CN111431858B - Centralized safe transmission and authentication method for routing message - Google Patents


Info

Publication number: CN111431858B
Authority: CN (China)
Prior art keywords: authentication, routing, neighbor, routing equipment, message
Legal status: Active
Application number: CN202010123451.XA
Other languages: Chinese (zh)
Other versions: CN111431858A (en)
Inventors: 张潇, 吴响
Current assignee: Xuzhou Medical University
Original assignee: Xuzhou Medical University
Events: application filed by Xuzhou Medical University; priority to CN202010123451.XA; publication of CN111431858A; application granted; publication of CN111431858B; legal status active

Classifications

    • H04L63/0428: network architectures or network communication protocols for network security, for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L45/54: routing or path finding of packets in data switching networks; organization of routing tables
    • H04L45/74: routing or path finding of packets in data switching networks; address processing for routing
    • H04L63/0442: as H04L63/0428, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/08: network architectures or network communication protocols for network security, for authentication of entities

Abstract

The invention discloses a centralized secure transmission and authentication method for routing messages, comprising the following steps: first, a newly added routing device establishes a neighbor relation with each device participating in routing through a neighbor table; second, the newly added routing device performs device authentication through a centralized authentication center; third, before a message is sent, the centralized authentication center performs authentication confirmation on the neighbor routing device; fourth, after the neighbor routing device has completed authentication confirmation, the message is encrypted with an asymmetric encryption technique and sent to the neighbor routing device; and finally, after receiving the encrypted message, the neighbor routing device decrypts it with the asymmetric encryption technique to obtain the original message for the specific routing protocol to use. The method adds an authentication mechanism for newly added routing devices, improving the security of each routing device in the domain, and performs authentication confirmation on the neighbor routing device before message transmission, thereby reducing the leakage risk of message transmission between routing devices and greatly improving the security of message transmission between routing devices.

Description

Centralized safe transmission and authentication method for routing message
Technical Field
The invention relates to the technical field of network communication, in particular to a centralized safe transmission and authentication method for routing messages.
Background
At present, routing protocols in common use on the Internet include RIP, OSPF, EIGRP, IS-IS, IGRP, BGP and the like. The security of each protocol depends mainly on that protocol's own authentication method, and the authentication mechanisms of the different protocols are incompatible with one another. However, in new applications such as software-defined networking, different routing protocols often need to be placed under uniform security management, and a universal method that can secure the communication of all routing protocols is still lacking.
The invention is mainly intended to solve this problem. The overall idea is to establish a brand-new authentication mechanism outside the routing process of the various routing protocols, and to carry out the protocol-specific routing communication only after that authentication succeeds. The method wraps a shell around the traditional routing protocol rather than modifying it, thereby ensuring compatibility with the various traditional routing protocols.
Disclosure of Invention
The invention provides a centralized secure transmission and authentication method for routing messages, which effectively improves the security of message transmission between routers and reduces the risk of data leakage.
The invention is realized by the following technical solution. A centralized secure transmission and authentication method for routing messages is characterized in that the method comprises four processes, namely establishing the neighbor table of the routing device, centralized authentication of the routing device, authentication confirmation of the neighbor routing device, and encrypted transmission of the message, and specifically comprises the following steps:
first, the newly added routing device establishes a neighbor relation with each device participating in routing through a neighbor table;
second, the newly added routing device performs device authentication through a centralized authentication center;
third, before the message is sent, the centralized authentication center performs authentication confirmation on the neighbor routing device;
fourth, after the neighbor routing device has completed authentication confirmation, the message is encrypted with an encryption technique and sent to the neighbor routing device;
and finally, after receiving the encrypted message, the neighbor routing device decrypts it with the encryption technique to obtain the original message for the specific routing protocol to use.
Preferably, each device participating in routing establishes a neighbor table, and each interface passes through 5 states while establishing a neighbor relationship, namely the Down state, the Init state, the Decide state, the Success state and the Fail state; the specific design of each state is as follows:
(1) Down state: the method is not started on the port, which is in the Down state by default;
(2) Init state: the port has started the method and sends Discover exploration protocol packets, but has not yet obtained a Coop packet from the peer; if a Discover packet is received from the peer, a Coop packet is sent in reply;
(3) Decide state: a Coop packet sent by the peer has been received and it is being judged whether authentication succeeds;
(4) Success state: once the authentication identifier in the Coop packet has been judged consistent with the one set locally, the Success state is entered; in the Success state the check is repeated once for every 5 Coop packets received;
(5) Fail state: the authentication identifier in the Coop packet does not match the one set locally, so the Fail state is entered; after 3 consecutive Coop packets with a mismatching authentication identifier while in the Fail state, the Init state is entered.
Preferably, the sending periods of the various packets are as follows: the Discover packet is sent once every 5 seconds by default; the Coop packet is sent once every 10 seconds by default, once every 5 seconds when the routing device is in the Decide state, and once every 30 seconds when the routing device is in the Success state.
Preferably, the format of the Discover packet is: source address, destination address, time to live.
Preferably, the format of the Coop packet is: routing device name, source address, destination address, time to live, sending time and authentication identifier.
Preferably, the authentication flow for the Coop packet is as follows: after receiving a Coop packet, the routing device judges whether the authentication identifier in the packet is consistent with the authentication identifier set locally; if it is inconsistent, the Fail state is entered, and if authentication fails 3 times consecutively, the Init state is entered; if it is consistent, the routing device name and source address are recorded in the neighbor table.
Preferably, the newly added routing device performs device authentication through the centralized authentication center; if authentication succeeds, the newly added routing device is entered in the authentication table, and if authentication fails, the newly added routing device is required to authenticate again. The centralized authentication process of the routing device is as follows:
(1) within the same domain, when a routing device is added, a public/private key pair is assigned to it, together with a unique device-id;
(2) the newly added router sends a data packet to the centralized authentication center whose fields comprise the device-id, the public key and its own IP;
(3) after receiving the data packet sent by the newly added router, the centralized authentication center records the device-id, public key and IP of the routing device;
(4) the centralized authentication center returns its own public key to the newly added routing device;
(5) after receiving that public key, the newly added routing device encrypts the authentication key with it and returns the encrypted authentication key to the centralized authentication center;
(6) after receiving the encrypted authentication key, the centralized authentication center decrypts it with its own private key and compares the decrypted authentication key with the original authentication key;
(7) if the comparison is consistent, the device-id, public key and IP are recorded in the authentication table and authentication success information is returned to the newly added routing device; if the comparison is inconsistent, authentication failure information is sent to the newly added routing device for re-authentication.
Preferably, before the message is sent, the centralized authentication center authenticates and confirms the neighbor routing device: if the neighbor routing device has not been authenticated at the centralized authentication center, sending the message to it is stopped outright; if the neighbor routing device has been authenticated at the centralized authentication center but is not recorded in the local public key storage table, a secondary authentication is performed at the centralized authentication center; and if the local public key storage table already holds a record, the message is prepared for encrypted transmission. The authentication confirmation process for the neighbor router is as follows:
(1) after the routing engine generates a message, the IP of the neighbor routing device is obtained from the neighbor table;
(2) the routing device sends an authentication confirmation request for the neighbor routing device, carrying that IP as the target IP, to the centralized authentication center;
(3) after receiving the authentication confirmation request, the centralized authentication center inquires whether the IP of the neighbor routing equipment exists in an authentication table;
(4) if the neighbor routing equipment IP does not exist, returning authentication confirmation failure information to the routing equipment;
(5) if the neighbor route IP exists, returning the device-id corresponding to the neighbor route equipment IP to the route;
(6) after receiving the neighbor route device-id, the route inquires the device-id in a local public key storage table, if the device-id exists in the table, message encryption transmission is prepared, the process is finished, and if the device-id does not exist in the table, a secondary authentication confirmation request is sent to a centralized authentication center;
(7) after receiving the secondary authentication confirmation request, the centralized authentication center sends the public key of the centralized authentication center to the neighbor routing equipment for carrying out the authentication confirmation request;
(8) after receiving the authentication confirmation request, the neighbor routing equipment encrypts the authentication key by using the received public key and returns the encrypted authentication key to the centralized authentication center;
(9) after receiving the encrypted authentication key, the centralized authentication center decrypts the encrypted authentication key by using a private key of the centralized authentication center, and compares the decrypted authentication key with the original authentication key;
(10) if the comparison is inconsistent, returning authentication confirmation failure information and the neighbor routing equipment device-id to the route, and sending a re-authentication request to the neighbor route;
(11) after receiving the authentication confirmation failure information, the routing equipment stops sending the message to the neighbor routing equipment;
(12) if the comparison is consistent, the centralized authentication center returns the authentication and confirmation success information, the neighboring routing equipment device-id and the public key to the routing equipment;
(13) and after receiving the authentication and confirmation success information, the routing equipment records the neighbor routing equipment device-id and the public key into a local public key storage table and prepares for message encryption transmission.
Preferably, after the neighbor routing device has completed authentication confirmation, the message is encrypted with an asymmetric encryption technique and sent to the neighbor routing device, and after the neighbor routing device receives the encrypted message it decrypts the message with the asymmetric encryption technique to obtain the original message for the service that needs it; the message encryption transmission flow is as follows:
(1) after the routing equipment generates a message and the neighbor routing equipment authenticates and confirms, obtaining the device-id of the neighbor routing equipment;
(2) inquiring in a public key storage table by using the neighbor routing equipment device-id to obtain a public key corresponding to the neighbor routing equipment;
(3) encrypting the original message by using a public key of the neighbor routing equipment, and sending the original message to the neighbor routing equipment;
(4) and after receiving the encrypted message, the neighbor routing equipment decrypts the encrypted message by using the private key to obtain an original message and processes the original message by using the routing engine.
Compared with the prior art, the invention has the following beneficial effects:
(1) on the basis of a routing protocol, a mechanism of newly adding routing authentication is added, so that the safety of each routing device in the domain is improved;
(2) before message transmission, authentication confirmation needs to be carried out on neighbor routing equipment, and the leakage risk of message transmission between the routing equipment is reduced;
(3) the asymmetric encryption technique reduces the risk that messages between routing devices are captured and cracked in transit, greatly improving the security of message transmission between routing devices.
Drawings
The invention will be further explained with reference to the drawings.
FIG. 1 is a schematic view of the present invention;
FIG. 2 is a schematic diagram of a neighbor establishment process in the present invention;
FIG. 3 is a schematic diagram illustrating a centralized authentication process according to the present invention;
FIG. 4 is a schematic diagram of a neighbor routing authentication confirmation process in the present invention;
FIG. 5 is a schematic diagram of a message encryption transmission flow in the present invention;
FIG. 6 is a diagram illustrating a public key storage table format according to the present invention;
FIG. 7 is a diagram illustrating an authentication table format according to the present invention;
FIG. 8 is a diagram illustrating a neighbor table format according to the present invention;
FIG. 9 is a diagram illustrating a Discover packet format according to the present invention;
FIG. 10 is a diagram illustrating the format of the Coop packet according to the present invention.
Detailed Description
As shown in fig. 1, a centralized secure transmission and authentication method for routing messages includes four processes, namely establishment of the neighbor table of a routing device, centralized authentication of the routing device, authentication confirmation of the neighbor routing device, and encrypted transmission of messages. First, a newly added routing device establishes a neighbor relation with each device participating in routing through a neighbor table; second, the newly added router performs device authentication through a centralized authentication center; third, before the message is sent, the centralized authentication center performs authentication confirmation on the neighbor routing device; fourth, after the neighbor routing device has completed authentication confirmation, the message is encrypted with an asymmetric encryption technique and sent to the neighbor routing device; and finally, after receiving the encrypted message, the neighbor routing device decrypts it with the asymmetric encryption technique to obtain the original message for the service that needs it.
As shown in fig. 2, each device participating in routing establishes a neighbor table, and each interface passes through 5 states while establishing a neighbor relationship, namely the Down state, the Init state, the Decide state, the Success state and the Fail state; the specific design of each state is as follows:
(1) Down state: the method designed by the invention is not started on the port, which is in the Down state by default;
(2) Init state: the port has started the method designed by the invention and sends Discover exploration protocol packets, but has not yet obtained a Coop packet from the peer; if a Discover packet is received from the peer, a Coop packet is sent in reply;
(3) Decide state: a Coop packet sent by the peer has been received and it is being judged whether authentication succeeds;
(4) Success state: once the authentication identifier in the Coop packet has been judged consistent with the one set locally, the Success state is entered; in the Success state the check is repeated once for every 5 Coop packets received;
(5) Fail state: the authentication identifier in the Coop packet does not match the one set locally, so the Fail state is entered; after 3 consecutive Coop packets with a mismatching authentication identifier while in the Fail state, the Init state is entered.
In the above states, the Discover packet is sent once every 5 seconds by default; the Coop packet is sent once every 10 seconds by default, once every 5 seconds when the routing device is in the Decide state, and once every 30 seconds when the routing device is in the Success state. As shown in fig. 9, the format of the Discover packet is: source address, destination address, time to live. As shown in fig. 10, the format of the Coop packet is: routing device name, source address, destination address, time to live, sending time and authentication identifier.
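The neighbor establishment state machine described above (the same five states are listed in the Disclosure section), written out as an added Go example; this is not the patent's code. The packet structs, the `Iface` type with its two counters, the Discover TTL of 64 and the "identifier-constructed" value are assumptions made for the example.

```go
package main

import "fmt"

// State of one interface while a neighbour relation is being established (FIG. 2).
type State int

const (
	Down    State = iota // the method is not started on the port
	Init                 // Discover sent, no Coop packet from the peer yet
	Decide               // a Coop packet arrived and authentication is being judged
	Success              // the authentication identifier matched the local one
	Fail                 // the authentication identifier did not match
)

func (s State) String() string { return [...]string{"Down", "Init", "Decide", "Success", "Fail"}[s] }

// Discover packet (FIG. 9): source address, destination address, time to live.
type Discover struct {
	Src, Dst string
	TTL      int
}

// Coop packet (FIG. 10): device name, source, destination, time to live, send time, authentication identifier.
type Coop struct {
	Name, Src, Dst, AuthID string
	TTL, SendTime          int
}

// Iface is one interface running the method; Neighbors is its neighbor table (FIG. 8), source address -> name.
type Iface struct {
	Name, Addr      string
	AuthID          string // authentication identifier configured on this device
	State           State
	fails, coopSeen int // consecutive mismatches; Coop packets since the last check in Success (example bookkeeping)
	Neighbors       map[string]string
}

func NewIface(name, addr, authID string) *Iface {
	return &Iface{Name: name, Addr: addr, AuthID: authID, Neighbors: map[string]string{}}
}

// Start turns the method on (Down -> Init) and emits the first Discover packet.
func (i *Iface) Start(peer string) Discover {
	i.State = Init
	return Discover{Src: i.Addr, Dst: peer, TTL: 64} // the TTL value is an assumption
}

// OnDiscover answers a peer's Discover with a Coop packet carrying this device's identifier.
func (i *Iface) OnDiscover(d Discover, now int) *Coop {
	if i.State == Down {
		return nil
	}
	return &Coop{Name: i.Name, Src: i.Addr, Dst: d.Src, TTL: d.TTL, SendTime: now, AuthID: i.AuthID}
}

// CoopInterval is the Coop send period in seconds: 10 by default, 5 in Decide, 30 in Success.
func (i *Iface) CoopInterval() int {
	if p, ok := map[State]int{Decide: 5, Success: 30}[i.State]; ok {
		return p
	}
	return 10
}

// OnCoop applies the authentication flow to a received Coop packet and returns the new state.
func (i *Iface) OnCoop(c Coop) State {
	switch i.State {
	case Down:
		return Down
	case Success: // an established neighbour is re-checked only on every 5th Coop packet
		i.coopSeen++
		if i.coopSeen < 5 {
			return Success
		}
		i.coopSeen = 0
	}
	i.State = Decide
	if c.AuthID == i.AuthID { // consistent: record name and source address in the neighbor table
		i.Neighbors[c.Src] = c.Name
		i.State, i.fails = Success, 0
		return Success
	}
	i.fails++ // inconsistent: Fail, and back to Init after 3 consecutive failures
	if i.fails >= 3 {
		i.State, i.fails = Init, 0
	} else {
		i.State = Fail
	}
	return i.State
}

func main() {
	r1, r2 := NewIface("R1", "10.0.0.1", "identifier-constructed"), NewIface("R2", "10.0.0.2", "identifier-constructed")
	d := r1.Start(r2.Addr)
	r2.Start(r1.Addr)
	fmt.Println("R1 after R2's Coop:", r1.OnCoop(*r2.OnDiscover(d, 1)), r1.Neighbors)
	fmt.Println("R2 after a mismatching Coop:", r2.OnCoop(Coop{Name: "X", Src: "10.0.0.9", AuthID: "wrong"}))
}
```

Because the authentication identifier travels inside the Coop packet itself, this exchange proves shared configuration rather than device identity; the page relies on the centralized authentication of fig. 3 for the latter.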
As shown in fig. 3, the newly added routing device performs device authentication through the centralized authentication center; if authentication succeeds, the newly added routing device is entered in the authentication table, and if authentication fails, the newly added routing device is required to authenticate again. The centralized authentication process of the routing device is as follows:
(1) within the same domain, a public/private key pair is assigned to the router when it is added, together with a unique device-id (in practical application it is recommended that the device-id use dotted-decimal notation, such as 10.10.10.1);
(2) the newly added router sends a data packet to the centralized authentication center whose fields comprise the device-id, the public key and its own IP (in practical application a JSON packet format is recommended, such as {"device-id": "10.10.10.1", "key": "xxx", "IP": "10.10.1"});
(3) after receiving the data packet sent by the newly added router, the centralized authentication center records the router's device-id, public key and IP;
(4) the centralized authentication center returns its own public key to the newly added routing device;
(5) after receiving that public key, the newly added routing device encrypts the authentication key with it and returns the encrypted authentication key to the centralized authentication center;
(6) after receiving the encrypted authentication key, the centralized authentication center decrypts it with its own private key and compares the decrypted authentication key with the original authentication key;
(7) if the comparison is consistent, the device-id, public key and IP are recorded in the authentication table and authentication success information is returned to the newly added router; if the comparison is inconsistent, authentication failure information is sent to the newly added routing device for re-authentication.
As shown in fig. 4-8, before a message is sent, the centralized authentication center authenticates and confirms the neighbor routing device: if the neighbor routing device has not been authenticated at the centralized authentication center, sending the message to it is stopped outright; if the neighbor routing device has been authenticated at the centralized authentication center but is not recorded in the local public key storage table, a secondary authentication is performed at the centralized authentication center; and if the local public key storage table already holds a record, the message is prepared for encrypted transmission. The authentication confirmation process for the neighbor router is as follows:
(1) after the routing engine generates a message, the IP of the neighbor routing device is obtained from the neighbor table;
(2) the routing device sends an authentication confirmation request for the neighbor routing device, carrying that IP as the target IP, to the centralized authentication center;
(3) after receiving the authentication confirmation request, the centralized authentication center inquires whether the IP of the neighbor routing equipment exists in an authentication table;
(4) if the neighbor routing equipment IP does not exist, returning authentication confirmation failure information to the routing equipment;
(5) if the neighbor route IP exists, returning the device-id corresponding to the neighbor route equipment IP to the route;
(6) after receiving the neighbor route device-id, the route inquires the device-id in a local public key storage table, if the device-id exists in the table, message encryption transmission is prepared, the process is finished, and if the device-id does not exist in the table, a secondary authentication confirmation request is sent to a centralized authentication center;
(7) after receiving the secondary authentication confirmation request, the centralized authentication center sends the public key of the centralized authentication center to the neighbor routing equipment for carrying out the authentication confirmation request;
(8) after receiving the authentication confirmation request, the neighbor routing equipment encrypts the authentication key by using the received public key and returns the encrypted authentication key to the centralized authentication center;
(9) after receiving the encrypted authentication key, the centralized authentication center decrypts the encrypted authentication key by using a private key of the centralized authentication center, and compares the decrypted authentication key with the original authentication key;
(10) if the comparison is inconsistent, returning authentication confirmation failure information and the neighbor routing equipment device-id to the route, and sending a re-authentication request to the neighbor route;
(11) after receiving the authentication confirmation failure information, the routing equipment stops sending the message to the neighbor routing equipment;
(12) if the comparison is consistent, the centralized authentication center returns the authentication and confirmation success information, the neighboring routing equipment device-id and the public key to the routing equipment;
(13) and after receiving the authentication and confirmation success information, the routing equipment records the neighbor routing equipment device-id and the public key into a local public key storage table and prepares for message encryption transmission.
As shown in fig. 5, after the neighbor routing device has completed authentication confirmation, the message is encrypted with the asymmetric encryption technique and sent to the neighbor routing device, and after receiving the encrypted message the neighbor routing device decrypts it with the asymmetric encryption technique to obtain the original message for the service that needs it; the message encryption transmission flow is as follows:
(1) after a route generates a message and neighbor route authentication is confirmed, acquiring neighbor route device-id;
(2) inquiring in a public key storage table by using the neighbor route device-id to obtain a public key corresponding to the neighbor route;
(3) encrypting the original message by using a public key of the neighbor route, and sending the original message to the neighbor route;
(4) and after receiving the encrypted message, the neighbor router decrypts the encrypted message by using the private key to obtain an original message and processes the original message by using the routing engine.
According to the technical scheme, an authentication mechanism for newly added routers is added on top of the routing protocol, which improves the security of each routing device in the domain; neighbor routers must be authenticated and confirmed before message transmission, which reduces the leakage risk of message transmission between routers; and the asymmetric encryption technique reduces the risk that messages between routers are captured and cracked in transit, greatly improving the security of message transmission between routers.

Claims (8)

1. A centralized safe transmission and authentication method facing to routing message is characterized in that: the method comprises four processes of establishing a neighbor table of the routing equipment, performing centralized authentication on the routing equipment, confirming authentication of the neighbor routing equipment and encrypting and transmitting a message, and specifically comprises the following steps:
firstly, the newly added routing equipment establishes a neighbor relation with each equipment participating in routing through a neighbor table;
secondly, the newly added routing equipment carries out equipment authentication through a centralized authentication center;
thirdly, before the message is sent, the centralized authentication center carries out authentication confirmation on the neighbor routing equipment;
fourth, after the neighbor routing device has completed authentication confirmation, the message is encrypted with an encryption technique and sent to the neighbor routing device;
finally, after receiving the encrypted message, the neighbor routing equipment decrypts the message by using an encryption technology to obtain an original message for a specific routing protocol to use;
before the message is sent, the centralized authentication center authenticates and confirms the neighbor routing device: if the neighbor routing device has not been authenticated at the centralized authentication center, sending the message to it is stopped outright; if the neighbor routing device has been authenticated at the centralized authentication center but is not recorded in the local public key storage table, a secondary authentication is performed at the centralized authentication center; and if the local public key storage table already holds a record, the message is prepared for encrypted transmission; the authentication confirmation process for the neighbor router is as follows:
(1) after the routing engine generates a message, the IP of the neighbor routing device is obtained from the neighbor table;
(2) the routing device sends an authentication confirmation request for the neighbor routing device, carrying that IP as the target IP, to the centralized authentication center;
(3) after receiving the authentication confirmation request, the centralized authentication center inquires whether the IP of the neighbor routing equipment exists in an authentication table;
(4) if the neighbor routing equipment IP does not exist, returning authentication confirmation failure information to the routing equipment;
(5) if the neighbor route IP exists, returning the device-id corresponding to the neighbor route equipment IP to the route;
(6) after receiving the neighbor route device-id, the route inquires the device-id in a local public key storage table, if the device-id exists in the table, message encryption transmission is prepared, the process is finished, and if the device-id does not exist in the table, a secondary authentication confirmation request is sent to a centralized authentication center;
(7) after receiving the secondary authentication confirmation request, the centralized authentication center sends the public key of the centralized authentication center to the neighbor routing equipment for carrying out the authentication confirmation request;
(8) after receiving the authentication confirmation request, the neighbor routing equipment encrypts the authentication key by using the received public key and returns the encrypted authentication key to the centralized authentication center;
(9) after receiving the encrypted authentication key, the centralized authentication center decrypts the encrypted authentication key by using a private key of the centralized authentication center, and compares the decrypted authentication key with the original authentication key;
(10) if the comparison is inconsistent, returning authentication confirmation failure information and the device-id of the neighbor routing equipment to the router, and sending a re-authentication request to the neighbor router;
(11) after receiving the authentication confirmation failure information, the routing equipment stops sending the message to the neighbor routing equipment;
(12) if the comparison is consistent, the centralized authentication center returns the authentication and confirmation success information, the neighboring routing equipment device-id and the public key to the routing equipment;
(13) and after receiving the authentication and confirmation success information, the routing equipment records the neighbor routing equipment device-id and the public key into a local public key storage table and prepares for message encryption transmission.
2. The centralized secure transmission and authentication method for routing messages according to claim 1, characterized in that: each device participating in routing establishes a neighbor table, and each interface in an established neighbor relation passes through 5 states, namely the Down state, the Init state, the Decide state, the Success state and the Fail state; each state is designed as follows:
(1) Down state: the port has not started the method; a port is in the Down state by default;
(2) Init state: the port has started the method and sends Discover exploration packets but has not yet received a Coop packet from the peer; if a Discover packet from the peer is received, a Coop packet is sent in reply;
(3) Decide state: a Coop packet sent by the peer has been received, and whether authentication succeeds is being judged;
(4) Success state: entered after the authentication in the Coop packet is judged to be consistent with the authentication set locally; in the Success state a check is performed once for every 5 Coop packets received;
(5) Fail state: entered when the authentication in the Coop packet does not match the authentication set locally; in the Fail state, after 3 Coop packets fail authentication the Init state is entered.
3. The centralized secure transmission and authentication method for routing messages according to claim 2, characterized in that: the send periods of the packets are as follows: the Discover packet is sent every 5 seconds by default; the Coop packet is sent every 10 seconds by default, every 5 seconds when the routing device is in the Decide state, and every 30 seconds when the routing device is in the Success state.
4. The centralized secure transmission and authentication method for routing messages according to claim 2, characterized in that: the Discover packet format is: source address, destination address, time to live.
5. The centralized secure transmission and authentication method for routing messages according to claim 2, characterized in that: the Coop packet format is: routing device name, source address, destination address, time to live, sending time and authentication identifier.
6. The centralized secure transmission and authentication method for routing messages according to claim 5, characterized in that: the authentication process for the Coop packet is as follows: after receiving the Coop packet, the routing device judges whether the authentication identifier in the packet is consistent with the authentication identifier set locally; if they are not consistent, the Fail state is entered, and if authentication fails 3 times in succession, the Init state is entered; if they are consistent, the routing device name and source address are recorded in the neighbor table.
7. The centralized secure transmission and authentication method for routing messages according to claim 1, characterized in that: the newly added routing device performs device authentication through the centralized authentication center; if authentication succeeds, the newly added routing device is entered in the authentication table, and if authentication fails, the newly added routing device must authenticate again; the centralized authentication process of the routing device is as follows:
(1) within the same domain, when a routing device is added, a public/private key pair and a unique device-id are allocated to it;
(2) the newly added route sends a data packet to the centralized authentication center whose fields comprise the device-id, the public key and its own IP;
(3) after receiving the data packet sent by the newly added route, the centralized authentication center records the device-id, public key and IP of the routing device;
(4) the centralized authentication center returns its public key to the newly added routing device;
(5) after receiving the public key, the newly added routing device encrypts the authentication key with it and returns the encrypted authentication key to the centralized authentication center;
(6) after receiving the encrypted authentication key, the centralized authentication center decrypts it with its own private key and compares the decrypted authentication key with the original authentication key;
(7) if the comparison matches, the device-id, public key and IP are recorded in the authentication table and authentication success information is returned to the newly added routing device; if the comparison does not match, authentication failure information is sent to the newly added routing device for re-authentication.
8. The centralized secure transmission and authentication method for routing messages according to claim 1, characterized in that: after the neighbor routing device has passed authentication confirmation, the message is encrypted with an asymmetric encryption technology and sent to the neighbor routing device, and after the neighbor routing device receives the encrypted message it decrypts it with the asymmetric encryption technology to obtain the original message for the service that needs it; the message encryption and transmission flow is as follows:
(1) after the routing device generates a message and the neighbor routing device has passed authentication confirmation, the device-id of the neighbor routing device is obtained;
(2) the public key storage table is queried with the neighbor routing device's device-id to obtain the public key of the neighbor routing device;
(3) the original message is encrypted with the public key of the neighbor routing device and sent to the neighbor routing device;
(4) after receiving the encrypted message, the neighbor routing device decrypts it with its private key to obtain the original message, which is processed by the routing engine.
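As an added example (not the patent's code), the registration exchange of claim 7, the confirmation steps (1) to (13) of claim 1 and the encrypted send and receive of claim 8 modelled in one Go program, with the authentication-key exchange that claim 7 steps (4) to (6) and claim 1 steps (7) to (9) share factored into a single routine. The claims name no particular asymmetric algorithm, so RSA-OAEP from Go's standard library is an assumption; so is a single domain-wide authentication key held by the center and every legitimate device, and a map from IP to device standing in for the network. Device names, addresses and the sample message are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// AuthCenter is the centralized authentication center of claims 1 and 7.
type AuthCenter struct {
	key     *rsa.PrivateKey           // center key pair; only the public half leaves the center
	authKey []byte                    // the "original authentication key" it compares against
	ids     map[string]string         // authentication table: device IP -> device-id
	pubs    map[string]*rsa.PublicKey // authentication table: device-id -> public key
}

// Router is one routing device in the domain.
type Router struct {
	deviceID, ip string
	key          *rsa.PrivateKey           // key pair issued with the device-id (claim 7 step 1)
	authKey      []byte                    // authentication key the device was provisioned with
	neighbors    map[string]bool           // neighbor table of IPs (claim 1, first process)
	pubTable     map[string]*rsa.PublicKey // local public key storage table, keyed by device-id
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}
func NewAuthCenter(authKey []byte) *AuthCenter {
	return &AuthCenter{key: mustKey(), authKey: authKey, ids: map[string]string{}, pubs: map[string]*rsa.PublicKey{}}
}
func NewRouter(deviceID, ip string, authKey []byte) *Router {
	return &Router{deviceID: deviceID, ip: ip, key: mustKey(), authKey: authKey,
		neighbors: map[string]bool{}, pubTable: map[string]*rsa.PublicKey{}}
}

// RSA-OAEP stands in for the claims' unspecified "asymmetric encryption technology".
func encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}
func decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

// challenge is the exchange shared by claim 7 steps (4)-(6) and claim 1 steps (7)-(9): the device
// returns the authentication key encrypted under the center's public key; the center decrypts and compares.
func (c *AuthCenter) challenge(dev *Router) bool {
	ct, encErr := encrypt(&c.key.PublicKey, dev.authKey) // device side, step (5) / (8)
	pt, decErr := decrypt(c.key, ct)                     // center side, step (6) / (9)
	return encErr == nil && decErr == nil && subtle.ConstantTimeCompare(pt, c.authKey) == 1
}

// Register is claim 7: the new device presents device-id, public key and IP and enters the table only if the challenge passes.
func (c *AuthCenter) Register(dev *Router) error {
	if !c.challenge(dev) {
		return fmt.Errorf("authentication of %s failed: re-authenticate", dev.deviceID)
	}
	c.ids[dev.ip], c.pubs[dev.deviceID] = dev.deviceID, &dev.key.PublicKey
	return nil
}

// SecondaryConfirm is claim 1 steps (7)-(12): the center challenges the neighbor itself
// before releasing its device-id and public key to the requesting router.
func (c *AuthCenter) SecondaryConfirm(network map[string]*Router, ip string) (string, *rsa.PublicKey, error) {
	id, ok := c.ids[ip]
	if dev := network[ip]; !ok || dev == nil || !c.challenge(dev) {
		return "", nil, fmt.Errorf("authentication confirmation of %s failed", ip)
	}
	return id, c.pubs[id], nil
}

// SendTo is the sending side of claim 1 steps (1)-(13) and claim 8 steps (1)-(3): ciphertext, or an error when sending must stop.
func (r *Router) SendTo(center *AuthCenter, network map[string]*Router, neighborIP string, msg []byte) ([]byte, error) {
	if !r.neighbors[neighborIP] { // step (1): the target comes from the neighbor table
		return nil, fmt.Errorf("%s is not in the neighbor table", neighborIP)
	}
	deviceID, ok := center.ids[neighborIP] // steps (2)-(5): ask the center for the device-id
	if !ok { // steps (4) and (11): never send to an unauthenticated neighbor
		return nil, fmt.Errorf("neighbor %s is not authenticated, send stopped", neighborIP)
	}
	pub, cached := r.pubTable[deviceID] // step (6): local public key storage table
	if !cached {
		var err error
		if _, pub, err = center.SecondaryConfirm(network, neighborIP); err != nil {
			return nil, err // step (11)
		}
		r.pubTable[deviceID] = pub // step (13)
	}
	return encrypt(pub, msg) // claim 8 step (3): encrypt under the neighbor's public key
}

// Receive is claim 8 step (4): the neighbor decrypts with its own private key.
func (r *Router) Receive(ct []byte) ([]byte, error) { return decrypt(r.key, ct) }
```

Two properties of the claimed exchange become visible once it is written out. The center must hold the authentication key in the clear to compare it (claim 7 step 6, claim 1 step 9), so the exchange is a shared secret sent under the center's public key, and nothing in the claims ties a reply to a particular request; a deployment would want a fresh nonce in the center's request echoed inside the encrypted reply so that a captured reply cannot be replayed. And claim 8 encrypts the whole routing message with the neighbor's public key, which with RSA-OAEP and SHA-256 over a 2048-bit key limits one message to 190 bytes; longer routing updates would need a hybrid scheme in which only a per-message symmetric key is wrapped with the public key.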
CN202010123451.XA 2020-02-27 2020-02-27 Centralized safe transmission and authentication method for routing message Active CN111431858B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010123451.XA CN111431858B (en) 2020-02-27 2020-02-27 Centralized safe transmission and authentication method for routing message

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010123451.XA CN111431858B (en) 2020-02-27 2020-02-27 Centralized safe transmission and authentication method for routing message

Publications (2)

Publication Number Publication Date
CN111431858A CN111431858A (en) 2020-07-17
CN111431858B true CN111431858B (en) 2022-07-12

Family

ID=71547305

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010123451.XA Active CN111431858B (en) 2020-02-27 2020-02-27 Centralized safe transmission and authentication method for routing message

Country Status (1)

Country Link
CN (1) CN111431858B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101060479A (en) * 2007-05-28 2007-10-24 广州杰赛科技股份有限公司 Wireless self-organized network distribution authentication multi-layer tree route method
CN102594706A (en) * 2012-03-20 2012-07-18 南京邮电大学 Wireless broadband secure routing method for smart home control
CN104486082A (en) * 2014-12-15 2015-04-01 中电长城网际系统应用有限公司 Authentication method and router
CN105763517A (en) * 2014-12-17 2016-07-13 联芯科技有限公司 Router security access and control method and system
CN107249003A (en) * 2017-07-20 2017-10-13 电子科技大学 The access authentication method of Batman adv agreements

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8161283B2 (en) * 2007-02-28 2012-04-17 Motorola Solutions, Inc. Method and device for establishing a secure route in a wireless network

Also Published As

Publication number Publication date
CN111431858A (en) 2020-07-17

Similar Documents

Publication Publication Date Title
US7813509B2 (en) Key distribution method
US8205074B2 (en) Data communication method and data communication system
JP5143125B2 (en) Authentication method, system and apparatus for inter-domain information communication
US20070198837A1 (en) Establishment of a secure communication
EP1374533B1 (en) Facilitating legal interception of ip connections
US20060248337A1 (en) Establishment of a secure communication
JP4962117B2 (en) Encryption communication processing method and encryption communication processing apparatus
JP6345816B2 (en) Network communication system and method
CA2419853A1 (en) Location-independent packet routing and secure access in a short-range wireless networking environment
JP2002082907A (en) Security function substitution method in data communication and its system, and recording medium
JP6067651B2 (en) Method and apparatus for incorporating dual-stack operation authorization
WO2009082889A1 (en) A method for internet key exchange negotiation and device, system thereof
WO2011041962A1 (en) Method and system for end-to-end session key negotiation which support lawful interception
US20080267395A1 (en) Apparatus and method for encrypted communication processing
WO2009082950A1 (en) Key distribution method, device and system
CN111614596B (en) Remote equipment control method and system based on IPv6 tunnel technology
CN115567205A (en) Method and system for realizing encryption and decryption of network session data stream by quantum key distribution
CN112887278B (en) Interconnection system and method of private cloud and public cloud
EP3340530B1 (en) Transport layer security (tls) based method to generate and use a unique persistent node identity, and corresponding client and server
GB2411086A (en) Secure communication between terminals over a local channel using encryption keys exchanged over a different network
CN111431858B (en) Centralized safe transmission and authentication method for routing message
JP2009260847A (en) Vpn connection method, and communication device
JP3911697B2 (en) Network connection device, network connection method, network connection program, and storage medium storing the program
CN109756487B (en) Authentication method, device, equipment and storage medium
CN117395059A (en) NAT penetration method based on TLS protocol of negotiation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant