CN111431889A - Communication protection method for lightweight control channel in OpenFlow network - Google Patents


Info

Publication number: CN111431889A (granted version: CN111431889B)
Authority: CN (China)
Application number: CN202010197174.7A
Other languages: Chinese (zh)
Inventor: 李子钦
Original and current assignee: Individual
Legal status: Granted, active
Prior art keywords: message, openflow, encrypted, restored, security

Classifications (CPC, section H04L: electric communication technique, transmission of digital information)

    • H04L63/0442 Network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0428 Network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L45/64 Routing or path finding of packets in data switching networks using an overlay routing layer
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L2212/00 Encapsulation of packets

Abstract

The invention provides a communication protection method for a lightweight control channel in an OpenFlow network, and relates to the field of communication. The method is applied to communication between OpenFlow devices and comprises the following steps: (1) presetting a unique seed value for the OpenFlow device; (2) hashing the seed value to generate a device private key, and deriving a device public key from the device private key with an asymmetric cryptographic algorithm; (3) hashing the device public key to generate a device identity; (4) encapsulating the content sent by the OpenFlow device through the device identity so as to encrypt it; (5) restoring the content of the OpenFlow device through the device identity so as to decrypt it. The invention addresses the low communication security and high energy consumption of OpenFlow networks.

Description

Communication protection method for lightweight control channel in OpenFlow network
Technical Field
The invention relates to the field of communication, in particular to a communication protection method for a lightweight control channel in an OpenFlow network.
Background
In conventional networks, the control plane, which integrates multiple network functions, and the data plane, which forwards data packets, are tightly coupled and usually embedded in proprietary devices; this severely limits the flexibility of network management and the potential for network service innovation. Software-Defined Networking (SDN) is a promising architecture that decouples the control plane from the data plane to make the network programmable. SDN lets network operators manage, configure and optimize network resources flexibly and quickly using dynamic, automated, device-independent applications.
In SDN, many communication protocols have been proposed, such as OpenFlow, NETCONF and OVSDB; OpenFlow, as the de facto standard protocol, has been applied successfully in many commercial deployments, such as Google B4. In OpenFlow, a logically centralized control plane (the controller) establishes connections with multiple OpenFlow switches and exchanges control messages with them to manage the network.
For example, SDN controllers in modern data centers typically have to respond to millions of flow requests per second from hundreds of switches; adding security operations such as encryption and decryption consumes a large share of the controllers' computing resources and so reduces the throughput at which they can process flow requests.
Disclosure of Invention
The invention aims to provide a communication protection method for a lightweight control channel in an OpenFlow network, which solves the problems of low security, high performance overhead and limited applicability of the conventional control channel.
The embodiment of the invention is realized by the following steps:
A communication protection method for a lightweight control channel in an OpenFlow network is applied to communication between OpenFlow devices and comprises the following steps: (1) presetting a unique seed value for the OpenFlow device; (2) hashing the seed value to generate a device private key, and deriving a device public key from the device private key with an asymmetric cryptographic algorithm; (3) hashing the device public key to generate a device identity; (4) encapsulating the content sent by the OpenFlow device through the device identity so as to encrypt it; (5) restoring the content of the OpenFlow device through the device identity so as to decrypt it.
In some embodiments of the invention, the OpenFlow device comprises an OpenFlow controller and an OpenFlow switch; the OpenFlow controller receives an administrator request and converts it into a control message; step (4) comprises encapsulating the control message into a secure message through the device identity of the OpenFlow controller and sending the secure message to the OpenFlow switch.
In some embodiments of the invention, step (5) comprises intercepting the secure message, restoring it through the device identity of the OpenFlow controller, and determining whether it can be restored to the control message; when it can, the secure message is sent on to the OpenFlow switch, and when it cannot, the secure message is discarded.
In some embodiments of the invention, the method further comprises step (6): after the OpenFlow switch executes the secure message, it sends a secure response message to the OpenFlow controller.
In some embodiments of the invention, the secure response message is encapsulated through the device identity of the OpenFlow switch; step (6) further comprises restoring the secure response message through the device identity of the OpenFlow switch, determining whether it can be restored to the secure message, sending the secure response message to the OpenFlow controller when it can, and discarding it when it cannot.
In some embodiments of the invention, step (3) further comprises generating a shared key from the device public keys and device private keys of the OpenFlow controller and the OpenFlow switch using a key agreement algorithm; step (4) further comprises intercepting the secure message, encapsulating it into an encrypted message through the shared key of the OpenFlow controller, and sending the encrypted message to the OpenFlow switch.
In some embodiments of the invention, step (5) comprises intercepting the encrypted message, restoring it through the device identity of the OpenFlow controller and the shared key, and determining whether it can be restored to the control message; the encrypted message is sent to the OpenFlow switch when it can be restored to the control message, and discarded when it cannot.
In some embodiments of the invention, the method further comprises step (6): after the OpenFlow switch executes the encrypted message, it sends an encrypted response message to the OpenFlow controller.
In some embodiments of the invention, the encrypted response message is encapsulated through the device identity of the OpenFlow switch; step (6) further comprises restoring the encrypted response message through the device identity of the OpenFlow switch, determining whether it can be restored to the encrypted message, sending the encrypted response message to the OpenFlow controller when it can, and discarding it when it cannot.
The embodiment of the invention at least has the following advantages or beneficial effects:
1. The device private key is generated from the seed value preset in the OpenFlow device, so content from the OpenFlow device can be authenticated with the device private key; this improves communication security and allows the method to be used widely.
2. The device private key of the OpenFlow device yields a device public key through an asymmetric cryptographic algorithm, so content authenticated with the device private key can be checked with the device public key of the OpenFlow device, improving communication security between OpenFlow devices.
3. The device public key is hashed to generate the device identity, so the device identity can be sent along to verify each message exchanged between OpenFlow devices; this prevents messages from being tampered with after another device intrudes, protects message integrity during communication, and improves communication security.
4. All messages sent by an OpenFlow device are identified through its device identity for the encryption operation, and all identified messages received by an OpenFlow device are restored through the device identity for the decryption operation. This improves the security of communication between different OpenFlow devices and, compared with encrypting and decrypting each message separately, reduces energy consumption, improves the communication performance of the OpenFlow network, and allows it to be widely used.
Drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting its scope; those skilled in the art can obtain other related drawings from them without inventive effort.
Fig. 1 is a schematic flow diagram of a communication protection method for a lightweight control channel in an OpenFlow network according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
In the description of the embodiments of the present invention, it should be noted that, if the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings or the orientations or positional relationships that the products of the present invention are usually placed in when used, the orientations or positional relationships are only used for convenience of describing the present invention and simplifying the description, but the terms do not indicate or imply that the devices or elements indicated must have specific orientations, be constructed in specific orientations, and operate, and therefore, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," "third," and the like are used solely to distinguish one from another and are not to be construed as indicating or implying relative importance.
Furthermore, the terms "horizontal", "vertical", "overhang" and the like do not require that the components be absolutely horizontal or overhang, but may be slightly inclined. For example, "horizontal" merely means that the direction is more horizontal than "vertical" and does not mean that the structure must be perfectly horizontal, but may be slightly inclined.
In the description of the embodiments of the present invention, "a plurality" represents at least 2.
In the description of the embodiments of the present invention, it should be further noted that unless otherwise explicitly stated or limited, the terms "disposed," "mounted," "connected," and "connected" should be interpreted broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
Examples
Referring to fig. 1, this embodiment shows a communication protection method for a lightweight control channel in an OpenFlow network, which is applied to communication between OpenFlow devices and includes the following steps: (1) presetting a unique seed value for the OpenFlow device; (2) hashing the seed value to generate a device private key, and deriving a device public key from the device private key with an asymmetric cryptographic algorithm; (3) hashing the device public key to generate a device identity; (4) encapsulating the content sent by the OpenFlow device through the device identity so as to encrypt it; (5) restoring the content of the OpenFlow device through the device identity so as to decrypt it.
In detail, in step (1), the device identities of different OpenFlow devices are distinguished by presetting a unique seed value in each, which facilitates secure communication among multiple OpenFlow devices. Optionally, the unique seed value is built in when the OpenFlow device leaves the factory. Optionally, a pseudo-random number generator is used to obtain the initial seed value for the device.
In detail, step (2) hashes the seed value to generate a device private key, which facilitates verification of the messages sent by the device, and derives the corresponding device public key from the device private key with an asymmetric algorithm. Step (3) hashes the device public key to generate the device identity. In step (4), the content sent is uniformly identified through the device identity of the OpenFlow device so that it can be encrypted, and in step (5) the content received from different devices, once its identification has been authenticated by the OpenFlow device, can be conveniently decrypted; this achieves lightweight secure communication. The SHA256 hash algorithm is selected to set a unique device private key and device identity for each OpenFlow device.
As a preferred embodiment, the OpenFlow device includes an OpenFlow controller and an OpenFlow switch; the OpenFlow controller receives the administrator request and converts it into a control message. Step (4) encapsulates the control message into a secure message through the device identity of the OpenFlow controller and sends the secure message to the OpenFlow switch.
In detail, the conversion of the received administrator request into a control message by the OpenFlow controller belongs to the prior art and is not described again here. Step (4) encapsulates the control message through the device identity, generating a secure message to be sent to the OpenFlow switch. The source of the control message is thereby authenticated through the device identity, and the integrity of the control message is protected.
As a preferred embodiment, step (5) includes intercepting the secure message, restoring it with the device identity of the OpenFlow controller, and determining whether it can be restored to the control message; when it can, the secure message is sent on to the OpenFlow switch, and when it cannot, the secure message is discarded.
In detail, the secure message generated by encrypting the control message with the device identity of the OpenFlow controller is intercepted before it is sent to the OpenFlow switch, and the secure message is restored with the device identity of the OpenFlow controller to perform the decryption operation. Whether the secure message has been tampered with, or its content stolen, by an intruding device is therefore determined by judging whether it can be restored to the control message. The device identity and the control message are obtained from the OpenFlow controller and from the device that encapsulated the control message in order to make this judgment. When the secure message can be restored to the control message, the source device is determined to be legitimate and the control message complete, and the secure message is forwarded to the OpenFlow switch, improving communication security. If the secure message cannot be parsed with the device identity, or differs from the control message after parsing, it was maliciously tampered with in transit or forged by another, illegitimate device. The illegitimate secure message is then discarded, so the OpenFlow switch never receives a secure message that lacks execution permission.
As a preferred embodiment, the method further includes step (6): after the OpenFlow switch executes the secure message, it sends a secure response message to the OpenFlow controller.
As a preferred embodiment, the secure response message is formed by encapsulating the secure message with the device identity of the OpenFlow switch; step (6) restores the secure response message through the device identity of the OpenFlow switch, judges whether it can be restored to the secure message, sends the secure response message to the OpenFlow controller when it can, and discards it when it cannot.
In detail, after the OpenFlow switch executes the secure message, the secure message is encapsulated with the device identity of the OpenFlow switch to generate a secure response message, which signals to the OpenFlow controller that the secure message was executed successfully. The device identity of the OpenFlow switch and the secure message are obtained from the OpenFlow switch and from the device that encapsulated the control message in order to make the judgment. When the secure response message can be restored to the secure message through the device identity of the OpenFlow switch, it has not been intruded upon or tampered with by an illegitimate device, that is, the OpenFlow switch executed the secure message successfully. When it cannot be restored to the secure message through the device identity of the OpenFlow switch, it has been intruded upon or tampered with by an illegitimate device, and successful execution of the secure message by the OpenFlow switch cannot be guaranteed.
As a preferred embodiment, step (3) further includes generating a shared key from the device public keys and device private keys of the OpenFlow controller and the OpenFlow switch using a key agreement algorithm; step (4) intercepts the secure message, encapsulates it into an encrypted message through the shared key of the OpenFlow controller, and sends the encrypted message to the OpenFlow switch.
In detail, the elliptic-curve Diffie-Hellman algorithm is adopted as the key agreement algorithm to compute the shared key. The shared key may be computed from the device public key of the OpenFlow controller and the device private key of the OpenFlow switch, or from the device private key of the OpenFlow controller and the device public key of the OpenFlow switch; that is, the shared key is ECDH(controller private key, switch public key). Optionally, the security policy may combine the two ways above or select one of them at random. The secure message is encapsulated with the shared key, which improves the confidentiality of the control message.
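The derivation chain of steps (1) to (3) and the ECDH shared key described above, as an added worked example that is not part of the patent: the seed is hashed with SHA-256 to give the device private key, the public key is derived with X25519 (an assumed instantiation of the "asymmetric cryptographic algorithm"; the patent names only ECDH), and the device identity is SHA-256 of the public key. The X25519 ladder is written out in pure Python so the example needs only the standard library; the seeds are constructed values.

```python
import hashlib
import hmac

# X25519 scalar multiplication (RFC 7748) in pure Python, so the example runs
# on the standard library alone. Not constant-time; a deployment would use a
# vetted library.
P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(point: bytes) -> int:
    u = bytearray(point)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery ladder: scalar * point as a 32-byte little-endian u-coordinate."""
    k, x1 = _clamp(scalar), _decode_u(point)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow((da + cb) % P, 2, P)
        z3 = x1 * pow((da - cb) % P, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def device_private_key(seed: bytes) -> bytes:
    """Step (2): the SHA-256 digest of the preset seed is the device private key.
    The seed must be high-entropy: anyone who can guess it recovers the key."""
    return hashlib.sha256(seed).digest()


def device_public_key(private_key: bytes) -> bytes:
    """Step (2), second half: the asymmetric algorithm (here X25519) gives the public key."""
    return x25519(private_key, BASE_POINT)


def device_identity(public_key: bytes) -> bytes:
    """Step (3): the device identity is the SHA-256 hash of the device public key."""
    return hashlib.sha256(public_key).digest()


def identity_matches(public_key: bytes, claimed_identity: bytes) -> bool:
    """Receiver-side check: does the presented public key hash to the claimed identity?
    The identity is public data, so this binds a key to a name; proof that the sender
    holds the private key comes from the ECDH shared key (or a signature), not from it."""
    return hmac.compare_digest(device_identity(public_key), claimed_identity)


class OpenFlowDevice:
    """Controller or switch, set up from its factory-preset seed (step (1))."""

    def __init__(self, seed: bytes):
        self.private_key = device_private_key(seed)
        self.public_key = device_public_key(self.private_key)
        self.identity = device_identity(self.public_key)

    def shared_key_with(self, peer_public_key: bytes) -> bytes:
        """ECDH(own private key, peer public key); both orderings in the text agree."""
        return x25519(self.private_key, peer_public_key)


def demo() -> dict:
    # Constructed seeds for the example; real seeds come from the factory or a PRNG.
    controller = OpenFlowDevice(b"constructed-controller-seed-0001")
    switch = OpenFlowDevice(b"constructed-switch-seed-0001")
    k_ctrl = controller.shared_key_with(switch.public_key)  # ECDH(ctrl priv, switch pub)
    k_sw = switch.shared_key_with(controller.public_key)    # ECDH(switch priv, ctrl pub)
    return {
        "controller_identity": controller.identity.hex(),
        "switch_identity": switch.identity.hex(),
        "shared_keys_agree": k_ctrl == k_sw,
        "identity_check": identity_matches(switch.public_key, switch.identity),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```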
As a preferred embodiment, the step (5) includes intercepting the security message, restoring the encrypted message through the device identity of the OpenFlow controller and the shared key, and determining whether the encrypted message can be restored to the control message; and sending the encrypted message to the OpenFlow switch when the control message can be restored, and discarding the encrypted message when the control message cannot be restored.
In detail, the control message is intercepted before being sent to the OpenFlow switch through the device identity of the OpenFlow controller and the encrypted message generated after the control message is encrypted by the shared key, and the encrypted message is restored by using the device identity of the OpenFlow controller and the shared key to execute the decryption operation. Therefore, the result of whether the encrypted message is invaded by other equipment to tamper or steal the content is obtained by judging whether the encrypted message can be restored into the control message. And acquiring the equipment identity identifier and the control message through an OpenFlow controller or equipment for encapsulating the control message to judge. When the encrypted message can be restored into the control message, the source of the device is determined to be legal and the control message is complete, and the encrypted message is continuously sent to the OpenFlow switch, so that the communication safety is improved. If the encrypted message cannot be analyzed through the shared key and the device identity of the OpenFlow controller or is different from the control message after the analysis, the encrypted message is maliciously tampered in the transmission process or is forged by other illegal devices. At this time, the illegal encrypted message is discarded, and the OpenFlow switch does not receive the encrypted message without the execution permission.
As a preferred embodiment, the method further includes step (6), that is, after the OpenFlow switch executes the encryption message, sending an encryption response message to the OpenFlow controller.
As a preferred embodiment, the encryption response message is formed by encapsulating the encryption message by a device identity of the OpenFlow switch; in the step (6), the method further includes restoring the encrypted response message through the device identity identifier of the OpenFlow switch, determining whether the encrypted response message can be restored to the encrypted message, and sending the encrypted response message to the OpenFlow controller when the encrypted response message can be restored to the encrypted message, and discarding the encrypted response message when the encrypted response message cannot be restored to the encrypted message.
In detail, after the OpenFlow switch executes the encryption message, the secure message is encapsulated by the device identity of the OpenFlow switch to generate an encryption response message, so as to send a signal that the execution of the encryption message is successful to the OpenFlow controller. The device identity of the OpenFlow switch and the encrypted message are acquired through the OpenFlow switch and the device for encapsulating the control message so as to perform judgment. When the encrypted response message is restored to the encrypted message through the device identity of the OpenFlow switch, it indicates that the encrypted response message is not invaded or tampered by other illegal devices, that is, the OpenFlow switch successfully executes the encrypted message. When the encrypted response message cannot be restored to the encrypted message through the device identity of the OpenFlow switch, it indicates that the encrypted response message is invaded or tampered by other illegal devices, and it cannot be guaranteed that the OpenFlow switch successfully executes the encrypted message, so that the encrypted response message is discarded in order to guarantee the security of the communication network and the devices.
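The message flow of steps (4) to (6) described above, as an added worked example that is not part of the patent: encapsulation of the control message into a secure message, the intercept-and-restore check that forwards or discards it, the encrypted variant under the shared key, and the switch's response. The patent does not specify the encapsulation format, so the format here is an assumption: the tag is an HMAC under the ECDH shared key with the device identity bound in (a tag over the public identity alone would detect corruption but not forgery), and the encrypted variant uses a stdlib-only encrypt-then-MAC construction as a stand-in for an AEAD. Identities, shared key and control message are constructed values.

```python
import hashlib
import hmac
import secrets

IDENT_LEN = 32   # SHA-256 device identity
TAG_LEN = 32     # HMAC-SHA256 tag
NONCE_LEN = 16

# Constructed stand-ins for the outputs of steps (1)-(3).
CONTROLLER_ID = hashlib.sha256(b"constructed controller public key").digest()
SWITCH_ID = hashlib.sha256(b"constructed switch public key").digest()
SHARED_KEY = hashlib.sha256(b"constructed ECDH shared key").digest()


def encapsulate(content: bytes, identity: bytes, key: bytes) -> bytes:
    """Step (4): secure message = device identity || tag || content.
    Assumed format: the tag is HMAC-SHA256 under the shared key over identity || content."""
    tag = hmac.new(key, identity + content, hashlib.sha256).digest()
    return identity + tag + content


def restore(message: bytes, expected_identity: bytes, key: bytes):
    """Step (5): return the restored content, or None when the message cannot be
    restored (wrong identity, modified content or forged tag) and must be discarded."""
    if len(message) < IDENT_LEN + TAG_LEN:
        return None
    identity = message[:IDENT_LEN]
    tag = message[IDENT_LEN:IDENT_LEN + TAG_LEN]
    content = message[IDENT_LEN + TAG_LEN:]
    if not hmac.compare_digest(identity, expected_identity):
        return None
    expected_tag = hmac.new(key, identity + content, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return None
    return content


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real stream cipher.
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(secure_message: bytes, key: bytes) -> bytes:
    """Step (4), encrypted variant: nonce || ciphertext || tag, encrypt-then-MAC under
    keys derived from the shared key. A deployment would use an AEAD such as AES-GCM."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(secure_message))
    ciphertext = bytes(a ^ b for a, b in zip(secure_message, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(encrypted: bytes, key: bytes):
    """Undo encrypt(); None means the ciphertext was modified and is discarded."""
    if len(encrypted) < NONCE_LEN + TAG_LEN:
        return None
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ciphertext, tag = encrypted[:NONCE_LEN], encrypted[NONCE_LEN:-TAG_LEN], encrypted[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def restore_encrypted(encrypted: bytes, identity: bytes, key: bytes):
    """Step (5), encrypted variant: check the shared-key layer, then the identity layer."""
    secure_message = decrypt(encrypted, key)
    return None if secure_message is None else restore(secure_message, identity, key)


def switch_response(secure_message: bytes, switch_identity: bytes, key: bytes) -> bytes:
    """Step (6): the switch wraps the message it executed under its own device identity."""
    return encapsulate(secure_message, switch_identity, key)


def demo() -> dict:
    control = b"FLOW_MOD in_port=1 actions=output:2"          # constructed control message
    secure = encapsulate(control, CONTROLLER_ID, SHARED_KEY)
    tampered = secure[:-1] + bytes([secure[-1] ^ 0x01])        # one bit flipped in transit
    forged = encapsulate(control, CONTROLLER_ID, b"\x00" * 32)  # built without the shared key
    encrypted = encrypt(secure, SHARED_KEY)
    response = switch_response(secure, SWITCH_ID, SHARED_KEY)
    return {
        "forwarded": restore(secure, CONTROLLER_ID, SHARED_KEY) == control,
        "tampered_discarded": restore(tampered, CONTROLLER_ID, SHARED_KEY) is None,
        "forged_discarded": restore(forged, CONTROLLER_ID, SHARED_KEY) is None,
        "encrypted_forwarded": restore_encrypted(encrypted, CONTROLLER_ID, SHARED_KEY) == control,
        "response_accepted": restore(response, SWITCH_ID, SHARED_KEY) == secure,
        "response_wrong_identity_discarded": restore(response, CONTROLLER_ID, SHARED_KEY) is None,
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```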
As a preferred embodiment, the device id processes a hash value generated by a device public key of the OpenFlow device through a hash function.
In detail, the device identity includes a controller authentication code of the OpenFlow controller and a switch authentication code of the OpenFlow switch. The device public key of the OpenFlow controller is used as a controller authentication code by a hash value obtained through hash function processing, and the device public key of the OpenFlow switch is used as a switch authentication code by a hash value obtained through hash function processing.
In the communication protection method for the lightweight control channel in the OpenFlow network according to the embodiment of the present invention, the seed values of the OpenFlow controller and the OpenFlow switch are respectively hashed to generate the device private key, and the device public key is generated by an asymmetric algorithm, so that each device is provided with the corresponding device private key and device public key. The device public key of the OpenFlow controller is hashed to obtain a hash value serving as a controller authentication code, so that illegal device malicious tampering is prevented, and the integrity of a control message sent by authentication is facilitated. The shared key is generated by hashing the device public key and the device private key, and the control message sent by the OpenFlow controller is packaged through the shared key, so that the confidentiality of the control message is authenticated conveniently. Through the switch authentication code of the OpenFlow switch, the execution process of the control message encrypted through the safety message is conveniently authenticated and executed, illegal equipment is prevented from being maliciously tampered, and the communication safety is ensured.
In summary, the unique seed value is preset for the OpenFlow device, so that the identities of different OpenFlow devices can be distinguished conveniently when a plurality of OpenFlow devices communicate with each other, and the OpenFlow device is convenient to be widely used; the seed value is hashed to generate a device private key of the OpenFlow device, so that the sent message can be conveniently verified, and the communication security is improved; the device private key calculates a device public key by using an asymmetric cryptographic algorithm, so that the communication security of the device is improved, the device public key is hashed to generate a device identity, and the message sent by the OpenFlow device is uniformly identified by the device identity, so that compared with the operation of identifying different messages respectively to encrypt, the communication performance of the OpenFlow network is improved, and the communication security between devices is improved; compared with the operation of respectively decrypting different messages, the method improves the communication performance of the OpenFlow network and improves the communication safety between devices through the message received by the device identity identification reduction device.
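The scheme described above, as an added runnable sketch that is not the patent's own code: seed to hashed private key to public key to hashed device identity, a shared key by key agreement, and the encapsulate/restore check that discards any message that does not restore under the expected identity. It covers both the control-message path and the response path; the Diffie-Hellman modulus, the message layout (identity, MAC, payload) and the seeds are assumptions chosen for the example.

```python
import hashlib
import hmac

# Constructed toy Diffie-Hellman group (assumption, not from the patent): the
# Curve25519 field prime used as a plain modular DH modulus with generator 2.
P = 2**255 - 19
G = 2
NB = 32  # byte length of a group element (P < 2**256)

def device_keys(seed: bytes):
    """Steps (2)-(3): seed -> hashed private key -> public key -> hashed identity."""
    priv = int.from_bytes(hashlib.sha256(seed).digest(), "big") % (P - 2) + 2
    pub = pow(G, priv, P)
    ident = hashlib.sha256(pub.to_bytes(NB, "big")).digest()  # device identity
    return priv, pub, ident

def shared_key(my_priv: int, peer_pub: int) -> bytes:
    """Key agreement: hash of the Diffie-Hellman secret, identical on both sides."""
    return hashlib.sha256(pow(peer_pub, my_priv, P).to_bytes(NB, "big")).digest()

def encapsulate(ident: bytes, key: bytes, payload: bytes) -> bytes:
    """Step (4): identity || MAC(key, identity || payload) || payload (constructed layout)."""
    tag = hmac.new(key, ident + payload, hashlib.sha256).digest()
    return ident + tag + payload

def restore(expected_ident: bytes, key: bytes, msg: bytes):
    """Step (5): the payload if the message restores under the expected identity,
    otherwise None so that the caller discards it."""
    if len(msg) < 64:
        return None
    ident, tag, payload = msg[:32], msg[32:64], msg[64:]
    if not hmac.compare_digest(ident, expected_ident):
        return None
    if not hmac.compare_digest(tag, hmac.new(key, ident + payload, hashlib.sha256).digest()):
        return None
    return payload

def round_trip(control: bytes):
    """Controller -> switch control message, then the switch's response wrapped
    with the switch identity; returns (restored control, response verified)."""
    c_priv, c_pub, c_id = device_keys(b"controller-seed-0001")  # constructed seeds
    s_priv, s_pub, s_id = device_keys(b"switch-seed-0001")
    k = shared_key(c_priv, s_pub)           # == shared_key(s_priv, c_pub)
    secure = encapsulate(c_id, k, control)
    executed = restore(c_id, k, secure)     # switch checks before executing
    if executed is None:
        return None, False
    response = encapsulate(s_id, k, secure) # response carries the secure message
    return executed, restore(s_id, k, response) == secure
```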
The above is only a preferred embodiment of the present invention and is not intended to limit it; various modifications and changes will occur to those skilled in the art. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention shall be included in the protection scope of the present invention.

Claims (10)

1. A communication protection method of a lightweight control channel in an OpenFlow network, applied to communication between OpenFlow devices, is characterized by comprising the following steps: (1) presetting a unique seed value for the OpenFlow device; (2) hashing the seed value to generate a device private key, and computing a device public key from the device private key by using an asymmetric cryptographic algorithm; (3) hashing the device public key to generate a device identity; (4) encapsulating the content sent by the OpenFlow device through the device identity for encryption; (5) restoring the content of the OpenFlow device through the device identity so as to decrypt the content.
2. The communication protection method for the lightweight control channel in the OpenFlow network according to claim 1, wherein the OpenFlow device includes an OpenFlow controller and an OpenFlow switch; the OpenFlow controller is used for receiving an administrator request so as to convert the administrator request into a control message; in the step (4), the step of encapsulating the control message into a secure message through the device identity of the OpenFlow controller, and sending the secure message to the OpenFlow switch is included.
3. The communication protection method for the lightweight control channel in the OpenFlow network according to claim 2, wherein the step (5) includes intercepting the secure message, restoring the secure message by using the device identity of the OpenFlow controller, and determining whether the secure message can be restored to the control message; when the control message can be restored, the secure message is sent to the OpenFlow switch, and when the control message cannot be restored, the secure message is discarded.
4. The communication protection method for the lightweight control channel in the OpenFlow network according to claim 3, further comprising a step (6) of sending a security response message to the OpenFlow controller after the OpenFlow switch executes the security message.
5. The communication protection method for the lightweight control channel in the OpenFlow network according to claim 4, wherein the security response message is encapsulated by the device identity of the OpenFlow switch; the step (6) further includes restoring the security response message through the device identity of the OpenFlow switch, determining whether the security response message can be restored to the security message, sending the security response message to the OpenFlow controller when the security response message can be restored to the security message, and discarding the security response message when the security response message cannot be restored to the security message.
6. The communication protection method for the lightweight control channel in the OpenFlow network according to claim 2, wherein in the step (3), the method further includes generating a shared key by using a key agreement algorithm with the device public key and the device private key of the OpenFlow controller and the OpenFlow switch; the step (4) further includes intercepting the secure message, encapsulating the secure message into an encrypted message through the shared key of the OpenFlow controller, and sending the encrypted message to the OpenFlow switch.
7. The communication protection method for the lightweight control channel in the OpenFlow network according to claim 6, wherein the step (5) includes intercepting the secure message, restoring the encrypted message by using the device identity of the OpenFlow controller and the shared key, and determining whether the encrypted message can be restored to the control message; and sending the encrypted message to the OpenFlow switch when the encrypted message can be restored to the control message, and discarding the encrypted message when the encrypted message cannot be restored to the control message.
8. The communication protection method for the lightweight control channel in the OpenFlow network according to claim 7, further comprising a step (6) of sending an encryption response message to the OpenFlow controller after the OpenFlow switch executes the encryption message.
9. The communication protection method for the lightweight control channel in the OpenFlow network according to claim 8, wherein the encrypted response message is encapsulated by the device identity of the OpenFlow switch; the step (6) further includes restoring the encrypted response message by using the device identity of the OpenFlow switch, determining whether the encrypted response message can be restored to the encrypted message, sending the encrypted response message to the OpenFlow controller when the encrypted response message can be restored to the encrypted message, and discarding the encrypted response message when the encrypted response message cannot be restored to the encrypted message.
10. The communication protection method for the lightweight control channel in the OpenFlow network according to any one of claims 1 to 9, wherein the device identity is the hash value obtained by processing the device public key of the OpenFlow device with a hash function.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010197174.7A CN111431889B (en) 2020-03-19 2020-03-19 Communication protection method for lightweight control channel in OpenFlow network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010197174.7A CN111431889B (en) 2020-03-19 2020-03-19 Communication protection method for lightweight control channel in OpenFlow network

Publications (2)

Publication Number Publication Date
CN111431889A true CN111431889A (en) 2020-07-17
CN111431889B CN111431889B (en) 2023-08-08

Family

ID=71547475

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010197174.7A Active CN111431889B (en) 2020-03-19 2020-03-19 Communication protection method for lightweight control channel in OpenFlow network

Country Status (1)

Country Link
CN (1) CN111431889B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060212928A1 (en) * 2005-03-17 2006-09-21 Fabio Maino Method and apparatus to secure AAA protocol messages
CN104780069A (en) * 2015-04-16 2015-07-15 中国科学院计算技术研究所 SDN-oriented self-configuration method and system for communication channel between control layer and data layer
CN105827665A (en) * 2016-06-06 2016-08-03 南开大学 Method for encrypting flow table information sensitive data between SDN network controller and interchanger
CN106790250A (en) * 2017-01-24 2017-05-31 郝孟 Data processing, encryption, integrity checking method and authentication identifying method and system
CN109428712A (en) * 2017-08-24 2019-03-05 上海复旦微电子集团股份有限公司 Data Encrypt and Decrypt method and data Encrypt and Decrypt system
CN109921996A (en) * 2018-12-29 2019-06-21 长沙理工大学 A kind of virtual flow stream searching method of high performance OpenFlow
CN110830236A (en) * 2019-11-14 2020-02-21 湖南盾神科技有限公司 Identity-based encryption method based on global hash
CN110839036A (en) * 2019-11-19 2020-02-25 武汉思普崚技术有限公司 Attack detection method and system for SDN (software defined network)

Also Published As

Publication number Publication date
CN111431889B (en) 2023-08-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant