CN105592058A - Method and device for improving network communication safety - Google Patents

Info

Publication number
CN105592058A
Authority
CN
China
Prior art keywords
message
authenticate
application protocol
authentication rule
protocol module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510642391.1A
Other languages
Chinese (zh)
Inventor
陈岩
王伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201510642391.1A
Publication of CN105592058A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Abstract

The present invention provides a method and device for improving network communication security. The technical scheme comprises: when an application protocol module needs to send a message to a remote application protocol module, it sends the message information to an authentication rule module and receives the authentication information returned by that module; the authentication information is carried in the message sent to the remote application protocol module, which passes the authentication information from the message to its local authentication rule module for authentication; if authentication succeeds the message is processed, and if it fails the message is discarded. Network communication security is thereby improved, and the realization is simple.

Description

Method and apparatus for improving network communication security
Technical field
The present invention relates to the field of communication technology, and in particular to a method and apparatus for improving network communication security.
Background technology
In existing communication networks, when two application protocol processes communicate, some unauthorized users attempt to tamper with data messages or to impersonate authenticated users, which causes communication security problems. To identify such tampered messages and impersonating users, an application protocol is configured with an authentication rule and uses the configured authentication rule to authenticate messages, thereby ensuring communication security.
If an application protocol uses a single authentication rule for a long time, that rule can easily be cracked by an unauthorized user. Having the administrator manually modify the authentication rule on both communicating parties can prevent this problem to some extent, but when many application protocols all need their authentication rules modified manually, the realization becomes very cumbersome.
Summary of the invention
In view of this, the object of the present invention is a method and apparatus for improving network communication security that can ensure network communication security and is simple to realize.
To achieve the above object, the invention provides the following technical scheme:
A method for improving network communication security, comprising:
when an application protocol module needs to send a message to a remote application protocol module, sending the information of the message to be sent to an authentication rule module;
the application protocol module receiving the authentication information that the authentication rule module generates and returns according to said message information, carrying said authentication information in the message to be sent, and sending the message to be sent to the remote application protocol module.
Another method for improving network communication security, in which an authentication rule set comprising multiple authentication rules is pre-configured; the method comprises:
the authentication rule module receiving the information of the message to be sent from the application protocol module;
searching the pre-configured authentication rule set, according to the current time, for an authentication rule usable for message sending by the application protocol module, generating the authentication information of the message to be sent based on this authentication rule and the message information, and returning this authentication information to the application protocol module.
An apparatus for improving network communication security, applied in an application protocol module, comprising: a processing unit and a transmitting unit;
the processing unit is used, when the application protocol module needs to send a message to a remote application protocol module, to send the information of the message to be sent to the authentication rule module; and, after the message information has been sent to the authentication rule module, to receive the authentication information that the authentication rule module generates and returns according to said message information and to carry the authentication information in the message to be sent;
the transmitting unit is used to send the message carrying the authentication information to the remote application protocol module.
Another apparatus for improving network communication security, applied in an authentication rule module, comprising: a configuration unit and a processing unit;
the configuration unit is used to pre-configure an authentication rule set comprising multiple authentication rules;
the processing unit is used to receive the information of the message to be sent from the application protocol module, to search the authentication rule set pre-configured by the configuration unit, according to the current time, for an authentication rule usable for message sending by the application protocol module, to generate the authentication information of the message to be sent based on this authentication rule and the message information, and to return this authentication information to the application protocol module.
As can be seen from the above technical scheme, in the present invention an authentication rule set comprising multiple authentication rules is pre-configured. When an application protocol module needs to send a message to a remote application protocol module, it sends the message information to the authentication rule module; the authentication rule module determines, according to the current time, the authentication rule for sending messages of this application protocol module, generates a message authentication code based on this rule and returns it to the application protocol module; the application protocol module carries the message authentication code in the message and sends it to the remote application protocol module, so that the remote application protocol module authenticates the message using the message authentication code carried in it and, according to the authentication result, decides whether to continue processing the message or to drop it. Compared with the prior art, the present invention no longer uses a single authentication rule but selects an authentication rule based on the current time and the specific application protocol module, and performs message authentication between application protocol modules based on that rule, which effectively improves network communication security.
Brief description of the drawings
Fig. 1 is one implementation flowchart of the present invention;
Fig. 2 is another implementation flowchart of the present invention;
Fig. 3 is a flowchart of one method for improving network communication security according to the present invention;
Fig. 4 is a flowchart of another method for improving network communication security according to the present invention;
Fig. 5 is a schematic structural diagram of one apparatus for improving network communication security according to the present invention;
Fig. 6 is a schematic structural diagram of another apparatus for improving network communication security according to the present invention.
Detailed description of the invention
To make the objects, technical scheme and advantages of the present invention clearer, the technical scheme of the present invention is described in detail below with reference to the drawings and according to embodiments.
The main idea of the present invention is: multiple authentication rules are set, and an application protocol module uses different authentication rules in different time periods to perform message authentication with the remote application protocol module. This solves the problem that a single authentication rule is easily cracked by an unauthorized user, and can effectively improve network communication security.
The realization principle of the present invention is described below:
Referring to Fig. 1, which is one implementation flowchart of the present invention, the following steps are included:
Step 101: the first application protocol module receives a trigger command.
The first application protocol module may be a process module such as a routing protocol, VRRP or BFD.
When the communication between application protocol modules needs message authentication, a trigger command can be sent to the application protocol module so that it enables the security authentication function according to the trigger command.
It should be noted that when the communication between application protocol modules does not need message authentication, a cancel command can be sent to the application protocol module, and the application protocol module disables the security authentication function according to the cancel command.
Step 102: the first application protocol module enables the security authentication function according to the trigger command.
Sending the trigger command to the first application protocol module triggers it to enable the security authentication function. In practical applications, the first application protocol module may also enable the security authentication function automatically at startup.
Step 103: when the first application protocol module needs to send a message to the second application protocol module, it sends the information of this message to the first authentication rule module.
The first application protocol module and the second application protocol module are remote application protocol modules of each other.
The first authentication rule module is in the same device as the first application protocol module and serves the message sending and receiving of the local application protocol module (the first application protocol module in this embodiment). The first authentication rule module is a process module that loads the pre-configured authentication rule set and the pre-configured relation table between application protocol modules and authentication algorithms, and that realizes functions such as generating and verifying message authentication information according to the loaded authentication rule set and relation table.
Because the first application protocol module has enabled the security authentication function, it needs to send the information of the message to be sent to the first authentication rule module for the authentication-related operations before sending.
In this embodiment, the message information may refer to the data carried in the message (that is, the message content); for example, for a routing protocol packet the message information is the routing information carried in the packet.
Step 104: the first authentication rule module searches the pre-configured authentication rule set, according to the current time, for the authentication rule usable for message sending by the first application protocol module, calculates the authentication information of this message based on this authentication rule and the message information, and returns the authentication information to the first application protocol module.
In this embodiment an authentication rule set is set in advance. It comprises multiple authentication rules, and each authentication rule comprises an authentication rule identifier (ID), an authentication algorithm, an authentication key and an active time. The active time comprises a send active time and a receive active time. The send active time comprises at least one time period (each time period having a start time and an end time) during which this authentication rule can be used for message sending; the receive active time comprises at least one time period (each having a start time and an end time) during which this authentication rule can be used for message receiving. Generally the send active time should be the same as the receive active time, or the receive active time may contain the send active time; for example, the send active time of a certain authentication rule is [8,10] and its receive active time is [8,11], where the interval [8,10] means from 8 o'clock to 10 o'clock and [8,11] means from 8 o'clock to 11 o'clock. The purpose of letting the receive active time contain the send active time is to avoid missing messages: for example, the sender sends a message at 10 o'clock and by the time it reaches the peer the time is already past 10; if the peer's receive active time were also [8,10], the message would be dropped because the receiving time is not within the receive active time of this authentication rule.
The method of searching the pre-configured authentication rule set, according to the current time, for the authentication rule usable for message sending by the first application protocol module is: determine, from the pre-configured relation table between application protocol modules and authentication algorithms, the authentication algorithm corresponding to the first application protocol module; search the authentication rule set for an authentication rule whose authentication algorithm is the algorithm corresponding to the first application protocol module and whose send active time contains the current time; and take this authentication rule as the one usable for message sending by the first application protocol module.
In this embodiment, the authentication information comprises the authentication rule identifier and a message authentication code (MAC, Message Authentication Code).
The method of generating the authentication information of this message based on this authentication rule and the message information is: encrypt the message information with the authentication algorithm and authentication key in the authentication rule to obtain the message authentication code of the message, and take the authentication rule identifier together with the message authentication code of the message as the authentication information of the message.
Step 105: the first application protocol module receives the authentication information returned by the first authentication rule module, carries the authentication information in the message, and sends the message to the second application protocol module.
Step 106: the second application protocol module receives the message sent by the first application protocol module, obtains the authentication information carried in the message, and sends this authentication information and the message information to the second authentication rule module.
The second application protocol module and the second authentication rule module are in the same device; the second authentication rule module has the same function as the first authentication rule module and serves the message sending and receiving of the local application protocol module (for example the second application protocol module).
The second application protocol module also needs to enable the security authentication function; a trigger command can be sent to the second application protocol module to trigger it to enable the security authentication function.
Since the security authentication function is enabled, after the second application protocol module receives a message it needs to send the authentication information, the message information and so on from the message to the second authentication rule module for message authentication.
Step 107: the second authentication rule module searches the pre-configured authentication rule set, according to the current time and the received authentication information, for the authentication rule usable for message receiving by the second application protocol module, generates the authentication information of this message based on this authentication rule and the message information, and compares the computed authentication information with the received authentication information; if they are identical, it returns to the second application protocol module an authentication result indicating success, and if they differ, it returns an authentication result indicating failure.
The method of searching the pre-configured authentication rule set, according to the current time and the received authentication information, for the authentication rule usable for message receiving by the second application protocol module is: determine, from the pre-configured relation table between application protocol modules and authentication algorithms, the authentication algorithm corresponding to the second application protocol module; search the authentication rule set for an authentication rule whose identifier is the authentication rule identifier in the received authentication information, whose authentication algorithm is that algorithm, and whose receive active time contains the current time; and take this authentication rule as the one usable for message receiving by the second application protocol module.
In this step, the method of generating the authentication information of the message is the same as the method of generating the authentication information of the message in step 104.
Step 108: the second application protocol module receives the authentication result returned by the second authentication rule module; if the authentication result is success, it processes the message, and if the authentication result is failure, it drops the message.
Here, only messages that pass authentication are processed by the second application protocol module according to the normal processing flow; messages that fail authentication are dropped directly.
In the embodiment shown in Fig. 1, before an application protocol module sends a message to the peer application protocol module, it first requests the local authentication rule module to generate the authentication information of the message, carries the authentication information in the message and sends it to the peer application protocol module; the peer application protocol module requests its local authentication rule module to generate the authentication information of the message and compare it with the received authentication information, and decides by this comparison whether to continue processing the message or to drop it. This realizes message authentication between the two communicating parties. Moreover, because the authentication rule used to generate the authentication information of a message is selected based on the current time, the authentication rules used at different times may differ; compared with the prior-art message authentication scheme that uses a single authentication rule, it is not easy for an unauthorized user to crack, so network communication security is effectively improved.
Referring to Fig. 2, which is another implementation flowchart of the present invention, the following steps are included:
Step 201: the first application protocol module receives a trigger command.
Step 202: the first application protocol module enables the security authentication function according to the trigger command.
When the communication between application protocol modules needs message authentication, the first authentication rule module triggers the first application protocol module to enable the security authentication function; in practical applications, the first application protocol module may also enable the security authentication function automatically at startup.
Step 203: when the first application protocol module needs to send a message to the second application protocol module, it sends the information of this message to the first authentication rule module.
The first application protocol module and the second application protocol module are remote application protocol modules of each other.
The first authentication rule module is in the same device as the first application protocol module and serves the message sending and receiving of the local application protocol module (the first application protocol module in this embodiment). The first authentication rule module is a process module that loads the pre-configured authentication rule set and the pre-configured relation table between application protocol modules and authentication algorithms, and that realizes functions such as generating and verifying message authentication information according to the loaded authentication rule set and relation table.
Because the first application protocol module has enabled the security authentication function, it needs to send the information of the message to be sent to the first authentication rule module for the authentication-related operations before sending.
In this embodiment, the message information may refer to the data carried in the message (that is, the message content); for example, for a routing protocol packet the message information is the routing information carried in the packet.
Step 204: the first authentication rule module searches the pre-configured authentication rule set, according to the current time, for the authentication rule usable for message sending by the first application protocol module, generates the authentication information of this message based on this authentication rule and the message information, and returns the authentication information to the first application protocol module.
In this embodiment an authentication rule set is set in advance. It comprises multiple authentication rules, and each authentication rule comprises an authentication rule identifier (ID), an authentication algorithm, an authentication key and an active time. The active time comprises a send active time and a receive active time. The send active time comprises at least one time period (each time period having a start time and an end time) during which this authentication rule can be used for message sending; the receive active time comprises at least one time period (each having a start time and an end time) during which this authentication rule can be used for message receiving.
The method of searching the pre-configured authentication rule set, according to the current time, for the authentication rule usable for message sending by the first application protocol module is: determine, from the pre-configured relation table between application protocol modules and authentication algorithms, the authentication algorithm corresponding to the first application protocol module; search the authentication rule set for an authentication rule whose authentication algorithm is that algorithm and whose send active time contains the current time; and take this authentication rule as the one usable for message sending by the first application protocol module.
In this embodiment, the authentication information comprises: the authentication rule identifier, the authentication algorithm and the message authentication code;
The method of generating the authentication information of this message based on this authentication rule and the message information is: encrypt the message information with the authentication algorithm and authentication key in the authentication rule to obtain the message authentication code of the message, and take the authentication rule identifier, the authentication algorithm in the authentication rule and the message authentication code of the message as the authentication information of the message.
Step 205: the first application protocol module receives the authentication information returned by the first authentication rule module, determines the canonical algorithm identifier of the first application protocol module corresponding to the authentication algorithm in this authentication information, replaces the authentication algorithm in the authentication information with this canonical algorithm identifier, carries the authentication information in the message, and sends the message to the second application protocol module.
In practical applications, the same authentication algorithm may correspond to different algorithm identifiers (called the canonical algorithm identifiers of the application protocol modules) in application protocol modules of different protocol types. For example, the MD5 algorithm is identified by ID5 in an application protocol module of a first protocol type and by ID8 in an application protocol module of a second protocol type; after an application protocol module of the first protocol type receives "MD5 algorithm", it determines that the canonical algorithm identifier corresponding to the MD5 algorithm is ID5, and after an application protocol module of the second protocol type receives "MD5 algorithm", it determines that the canonical algorithm identifier corresponding to the MD5 algorithm is ID8.
The correspondence between the canonical algorithm identifiers of each application protocol module and the authentication algorithms can be configured in that application protocol module in advance, so that when the application protocol module receives the authentication information returned by the authentication rule module, it determines according to this correspondence the canonical algorithm identifier, in the application protocol module, of the authentication algorithm in the authentication information.
It should be noted that in this embodiment and in the embodiment shown in Fig. 1, the first application protocol module and the second application protocol module are application protocol modules of the same protocol type.
Step 206, the second application protocol module receive this message, obtain the certification letter carrying in this messageBreath, determines that the canonical algorithm in this authentication information identifies corresponding identifying algorithm, by this authentication informationCanonical algorithm mark is revised as this identifying algorithm, this authentication information and this message information is sent to second and recognizeCard rule module.
The second application protocol module and the second authenticate ruler module in same equipment, the second authenticate ruler mouldPiece for example, for the message sending and receiving of local application protocol module (the second application protocol module).
The second application protocol module also needs to enable safety certification function, by sending trigger command to secondApplication protocol module, triggers the second application protocol module and enables safety certification function.
Owing to having enabled safety certification function, the second application protocol module receives after message, need to be by reportAuthentication information, message information etc. in literary composition is dealt into the second authenticate ruler module and carries out authentification of message.
Step 207, the second authenticate ruler module are being joined in advance according to the authentication information of current time and receptionIn the authenticate ruler set of putting, search the authenticate ruler of the message reception that can be used for the second application protocol module,Message information based on this authenticate ruler and reception generates the authentication information of this message, by the certification of this messageThe authentication information of information and reception compares, if different, returns to the second application protocol module tableThe authentication result of bright authentification failure; If identical, return to the second application protocol module and show to authenticate intoThe authentication result of merit.
Searching in pre-configured authenticate ruler set according to the authentication information of current time and reception canThe method of the authenticate ruler receiving for the message of the second application protocol module is: should according to pre-configuredDetermine identifying algorithm corresponding to the second application protocol module with protocol module and identifying algorithm relation table, recognizingCard is searched authenticate ruler mark, the certification in the authentication information that authenticate ruler is designated reception in regular collectionAlgorithm is the authenticate ruler that this identifying algorithm and the reception time of enlivening comprises current time, by this authenticate rulerThe authenticate ruler receiving as the message that can be used for the second application protocol module.
In this step, generate the authentication information that generates message in the method for authentication information of message and step 204Method identical.
Step 208, the second application protocol module receive the authentication result that the second authenticate ruler module is returned,If authentication result is authentication success, message is processed, if authentication result is authentification failure,Dropping packets.
Here, only have the message of authentication success, the second application protocol module just can be according to normal process flow processMessage is processed, for the message of authentification failure, directly abandoned.
In the embodiment of the present invention shown in Fig. 2, the application protocol module converts the authentication algorithm in the message's authentication information into the canonical algorithm identifier of that application protocol module, carries it in the message and sends it to the peer application protocol module; the peer application protocol module converts the canonical algorithm identifier in the authentication information back into the authentication algorithm before the authentication information is compared with the locally generated authentication information. The conversion between authentication algorithm and canonical algorithm identifier in this process additionally verifies that both application protocol modules have used the same authentication rule for message authentication, so that, compared with the embodiment of the present invention shown in Fig. 1, network communication security can be further improved.
It should be noted that in the embodiments shown in Fig. 1 and Fig. 2 the first two steps (steps 101 and 102, steps 201 and 202) are not mandatory: in practice, when an application protocol module sends a message, it can by default first send the message information to the local authentication rule module to obtain the message's authentication information, and then carry the authentication information in the message and send them together.
The principle of the present invention has been described in detail above. Based on this principle, the present invention provides a method for improving network communication security that is applied to an application protocol module and a method for improving network communication security that is applied to an authentication rule module, described below with reference to Fig. 3 and Fig. 4.
Referring to Fig. 3, Fig. 3 is a flow chart of one method of the present invention for improving network communication security. As shown in Fig. 3, the method comprises the following steps:
Step 301: when an application protocol module needs to send a message to a remote application protocol module, it sends the message information of the message to be sent to the authentication rule module;
Step 302: the application protocol module receives the authentication information that the authentication rule module generates from the message information and returns, carries the authentication information in the message to be sent, and sends the message to be sent to the remote application protocol module.
The method shown in Fig. 3 further comprises:
the application protocol module receives a message from the remote application protocol module, obtains the authentication information carried in the message, and sends the obtained authentication information and the message information to the authentication rule module for message authentication;
the application protocol module receives the authentication result returned by the authentication rule module; if the authentication result is authentication success, it processes the received message, otherwise it discards the received message.
In the method shown in Fig. 3, the authentication rule comprises an authentication algorithm;
the authentication information comprises an authentication algorithm;
before carrying the authentication information in the message to be sent, the application protocol module further determines the canonical algorithm identifier in the application protocol module that corresponds to the authentication algorithm in the authentication information, and replaces the authentication algorithm in the authentication information with that canonical algorithm identifier;
before sending the obtained authentication information and the received message information to the authentication rule module for message authentication, the application protocol module further determines the authentication algorithm that corresponds to the canonical algorithm identifier in the authentication information, and replaces the canonical algorithm identifier in the authentication information with that authentication algorithm.
Referring to Fig. 4, Fig. 4 is a flow chart of another method of the embodiment of the present invention for improving network communication security. In this method an authentication rule set is pre-configured, the authentication rule set comprising multiple authentication rules, and the method mainly comprises the following steps:
Step 401: the authentication rule module receives the message information of a message to be sent from an application protocol module;
Step 402: according to the current time, it searches the pre-configured authentication rule set for the authentication rule usable for message sending by the application protocol module, generates the authentication information of the message to be sent from that authentication rule and the message information, and returns the authentication information to the application protocol module.
The method shown in Fig. 4 further comprises:
the authentication rule module receives the authentication information and message information sent by the application protocol module;
according to the current time and the received authentication information, it searches the pre-configured authentication rule set for the authentication rule usable for message reception by the application protocol module, generates the authentication information of the message from that authentication rule and the received message information, and compares the generated authentication information with the received authentication information; if they are identical it returns an authentication result indicating authentication success, otherwise it returns an authentication result indicating authentication failure.
In the method shown in Fig. 4, in one embodiment, the authentication information comprises an authentication rule identifier and a message authentication code;
the authentication rule comprises an authentication rule identifier, an authentication algorithm, an authentication key and an active time, the active time comprising a send active time and a receive active time;
generating the authentication information of the message from the authentication rule and the message information comprises: applying the authentication algorithm in the authentication rule, with the authentication key, to the message information to obtain the message authentication code of the message, and taking the authentication rule identifier and the message authentication code of the message as the authentication information of the message.
In the method shown in Fig. 4, in another embodiment, the authentication information comprises an authentication rule identifier, a message authentication code and an authentication algorithm;
the authentication rule comprises an authentication rule identifier, an authentication algorithm, an authentication key and an active time, the active time comprising a send active time and a receive active time;
generating the authentication information of the message from the authentication rule and the message information comprises: applying the authentication algorithm in the authentication rule, with the authentication key, to the message information to obtain the message authentication code of the message, and taking the authentication rule identifier, the authentication algorithm in the authentication rule and the message authentication code of the message as the authentication information of the message.
In the method shown in Fig. 4,
searching the pre-configured authentication rule set, according to the current time, for the authentication rule usable for message sending by the application protocol module comprises: determining, from the pre-configured application protocol module and authentication algorithm relation table, the authentication algorithm corresponding to the application protocol module; searching the authentication rule set for the authentication rule whose authentication algorithm is that authentication algorithm and whose send active time includes the current time; and taking that authentication rule as the one usable for message sending by the application protocol module;
searching the pre-configured authentication rule set, according to the current time and the received authentication information, for the authentication rule usable for message reception by the application protocol module comprises: determining, from the pre-configured application protocol module and authentication algorithm relation table, the authentication algorithm corresponding to the application protocol module; searching the authentication rule set for the authentication rule whose authentication rule identifier equals the authentication rule identifier in the received authentication information, whose authentication algorithm is that authentication algorithm and whose receive active time includes the current time; and taking that authentication rule as the one usable for message reception by the application protocol module.
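The procedures of Fig. 2 to Fig. 4 above, as an added example that is not part of the patent and not code of the applicant: HMAC stands in for the unspecified authentication algorithm, and the rule set, the application protocol module and authentication algorithm relation table, the per-module canonical algorithm identifiers, the '|'-separated message layout and the module labels "bfd" and "legacy-routing" are all assumptions made for this example. It shows the send-side rule lookup of step 402, the receive-side lookup and comparison of step 207 and the canonical identifier conversion of Fig. 2, and exercises the cases the description leaves implicit: a key rollover in which the receive active time is deliberately wider than the send active time, so that a message signed just before the rollover is still accepted by a receiver whose clock is slightly ahead; an expired rule; a tampered payload; a rewritten rule identifier; and a message from a module whose canonical identifiers mean something else. The message authentication codes are compared in constant time, which the description does not mention but which any implementation of this comparison should do.

```python
"""Added example, not the patent's own code: an authentication rule module
(Fig. 4) and an application protocol module (Fig. 2, Fig. 3) with
time-windowed rules, a protocol-to-algorithm table and canonical algorithm
identifiers. Rule contents, both tables, HMAC as the authentication
algorithm and the '|'-separated wire format are assumptions of this example."""
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthRule:
    rule_id: int
    algorithm: str      # hash name handed to hmac.new (assumption)
    key: bytes
    send_active: tuple  # inclusive (start, end), seconds since epoch
    recv_active: tuple  # wider than send_active to tolerate clock skew

# Constructed rule set: rule 2 replaces rule 1 at t=1000. The receive windows
# straddle the rollover, so a message signed just before it still verifies on
# a receiver whose clock is a little ahead, and vice versa.
RULES = [
    AuthRule(1, "sha256", b"old-key", (0, 999), (0, 1030)),
    AuthRule(2, "sha256", b"new-key", (1000, 1999), (970, 2030)),
    AuthRule(3, "sha1", b"legacy-key", (0, 1999), (0, 2030)),
]
# Constructed "application protocol module and authentication algorithm
# relation table" and the per-module canonical algorithm identifiers.
PROTO_ALGO = {"bfd": "sha256", "legacy-routing": "sha1"}
CANONICAL_ID = {"bfd": {"sha256": 1}, "legacy-routing": {"sha1": 1, "sha256": 2}}

class AuthRuleModule:
    def __init__(self, rules, proto_algo):
        self.rules = {r.rule_id: r for r in rules}
        self.proto_algo = proto_algo

    @staticmethod
    def _mac(rule, message):
        return hmac.new(rule.key, message, rule.algorithm).digest()

    def sign(self, proto, message, now):
        """Step 402: the rule with the module's algorithm whose send window covers now."""
        algo = self.proto_algo[proto]
        for r in self.rules.values():
            if r.algorithm == algo and r.send_active[0] <= now <= r.send_active[1]:
                return r.rule_id, r.algorithm, self._mac(r, message)
        raise LookupError("no active send rule for %s at t=%d" % (proto, now))

    def verify(self, proto, rule_id, algo, mac, message, now):
        """Step 207: rule by received id, module's algorithm and a receive window
        covering now; recompute the MAC and compare it in constant time."""
        r = self.rules.get(rule_id)
        if r is None or r.algorithm != algo or algo != self.proto_algo[proto]:
            return False
        if not r.recv_active[0] <= now <= r.recv_active[1]:
            return False
        return hmac.compare_digest(self._mac(r, message), mac)

class AppProtocolModule:
    def __init__(self, name, rule_module):
        self.name, self.rule_module = name, rule_module
        self.to_id = CANONICAL_ID[name]
        self.from_id = {v: k for k, v in self.to_id.items()}

    def send(self, payload, now):
        """Steps 301-302 with the Fig. 2 conversion: the canonical algorithm
        identifier, not the algorithm name, is what goes on the wire."""
        rule_id, algo, mac = self.rule_module.sign(self.name, payload, now)
        return b"%d|%d|%s|%s" % (rule_id, self.to_id[algo], mac.hex().encode(), payload)

    def receive(self, wire, now):
        """Parse the authentication information, map the canonical identifier back
        to an algorithm and verify; None means the message is dropped."""
        try:
            rid, cid, mac_hex, payload = wire.split(b"|", 3)
            rule_id, algo = int(rid), self.from_id[int(cid)]
            mac = bytes.fromhex(mac_hex.decode())
        except (ValueError, KeyError):
            return None
        if not self.rule_module.verify(self.name, rule_id, algo, mac, payload, now):
            return None
        return payload

def demo():
    """Exchanges across the constructed key rollover; every entry should be True."""
    rm = AuthRuleModule(RULES, PROTO_ALGO)
    sender, receiver = AppProtocolModule("bfd", rm), AppProtocolModule("bfd", rm)
    legacy = AppProtocolModule("legacy-routing", rm)
    msg = sender.send(b"hello", now=990)  # signed under rule 1
    return {
        "valid": receiver.receive(msg, now=990) == b"hello",
        "skew_ok": receiver.receive(msg, now=1020) == b"hello",  # rule 1 still receivable
        "expired": receiver.receive(msg, now=1031) is None,      # receive window over
        "tampered": receiver.receive(msg[:-1] + b"x", now=990) is None,
        "wrong_rule": receiver.receive(b"2" + msg[1:], now=990) is None,  # rule 2's key
        "cross_proto": receiver.receive(legacy.send(b"hello", now=990), now=990) is None,
        "rollover": rm.sign("bfd", b"hello", now=1000)[0] == 2,
    }
```

Calling demo() returns a dictionary whose every value is True. The "cross_proto" entry is the Fig. 2 check in action: canonical identifier 1 denotes sha1 in the "legacy-routing" module but sha256 in the "bfd" module, so the receiving module maps the identifier to an algorithm that does not match the rule named by the rule identifier and the message is rejected before any message authentication code is compared. The "skew_ok" and "expired" entries show why the patent keeps separate send and receive active times: a receive window that merely equalled the send window would drop every message still in flight at the moment of a rule change.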
The present invention also provides a device for improving network communication security that is applied to an application protocol module and a device for improving network communication security that is applied to an authentication rule module, described below with reference to Fig. 5 and Fig. 6.
Referring to Fig. 5, Fig. 5 is a schematic structural diagram of one device of the embodiment of the present invention for improving network communication security. As shown in Fig. 5, the device is applied to an application protocol module and comprises a processing unit 501 and a sending unit 502, wherein:
the processing unit 501 is configured to send the message information of a message to be sent to the authentication rule module when the application protocol module needs to send a message to a remote application protocol module; and, after the message information has been sent to the authentication rule module, to receive the authentication information that the authentication rule module generates from the message information and returns, and to carry the authentication information in the message to be sent;
the sending unit 502 is configured to send the message to be sent carrying the authentication information to the remote application protocol module.
The device shown in Fig. 5 also comprises a receiving unit 503;
the receiving unit 503 is configured to receive a message from the remote application protocol module;
the processing unit 501 is configured, after the receiving unit 503 has received a message from the remote application protocol module, to obtain the authentication information carried in the message and to send the obtained authentication information and the received message information to the authentication rule module for message authentication; and to receive the authentication result returned by the authentication rule module, process the received message if the authentication result is authentication success, and otherwise discard the received message.
In the device shown in Fig. 5, the authentication information comprises an authentication algorithm;
before carrying the authentication information in the message to be sent, the processing unit 501 further determines the canonical algorithm identifier in the application protocol module that corresponds to the authentication algorithm in the authentication information, and replaces the authentication algorithm in the authentication information with that canonical algorithm identifier;
before sending the obtained authentication information and the received message information to the authentication rule module for message authentication, the processing unit 501 further determines the authentication algorithm that corresponds to the canonical algorithm identifier in the authentication information, and replaces the canonical algorithm identifier in the authentication information with that authentication algorithm.
Referring to Fig. 6, Fig. 6 is a schematic structural diagram of another device of the embodiment of the present invention for improving network communication security. As shown in Fig. 6, the device is applied to an authentication rule module and comprises a configuration unit 601 and a processing unit 602, wherein:
the configuration unit 601 is configured to pre-configure an authentication rule set, the authentication rule set comprising multiple authentication rules;
the processing unit 602 is configured to receive the message information of a message to be sent from the application protocol module, to search the authentication rule set pre-configured by the configuration unit 601, according to the current time, for the authentication rule usable for message sending by the application protocol module, to generate the authentication information of the message to be sent from that authentication rule and the message information, and to return the authentication information to the application protocol module.
In the device shown in Fig. 6,
the processing unit 602 is further configured to receive the authentication information and message information that the application protocol module sends for message authentication, to search the pre-configured authentication rule set, according to the current time and the received authentication information, for the authentication rule usable for message reception by the application protocol module, to generate the authentication information of the message from that authentication rule and the received message information, and to compare the generated authentication information with the received authentication information, returning an authentication result indicating authentication success if they are identical and otherwise an authentication result indicating authentication failure.
In the device shown in Fig. 6, in one embodiment,
the authentication information comprises an authentication rule identifier and a message authentication code;
the authentication rule comprises an authentication rule identifier, an authentication algorithm, an authentication key and an active time, the active time comprising a send active time and a receive active time;
the processing unit 602 generates the authentication information of the message from the authentication rule and the message information by applying the authentication algorithm in the authentication rule, with the authentication key, to the message information to obtain the message authentication code of the message, and taking the authentication rule identifier and the message authentication code of the message as the authentication information of the message.
In the device shown in Fig. 6, in another embodiment,
the authentication information comprises an authentication rule identifier, a message authentication code and an authentication algorithm;
the authentication rule comprises an authentication rule identifier, an authentication algorithm, an authentication key and an active time, the active time comprising a send active time and a receive active time;
the processing unit 602 generates the authentication information of the message from the authentication rule and the message information by applying the authentication algorithm in the authentication rule, with the authentication key, to the message information to obtain the message authentication code of the message, and taking the authentication rule identifier, the authentication algorithm in the authentication rule and the message authentication code of the message as the authentication information of the message.
In the device shown in Fig. 6,
the configuration unit 601 is further configured to pre-configure the application protocol module and authentication algorithm relation table;
the processing unit 602 searches the pre-configured authentication rule set, according to the current time, for the authentication rule usable for message sending by the application protocol module by: determining, from the application protocol module and authentication algorithm relation table pre-configured by the configuration unit 601, the authentication algorithm corresponding to the application protocol module; searching the authentication rule set for the authentication rule whose authentication algorithm is that authentication algorithm and whose send active time includes the current time; and taking that authentication rule as the one usable for message sending by the application protocol module;
the processing unit 602 searches the pre-configured authentication rule set, according to the current time and the received authentication information, for the authentication rule usable for message reception by the application protocol module by: determining, from the application protocol module and authentication algorithm relation table pre-configured by the configuration unit 601, the authentication algorithm corresponding to the application protocol module; searching the authentication rule set for the authentication rule whose authentication rule identifier equals the authentication rule identifier in the received authentication information, whose authentication algorithm is that authentication algorithm and whose receive active time includes the current time; and taking that authentication rule as the one usable for message reception by the application protocol module.
The foregoing are only preferred embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included within the scope of protection of the present invention.

Claims (16)

1. A method for improving network communication security, characterized in that the method comprises:
when an application protocol module needs to send a message to a remote application protocol module, sending the message information of the message to be sent to an authentication rule module;
the application protocol module receiving the authentication information that the authentication rule module generates from the message information and returns, carrying the authentication information in the message to be sent, and sending the message to be sent to the remote application protocol module.
2. The method according to claim 1, characterized in that the method further comprises:
the application protocol module receiving a message from the remote application protocol module, obtaining the authentication information carried in the message, and sending the obtained authentication information and the message information to the authentication rule module for message authentication;
the application protocol module receiving the authentication result returned by the authentication rule module and, if the authentication result is authentication success, processing the received message, otherwise discarding the received message.
3. The method according to claim 2, characterized in that
the authentication information comprises an authentication algorithm;
before the application protocol module carries the authentication information in the message to be sent, the method further comprises: determining the canonical algorithm identifier in the application protocol module that corresponds to the authentication algorithm in the authentication information, and replacing the authentication algorithm in the authentication information with that canonical algorithm identifier;
before the application protocol module sends the obtained authentication information and the received message information to the authentication rule module for message authentication, the method further comprises: determining the authentication algorithm that corresponds to the canonical algorithm identifier in the authentication information, and replacing the canonical algorithm identifier in the authentication information with that authentication algorithm.
4. A method for improving network communication security, characterized in that an authentication rule set is pre-configured, the authentication rule set comprising multiple authentication rules, and the method comprises:
an authentication rule module receiving the message information of a message to be sent from an application protocol module;
according to the current time, searching the pre-configured authentication rule set for the authentication rule usable for message sending by the application protocol module, generating the authentication information of the message to be sent from that authentication rule and the message information, and returning the authentication information to the application protocol module.
5. The method according to claim 4, characterized in that the method further comprises:
the authentication rule module receiving the authentication information and message information sent by the application protocol module;
according to the current time and the received authentication information, searching the pre-configured authentication rule set for the authentication rule usable for message reception by the application protocol module, generating the authentication information of the message from that authentication rule and the received message information, and comparing the generated authentication information with the received authentication information; if they are identical, returning an authentication result indicating authentication success, otherwise returning an authentication result indicating authentication failure.
6. The method according to claim 5, characterized in that
the authentication rule comprises an authentication rule identifier, an authentication algorithm, an authentication key and an active time, the active time comprising a send active time and a receive active time;
generating the authentication information of the message from the authentication rule and the message information comprises: applying the authentication algorithm in the authentication rule, with the authentication key, to the message information to obtain the message authentication code of the message, and taking the authentication rule identifier and the message authentication code of the message as the authentication information of the message.
7. The method according to claim 5, characterized in that
the authentication rule comprises an authentication rule identifier, an authentication algorithm, an authentication key and an active time, the active time comprising a send active time and a receive active time;
generating the authentication information of the message from the authentication rule and the message information comprises: applying the authentication algorithm in the authentication rule, with the authentication key, to the message information to obtain the message authentication code of the message, and taking the authentication rule identifier, the authentication algorithm in the authentication rule and the message authentication code of the message as the authentication information of the message.
8. The method according to claim 6 or 7, characterized in that
searching the pre-configured authentication rule set, according to the current time, for the authentication rule usable for message sending by the application protocol module comprises: determining, from a pre-configured application protocol module and authentication algorithm relation table, the authentication algorithm corresponding to the application protocol module; searching the authentication rule set for the authentication rule whose authentication algorithm is that authentication algorithm and whose send active time includes the current time; and taking that authentication rule as the one usable for message sending by the application protocol module;
searching the pre-configured authentication rule set, according to the current time and the received authentication information, for the authentication rule usable for message reception by the application protocol module comprises: determining, from the pre-configured application protocol module and authentication algorithm relation table, the authentication algorithm corresponding to the application protocol module; searching the authentication rule set for the authentication rule whose authentication rule identifier equals the authentication rule identifier in the received authentication information, whose authentication algorithm is that authentication algorithm and whose receive active time includes the current time; and taking that authentication rule as the one usable for message reception by the application protocol module.
9. A device for improving network communication security, characterized in that the device is applied to an application protocol module and comprises a processing unit and a sending unit;
the processing unit is configured to send the message information of a message to be sent to an authentication rule module when the application protocol module needs to send a message to a remote application protocol module; and, after the message information has been sent to the authentication rule module, to receive the authentication information that the authentication rule module generates from the message information and returns, and to carry the authentication information in the message to be sent;
the sending unit is configured to send the message to be sent carrying the authentication information to the remote application protocol module.
10. The device according to claim 9, characterized in that the device also comprises a receiving unit;
the receiving unit is configured to receive a message from the remote application protocol module;
the processing unit is configured, after the receiving unit has received a message from the remote application protocol module, to obtain the authentication information carried in the message and to send the obtained authentication information and the received message information to the authentication rule module for message authentication; and to receive the authentication result returned by the authentication rule module, process the received message if the authentication result is authentication success, and otherwise discard the received message.
11. The device according to claim 10, characterized in that
the authentication information comprises an authentication algorithm;
before carrying the authentication information in the message to be sent, the processing unit further determines the canonical algorithm identifier in the application protocol module that corresponds to the authentication algorithm in the authentication information, and replaces the authentication algorithm in the authentication information with that canonical algorithm identifier;
before sending the obtained authentication information and the received message information to the authentication rule module for message authentication, the processing unit further determines the authentication algorithm that corresponds to the canonical algorithm identifier in the authentication information, and replaces the canonical algorithm identifier in the authentication information with that authentication algorithm.
12. A device for improving network communication security, characterized in that the device is applied to an authentication rule module and comprises a configuration unit and a processing unit;
the configuration unit is configured to pre-configure an authentication rule set, the authentication rule set comprising multiple authentication rules;
the processing unit is configured to receive the message information of a message to be sent from an application protocol module, to search the authentication rule set pre-configured by the configuration unit, according to the current time, for the authentication rule usable for message sending by the application protocol module, to generate the authentication information of the message to be sent from that authentication rule and the message information, and to return the authentication information to the application protocol module.
13. The device according to claim 12, characterized in that
the processing unit is further configured to receive the authentication information and message information that the application protocol module sends for message authentication, to search the pre-configured authentication rule set, according to the current time and the received authentication information, for the authentication rule usable for message reception by the application protocol module, to generate the authentication information of the message from that authentication rule and the received message information, and to compare the generated authentication information with the received authentication information, returning an authentication result indicating authentication success if they are identical and otherwise an authentication result indicating authentication failure.
14. The device according to claim 13, characterized in that
the authentication rule comprises an authentication rule identifier, an authentication algorithm, an authentication key and an active time, the active time comprising a send active time and a receive active time;
the processing unit generates the authentication information of the message from the authentication rule and the message information by applying the authentication algorithm in the authentication rule, with the authentication key, to the message information to obtain the message authentication code of the message, and taking the authentication rule identifier and the message authentication code of the message as the authentication information of the message.
15. The device according to claim 13, characterized in that
the authentication rule comprises an authentication rule identifier, an authentication algorithm, an authentication key and an active time, the active time comprising a send active time and a receive active time;
the processing unit generates the authentication information of the message from the authentication rule and the message information by applying the authentication algorithm in the authentication rule, with the authentication key, to the message information to obtain the message authentication code of the message, and taking the authentication rule identifier, the authentication algorithm in the authentication rule and the message authentication code of the message as the authentication information of the message.
16. The device according to claim 14 or 15, characterized in that
the configuration unit is further configured to pre-configure an application protocol module and authentication algorithm relation table;
the processing unit searches the pre-configured authentication rule set, according to the current time, for the authentication rule usable for message sending by the application protocol module by: determining, from the application protocol module and authentication algorithm relation table pre-configured by the configuration unit, the authentication algorithm corresponding to the application protocol module; searching the authentication rule set for the authentication rule whose authentication algorithm is that authentication algorithm and whose send active time includes the current time; and taking that authentication rule as the one usable for message sending by the application protocol module;
the processing unit searches the pre-configured authentication rule set, according to the current time and the received authentication information, for the authentication rule usable for message reception by the application protocol module by: determining, from the application protocol module and authentication algorithm relation table pre-configured by the configuration unit, the authentication algorithm corresponding to the application protocol module; searching the authentication rule set for the authentication rule whose authentication rule identifier equals the authentication rule identifier in the received authentication information, whose authentication algorithm is that authentication algorithm and whose receive active time includes the current time; and taking that authentication rule as the one usable for message reception by the application protocol module.
CN201510642391.1A 2015-09-30 2015-09-30 Method and device for improving network communication safety Pending CN105592058A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510642391.1A CN105592058A (en) 2015-09-30 2015-09-30 Method and device for improving network communication safety

Publications (1)

Publication Number Publication Date
CN105592058A true CN105592058A (en) 2016-05-18

Family

ID=55931275

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510642391.1A Pending CN105592058A (en) 2015-09-30 2015-09-30 Method and device for improving network communication safety

Country Status (1)

Country Link
CN (1) CN105592058A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106330968A (en) * 2016-10-31 2017-01-11 杭州迪普科技有限公司 Access device identity authentication method and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101252584A (en) * 2008-04-09 2008-08-27 华为技术有限公司 Authentication method, system and equipment for bidirectional forwarding detection protocol conversation
CN101697529A (en) * 2009-10-28 2010-04-21 北京星网锐捷网络技术有限公司 Method, device and system for treating authentication message
CN101815296A (en) * 2009-02-23 2010-08-25 华为技术有限公司 Method, device and system for performing access authentication
CN101938428A (en) * 2010-09-28 2011-01-05 杭州华三通信技术有限公司 Message transmission method and equipment
CN102480429A (en) * 2010-11-26 2012-05-30 华为数字技术有限公司 Message processing method, apparatus thereof and system thereof
US20130305048A1 (en) * 2011-01-12 2013-11-14 Alcatel-Lucent Methods and apparatuses for distributing keys for ptp protocol
CN103647777A (en) * 2013-12-13 2014-03-19 华为技术有限公司 Safety certificate method and bidirectional forwarding detection BFD equipment
CN103888418A (en) * 2012-12-21 2014-06-25 中国电信股份有限公司 Strategy authentication method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant before: Huasan Communication Technology Co., Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20160518