CN113014382A - Service chain integrity detection method, device and medium based on ordered aggregation digital signature - Google Patents


Info

Publication number: CN113014382A
Application number: CN202110226172.0A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 宋祁朋, 李玥, 李晖, 吕敏杰
Current assignee: Xidian University
Original assignee: Xidian University
Prior art keywords: service, service chain, digital signature, data packet, service node


Classifications

    • H04L9/3271 (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols > H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials): using challenge-response
    • H04L9/3273 (under H04L9/3271): using challenge-response for mutual authentication
    • H04L45/50 (H04L45/00 Routing or path finding of packets in data switching networks): using label swapping, e.g. multi-protocol label switch [MPLS]
    • H04L9/0861 (H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords): generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/3247 (under H04L9/32): involving digital signatures

Abstract

The embodiment of the invention discloses a service chain integrity detection method, a device and a medium based on an ordered aggregation digital signature; the method comprises the following steps: generating identity-based encryption parameters; generating a private key and a signature construction parameter corresponding to each service node by using the identity-based encryption parameters according to the identity information of each service node in the service chain; distributing the private key and the signature construction parameter corresponding to each service node to the corresponding service node; generating a probe data packet containing an initial digital signature, and sending the probe data packet to an entry classifier of the service chain; receiving a probe data packet which is returned by an exit classifier of the service chain and contains an updated digital signature; and verifying the probe data packet containing the updated digital signature according to preset verification parameters, and determining the integrity of the service chain based on the verification result.

Description

Service chain integrity detection method, device and medium based on ordered aggregation digital signature
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a service chain integrity detection method, a device and a medium based on ordered aggregation digital signatures.
Background
A service chain is a technology that steers the traffic of a network service through a series of virtual network elements in a prescribed order, according to the traffic class and the business logic required by the user. Enabled by technologies such as Software Defined Networking (SDN) and Network Function Virtualization (NFV), service chains greatly simplify the creation, deployment and management of network services in a cloud computing infrastructure and substantially reduce the capital expenditure (CAPEX) and operational expenditure (OPEX) of network service providers, so they have recently received wide attention from academia and industry.
There are various ways to implement a service chain in a cloud computing infrastructure, for example implementations based on the Multi-Protocol Label Switching (MPLS) protocol, the Segment Routing protocol, the Network Service Header (NSH) protocol, and so on.
Although these service chain implementation schemes greatly facilitate the creation and management of network services, the introduction of virtualization technologies such as SDN and NFV enlarges the attack surface of the network infrastructure, so that service chains running on it face a range of security threats. Attackers can exploit potential vulnerabilities of the service chain orchestration system and bypass the relevant security mechanisms to break the integrity of the service chain, for example by replacing legitimate service nodes on the chain with malicious service nodes, or by bypassing certain nodes that perform security functions.
Disclosure of Invention
In view of this, embodiments of the present invention are to provide a method, an apparatus, and a medium for detecting integrity of a service chain based on an ordered aggregated digital signature; the integrity of the service chain can be detected, and the information safety of the service chain is guaranteed.
The technical scheme of the embodiment of the invention is realized as follows:
in a first aspect, an embodiment of the present invention provides a method for detecting integrity of a service chain based on an ordered aggregated digital signature, where the method is applied to a service chain control entity in a service network providing the service chain, and the method includes:
generating identity-based encryption parameters;
generating a private key and a signature construction parameter corresponding to each service node by using the identity-based encryption parameter according to the identity information of each service node in the service chain;
distributing the private key and the signature construction parameters corresponding to each service node to the corresponding service node;
generating a probe data packet containing an initial digital signature, and sending the probe data packet to an entry classifier of the service chain, so that each service node traversed by the probe data packet in the service chain sequentially updates the digital signature in the probe data packet by using its corresponding private key and signature construction parameter;
receiving a probe data packet which is returned by an exit classifier of the service chain and contains an updated digital signature;
and verifying the probe data packet containing the updated digital signature according to preset verification parameters, and determining the integrity of the service chain based on a verification result.
In a second aspect, an embodiment of the present invention provides a service chain integrity detection method based on an ordered aggregated digital signature, where the method is applied to a service node in a service network providing a service chain, and the method includes:
receiving a private key and signature construction parameters sent by a service chaining control entity in the service network;
receiving a probe data packet sent by an upper-level network element in the service chain;
and updating the digital signature in the probe data packet according to the private key and the signature construction parameters, and sending the probe data packet containing the updated digital signature to a next-level network element in the service chain.
In a third aspect, an embodiment of the present invention provides a service chain control entity in a service network providing a service chain, where the service chain control entity includes: a generation part, a distribution part, a first sending part, a first receiving part, and a verification part; wherein:
the generation part is configured to generate identity-based encryption parameters; generating a private key and a signature construction parameter corresponding to each service node by using the identity-based encryption parameter according to the identity information of each service node in the service chain;
the distribution part is configured to distribute the private key and the signature construction parameter corresponding to each service node to the corresponding service node;
the generation portion further configured to generate a probe data packet containing an initial digital signature;
the first sending part is configured to send the probe data packet to an entry classifier of the service chain, so that each service node which the probe data packet passes through in the service chain updates the digital signature in the probe data packet by using a corresponding private key and signature construction parameters in sequence;
the first receiving part is configured to receive a probe data packet which is returned by an exit classifier of the service chain and contains an updated digital signature;
the verification part is configured to verify the probe data packet containing the updated digital signature according to preset verification parameters, and determine the integrity of the service chain based on a verification result.
In a fourth aspect, an embodiment of the present invention provides a service node in a service network providing a service chain, where the service node includes: a second receiving part, an updating part, and a second sending part; wherein:
the second receiving part is configured to receive a private key and a signature construction parameter sent by a service chaining control entity in the service network; receiving a probe data packet sent by an upper-level network element in the service chain;
the updating part is configured to update the digital signature in the probe data packet according to the private key and the signature construction parameters;
the second sending part is configured to send the probe data packet containing the updated digital signature to a next-level network element in the service chain.
In a fifth aspect, an embodiment of the present invention provides a computer storage medium, where the computer storage medium stores a service chain integrity detection program based on ordered aggregation digital signature, and the service chain integrity detection program based on ordered aggregation digital signature, when executed by at least one processor, implements the steps of the service chain integrity detection method based on ordered aggregation digital signature according to the first aspect or the second aspect.
In a sixth aspect, an embodiment of the present invention provides a service network for providing a service chain, where the service network includes: a service chain control entity and a service node; wherein the service chain control entity is configured to perform the steps of the method for detecting the integrity of the service chain based on the ordered aggregated digital signature according to the first aspect; the service node is configured to perform the steps of the ordered aggregated digital signature based service chain integrity detection method of the second aspect.
The embodiment of the invention provides a service chain integrity detection method, a device and a medium based on an ordered aggregation digital signature; a service chain control entity in a service chain sends a probe data packet containing an initial digital signature to a service chain to be detected, and then each service node on the service chain to be detected updates the digital signature of the probe data packet by using a pre-allocated private key; after the signatures of all the service nodes are updated, the probe data packet is finally transmitted back to the service chain control entity for inspection, and whether the integrity of the service chain is damaged or not is judged according to the inspection result. Therefore, the integrity of the service chain is detected, and the information safety of the service chain is guaranteed.
Drawings
Fig. 1 is a schematic diagram of a network architecture for providing a service chain according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a service chain integrity detection method based on ordered aggregated digital signatures according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of another service chain integrity detection method based on ordered aggregated digital signatures according to an embodiment of the present invention;
Fig. 4 is a processing flow after a service node receives a data packet according to an embodiment of the present invention;
Fig. 5 is a schematic view of a service chain architecture and a process for detecting the integrity of the service chain according to an embodiment of the present invention;
Fig. 6 is a schematic diagram illustrating a service chain control entity according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of a specific hardware structure of a service chain control entity according to an embodiment of the present invention;
Fig. 8 is a schematic diagram illustrating a service node according to an embodiment of the present invention;
Fig. 9 is a schematic diagram of a specific hardware structure of a service node according to an embodiment of the present invention.
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention.
It should be noted that, since there are many protocol schemes for implementing a service chain, the present application takes an NSH-based service chain network architecture as an example in order to describe the technical scheme clearly. It can be understood that the technical scheme described in the embodiments of the present invention does not exclude the protocol schemes used by other service chains, and a person skilled in the art may apply it to other protocol schemes capable of implementing a service chain; these are not described again here.
Referring to Fig. 1, which shows a network architecture for providing a service chain to which the technical solution of the embodiment of the present invention can be applied, taking an NSH-based service chain network architecture as an example, the architecture shown in Fig. 1 may include a service chain controller, an ingress/egress classifier, forwarders, service nodes, and the like. The service chain controller, serving as the service chain control entity, is responsible for the creation and life cycle management of the service chain; the ingress/egress classifier performs NSH encapsulation/decapsulation on ingress/egress traffic according to its internal flow table; the forwarders in the service network where the service chain is located may include OpenFlow-capable hardware switches, Open vSwitch virtual switches and the like, and forward packets according to parameters such as the Service Path Indicator (SPI) and the Service node indicator (SI) defined in the NSH header, so that packets pass through the service nodes defined by the service chain. The ingress/egress classifier and the forwarders support the OpenFlow protocol.
Based on the architecture shown in Fig. 1, a conventional workflow is described taking client-server communication as an example. After service traffic is sent from the client and before it reaches the server, it must pass in order through two service nodes, a Deep Packet Inspection (DPI) service node and a Firewall service node. The service chain controller numbers the service chain and its first node in advance according to the description file of the service chain (in this example, SPI = 10 and SI = 255), generates the corresponding OpenFlow tables, and pushes them to the ingress/egress classifier, the forwarders and other devices, as indicated by the dot-dash arrows. When a regular network packet from the client (white square) reaches the ingress classifier along the solid arrow, the ingress classifier performs NSH encapsulation on it, producing an NSH packet with SPI = 10 and SI = 255. The ingress classifier forwards the NSH packet to forwarder 1 according to SPI = 10 (dotted arrow); forwarder 1 forwards it to the DPI service node connected to it according to its internal flow table; after DPI processing is complete, the SI in the NSH header is decremented by 1 and the packet is returned to forwarder 1.
Forwarder 1 then transmits the NSH packet to forwarder 2, which forwards it to the Firewall service node connected to it according to its internal flow table; after Firewall processing the packet reaches the egress classifier, which removes the NSH protocol header, yielding a normal network packet that is forwarded to the server.
Based on the conventional workflow of the service chain and the risk that the integrity of the service chain is damaged, the embodiment of the invention detects the integrity of the service chain using ordered aggregated digital signatures. Specifically, an ordered aggregated digital signature is a scheme in which the multiple digital signatures involved in verifying the integrity of some information are aggregated into a single signature, so it is suited to verifying whether the information was signed by the involved parties in sequence. This matches the requirement of service chain security detection closely. However, since digital signatures are based on asymmetric cryptography, they carry a large computational overhead and are difficult to deploy at the network layer, so the embodiments of the present invention aim to implement a lightweight service chain integrity detection mechanism that reduces the impact on the services carried by the protected service chain. For example, a service chain integrity detection application program running inside a service chain control entity, such as the service chain controller shown in Fig. 1, may send a probe packet containing an initial digital signature to the service chain to be detected; each service node on the service chain signs the probe packet with its pre-assigned private key; the probe packet signed by all service nodes is finally returned to the service chain integrity detection application program, which performs the final check and determines from the check result whether the integrity of the service chain is damaged.
Based on the foregoing, referring to Fig. 2, which shows a method for detecting the integrity of a service chain based on an ordered aggregated digital signature according to an embodiment of the present invention, the method may be applied to a service chain control entity in a service network providing the service chain, and specifically may be implemented by a service chain integrity detection application program running inside the service chain control entity; the method may include:
S210: generating identity-based encryption parameters;
S220: generating a private key and a signature construction parameter corresponding to each service node by using the identity-based encryption parameters according to the identity information of each service node in the service chain;
S230: distributing the private key and the signature construction parameter corresponding to each service node to the corresponding service node;
S240: generating a probe data packet containing an initial digital signature, and sending the probe data packet to an entry classifier of the service chain, so that each service node traversed by the probe data packet in the service chain sequentially updates the digital signature in the probe data packet by using its corresponding private key and signature construction parameter;
S250: receiving a probe data packet which is returned by an exit classifier of the service chain and contains an updated digital signature;
S260: verifying the probe data packet containing the updated digital signature according to preset verification parameters, and determining the integrity of the service chain based on the verification result.
For the technical scheme shown in fig. 2, a probe data packet including an initial digital signature is sent to a service chain to be detected by a service chain control entity in the service chain, and then each service node on the service chain to be detected updates the digital signature of the probe data packet by using a pre-allocated private key; after the signatures of all the service nodes are updated, the probe data packet is finally transmitted back to the service chain control entity for inspection, and whether the integrity of the service chain is damaged or not is judged according to the inspection result. Therefore, the integrity of the service chain is detected, and the information safety of the service chain is guaranteed.
It should be noted that the scheme shown in Fig. 2 may be divided into two stages in its implementation, an initialization stage and an operation stage. For example, S210 to S230 form the initialization stage, which generates the parameters and secret parameters required by the service chain control entity and the service nodes in the operation stage and distributes them securely; S240 to S260 form the operation stage, which performs the integrity verification by constructing and sending a probe packet and then recovering it.
For the technical solution shown in fig. 2, in some possible implementations, the generating the identity-based encryption parameter includes:
selecting, according to a pre-selected additive cyclic group G of prime order p and a multiplicative cyclic group G_T of prime order p, a bilinear map e satisfying e: G × G → G_T;
determining, according to the pre-selected large integer field of prime order p (denoted by a formula image that is not reproduced here), a first hash function H_1: {0,1}^* → G and a second hash function H_2 (its definition is a formula image that is not reproduced here);
computing the public key g^α of the service chain control entity from a master key α selected at random from the large integer field.
For the above implementation, the master key α must be stored securely; apart from the master key α, all other parameters appearing above are public parameters that can be obtained by the other network elements in the service chain, such as the ingress/egress classifier, the forwarders and the service nodes; specifically, these network elements may acquire the public parameters through the channel shown by the dotted line in Fig. 1.
Based on the foregoing implementation, in some examples, generating the private key and signature construction parameter corresponding to each service node from the identity-based encryption parameters according to the identity information of each service node in the service chain includes:
traversing each service node in the service chain, and executing the following operations on the traversed ith service node in the traversing process:
according to the identity information id of the ith service nodeiThe first hash function H1And the master key alpha is used for determining the private key of the ith service node according to the following formula
Figure BDA0002956327890000081
Figure BDA0002956327890000082
According to the identity information id of the ith service nodeiThe second hash function H2Determining an intermediate parameter s of said ith serving node according toj
sj=H2(id1||id2…||idj)
Wherein j is 1,2, …, n represents each service node, and the operator | | | represents the splicing operation of the character string;
according to the intermediate parameter s of the ith service nodejAnd determining a signature construction parameter s of the ith service node by(i)
Figure BDA0002956327890000083
Wherein i is more than or equal to 1 and less than or equal to n, and n represents the number of service nodes in the service chain.
For the above example, specifically, let the service chain L consisting of n service nodes be L = (id_1, id_2, …, id_i, …, id_n), where id_i, i = 1, 2, …, n, is the identifier of service node i. In some examples the identifier may be information that uniquely identifies the service node, such as its IP address or MAC address. The service chain integrity detection application program can generate the private key and signature construction parameter corresponding to each service node from the identifier of each service node. Understandably, since the private key corresponding to each service node (formula image not reproduced here) is exclusive to that service node, it should be stored securely to avoid leakage. Based on this, in the step of distributing the private key and signature construction parameter corresponding to each service node to that service node set forth in S230, the private key (formula image not reproduced here) is distributed by the service chain control entity to the service node through a secure channel, whereas the other signature construction parameters may be public, and each service node may openly acquire its signature construction parameter, for example through the channel shown by the dotted line in Fig. 1. In some examples, the secure channel may be a TLS-encrypted channel between the service chain control entity and each service node. In some examples, if the service node is realised as a virtual machine, container or the like, the private key and signature construction parameters described above may instead be added to the image used to create the service node, followed by re-instantiation of the service node.
For the above example, after traversing each service node to generate its private key and signature construction parameter, the service chain control entity may also generate in advance the verification parameters used in step S260 of the operation phase; specifically, the verification parameters are obtained by the following equations:
first verification parameter: (formula image not reproduced here)
second verification parameter: (formula image not reproduced here)
third verification parameter: (formula image not reproduced here)
where s_j = H_2(id_1 || id_2 || … || id_j).
Based on the above implementation and examples thereof, the service chain control entity completes the initialization phase; subsequently, the service chain control entity may perform the integrity verification operation by constructing and sending the probe packet, and then recovering the probe packet.
Based on this, in some examples, the specific implementation of step S240 may include: the service chain integrity detection program run by the service chain control entity looks up, based on the number of the service chain to be detected, the corresponding service nodes in the internal database of the service chain control entity, constructs a probe packet m and sends it to the ingress classifier managing the service chain to be detected. In detail, the probe packet m may include the current time stamp to prevent replay attacks. The probe packet m carries the digital signature to be verified, which consists of three parts and may be denoted σ = (X, Y, Z). The digital signature may be initialised to (1_G, 1_G, 1_G), where 1_G is the identity element of the group G. In some examples, the sending frequency of probe packets is a customisable parameter that can be chosen according to the specific application and scenario; the selection criterion is to reduce the impact on the network service as much as possible.
It should be noted that, after receiving the probe data packet sent by the service chain integrity detection program run by the service chain control entity, the ingress classifier performs corresponding NSH encapsulation on the probe data packet, so that the encapsulated probe data packet can sequentially pass through each service node on the service chain along the path defined by the service chain to be detected.
In some examples, after the probe packet sequentially passes through each service node on the service chain to be detected to update the digital signature thereof, the probe packet will finally reach the egress classifier on the service chain to be detected, and at this time, the egress classifier will transmit the probe packet containing the updated digital signature back to the service chain control entity according to the stored flow table rule thereof, so that the service chain integrity detection program run by the service chain control entity verifies the transmitted probe packet. Specifically, the verifying the probe packet including the updated digital signature according to the preset verification parameters and determining the integrity of the service chain based on the verification result in S260 may include:
setting the updated digital signature contained in the received probe packet m to $\sigma_n = (X_n, Y_n, Z_n)$;
judging whether the following two groups of equations hold simultaneously; if so, determining that the integrity of the service chain is normal; otherwise, determining that the integrity of the service chain is broken:
Figure BDA0002956327890000101
wherein the first verification parameter
Figure BDA0002956327890000102
Second verification parameter
Figure BDA0002956327890000103
Third verification parameter
Figure BDA0002956327890000104
For the above specific example, if the integrity of the service chain is normal, the service chain is operating safely; if the integrity of the service chain is damaged, an unknown security threat is active somewhere in the service chain system, and it can be dealt with by raising an alarm so that a security administrator intervenes.
The foregoing technical solutions describe in detail the solutions and examples that a service chain control entity needs to execute in the service chain integrity detection process based on an ordered aggregation digital signature. Based on the same inventive concept, each service node in the service chain needs, during that process, to update the digital signature in the probe data packet it receives, so as to realize the ordered aggregation digital signature. Referring to fig. 3, a service chain integrity detection method based on an ordered aggregation digital signature is shown, which is applied to a service node in a service network providing the service chain; the method includes:
S310: receiving a private key and signature construction parameters sent by a service chain control entity in the service network;
S320: receiving a probe data packet sent by an upper-level network element in the service chain;
S330: updating the digital signature in the probe data packet according to the private key and the signature construction parameters, and sending the probe data packet containing the updated digital signature to the next-level network element in the service chain.
For step S310 in the technical solution shown in fig. 3, in some examples, the private key corresponding to each service node,
Figure BDA0002956327890000111
is exclusive to that service node and should be stored securely to avoid leakage; it may therefore be received from the service chain control entity through a secure channel, such as a TLS encrypted channel between the service chain control entity and each service node. The signature construction parameters may be obtained publicly, for example through the channel shown by the dotted line in fig. 1.
After receiving its private key and signature construction parameters, each service node may update the digital signature in the probe packet that the service chain control entity sent to the ingress classifier of the service chain. In some examples, so that each service node can handle normal packets and probe packets at the same time, the embodiment of the present invention modifies the NSH header format defined in RFC 8300: for example, the third idle bit of the first byte of the header is designated as a signature bit S, where a value of 1 indicates that the NSH packet is a probe packet and a value of 0 indicates a regular packet. As shown in fig. 4, after the network card of the service node receives a data packet, it first parses the NSH header and checks the value of the signature bit S. If S is 0, the packet is a normal data packet and is passed to the service node's processing process for normal handling, such as the load balancing, firewall or other service provided by the node; if S is 1, the packet is a probe data packet, and the service node updates the digital signature in it.
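As an added illustration of the fig. 4 dispatch just described (example code written for this page, not code from the patent), the following builds and parses an NSH base header and service path header laid out as in RFC 8300 and branches on the signature bit. The exact position of the page's "third idle bit" is an assumption here: it is taken to be the bit RFC 8300 leaves unassigned in the first byte (Ver:2, O:1, U:1, TTL:6), and the names build_nsh, parse_nsh and dispatch are this example's own.

```python
"""Added example: NSH base header with the page's signature bit S.
Not code from the patent; the S-bit position is an assumption."""

NSH_VERSION = 0
# Assumption: the page's "third idle bit of the first byte" is the bit RFC 8300
# leaves unassigned in byte 0 (Ver:2 | O:1 | U:1 | TTL:6 ...), i.e. bit 3
# counted from the most significant bit.
S_BIT_MASK = 0x10
NEXT_PROTO_ETHERNET = 0x03  # RFC 8300 "Next Protocol" value for Ethernet


def build_nsh(service_path_id, service_index, probe, ttl=63, md_type=2):
    """Build a minimal NSH: base header + service path header, no context headers.
    The Length field counts 4-byte words of both headers, so it is 2 here."""
    if not 0 <= service_path_id < (1 << 24) or not 0 <= service_index < 256:
        raise ValueError("SPI must fit in 24 bits and SI in 8 bits")
    b0 = (NSH_VERSION << 6) | (S_BIT_MASK if probe else 0) | ((ttl >> 2) & 0x0F)
    b1 = ((ttl & 0x03) << 6) | 2  # low 2 TTL bits, then Length = 2 words
    b2 = md_type & 0x0F
    b3 = NEXT_PROTO_ETHERNET
    sph = (service_path_id << 8) | service_index
    return bytes([b0, b1, b2, b3]) + sph.to_bytes(4, "big")


def parse_nsh(pkt):
    """Decode the base header and service path header, rejecting malformed input
    before any field is trusted (a defender wants this check ahead of dispatch)."""
    if len(pkt) < 8:
        raise ValueError("NSH shorter than base + service path header")
    b0, b1, b2, b3 = pkt[0], pkt[1], pkt[2], pkt[3]
    if (b0 >> 6) != NSH_VERSION:
        raise ValueError("unsupported NSH version")
    length_words = b1 & 0x3F
    if length_words < 2 or length_words * 4 > len(pkt):
        raise ValueError("NSH length field inconsistent with packet size")
    sph = int.from_bytes(pkt[4:8], "big")
    return {
        "version": b0 >> 6,
        "oam": (b0 >> 5) & 1,
        "signature": 1 if b0 & S_BIT_MASK else 0,
        "ttl": ((b0 & 0x0F) << 2) | (b1 >> 6),
        "length": length_words,
        "md_type": b2 & 0x0F,
        "next_protocol": b3,
        "spi": sph >> 8,
        "si": sph & 0xFF,
    }


def dispatch(pkt):
    """The fig. 4 decision: 'probe' goes to the signature-update path,
    'service' to the node's normal packet processing."""
    hdr = parse_nsh(pkt)
    return "probe" if hdr["signature"] else "service"


if __name__ == "__main__":
    # Constructed sample: service path 10, service index 255, once as a probe
    # and once as a regular packet.
    for is_probe in (True, False):
        pkt = build_nsh(10, 255, is_probe)
        print(pkt.hex(), "->", dispatch(pkt))
```

The parser validates version and the Length field against the real packet size before the S bit is read, so a truncated or malformed header is rejected rather than being routed by a garbage bit.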
For a probe packet received by a service node, in some examples, when the service node is the first service node in the service chain, the upper-level network element is the ingress classifier of the service chain, and the digital signature in the probe data packet sent by the upper-level network element is $\sigma_0 = (1_G, 1_G, 1_G)$, where $1_G$ is the identity element of the group; when the service node is the last service node in the service chain, the next-level network element is the egress classifier of the service chain, and the updated digital signature is $\sigma_n = (X_n, Y_n, Z_n)$, where n is the number of service nodes in the service chain.
For the digital signature update process within a probe data packet set forth at S330, in some examples, the updating the digital signature in the probe data packet according to the private key and signature construction parameters includes:
selecting a random number
Figure BDA0002956327890000121
where
Figure BDA0002956327890000122
denotes the large integer field of prime order p selected by the service chain control entity;
updating the digital signature $\sigma_{i-1} = (X_{i-1}, Y_{i-1}, Z_{i-1})$ in the received probe data packet m according to the following formula to obtain the updated digital signature $\sigma_i = (X_i, Y_i, Z_i)$:
Figure BDA0002956327890000123
where i denotes the sequence number of the service node in the service chain; $i-1$ denotes the sequence number of the upper-level network element of the service node in the service chain; $s^{(i)}$ denotes the signature construction parameter of the service node; $sk_{id}$ denotes the private key of the service node; $H_1(\cdot)$ denotes the first hash function determined by the service chain control entity; $s_i = H_2(id_1 \| id_2 \| \cdots \| id_i)$, where the operator $\|$ denotes string concatenation; $H_2(\cdot)$ denotes the second hash function determined by the service chain control entity; mod denotes the remainder operation; p denotes the prime order selected by the service chain control entity; and g denotes a generator randomly selected by the service chain control entity in the preselected additive cyclic group G of prime order p.
Based on the above explanation, after the digital signature is updated or the conventional processing is completed, the NSH packet is sent to the corresponding repeater for forwarding.
Referring to the service chain architecture shown in fig. 5, the process of detecting the integrity of the service chain is described with reference to the operation stage in the technical scheme shown in fig. 2 and the technical scheme shown in fig. 3, where the process may include:
S51: the service chain integrity detection program run by the service chain control entity constructs a probe data packet containing an initialized digital signature and sends it to the ingress classifier;
S52: the ingress classifier performs NSH encapsulation on the probe data packet and sends the encapsulated probe data packet to repeater 1 of the service chain;
S53: repeater 1 forwards the probe data packet to service node 1 connected to it;
S54: the service node updates the digital signature of the probe data packet and returns the probe data packet containing the updated digital signature to repeater 1, which forwards it to the subsequent repeater;
S55: the subsequent repeaters and the service nodes connected to them complete the updating of the digital signature and the forwarding of the probe data packet as in steps S53 and S54;
S56: the egress classifier receives the probe data packet forwarded by the last repeater in the service chain;
S57: the egress classifier performs NSH decapsulation on the probe data packet and returns the decapsulated probe data packet to the service chain control entity;
S58: the service chain integrity detection program run by the service chain control entity verifies the digital signature in the probe data packet received from the egress classifier and detects the integrity of the service chain based on the verification result.
For each step shown in fig. 5, reference may be made to the corresponding description of the foregoing technical solutions for specific implementation examples and implementation schemes thereof, which are not described in detail in the embodiments of the present invention.
Based on the same inventive concept as the foregoing technical solution, referring to fig. 6, a service chain control entity 60 in a service network providing a service chain according to an embodiment of the present invention is shown, where the service chain control entity 60 includes: a generation section 601, a distribution section 602, a first transmission section 603, a first reception section 604, and a verification section 605; where:
the generating part 601 is configured to generate identity-based encryption parameters, and to generate a private key and a signature construction parameter corresponding to each service node from the identity-based encryption parameters according to the identity information of each service node in the service chain;
the distribution part 602 is configured to distribute the private key and the signature construction parameter corresponding to each service node to the corresponding service node;
the generating portion 601 is further configured to generate a probe data packet containing an initial digital signature;
the first sending part 603 is configured to send the probe packet to an ingress classifier of the service chain, so that each service node experienced by the probe packet in the service chain sequentially updates a digital signature in the probe packet by using a corresponding private key and signature construction parameters;
the first receiving portion 604 is configured to receive a probe packet including an updated digital signature returned by an egress classifier of the service chain;
the verification section 605 is configured to verify the probe packet containing the updated digital signature according to preset verification parameters, and determine the integrity of the service chain based on the verification result.
In some examples, the generating portion 601 is configured to:
according to a preselected additive cyclic group G of prime order p and a multiplicative cyclic group $G_T$ of prime order p, selecting a bilinear map e satisfying $e: G \times G \to G_T$;
according to the preselected large integer field of prime order p
Figure BDA0002956327890000141
determining a first hash function $H_1: \{0,1\}^* \to G$ and a second hash function
Figure BDA0002956327890000142
and, from a master key α randomly selected in the large integer field
Figure BDA0002956327890000143
computing the public key $g^\alpha$ of the service chain control entity.
In some examples, the generating portion 601 is configured to:
traversing each service node in the service chain, and executing the following operations on the i-th service node reached during the traversal:
according to the identity information $id_i$ of the i-th service node, the first hash function $H_1$ and the master key α, determining the private key of the i-th service node,
Figure BDA0002956327890000144
according to the following formula:
Figure BDA0002956327890000145
according to the identity information $id_i$ of the i-th service node and the second hash function $H_2$, determining the intermediate parameter $s_j$ of the i-th service node as
$s_j = H_2(id_1 \| id_2 \| \cdots \| id_j)$
where $j = 1, 2, \ldots, n$ indexes the service nodes, and the operator $\|$ denotes string concatenation;
according to the intermediate parameter $s_j$ of the i-th service node, determining the signature construction parameter $s^{(i)}$ of the i-th service node by
Figure BDA0002956327890000146
where $1 \le i \le n$, and n denotes the number of service nodes in the service chain.
In some examples, the verification portion 605 is configured to:
setting the updated digital signature contained in the received probe packet m to $\sigma_n = (X_n, Y_n, Z_n)$;
judging whether the following two groups of equations hold simultaneously; if so, determining that the integrity of the service chain is normal; otherwise, determining that the integrity of the service chain is broken:
Figure BDA0002956327890000151
wherein the first verification parameter
Figure BDA0002956327890000152
Second verification parameter
Figure BDA0002956327890000153
Third verification parameter
Figure BDA0002956327890000154
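The following added example (constructed for this page, not the patent's code) runs the generation steps of the generating portion 601, the verification of the verification portion 605 and the S51 to S58 probe flow end to end on a constructed three-node chain. It computes the intermediate parameters $s_j = H_2(id_1 \| \cdots \| id_j)$ exactly as the page defines them, but because the pairing-based update and verification formulas appear here only as images, the group operations are replaced by an HMAC-based stand-in: each node folds its private key and its parameter into the running value, and the control entity compares the returned value against the one an intact, in-order chain produces. The timestamp freshness check the page uses against replay is applied before the aggregate is compared. The master key, node identifiers and the names ServiceChainController, node_update, traverse and check_chain are this example's own assumptions.

```python
"""Added example: the S51-S58 probe flow with the page's s_j parameters and an
HMAC stand-in for the ordered aggregate signature.  Constructed code, not the
patent's pairing-based construction."""
import hashlib
import hmac
import time


def H2(data):
    """Stand-in for the page's second hash function H_2 (SHA-256 here)."""
    return hashlib.sha256(data).digest()


# Stand-in for the group identity 1_G used to initialise sigma_0 = (1_G, 1_G, 1_G).
SIGMA_0 = bytes(32)


def intermediate_params(ids):
    """s_j = H2(id_1 || id_2 || ... || id_j) for j = 1..n, as defined on the page.
    Each s_j covers every id before it, so swapping two nodes changes s_j for
    the later of the two and for every node after it."""
    return [H2("".join(ids[:j]).encode()) for j in range(1, len(ids) + 1)]


def derive_node_key(master_key, node_id):
    """Stand-in for the identity-based private key derived from H_1(id) and the
    master key alpha; the page's actual formula is an image, not reproduced."""
    return hmac.new(master_key, node_id.encode(), hashlib.sha256).digest()


def node_update(sigma_prev, sk, s_param):
    """Service-node step (S54): fold the incoming aggregate, the node's own
    construction parameter and its private key into the new aggregate.
    Stand-in for the page's (X_i, Y_i, Z_i) update."""
    return hmac.new(sk, sigma_prev + s_param, hashlib.sha256).digest()


class ServiceChainController:
    """Service chain control entity: initialisation phase, then S51 and S58."""

    def __init__(self, chain_ids, master_key, max_age_s=5.0):
        self.chain_ids = list(chain_ids)
        self.max_age_s = max_age_s
        # Initialisation: traverse the nodes, derive each node's key and the
        # parameter s_j distributed to the node occupying position j.
        self.node_keys = {i: derive_node_key(master_key, i) for i in self.chain_ids}
        self.s_params = dict(zip(self.chain_ids, intermediate_params(self.chain_ids)))
        # Verification parameter: the aggregate an intact, in-order chain yields.
        self.expected = self._aggregate(self.chain_ids)

    def _aggregate(self, ids):
        sigma = SIGMA_0
        for node_id in ids:
            sigma = node_update(sigma, self.node_keys[node_id], self.s_params[node_id])
        return sigma

    def build_probe(self, now=None):
        """S51: the probe carries a current timestamp (replay protection) and sigma_0."""
        return {"ts": time.time() if now is None else now, "sigma": SIGMA_0}

    def verify(self, probe, now=None):
        """S58: reject stale or future-dated probes, then compare the aggregate
        in constant time."""
        now = time.time() if now is None else now
        if not 0 <= now - probe["ts"] <= self.max_age_s:
            return False
        return hmac.compare_digest(probe["sigma"], self.expected)


def traverse(controller, probe, visited_ids):
    """S52-S57: apply the update of every node the probe actually reaches, in the
    order it reaches them.  Each node uses only the key and parameter that were
    distributed to it, wherever it now sits in the path."""
    sigma = probe["sigma"]
    for node_id in visited_ids:
        sigma = node_update(sigma, controller.node_keys[node_id], controller.s_params[node_id])
    return {"ts": probe["ts"], "sigma": sigma}


def check_chain(visited_ids, chain_ids=("fw", "lb", "ids"), now=1_000_000.0, delay=1.0):
    """One detection round over a constructed three-node chain; returns True
    only when every node was visited in the configured order and the probe
    came back within max_age_s."""
    ctl = ServiceChainController(chain_ids, b"constructed-master-key-not-real")
    probe = ctl.build_probe(now)
    returned = traverse(ctl, probe, visited_ids)
    return ctl.verify(returned, now + delay)


if __name__ == "__main__":
    for path in (["fw", "lb", "ids"], ["fw", "ids"], ["lb", "fw", "ids"]):
        print(path, "intact" if check_chain(path) else "integrity broken")
```

A skipped node and a reordered pair both change the returned value, which is the property the page's ordered aggregation is meant to provide; a probe replayed outside the freshness window is rejected before the aggregate is even compared. Because the stand-in is recomputed by the control entity from the node keys it generated, it does not give the public verifiability of the page's pairing equations; it is only meant to make the flow and its failure modes concrete.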
It is understood that in this embodiment a "part" may be part of a circuit, part of a processor, part of a program or software, etc.; it may also be a unit, and it may be modular or non-modular.
In addition, each component in the embodiment may be integrated in one processing unit, or each unit may exist alone physically, or two or more units are integrated in one unit. The integrated unit can be realized in a form of hardware or a form of a software functional module.
Based on the understanding that the technical solution of the present embodiment essentially or a part contributing to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, and include several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor (processor) to execute all or part of the steps of the method of the present embodiment. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Therefore, the present embodiment provides a computer storage medium, where the computer storage medium stores a service chain integrity detection program based on ordered aggregation digital signature, and when the service chain integrity detection program based on ordered aggregation digital signature is executed by at least one processor, the service chain integrity detection program based on ordered aggregation digital signature implements the technical solution shown in fig. 2 and the implementation manner and the example of the service chain integrity detection method based on ordered aggregation digital signature described above.
Based on the service chain control entity 60 and the computer storage medium above, referring to fig. 7, a specific hardware structure capable of implementing the service chain control entity 60 is shown. The service chain control entity 60 may be a wireless device, a mobile or cellular phone (including a so-called smart phone), a personal digital assistant (PDA), a video game console (including a video display, a mobile video game device or a mobile video conference unit), a laptop computer, a desktop computer, a television set-top box, a tablet computing device, an e-book reader, a fixed or mobile media player, and the like. The service chain control entity 60 comprises: a first communication interface 701, a first memory 702, and a first processor 703; the components are coupled together by a first bus system 704. It is understood that the first bus system 704 is used to enable connection and communication between these components. The first bus system 704 includes a power bus, a control bus and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are all labeled as the first bus system 704 in fig. 7. Where:
the first communication interface 701 is configured to receive and transmit signals in a process of receiving and transmitting information with other external network elements;
the first memory 702 for storing a computer program operable on the first processor 703;
the first processor 703 is configured to, when running the computer program, execute the steps of the method for detecting the integrity of the service chain based on the ordered aggregation digital signature in the technical solution shown in fig. 2 and the implementation manner and example thereof.
It is to be appreciated that the first memory 702 in embodiments of the present invention can be either volatile memory or non-volatile memory, or can include both volatile and non-volatile memory. The non-volatile memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory. Volatile memory can be Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The first memory 702 of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
The first processor 703 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the method may be implemented by integrated logic circuits in hardware or by instructions in the form of software in the first processor 703. The first processor 703 may be a general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in RAM, flash memory, ROM, PROM or EPROM, registers, or other storage media well known in the art. The storage medium is located in the first memory 702, and the first processor 703 reads the information in the first memory 702 and completes the steps of the method in combination with its hardware.
It is to be understood that the embodiments described herein may be implemented in hardware, software, firmware, middleware, microcode, or any combination thereof. For a hardware implementation, the Processing units may be implemented within one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), general purpose processors, controllers, micro-controllers, microprocessors, other electronic units configured to perform the functions described herein, or a combination thereof.
For a software implementation, the techniques described herein may be implemented with modules (e.g., procedures, functions, and so on) that perform the functions described herein. The software codes may be stored in a memory and executed by a processor. The memory may be implemented within the processor or external to the processor.
It will be appreciated that the above provides an illustrative approach to the service chaining control entity 60 for embodiments of the present invention. It should be noted that the technical solution of the service chain control entity 60 and the technical solution of the service chain integrity detection method based on ordered aggregation digital signature shown in fig. 2 belong to the same concept, and details of the technical solution of the service chain control entity 60, which are not described in detail, can be referred to the description of the technical solution of the service chain integrity detection method based on ordered aggregation digital signature shown in fig. 2, and are not described herein again.
Based on the same inventive concept as the foregoing technical solution, referring to fig. 8, a service node 80 in a service network providing a service chain according to an embodiment of the present invention is shown, where the service node 80 includes: a second receiving section 801, an updating section 802, and a second transmitting section 803; where:
the second receiving part 801 is configured to receive a private key and a signature construction parameter sent by a service chaining control entity in the service network; receiving a probe data packet sent by an upper-level network element in the service chain;
the updating part 802 is configured to update the digital signature in the probe data packet according to the private key and the signature construction parameter;
the second sending part 803 is configured to send the probe packet containing the updated digital signature to a next level network element in the service chain.
In some examples, when the service node is the first service node in the service chain, the upper-level network element is the ingress classifier of the service chain, and the digital signature in the probe data packet sent by the upper-level network element is $\sigma_0 = (1_G, 1_G, 1_G)$, where $1_G$ is the identity element of the group;
when the service node is the last service node in the service chain, the next-level network element is the egress classifier of the service chain, and the updated digital signature is $\sigma_n = (X_n, Y_n, Z_n)$, where n is the number of service nodes in the service chain.
In some examples, the update portion 802 is configured to:
selecting a random number
Figure BDA0002956327890000181
where
Figure BDA0002956327890000182
denotes the large integer field of prime order p selected by the service chain control entity;
updating the digital signature $\sigma_{i-1} = (X_{i-1}, Y_{i-1}, Z_{i-1})$ in the received probe data packet m according to the following formula to obtain the updated digital signature $\sigma_i = (X_i, Y_i, Z_i)$:
Figure BDA0002956327890000191
where i denotes the sequence number of the service node in the service chain; $i-1$ denotes the sequence number of the upper-level network element of the service node in the service chain; $s^{(i)}$ denotes the signature construction parameter of the service node; $sk_{id}$ denotes the private key of the service node; $H_1(\cdot)$ denotes the first hash function determined by the service chain control entity; $s_i = H_2(id_1 \| id_2 \| \cdots \| id_i)$, where the operator $\|$ denotes string concatenation; $H_2(\cdot)$ denotes the second hash function determined by the service chain control entity; mod denotes the remainder operation; p denotes the prime order selected by the service chain control entity; and g denotes a generator randomly selected by the service chain control entity in the preselected additive cyclic group G of prime order p.
In addition, this embodiment provides a computer storage medium, where the computer storage medium stores a service chain integrity detection program based on ordered aggregation digital signature, and when the service chain integrity detection program based on ordered aggregation digital signature is executed by at least one processor, the steps of the service chain integrity detection method based on ordered aggregation digital signature in the technical solution and implementation manner shown in fig. 3 above are implemented. For a detailed description of the computer storage medium, reference is made to the description in the foregoing related contents, which are not repeated herein.
Based on the service node 80 and the computer storage medium, referring to fig. 9, a specific hardware structure capable of implementing the service node 80 according to an embodiment of the present invention is shown, which includes: a second network interface 901, a second memory 902, and a second processor 903; the components are coupled together by a bus system 904. It is understood that the bus system 904 is used to enable communication among the components. The bus system 904 includes a power bus, a control bus and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are all labeled as the bus system 904 in fig. 9. Where:
the second network interface 901 is configured to receive and send signals in a process of receiving and sending information with other external network elements;
a second memory 902 for storing a computer program capable of running on the second processor 903;
the second processor 903 is configured to, when running the computer program, execute the steps of the service chain integrity detection method based on the ordered aggregation digital signature in the technical solution shown in fig. 3 and the implementation manner and example thereof.
It can be understood that the components in the specific hardware structure in this embodiment are similar to the corresponding components in the foregoing technical solution, and are not described herein again. The foregoing is an illustrative scenario of the service node 80 provided in the embodiment of the present invention. It should be noted that the technical solution of the service node 80 and the technical solution of the service chain integrity detection method based on the ordered aggregation digital signature shown in fig. 3 belong to the same concept, and details of the technical solution of the service node 80, which are not described in detail, can be referred to the description of the technical solution of the service chain integrity detection method based on the ordered aggregation digital signature shown in fig. 3, and are not described again here.
It should be noted that: the technical schemes described in the embodiments of the present invention can be combined arbitrarily without conflict.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (10)

1. A service chaining integrity detection method based on ordered aggregation digital signatures, the method being applied to a service chaining control entity in a service network providing service chaining, the method comprising:
generating identity-based encryption parameters;
generating a private key and an updating parameter corresponding to each service node by using the identity-based encryption parameter according to the identity information of each service node in the service chain;
distributing the private key and the signature construction parameters corresponding to each service node to the corresponding service node;
generating a probe data packet containing an initial digital signature, and sending the probe data packet to an entry classifier of the service chain, so that each service node experienced by the probe data packet in the service chain sequentially updates the digital signature in the probe data packet by using a corresponding private key and signature construction parameters;
receiving a probe data packet containing an updated digital signature returned by an exit classifier of the service chain;
and verifying the probe data packet containing the updated digital signature according to preset verification parameters, and determining the integrity of the service chain based on a verification result.
2. The method of claim 1, wherein generating identity-based encryption parameters comprises:
according to a preselected additive cyclic group G of prime order p and a multiplicative cyclic group $G_T$ of prime order p, selecting a bilinear map e satisfying $e: G \times G \to G_T$;
according to the preselected large integer field of prime order p
Figure FDA0002956327880000011
determining a first hash function $H_1: \{0,1\}^* \to G$ and a second hash function
Figure FDA0002956327880000012
and, from a master key α randomly selected in the large integer field
Figure FDA0002956327880000013
computing the public key $g^\alpha$ of the service chain control entity.
3. The method according to claim 2, wherein the generating a private key and a signature construction parameter corresponding to each service node according to the identity information of each service node in the service chain by using the identity-based encryption parameter comprises:
traversing each service node in the service chain, and executing the following operations on the traversed ith service node in the traversing process:
according to the identity information $id_i$ of the i-th service node, the first hash function $H_1$ and the master key α, determining the private key of the i-th service node,
Figure FDA0002956327880000021
according to the following formula:
Figure FDA0002956327880000022
according to the identity information $id_i$ of the i-th service node and the second hash function $H_2$, determining the intermediate parameter $s_j$ of the i-th service node as
$s_j = H_2(id_1 \| id_2 \| \cdots \| id_j)$
where $j = 1, 2, \ldots, n$ indexes the service nodes, and the operator $\|$ denotes string concatenation;
according to the intermediate parameter $s_j$ of the i-th service node, determining the signature construction parameter $s^{(i)}$ of the i-th service node by
Figure FDA0002956327880000023
where $1 \le i \le n$, and n denotes the number of service nodes in the service chain.
4. The method of claim 3, wherein the verifying the probe packet with the updated digital signature according to the predetermined verification parameters and determining the integrity of the service chain based on the verification comprises:
setting the updated digital signature contained in the received probe packet m to $\sigma_n = (X_n, Y_n, Z_n)$;
judging whether the following two groups of equations hold simultaneously; if so, determining that the integrity of the service chain is normal; otherwise, determining that the integrity of the service chain is broken:
Figure FDA0002956327880000024
wherein the first verification parameter
Figure FDA0002956327880000025
Second verification parameter
Figure FDA0002956327880000026
Third verification parameter
Figure FDA0002956327880000027
5. A service chain integrity detection method based on ordered aggregation digital signatures, the method being applied to a service node in a service network providing a service chain, the method comprising:
receiving a private key and signature construction parameters sent by a service chaining control entity in the service network;
receiving a probe data packet sent by an upper-level network element in the service chain;
and updating the digital signature in the probe data packet according to the private key and the signature construction parameters, and sending the probe data packet containing the updated digital signature to a next-level network element in the service chain.
6. The method of claim 5, wherein when the service node is the first service node in the service chain, the upper-level network element is the ingress classifier of the service chain, and the digital signature in the probe packet sent by the upper-level network element is σ_0 = (1_G, 1_G, 1_G); wherein 1_G is the identity element of the group G;
when the service node is the last service node in the service chain, the next-level network element is the egress classifier of the service chain, and the updated digital signature is σ_n = (X_n, Y_n, Z_n); wherein n represents the number of service nodes in the service chain.
7. The method of claim 5, wherein updating the digital signature in the probe packet according to the private key and signature construction parameters comprises:
selecting a random number
Figure FDA0002956327880000031
wherein
Figure FDA0002956327880000032
represents the large integer field of prime order p selected by the service chain control entity;
updating the digital signature σ_{i-1} = (X_{i-1}, Y_{i-1}, Z_{i-1}) in the received probe data packet m according to the following formula to obtain the updated digital signature σ_i = (X_i, Y_i, Z_i):
Figure FDA0002956327880000033
wherein i represents the sequence number of the service node in the service chain; i-1 represents the sequence number of the upper-level network element of the service node in the service chain; s^(i) represents the signature construction parameter of the service node; sk_id represents the private key of the service node; H_1() represents the first hash function determined by the service chaining control entity; s_i = H_2(id_1 || id_2 || ... || id_i), where the operator || represents string concatenation; H_2() represents the second hash function determined by the service chaining control entity; mod represents the remainder operation; p represents the prime order selected by the service chaining control entity; g represents a generator randomly selected by the service chain control entity in a pre-selected additive cyclic group G of prime order p.
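Added simulation of the probe flow in claims 4-7 (not code from the patent): the controller derives per-node keys and the position-bound parameters s_i, the probe's aggregate is updated node by node starting from σ_0, and the controller recomputes and compares the result. The patent's pairing-based update and verification equations are figure placeholders on this page, so an HMAC-based ordered aggregation is substituted for them (deterministic, without the per-node random number); all keys, identities and the probe payload are constructed.

```python
import hashlib
import hmac

# Constructed simulation of the probe-packet flow in claims 4-7. The patent's own
# pairing-based formulas are figure placeholders on this page, so the per-node update
# is an HMAC-based ordered aggregation (assumption) that keeps the claimed structure:
# identity-derived private keys, s_i = H2(id_1 || ... || id_i), sigma_0 = identity.

MASTER_KEY = b"constructed-master-key-alpha"   # constructed; stands in for alpha
SIGMA_0 = bytes(32)                            # stands in for (1_G, 1_G, 1_G)

def h1(data: bytes) -> bytes:                  # first hash function H1
    return hashlib.sha256(b"H1|" + data).digest()

def h2(data: bytes) -> bytes:                  # second hash function H2
    return hashlib.sha256(b"H2|" + data).digest()

def controller_setup(chain_ids):
    """Controller: sk_id from the master key and H1(id); s_i from the ordered
    concatenation id_1 || ... || id_i, so the parameter encodes the position."""
    keys = {nid: hmac.new(MASTER_KEY, h1(nid), hashlib.sha256).digest()
            for nid in chain_ids}
    params = {nid: h2(b"".join(chain_ids[:i + 1]))
              for i, nid in enumerate(chain_ids)}
    return keys, params

def node_update(sigma_prev, sk, s_i, probe):
    """Service node: fold the previous aggregate, its own key and parameter
    into the aggregate carried onward in the probe packet."""
    return hmac.new(sk, sigma_prev + s_i + probe, hashlib.sha256).digest()

def traverse(actual_ids, keys, params, probe):
    """The probe follows the path actually taken; each node uses what it was given."""
    sigma = SIGMA_0
    for nid in actual_ids:
        sigma = node_update(sigma, keys[nid], params[nid], probe)
    return sigma

def verify(chain_ids, sigma_n, probe):
    """Controller: recompute the aggregate for the intended chain and compare."""
    keys, params = controller_setup(chain_ids)
    return hmac.compare_digest(traverse(chain_ids, keys, params, probe), sigma_n)

def detect(chain_ids, actual_ids, probe=b"constructed-probe"):
    """True only when the path actually taken equals the intended chain
    (a skipped, duplicated or reordered node breaks verification)."""
    keys, params = controller_setup(chain_ids)
    return verify(chain_ids, traverse(actual_ids, keys, params, probe), probe)
```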
8. A service chaining control entity in a service network providing service chaining, the service chaining control entity comprising: a generation section, a distribution section, a first transmission section, a first reception section, and a verification section; wherein
the generation part is configured to generate identity-based encryption parameters; generating a private key and a signature construction parameter corresponding to each service node by using the identity-based encryption parameter according to the identity information of each service node in the service chain;
the distribution part is configured to distribute the private key and the signature construction parameter corresponding to each service node to the corresponding service node;
the generation part is further configured to generate a probe data packet containing an initial digital signature;
the first sending part is configured to send the probe data packet to an entry classifier of the service chain, so that each service node which the probe data packet passes through in the service chain updates the digital signature in the probe data packet by using a corresponding private key and signature construction parameters in sequence;
the first receiving part is configured to receive a probe data packet which is returned by an exit classifier of the service chain and contains an updated digital signature;
the verification part is configured to verify the probe data packet containing the updated digital signature according to preset verification parameters, and determine the integrity of the service chain based on a verification result.
9. A service node in a service network providing a service chain, the service node comprising: a second receiving section, an updating section, and a second transmitting section; wherein
the second receiving part is configured to receive a private key and a signature construction parameter sent by a service chaining control entity in the service network; receiving a probe data packet sent by an upper-level network element in the service chain;
the updating part is configured to update the digital signature in the probe data packet according to the private key and the signature construction parameters;
the second sending part is configured to send the probe data packet containing the updated digital signature to a next-level network element in the service chain.
10. A computer storage medium, characterized in that the computer storage medium stores a service chain integrity detection program based on ordered aggregated digital signatures, which when executed by at least one processor implements the steps of the service chain integrity detection method based on ordered aggregated digital signatures of any one of claims 1 to 4 or any one of claims 5 to 7.
CN202110226172.0A 2021-03-01 2021-03-01 Service chain integrity detection method, device and medium based on ordered aggregation digital signature Pending CN113014382A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110226172.0A CN113014382A (en) 2021-03-01 2021-03-01 Service chain integrity detection method, device and medium based on ordered aggregation digital signature

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110226172.0A CN113014382A (en) 2021-03-01 2021-03-01 Service chain integrity detection method, device and medium based on ordered aggregation digital signature

Publications (1)

Publication Number Publication Date
CN113014382A true CN113014382A (en) 2021-06-22

Family

ID=76387255

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110226172.0A Pending CN113014382A (en) 2021-03-01 2021-03-01 Service chain integrity detection method, device and medium based on ordered aggregation digital signature

Country Status (1)

Country Link
CN (1) CN113014382A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170295021A1 (en) * 2016-04-07 2017-10-12 Telefonica, S.A. Method to assure correct data packet traversal through a particular path of a network
CN108989050A (en) * 2018-08-23 2018-12-11 电子科技大学 A kind of certificateless digital signature method
CN109905247A (en) * 2019-03-28 2019-06-18 郑州师范学院 Digital signature method, device, equipment and storage medium based on block chain
CN111597590A (en) * 2020-05-12 2020-08-28 重庆邮电大学 Block chain-based data integrity rapid inspection method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
PATTARANANTAKUL M., SONG Q., TIAN Y., ET AL.: "《Security and Privacy in Communication Networks》", 11 December 2019 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication
Application publication date: 20210622