encryption key and Integrity Key, utilize the encryption key determined separately to be encrypted message to be sent, and utilize the Integrity Key determined separately to carry out completeness check to the message received.
Preferably, described communication initiator and described communication response side utilize the PKI of described the other side determined and the signing messages received separately in message to carry out certification to the other side, comprise: described communication initiator and described communication response root are decrypted the signing messages in the message received separately according to the described PKI determined, when the digital digest deciphered is consistent with the digital digest that the DH public value sent according to ID and the described key server of the other side is determined, determine authentication success.
Preferably, after described communication initiator and described communication response side carry out authentication success to the other side, the method also comprises: the message that described communication initiator and described communication response side send with described encryption keys, and carries out completeness check with described Integrity Key to the message received.
Preferably, the method also comprises: described communication initiator forwards IPSec policy conferring message by described key server to described communication response side, and described communication response side forwards IPSec policy conferring result message by described key server to described communication initiator;
Wherein, described IPSec policy conferring message and described IPSec policy conferring result message carry the random number of transmit leg, Security Parameter Index (SPI, Security Parameters Index) and protocol information;
Accordingly, random number, SPI and protocol information that described key server carries according to described IPSec policy conferring message, or according to random number, SPI and protocol information that described IPSec policy conferring result message carries, the encryption key of use when determining that described communication initiator and described communication response side carry out data communication and Integrity Key.
Present invention also offers a kind of key server, this key server comprises: Key generating unit and the first communication unit; Wherein,
Described Key generating unit, for generating the private key of corresponding described communication initiator and the private key of corresponding described communication response side respectively for the communication initiator in communication equipment and the communication response side in communication equipment;
Described first communication unit, the private key correspondence for being generated by described Key generating unit is sent to described communication initiator and described communication response side.
Preferably, described Key generating unit, also for generating master key, and determines the private key of corresponding described communication initiator according to the ID of described master key and described communication initiator, and, the private key of corresponding described communication response side is determined according to the ID of described master key and described communication response side.
Preferably, described first communication unit, also for sending DH public value and the random number of the other side respectively to described communication initiator and described communication response side.
Preferably, described first communication unit, is also sent to described communication response side with by the IPSec policy conferring message from described communication initiator, and the IPSec policy conferring result message from described communication response side is sent to described communication initiator;
Described Key generating unit, random number, SPI and protocol information also for carrying according to the IPSec policy conferring message of described first communication unit reception, or according to IPSec policy conferring result the message random number, SPI and the protocol information that carry that described first communication unit receives, the encryption key of use when determining that described communication initiator and described communication response side carry out data communication and Integrity Key.
The present invention also provides a kind of communication equipment, and this communication equipment comprises: the second communication unit and authentication ' unit; Wherein,
Described second communication unit, for utilizing local private key that the digital digest of message to be sent is encrypted as signing messages, being encapsulated into described message to be sent by described signing messages and being sent to counterparting communications equipment;
Described authentication ' unit, for determining the PKI of counterparting communications equipment, and the signing messages in the message utilizing the described PKI determined and described second communication unit to receive carries out certification to the other side's communication apparatus.
Preferably, described authentication ' unit, the open parameter also for generating according to ID and the described key server of counterparting communications equipment, determines the PKI of counterparting communications equipment.
Preferably, described second communication unit, also for receiving DH public value and the random number of the counterparting communications equipment that key server sends;
Described authentication ' unit, also for DH public value and the random number of the counterparting communications equipment according to described second communication unit reception, determine encryption key and Integrity Key, utilize described encryption key to be encrypted the message that described second communication unit is to be sent, and utilize described Integrity Key to carry out completeness check to the message that described second communication unit receives.
Preferably, described authentication ' unit, also for being decrypted the signing messages in the message of described second communication unit reception according to the described PKI determined, when the digital digest deciphered is consistent with the digital digest that the DH public value received according to ID and described second communication unit of the other side's communication apparatus is determined, determine authentication success.
Preferably, described second communication unit, also for the message that the encryption keys determined with described authentication ' unit sends, and carries out completeness check with the Integrity Key that described authentication ' unit is determined to the message received.
Preferably, described second communication unit, also for sending IPSec policy conferring message or IPSec policy conferring result message to described key server, wherein, described IPSec policy conferring message and described IPSec policy conferring result message carry the random number of transmit leg, SPI and protocol information.
Present invention also offers a kind of SA negotiating system, this system comprises: key server and communication equipment; Wherein,
Described key server, for generating the private key of corresponding described communication equipment for communication equipment;
Described communication equipment, for utilizing local private key that the digital digest of message to be sent is encrypted as signing messages, being encapsulated into described message to be sent by described signing messages and being sent to counterparting communications equipment; Determine the PKI of counterparting communications equipment, and utilize the described PKI determined and the signing messages received in message to carry out certification to counterparting communications equipment.
Preferably, described key server key comprises generation unit and the first communication unit; Described communication equipment comprises the second communication unit and authentication ' unit; Each Elementary Function is identical with the above.
By technical scheme of the present invention, when communication initiator and multiple communication response side carry out SA consult time, be that communication initiator and communication response side generate corresponding key by key server unification, realization flow is simple, and traffic load is low; And, the random number that key server carries according to the negotiation packet of communicating pair, SPI and protocol information, the encryption key used when determining described communication initiator and described communication response square tube letter and Integrity Key, can realize the security control to communicating pair and Lawful Interception.
Accompanying drawing explanation
Fig. 1 a be site-to-site or gateway to the scene schematic diagram of gateway deployment ipsec protocol;
Fig. 1 b is the scene schematic diagram that IPv6 network traffics dispose ipsec protocol when passing through IPv4 network;
Fig. 1 c is the scene schematic diagram that IPv6 network traffics dispose ipsec protocol when passing through IPv4 network;
Fig. 2 is the realization flow schematic diagram of the SA machinery of consultation of the embodiment of the present invention;
Fig. 3 is the composition structural representation of the SA negotiating system of the embodiment of the present invention;
Fig. 4 is the realization flow schematic diagram one that the SA of the embodiment of the present invention consults;
Fig. 5 is the realization flow schematic diagram two that the SA of the embodiment of the present invention consults.
Embodiment
Below in conjunction with drawings and the specific embodiments, the present invention is further described in more detail.
The embodiment of the present invention describes a kind of SA machinery of consultation, and Fig. 2 is the realization flow schematic diagram of the SA machinery of consultation of the embodiment of the present invention, as shown in Figure 2, comprising:
Step 201: key server is that communication initiator and communication response side generate the private key of corresponding described communication initiator and the private key of corresponding described communication response side respectively;
Described key server arranges and is used for key management.
Preferably, described key server generates master key, and according to the identify label (ID of described master key and described communication initiator, Identity) private key of corresponding described communication initiator is determined, and, the private key of corresponding described communication response side is determined according to the ID of described master key and described communication response side;
Step 202: described communication initiator and described communication response side utilize respective private key that the digital digest of respective message to be sent is encrypted as signing messages, described signing messages is encapsulated into described message to be sent and is sent to the other side;
Preferably, described key server generates open parameter, and sends to described communication initiator and described communication response side respectively; The described open parameter that described communication initiator and described communication response root send according to ID and the described key server of the other side, determines the PKI of the other side.
Preferably, described key server also sends DH public value and the random number of the other side respectively to described communication initiator and described communication response side;
Accordingly, described communication initiator and described communication response side are respectively according to the DH public value received and random number determination encryption key and Integrity Key, utilize the encryption key determined separately to be encrypted message to be sent in step 202, and utilize the Integrity Key determined separately to carry out completeness check to the message received.
Step 203: described communication initiator and described communication response side determine the PKI of the other side respectively, and utilize the PKI of described the other side determined and the signing messages received separately in message to carry out certification to the other side.
Preferably, described communication initiator and described communication response root are decrypted the signing messages in the message received separately according to the described PKI determined, when the digital digest deciphered is consistent with the digital digest that the DH public value sent according to ID and the described key server of the other side is determined, determine authentication success.
Preferably, after described communication initiator and described communication response side carry out authentication success to the other side, the message that described communication initiator and described communication response side send with described encryption keys, and with described Integrity Key, completeness check is carried out to the message received.
Preferably, described communication initiator forwards IPSec policy conferring message by described key server to described communication response side, and described communication response side forwards IPSec policy conferring result message by described key server to described communication initiator;
Wherein, described IPSec policy conferring message and described IPSec policy conferring result message carry the random number of transmit leg, SPI and protocol information;
Accordingly, random number, SPI and protocol information that described key server carries according to described IPSec policy conferring message, or according to random number, SPI and protocol information that described IPSec policy conferring result message carries, the encryption key of use when determining that described communication initiator and described communication response side carry out data communication and Integrity Key.
The embodiment of the present invention also describes a kind of SA system, and Fig. 3 is the composition structural representation of the SA negotiating system of the embodiment of the present invention, as shown in Figure 3, comprising: communication equipment 31 and key server 32; Wherein,
Described key server 32, for generating the private key of corresponding described communication equipment 31 for communication equipment 31;
Described communication equipment 31, for utilizing local private key that the digital digest of message to be sent is encrypted as signing messages, being encapsulated into described message to be sent by described signing messages and being sent to counterparting communications equipment 31; Determine the PKI of counterparting communications equipment 31, and utilize the described PKI determined and the signing messages received in message to carry out certification to counterparting communications equipment 31.
Described key server 32, comprising: Key generating unit 321 and the first communication unit 322; Wherein,
Described Key generating unit 321, for generating the private key of corresponding described communication initiator and the private key of corresponding described communication response side respectively for the communication response side in the communication initiator in communication equipment 31 and communication equipment 31;
Described first communication unit 322, the private key correspondence for being generated by described Key generating unit 321 is sent to described communication initiator and described communication response side.
Wherein, described Key generating unit 321, also for generating master key, and determines the private key of corresponding described communication initiator according to the ID of described master key and described communication initiator, and, the private key of corresponding described communication response side is determined according to the ID of described master key and described communication response side.
Wherein, described first communication unit 322, also for sending DH public value and the random number of the other side respectively to described communication initiator and described communication response side.
Wherein, described first communication unit 322, also for the IPSec policy conferring message from described communication initiator is sent to described communication response side, is sent to described communication initiator by the IPSec policy conferring result message from described communication response side;
Described Key generating unit 321, random number, SPI and protocol information also for carrying according to the IPSec policy conferring message of described first communication unit 322 reception, or according to IPSec policy conferring result the message random number, SPI and the protocol information that carry that described first communication unit 322 receives, the encryption key of use when determining that described communication initiator and described communication response side carry out data communication and Integrity Key.
Described communication equipment 31, comprising: the second communication unit 311 and authentication ' unit 312; Wherein,
Described second communication unit 311, for utilizing local private key that the digital digest of message to be sent is encrypted as signing messages, being encapsulated into described message to be sent by described signing messages and being sent to counterparting communications equipment 31;
Described authentication ' unit 312, for determining the PKI of counterparting communications equipment 31, and the signing messages in the message utilizing the described PKI determined and described second communication unit 311 to receive carries out certification to counterparting communications equipment 31.
Wherein, described authentication ' unit 312, the open parameter also for generating according to ID and the described key server 32 of counterparting communications equipment 31, determines the PKI of counterparting communications equipment 31.
Wherein, described second communication unit 311, also for receiving DH public value and the random number of the counterparting communications equipment 31 that key server 32 sends;
Described authentication ' unit 312, also for DH public value and the random number of the counterparting communications equipment 31 according to described second communication unit 311 reception, determine encryption key and Integrity Key, utilize described encryption key to be encrypted the message that described second communication unit 311 is to be sent, and utilize described Integrity Key to carry out completeness check to the message that described second communication unit 311 receives.
Wherein, described authentication ' unit 312, also for being decrypted the signing messages in the message of described second communication unit 311 reception according to the described PKI determined, when the digital digest deciphered is consistent with the digital digest that the DH public value received according to ID and described second communication unit 311 of counterparting communications equipment 31 is determined, determine authentication success.
Wherein, described second communication unit 311, also for the message that the encryption keys determined with described authentication ' unit 312 sends, and carries out completeness check with the Integrity Key that described authentication ' unit 312 is determined to the message received.
Wherein, described second communication unit 311, also for sending IPSec policy conferring message or IPSec policy conferring result message to described key server 32, wherein, described IPSec policy conferring message and described IPSec policy conferring result message carry the random number of transmit leg, SPI and protocol information.
Fig. 4 is the realization flow schematic diagram one that the security association of the embodiment of the present invention is consulted, and as shown in Figure 4, comprises the following steps:
Step 401 ~ step 402: gateway 1 (initiator) and gateway 2 (responder) carry out policy conferring, namely gateway 1 is proposed to gateway 2 sending strategy, and gateway 2 returns the strategy matched to gateway 1;
In step 401, gateway 1 sends one or more groups strategy to gateway 2 and proposes, this strategy is proposed to be encapsulated in the SA load of message, also encapsulate internet security in message to connect and IKMP (ISAKMP, Internet Security Association and Key Management Protocol) corresponding head (HDR, HeaDeR);
Here, described SA load comprises one or more groups strategy and proposes, in strategy is proposed, comprise five-tuple, be specially: cryptographic algorithm, hashing algorithm, exchange and key distribution (DH, Diffie-Hellman) algorithm, authentication method and IKE SA life cycle.
In step 402, gateway 2 is proposed according to the strategy of SA load in the message received, and proposes the strategy matched at local search and described strategy, and after matching, send the message of encapsulation HDR and SA load to gateway 1, described SA load comprises the policy information matched.
Step 403: the open parameter p arams that gateway 1 generates to the private key Pri1 of key server request corresponding gateway 1 and key server, the DH public value g^xr of gateway 2 and random number N r, and DH public value g^xi and the random number N i of gateway 1 is sent to key server.
Wherein, Pri1=Fuc (MasterKey, IDi), IDi is the ID of gateway 1, MasterKey is the master key that key server generates, Fuc () represent on the elliptic curve preset a bit with the algorithm of integer multiply, the key that Pri1 (private key) and Pub1 (PKI) is the pairing of corresponding gateway 1.
Wherein, gateway DH public value comprises gateway institute's bind address and port information.
Step 404: key server to the request of gateway 2 forward gateway 1 for g^xr and Nr, and sends private key Pri2, g^xr and Nr of params, corresponding gateway 2 to gateway 2.
Wherein, Pri2=Fuc (MasterKey, IDr), IDr are the ID of gateway 2; The key that Pri2 (private key) and Pub2 (PKI) is the pairing of corresponding gateway 2.
Step 405: gateway 2 sends g^xr and Nr to key server;
Step 406: key server sends params, Pri1, g^xr and Nr to gateway 1;
Step 407: gateway 1 and gateway 2, according to the other side ID and number params, are determined the PKI of corresponding the other side, and determined key material;
The PKI Pub2=Fuc (params, IDr) of corresponding gateway 2, the PKI Pub1=Fuc (params, IDi) of corresponding gateway 1.
Gateway 1 and gateway 2, according to g^xi, g^xr, Ni and Nr, are determined that first key material SKEYID is prf (Ni_b|Nr_b, g^xy), and are determined following key material according to SKEYID:
SKEYID_d=prf(SKEYID,g^xy|CKY-I|CKY-R|0) (1)
Prf () is hash function, for derived key material.
SKEYID_d is used for determining when second phase ipsec SA consults to encrypt the new key material used;
SKEYID_a=prf(SKEYID,SKEYID_d|g^xy|CKY-I|CKY-R|1) (2)
SKEYID_a is Integrity Key, carries out completeness check for the message consulted message and the present embodiment second stage IPSEC SA of the IKE SA negotiation after step 407;
SKEYID_e=prf(SKEYID,SKEYID_a|g^xy|CKY-I|CKY-R|2) (3)
SKEYID_e is encryption key, is encrypted for the message consulted message and the present embodiment second stage IPSEC SA of the IKE SA negotiation after step 407.
Step 408: gateway 2 authentication gateway 1;
To use digital signature to carry out certification, gateway 1 determines the digital digest HASH_I of the message to gateway 2 to be sent according to following formula:
HASH_I=prf(SKEYID,g^xi|g^xr|CKY-I|CKY-R|SAi_b|IDi_b) (4)
Gateway 1 utilizes Pri1 to generate signature SIG_I to HASH_I encryption, SIG_I load and IDi load are encapsulated into message to be sent, and the SKEYID_e utilizing step 407 to determine will be sent to gateway 2 after payload encryption;
Gateway 2 determines HASH_I according to formula (4), and the Pub1 utilizing step 407 to determine is decrypted SIG_I, by the HASH_I decrypted with determine HASH_I comparison according to formula (4), if consistent, authentication gateway 1 success, otherwise, abort process.
Step 409: gateway 1 authentication gateway 2;
To use digital signature to carry out certification, gateway 2 determines the digital digest HASH_R of the message to gateway 1 to be sent according to following formula:
HASH_R=prf(SKEYID,g^xr|g^xi|CKY-R|CKY-I|SAi_b|IDr_b) (5)
Gateway 2 utilizes Pri2 to generate signature SIG_R to HASH_R encryption, SIG_R load IDr load is encapsulated into message to be sent, and the SKEYID_e utilizing step 407 to determine is sent to gateway 2 by after the payload encryption of message to be sent;
Gateway 1 determines HASH_R according to formula (5), and the Pub2 utilizing step 407 to determine is decrypted SIG_R, by the HASH_R decrypted with determine HASH_R comparison according to formula (5), if consistent, authentication gateway 2 success, otherwise, abort process.
Second stage: carry out IPSec SA negotiation between gateway.
Fig. 5 is the realization flow schematic diagram two that the security association of the embodiment of the present invention is consulted, and as shown in Figure 5, comprises the following steps:
Step 501: gateway 1 sends SA negotiation packet to key server;
Wherein, this negotiation packet encapsulation HDR*, HASH [1] load, SA load (comprising IPSec strategy to propose) and random number (NONCE) load, this negotiation packet can also encapsulate DH load, KE load and ID load, NONCE load comprises the random number N i of gateway 1, DH load comprises the DH public value of gateway 1, and HASH [1] determines according to formula (6):
HASH[1]=prf(SKEYID_a,M-ID|SA|Ni[|KE][|IDci|IDcr) (6)
Described HDR* represents the SKEYID_e encrypted transmission that the load in message is determined by first stage step 407; HASH [1] load comprises the HASH_I that gateway 1 redefines according to formula (4), and gateway 2 does completeness check according to this HASH_I, with authentication gateway 1 again; IPSEC SA strategy comprises security protocol (AH or ESP), SPI, hashing algorithm, pattern (tunnel mode or transmission mode) and IPSEC SA life cycle;
The SKEYID_a that load in message uses first stage step 407 to determine carries out completeness check.
Step 502: key server forwards the message of step 501 to gateway 2;
Step 503: gateway 2 returns the message carrying negotiation result to key server;
The strategy that gateway 2 E-Packets according to key server is proposed, proposes the strategy mated at local search and strategy, and returns to key server the message that coupling carries matching result.
SA load (comprise IPSec strategy and propose matching result), NONCE load (comprising the random number N r of gateway 2) and HASH [2] load is encapsulated in the message that gateway 2 returns, HASH [2] load comprises the HASH_R that gateway redefines according to formula (5), when encapsulating DH load, KE load and ID load in the message that gateway 2 receives, accordingly, also encapsulate DH load, KE load and ID load in the message that gateway 2 sends to key server, HASH [2] determines according to formula (7):
HASH [2]=prf (SKEYID_a, M-ID|Ni_b|SA|Nr [| KE] [| IDci|IDcr) the encryption key SKEYID_e that determined by first stage step 407 of the load of message encapsulation that returns of (7) gateway 2 is encrypted, and carries out completeness check by the Integrity Key SKEYID_a that first stage step 407 is determined.
The random number N i that gateway 2 carries according to message, determine new key material KEYMAT, and determine key material based on this KEYMAT, this process is specially:
If do not need perfection to maintain secrecy (PFS, Perfect Forward Secrecy) forward and do not encapsulate KE load in the message received, then determine new key material according to formula (8):
KEYMAT=prf(SKEYID_d,protocol|SPI|Ni_b|Nr_b) (8)
If need PFS and receive in message to encapsulate KE load, then determine new key material according to formula (9):
KEYMAT=prf(SKEYID_d,g(qm)^xy|protocol|SPI|Ni_b|Nr_b) (9)
Wherein, protocol (agreement) and SPI obtains from SA load.
Based on above-mentioned new key material, KEYMAT is substituted into the SKEYID in formula (1), (2), (3), determine new SKEYID_e and SKEYID_a, use SKEYID_e to be encrypted the message transmitted when gateway 1 and gateway 2 subsequent communications, and use SKEYID_a to carry out completeness check to the message transmitted when gateway 1 and gateway 2 subsequent communications.
Step 504: the message that key server forward gateway 2 returns is to gateway 1;
Step 505: gateway 1 sends confirmation message to gateway 2.
This message encapsulation HASH [3] load, confirm the message receiving gateway 2, and prove that gateway 1 is in activity (Active) state, the message that namely gateway 1 sends in step 501 is not forged, and HASH [3] determines according to formula (10):
HASH[3]=prf(SKEYID_a,0|M-ID|Ni_b|Nr_b) (10)
The definition of the present embodiment Chinese style (1) ~ formula (10) each parameter is identical with specification RFC2409.
Gateway 1 is according to the Nr in message, redefine key material KEYMAT, and determine new key material SKEYID_e and SKEYID_a based on this KEYMAT, concrete process is identical with step 503, gateway 1 and gateway 2 use the load of SKEYID_e to the message of subsequent communications to be encrypted, and use SKEYID_a to carry out completeness check to the load of the message of subsequent communications.
In above-mentioned interactive step, SA load in the message that key server preservation gateway 1 and gateway 2 send and random number N i, Nr, when needing the communicating of supervision gateway 1 and gateway 2, KEYMAT is determined according to step 502, and parameter SKEYID KEYMAT substituted in formula (1), (2), (3), determine new SKEYID_e and SKEYID_a, when so can communicate with gateway 2 to gateway 1, the enciphered data of transmission is decrypted, and reaches and communicate with gateway 2 object of supervising to gateway 1.
After step 505, SKEYID_e and SKEYID_a that gateway 1 and gateway 2 are consulted by second stage, protection communication session and data.
The above, be only preferred embodiment of the present invention, be not intended to limit protection scope of the present invention.
Claims (18)
1. a security association SA machinery of consultation, is characterized in that, arranges the key server being used for key management; The method comprises:
Key server is that communication initiator and communication response side generate the private key of corresponding described communication initiator and the private key of corresponding described communication response side respectively;
Described communication initiator and described communication response side utilize respective private key that the digital digest of respective message to be sent is encrypted as signing messages, described signing messages is encapsulated into described message to be sent and is sent to the other side;
Described communication initiator and described communication response side determine the PKI of the other side respectively, and utilize the PKI of described the other side determined and the signing messages received separately in message to carry out certification to the other side.
2. method according to claim 1, is characterized in that, described key server is that communication initiator and communication response side generate the private key of corresponding described communication initiator and the private key of corresponding described communication response side respectively, comprising:
Described key server generates master key, and the private key of corresponding described communication initiator is determined according to the identify label ID of described master key and described communication initiator, and, the private key of corresponding described communication response side is determined according to the ID of described master key and described communication response side;
Described communication initiator and described communication response side determine the PKI of the other side respectively, comprising:
Described key server generates open parameter, and sends to described communication initiator and described communication response side respectively;
The described open parameter that described communication initiator and described communication response root send according to ID and the described key server of the other side, determines the PKI of the other side.
3. method according to claim 1 and 2, is characterized in that, the method also comprises: described key server also sends the exchange of the other side and key distribution DH public value and random number respectively to described communication initiator and described communication response side;
Accordingly, described communication initiator and described communication response side are respectively according to the DH public value received and random number determination encryption key and Integrity Key, utilize the encryption key determined separately to be encrypted message to be sent, and utilize the Integrity Key determined separately to carry out completeness check to the message received.
4. method according to claim 3, it is characterized in that, described communication initiator and described communication response side utilize the PKI of described the other side determined and the signing messages received separately in message to carry out certification to the other side, comprise: described communication initiator and described communication response root are decrypted the signing messages in the message received separately according to the described PKI determined, when the digital digest deciphered is consistent with the digital digest that the DH public value sent according to ID and the described key server of the other side is determined, determine authentication success.
5. method according to claim 3, it is characterized in that, after described communication initiator and described communication response side carry out authentication success to the other side, the method also comprises: the message that described communication initiator and described communication response side send with described encryption keys, and carries out completeness check with described Integrity Key to the message received.
6. method according to claim 5, it is characterized in that, the method also comprises: described communication initiator forwards Internet Protocol Security IPSec policy conferring message by described key server to described communication response side, and described communication response side forwards IPSec policy conferring result message by described key server to described communication initiator;
Wherein, described IPSec policy conferring message and described IPSec policy conferring result message carry the random number of transmit leg, Security Parameter Index SPI and protocol information;
Accordingly, random number, SPI and protocol information that described key server carries according to described IPSec policy conferring message, or according to random number, SPI and protocol information that described IPSec policy conferring result message carries, the encryption key of use when determining that described communication initiator and described communication response side carry out data communication and Integrity Key.
7. a key server, is characterized in that, this key server comprises: Key generating unit and the first communication unit; Wherein,
Described Key generating unit, for generating the private key of corresponding described communication initiator and the private key of corresponding described communication response side respectively for the communication initiator in communication equipment and the communication response side in communication equipment;
Described first communication unit, the private key correspondence for being generated by described Key generating unit is sent to described communication initiator and described communication response side.
8. key server according to claim 7, is characterized in that,
Described Key generating unit, also for generating master key, and the private key of corresponding described communication initiator is determined according to the ID of described master key and described communication initiator, and, the private key of corresponding described communication response side is determined according to the ID of described master key and described communication response side.
9. key server according to claim 7, is characterized in that,
Described first communication unit, also for sending DH public value and the random number of the other side respectively to described communication initiator and described communication response side.
10. the key server according to claim 7,8 or 9, is characterized in that,
Described first communication unit, is also sent to described communication response side with by the IPSec policy conferring message from described communication initiator, and the IPSec policy conferring result message from described communication response side is sent to described communication initiator;
Described Key generating unit, random number, SPI and protocol information also for carrying according to the IPSec policy conferring message of described first communication unit reception, or according to IPSec policy conferring result the message random number, SPI and the protocol information that carry that described first communication unit receives, the encryption key of use when determining that described communication initiator and described communication response side carry out data communication and Integrity Key.
11. 1 kinds of communication equipments, is characterized in that, this communication equipment comprises: the second communication unit and authentication ' unit; Wherein,
Described second communication unit, for utilizing local private key that the digital digest of message to be sent is encrypted as signing messages, being encapsulated into described message to be sent by described signing messages and being sent to counterparting communications equipment;
Described authentication ' unit, for determining the PKI of counterparting communications equipment, and the signing messages in the message utilizing the described PKI determined and described second communication unit to receive carries out certification to the other side's communication apparatus.
12. communication equipments according to claim 11, is characterized in that,
Described authentication ' unit, the open parameter also for generating according to ID and the described key server of counterparting communications equipment, determines the PKI of counterparting communications equipment.
13. communication equipments according to claim 11, is characterized in that,
Described second communication unit, also for receiving DH public value and the random number of the counterparting communications equipment that key server sends;
Described authentication ' unit, also for DH public value and the random number of the counterparting communications equipment according to described second communication unit reception, determine encryption key and Integrity Key, utilize described encryption key to be encrypted the message that described second communication unit is to be sent, and utilize described Integrity Key to carry out completeness check to the message that described second communication unit receives.
14. communication equipments according to claim 13, is characterized in that,
Described authentication ' unit, also for being decrypted the signing messages in the message of described second communication unit reception according to the described PKI determined, when the digital digest deciphered is consistent with the digital digest that the DH public value received according to ID and described second communication unit of the other side's communication apparatus is determined, determine authentication success.
15. communication equipments according to claim 13, is characterized in that,
Described second communication unit, also for the message that the encryption keys determined with described authentication ' unit sends, and carries out completeness check with the Integrity Key that described authentication ' unit is determined to the message received.
16., according to claim 11 to the communication equipment described in 15 any one, is characterized in that,
Described second communication unit, also for sending IPSec policy conferring message or IPSec policy conferring result message to described key server, wherein, described IPSec policy conferring message and described IPSec policy conferring result message carry the random number of transmit leg, SPI and protocol information.
17. 1 kinds of SA negotiating systems, is characterized in that, this system comprises: key server and communication equipment; Wherein,
Described key server, for generating the private key of corresponding described communication equipment for communication equipment;
Described communication equipment, for utilizing local private key that the digital digest of message to be sent is encrypted as signing messages, being encapsulated into described message to be sent by described signing messages and being sent to counterparting communications equipment; Determine the PKI of counterparting communications equipment, and utilize the described PKI determined and the signing messages received in message to carry out certification to counterparting communications equipment.
18. SA negotiating systems according to claim 17, is characterized in that,
Described key server is key server described in any one of claim 7 to 10; Described communication equipment is the communication equipment described in any one of claim 11 to 16.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310221599.7A CN104219217B (en) | 2013-06-05 | 2013-06-05 | Security association negotiation method, device and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310221599.7A CN104219217B (en) | 2013-06-05 | 2013-06-05 | Security association negotiation method, device and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104219217A true CN104219217A (en) | 2014-12-17 |
| CN104219217B CN104219217B (en) | 2020-03-10 |
Family
ID=52100354
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310221599.7A Active CN104219217B (en) | 2013-06-05 | 2013-06-05 | Security association negotiation method, device and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104219217B (en) |
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2016184351A1 (en) * | 2015-05-21 | 2016-11-24 | 阿里巴巴集团控股有限公司 | Ip address allocation method and system for wireless network |
| CN106357650A (en) * | 2016-09-09 | 2017-01-25 | 庞己人 | System, device and method for safely transmitting verification data |
| WO2017035725A1 (en) * | 2015-08-31 | 2017-03-09 | 林建华 | Communication method for electronic communication system in open environment |
| CN107135206A (en) * | 2017-04-18 | 2017-09-05 | 北京思特奇信息技术股份有限公司 | Safe precaution method and system that a kind of internet environment lower interface is called |
| CN109768948A (en) * | 2017-11-10 | 2019-05-17 | 中国电信股份有限公司 | Information push method, system and messaging device |
| CN110266485A (en) * | 2019-06-28 | 2019-09-20 | 宁波奥克斯电气股份有限公司 | A kind of Internet of Things secure communication control method based on NB-IoT |
| CN110391902A (en) * | 2019-07-08 | 2019-10-29 | 新华三信息安全技术有限公司 | A kind of method and device of internet key exchange ike negotiation |
| CN111614692A (en) * | 2020-05-28 | 2020-09-01 | 广东纬德信息科技股份有限公司 | Inbound message processing method and device based on power gateway |
| CN111865564A (en) * | 2020-07-29 | 2020-10-30 | 北京浪潮数据技术有限公司 | IPSec communication establishing method and system |
| CN112929169A (en) * | 2021-02-07 | 2021-06-08 | 成都薯片科技有限公司 | Key negotiation method and system |
| CN113364811A (en) * | 2021-07-05 | 2021-09-07 | 北京慧橙信息科技有限公司 | Network layer safety protection system and method based on IKE protocol |
| US11368298B2 (en) | 2019-05-16 | 2022-06-21 | Cisco Technology, Inc. | Decentralized internet protocol security key negotiation |
| CN115529184A (en) * | 2022-09-28 | 2022-12-27 | 中国电信股份有限公司 | Message verification method and device, electronic equipment and storage medium |
| CN117061115A (en) * | 2023-10-11 | 2023-11-14 | 腾讯科技(深圳)有限公司 | Key negotiation method, key negotiation apparatus, computer device, and computer-readable storage medium |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030147536A1 (en) * | 2002-02-05 | 2003-08-07 | Andivahis Dimitrios Emmanouil | Secure electronic messaging system requiring key retrieval for deriving decryption keys |
| US20070198836A1 (en) * | 2005-04-08 | 2007-08-23 | Nortel Networks Limited | Key negotiation and management for third party access to a secure communication session |
| CN101626374A (en) * | 2008-07-11 | 2010-01-13 | 成都市华为赛门铁克科技有限公司 | Method, system and equipment for negotiating security association (SA) in internet protocol version 6 (IPv6) network |
| WO2010093200A2 (en) * | 2009-02-12 | 2010-08-19 | Lg Electronics Inc. | Method and apparatus for traffic count key management and key count management |
| CN102656839A (en) * | 2009-12-21 | 2012-09-05 | 西门子公司 | Device and method for securing a negotiation of at least one cryptographic key between units |
| CN102694650A (en) * | 2012-06-13 | 2012-09-26 | 苏州大学 | Secret key generating method based on identity encryption |
| CN102761553A (en) * | 2012-07-23 | 2012-10-31 | 杭州华三通信技术有限公司 | IPSec SA consultation method and device |
| CN103078743A (en) * | 2013-01-15 | 2013-05-01 | 武汉理工大学 | E-mail IBE (Internet Booking Engine) encryption realizing method |
| US20130108045A1 (en) * | 2011-10-27 | 2013-05-02 | Architecture Technology, Inc. | Methods, networks and nodes for dynamically establishing encrypted communications |
-
2013
- 2013-06-05 CN CN201310221599.7A patent/CN104219217B/en active Active
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030147536A1 (en) * | 2002-02-05 | 2003-08-07 | Andivahis Dimitrios Emmanouil | Secure electronic messaging system requiring key retrieval for deriving decryption keys |
| US20070198836A1 (en) * | 2005-04-08 | 2007-08-23 | Nortel Networks Limited | Key negotiation and management for third party access to a secure communication session |
| CN101626374A (en) * | 2008-07-11 | 2010-01-13 | 成都市华为赛门铁克科技有限公司 | Method, system and equipment for negotiating security association (SA) in internet protocol version 6 (IPv6) network |
| WO2010093200A2 (en) * | 2009-02-12 | 2010-08-19 | Lg Electronics Inc. | Method and apparatus for traffic count key management and key count management |
| CN102656839A (en) * | 2009-12-21 | 2012-09-05 | 西门子公司 | Device and method for securing a negotiation of at least one cryptographic key between units |
| US20130108045A1 (en) * | 2011-10-27 | 2013-05-02 | Architecture Technology, Inc. | Methods, networks and nodes for dynamically establishing encrypted communications |
| CN102694650A (en) * | 2012-06-13 | 2012-09-26 | 苏州大学 | Secret key generating method based on identity encryption |
| CN102761553A (en) * | 2012-07-23 | 2012-10-31 | 杭州华三通信技术有限公司 | IPSec SA consultation method and device |
| CN103078743A (en) * | 2013-01-15 | 2013-05-01 | 武汉理工大学 | E-mail IBE (Internet Booking Engine) encryption realizing method |
Cited By (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106304400A (en) * | 2015-05-21 | 2017-01-04 | 阿里巴巴集团控股有限公司 | The IP address distribution method of wireless network and system |
| CN106304400B (en) * | 2015-05-21 | 2019-05-07 | 阿里巴巴集团控股有限公司 | The IP address distribution method and system of wireless network |
| WO2016184351A1 (en) * | 2015-05-21 | 2016-11-24 | 阿里巴巴集团控股有限公司 | Ip address allocation method and system for wireless network |
| WO2017035725A1 (en) * | 2015-08-31 | 2017-03-09 | 林建华 | Communication method for electronic communication system in open environment |
| CN106357650A (en) * | 2016-09-09 | 2017-01-25 | 庞己人 | System, device and method for safely transmitting verification data |
| CN107135206A (en) * | 2017-04-18 | 2017-09-05 | 北京思特奇信息技术股份有限公司 | Safe precaution method and system that a kind of internet environment lower interface is called |
| CN109768948A (en) * | 2017-11-10 | 2019-05-17 | 中国电信股份有限公司 | Information push method, system and messaging device |
| US11368298B2 (en) | 2019-05-16 | 2022-06-21 | Cisco Technology, Inc. | Decentralized internet protocol security key negotiation |
| US11831767B2 (en) | 2019-05-16 | 2023-11-28 | Cisco Technology, Inc. | Decentralized internet protocol security key negotiation |
| CN110266485A (en) * | 2019-06-28 | 2019-09-20 | 宁波奥克斯电气股份有限公司 | A kind of Internet of Things secure communication control method based on NB-IoT |
| CN110266485B (en) * | 2019-06-28 | 2022-06-24 | 宁波奥克斯电气股份有限公司 | Internet of things safety communication control method based on NB-IoT |
| CN110391902A (en) * | 2019-07-08 | 2019-10-29 | 新华三信息安全技术有限公司 | A kind of method and device of internet key exchange ike negotiation |
| CN111614692A (en) * | 2020-05-28 | 2020-09-01 | 广东纬德信息科技股份有限公司 | Inbound message processing method and device based on power gateway |
| CN111865564A (en) * | 2020-07-29 | 2020-10-30 | 北京浪潮数据技术有限公司 | IPSec communication establishing method and system |
| CN112929169A (en) * | 2021-02-07 | 2021-06-08 | 成都薯片科技有限公司 | Key negotiation method and system |
| CN113364811A (en) * | 2021-07-05 | 2021-09-07 | 北京慧橙信息科技有限公司 | Network layer safety protection system and method based on IKE protocol |
| CN115529184A (en) * | 2022-09-28 | 2022-12-27 | 中国电信股份有限公司 | Message verification method and device, electronic equipment and storage medium |
| CN117061115A (en) * | 2023-10-11 | 2023-11-14 | 腾讯科技(深圳)有限公司 | Key negotiation method, key negotiation apparatus, computer device, and computer-readable storage medium |
| CN117061115B (en) * | 2023-10-11 | 2024-02-02 | 腾讯科技(深圳)有限公司 | Key negotiation method, key negotiation apparatus, computer device, and computer-readable storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104219217B (en) | 2020-03-10 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104219217A (en) | SA (security association) negotiation method, device and system | |
| Cao et al. | Fast authentication and data transfer scheme for massive NB-IoT devices in 3GPP 5G network | |
| CN107018134B (en) | Power distribution terminal safety access platform and implementation method thereof | |
| US8559640B2 (en) | Method of integrating quantum key distribution with internet key exchange protocol | |
| CN103155512B (en) | System and method for providing secure access to service | |
| US8082574B2 (en) | Enforcing security groups in network of data processors | |
| CN101409619B (en) | Flash memory card and method for implementing virtual special network key exchange | |
| CN108075890A (en) | Data sending terminal, data receiver, data transmission method and system | |
| CN103118363B (en) | A kind of method of mutual biography secret information, system, terminal unit and platform device | |
| Chen et al. | An authentication scheme with identity‐based cryptography for M2M security in cyber‐physical systems | |
| US11637699B2 (en) | Rollover of encryption keys in a packet-compatible network | |
| KR20180130203A (en) | APPARATUS FOR AUTHENTICATING IoT DEVICE AND METHOD FOR USING THE SAME | |
| CN112422560A (en) | Lightweight substation secure communication method and system based on secure socket layer | |
| CN102891848A (en) | Method for carrying out encryption and decryption by using IPSec security association | |
| CN114285571A (en) | Method, gateway device and system for using quantum key in IPSec protocol | |
| US20080072033A1 (en) | Re-encrypting policy enforcement point | |
| CN114422205B (en) | Method for establishing network layer data tunnel of special CPU chip for electric power | |
| CN101861712A (en) | Security method of mobile internet protocol based server | |
| CN113364811A (en) | Network layer safety protection system and method based on IKE protocol | |
| CN115459912A (en) | Communication encryption method and system based on quantum key centralized management | |
| CN101527708B (en) | Method and device for restoring connection | |
| CN110430221A (en) | A kind of NDP-ESP network security method based on Neighbor Discovery Protocol | |
| CN102281303A (en) | Data exchange method | |
| JP2022507488A (en) | Methods and architectures for protecting and managing networks of embedded systems with an optimized public key infrastructure | |
| KR20070006913A (en) | Fast and secure connectivity for a mobile node |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |