WO2017219886A1 - Simple network protocol authentication method and device - Google Patents

Info

Publication number: WO2017219886A1
Application number: PCT/CN2017/087893
Authority: WO (WIPO (PCT))
Other languages: French (fr), Chinese (zh)
Inventor: 阚江涛
Original Assignee: 中兴通讯股份有限公司
Prior art keywords: digital certificate, management server, network device, authentication data, random number

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • The present disclosure relates to optical communication technologies, and in particular to a simple network protocol authentication method and apparatus.
  • The Simple Network Management Protocol (SNMP) is a network management standard based on the Transmission Control Protocol/Internet Protocol (TCP/IP); through SNMP the network administrator can also receive notification messages from network nodes.
  • An alarm event report indicates a problem in the network; a managed network node can be a server, workstation, router, or switch.
  • The network management server can be connected to multiple network nodes, that is, network devices. During the initial configuration of each network device, an SNMP authentication key is configured on the network device, and the same SNMP authentication key is configured on the network management server; when the network management server communicates with the network device, it can manage the device only when the two keys match.
  • The present disclosure finds that the SNMP authentication key is transmitted in plain text during this configuration process and may be stolen, resulting in lower security of the network device.
  • The present disclosure therefore provides a simple network protocol authentication method and apparatus for solving the problem of low security of a network device.
  • the present disclosure provides a simple network protocol authentication method, including:
  • The network management server determines the identity of the network device and first authentication data according to the obtained authentication data request information sent by the network device, where the first authentication data includes authentication data, determined by the network management server, for performing simple network protocol (SNMP) operations between the network management server and the network device.
  • The network management server sends authentication data request response information to the network device, where the authentication data request response information is used by the network device to verify the identity of the network management server and to determine second authentication data, the second authentication data including authentication data, determined by the network device, for performing SNMP operations between the network management server and the network device.
  • Before the network management server determines the identity of the network device and the first authentication data according to the obtained authentication data request information sent by the network device, the method further includes:
  • the network management server sends second authentication request information to the network device, where the second authentication request information carries a second entity digital certificate parameter and the second random number, the second entity digital certificate parameter being a parameter used to verify the legality of the second entity digital certificate, and the second entity digital certificate comprising a digital certificate set on the network management server.
  • Before the network management server determines the identity of the network device and the first authentication data according to the obtained authentication data request information sent by the network device, the method also includes:
  • the network management server determines that the usage duration of third authentication data is greater than a threshold, where the third authentication data includes authentication data, determined by the network management server before it determines the identity of the network device and the first authentication data, for performing SNMP operations between the network management server and the network device; or
  • the network management server obtains the first authentication request information sent by the network device, where the first authentication request information is used to request authentication between the network management server and the network device.
  • The authentication data request information includes at least one of the following or a combination thereof: a first public key, a first random number, the second random number, a network management server identifier, a first entity digital certificate parameter, and a signature value of the first entity digital certificate, where the first public key includes a public key generated by the network device according to the second random number, the first random number includes a random number randomly generated by the network device, the first entity digital certificate parameter includes a parameter for verifying the legitimacy of the first entity digital certificate, and the first entity digital certificate includes a digital certificate set on the network device.
  • The network management server determines the identity of the network device and the first authentication data according to the authentication data request information, including:
  • the network management server determines, according to the second random number, that the second random number is the random number that the network management server sent to the network device carried in the authentication request response information;
  • the network management server determines, according to the first entity digital certificate parameter, the signature value of the first entity digital certificate, the second random number, and the network management server identifier, that the network device is a device that can perform SNMP operations;
  • the network management server determines the first authentication data according to the third random number and the first public key.
  • The authentication data request response information includes at least one of the following or a combination thereof: a second public key, the first random number, the second random number, the network device identifier, a second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key includes a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the legality of the second entity digital certificate.
  • the present disclosure also provides a simple network protocol authentication method, including:
  • The network device sends authentication data request information to the network management server, where the authentication data request information is used to verify the identity of the network device and to obtain information of first authentication data, the first authentication data including authentication data, determined by the network management server, for performing simple network protocol (SNMP) operations between the network management server and the network device; the network device receives authentication data request response information sent by the network management server and determines second authentication data according to it, where the second authentication data includes authentication data, determined by the network device, for performing SNMP operations between the network management server and the network device;
  • Before the network device sends the authentication data request information to the network management server, the method further includes:
  • the network device sends the first authentication request information to the network management server according to the second entity digital certificate, where the first authentication request information is used to request authentication between the network management server and the network device.
  • Before the network device sends the authentication data request information to the network management server, the method further includes:
  • the network device receives second authentication request information sent by the network management server, where the second authentication request information carries the second entity digital certificate parameter and the second random number, the second entity digital certificate parameter including a parameter for verifying the legality of the second entity digital certificate, and the second entity digital certificate comprising a digital certificate set on the network management server.
  • The authentication data request information includes at least one of the following or a combination thereof: a first public key, a first random number, a second random number, the network management server identifier, a first entity digital certificate parameter, and a signature value of the first entity digital certificate, where the first public key includes a public key generated by the network device according to the second random number, the first random number includes a random number randomly generated by the network device, the first entity digital certificate parameter includes a parameter for verifying the legitimacy of the first entity digital certificate, and the first entity digital certificate includes a digital certificate set on the network device.
  • The authentication data request response information includes at least one of the following or a combination thereof: a second public key, the first random number, the second random number, a network device identifier, a second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key includes a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the validity of the second entity digital certificate.
  • The network device determines the second authentication data according to the authentication data request response information, including:
  • the network device determines, according to the second entity digital certificate parameter, the signature value of the second entity digital certificate, the first random number, the second random number, and the network device identifier, that the network management server is a device that can perform SNMP operations;
  • the network device determines the authentication data according to the third random number and the second public key, where the third random number includes a random number generated by the network device at the same time as the first random number.
  • the method further includes:
  • the network device determines the signature value of the first entity digital certificate according to the network device private key, the first public key, the first random number, the second random number, the network management server identifier, and the first entity digital certificate parameter.
  • the present disclosure also provides a simple network protocol authentication apparatus, including:
  • a determining module configured to determine the identity of the network device and first authentication data according to the obtained authentication data request information sent by the network device, where the first authentication data includes authentication data, determined by the network management server, for performing simple network protocol (SNMP) operations between the network management server and the network device;
  • a sending module configured to send authentication data request response information to the network device, where the authentication data request response information is used by the network device to verify the identity of the network management server and to determine second authentication data, the second authentication data including authentication data, determined by the network device, for performing SNMP operations between the network management server and the network device.
  • The sending module is further configured to send second authentication request information to the network device, where the second authentication request information carries a second entity digital certificate parameter and the second random number, the second entity digital certificate parameter including a parameter for verifying the legality of the second entity digital certificate, and the second entity digital certificate including a digital certificate set on the network management server.
  • The apparatus further includes a processing module.
  • The processing module is configured to determine that the usage duration of third authentication data is greater than a threshold, where the third authentication data includes authentication data, determined by the network management server before it determines the identity of the network device and the first authentication data, for performing SNMP operations between the network management server and the network device; or to acquire first authentication request information sent by the network device, where the first authentication request information is used to request authentication between the network management server and the network device.
  • The authentication data request information includes at least one of the following or a combination thereof: a first public key, a first random number, the second random number, a network management server identifier, a first entity digital certificate parameter, and a signature value of the first entity digital certificate, where the first public key includes a public key generated by the network device according to the second random number, the first random number includes a random number randomly generated by the network device, the first entity digital certificate parameter includes a parameter for verifying the legitimacy of the first entity digital certificate, and the first entity digital certificate includes a digital certificate set on the network device.
  • The processing module is further configured to determine, according to the second random number, that the second random number is the random number that the network management server sent to the network device carried in the authentication request response information; to determine, according to the first entity digital certificate parameter, the signature value of the first entity digital certificate, the second random number, and the network management server identifier, that the network device is a device that can perform SNMP operations; and to determine the first authentication data according to the third random number and the first public key.
  • The authentication data request response information includes at least one of the following or a combination thereof: a second public key, the first random number, the second random number, the network device identifier, a second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key includes a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the legality of the second entity digital certificate.
  • the present disclosure also provides a simple network protocol authentication apparatus, including:
  • a sending module configured to send authentication data request information to the network management server, where the authentication data request information is used to verify the identity of the network device and to obtain information of first authentication data, the first authentication data including authentication data, determined by the network management server, for performing SNMP operations between the network management server and the network device;
  • a receiving module configured to receive authentication data request response information sent by the network management server, where the authentication data request response information is used by the network device to verify the identity of the network management server and to determine second authentication data, the second authentication data including authentication data, determined by the network device, for performing simple network protocol (SNMP) operations between the network management server and the network device;
  • a determining module configured to determine the identity of the network management server and the second authentication data according to the authentication data request response information.
  • The receiving module is further configured to obtain a second entity digital certificate.
  • The sending module is further configured to send first authentication request information to the network management server according to the second entity digital certificate, where the first authentication request information is used to request authentication between the network management server and the network device.
  • The receiving module is further configured to receive second authentication request information sent by the network management server, where the second authentication request information carries a second entity digital certificate parameter and the second random number, the second entity digital certificate parameter including a parameter for verifying the legitimacy of the second entity digital certificate, and the second entity digital certificate including a digital certificate set on the network management server.
  • The authentication data request information includes at least one of the following or a combination thereof: a first public key, a first random number, a second random number, the network management server identifier, a first entity digital certificate parameter, and a signature value of the first entity digital certificate, where the first public key includes a public key generated by the network device according to the second random number, the first random number includes a random number randomly generated by the network device, the first entity digital certificate parameter includes a parameter for verifying the legitimacy of the first entity digital certificate, and the first entity digital certificate includes a digital certificate set on the network device.
  • The authentication data request response information includes at least one of the following or a combination thereof: a second public key, the first random number, the second random number, a network device identifier, a second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key includes a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the validity of the second entity digital certificate.
  • The determining module is further configured to determine, according to the second entity digital certificate parameter, the signature value of the second entity digital certificate, the first random number, the second random number, and the network device identifier, that the network management server is a device that can perform SNMP operations; the network device determines the authentication data according to a third random number and the second public key, where the third random number includes a random number generated by the network device at the same time as the first random number.
  • The determining module is further configured to determine, according to the second entity digital certificate parameter, that the second entity digital certificate is a legal certificate; to determine the first public key according to the third random number and a curve base point; and to determine the signature value of the first entity digital certificate according to the network device private key, the first public key, the first random number, the second random number, the network management server identifier, and the first entity digital certificate parameter.
  • The network management server obtains authentication data request information sent by the network device, where the authentication data request information is used to verify the identity of the network device and to obtain information of the authentication data, the authentication data being authentication data for SNMP operations performed between the network management server and the network device; the network management server determines the identity of the network device and the authentication data according to the authentication data request information; and the network management server sends authentication data request response information to the network device, where the authentication data request response information is used by the network device to verify the identity of the network management server and to determine information of the authentication data.
  • the authentication data used for the SNMP operation between the network device and the network management server is determined by using the encryption key and the first entity digital certificate and the second entity digital certificate, thereby improving the security of the network device.
  • the present disclosure also provides a storage medium configured to store program code for performing the simple network protocol authentication method of any of the above embodiments.
  • FIG. 1 is a schematic flowchart of an embodiment of a simple network protocol authentication method according to the present disclosure.
  • FIG. 2 is a schematic flowchart of a second embodiment of a simple network protocol authentication method according to the present disclosure.
  • FIG. 3 is a schematic flowchart of a third embodiment of a simple network protocol authentication method according to the present disclosure.
  • FIG. 4 is a schematic structural diagram of an embodiment of a simple network protocol authentication apparatus according to the present disclosure.
  • FIG. 5 is a schematic structural diagram of a second embodiment of a simple network protocol authentication apparatus according to the present disclosure.
  • FIG. 6 is a schematic structural diagram of a third embodiment of a simple network protocol authentication apparatus according to the present disclosure.
  • the simple network protocol authentication method provided by the embodiment of the present disclosure can be applied to the SNMP authentication process.
  • The simple network protocol authentication method provided by this embodiment may be implemented by a simple network protocol authentication device, which may be integrated in a network management server or set up separately; the simple network protocol authentication device may be implemented in software and/or hardware.
  • the simple network protocol authentication method and apparatus provided in this embodiment are described in detail below.
  • FIG. 1 is a schematic flowchart of a simple network protocol authentication method according to an embodiment of the present disclosure. As shown in FIG. 1 , the simple network protocol authentication method provided by the present disclosure includes:
  • Step 101 The network management server determines the identity of the network device and the first authentication data according to the obtained authentication data request information sent by the network device.
  • The authentication data request information is used to verify the identity of the network device and to obtain information of the authentication data, where the first authentication data includes authentication data, determined by the network management server, for performing SNMP operations between the network management server and the network device.
  • the network management server determines that the usage duration of the authentication data is greater than a threshold.
  • the network management server obtains the authentication request information sent by the network device, where the authentication request information is used to request authentication between the network management server and the network device.
  • the network management server first determines, according to the authentication data request information, that the network device is a device that can perform an SNMP operation; and then, according to the authentication data request information, determines the first authentication data.
  • Step 102 The network management server sends authentication data request response information to the network device.
  • the authentication data request response information is used by the network device to verify the identity of the network management server, and determine the second authentication data.
  • The second authentication data includes authentication data, determined by the network device, for performing simple network protocol (SNMP) operations between the network management server and the network device.
  • In this embodiment, the network management server determines the identity of the network device and the first authentication data according to the obtained authentication data request information sent by the network device, where the first authentication data includes authentication data for performing simple network protocol (SNMP) operations between the network management server and the network device;
  • the network management server sends the authentication data request response information to the network device, where the authentication data request response information is used by the network device to verify the identity of the network management server and to determine the second authentication data.
  • the authentication data used for the SNMP operation between the network device and the network management server is determined by using the encryption key and the first entity digital certificate and the second entity digital certificate, thereby improving the security of the network device.
  • Before the network management server determines the identity of the network device and the first authentication data, the method further includes:
  • the network management server sends second authentication request information to the network device, where the second authentication request information carries a second entity digital certificate parameter and the second random number, the second entity digital certificate parameter being a parameter used to verify the legality of the second entity digital certificate, and the second entity digital certificate comprising a digital certificate set in the network management server.
  • The first authentication data request information includes at least one of the following or a combination thereof: a first public key, a first random number, the second random number, a network management server identifier, a first entity digital certificate parameter, and a signature value of the first entity digital certificate, where the first public key includes a public key generated by the network device according to the second random number, the first random number includes a random number randomly generated by the network device, the first entity digital certificate parameter includes a parameter for verifying the legitimacy of the first entity digital certificate, and the first entity digital certificate includes a digital certificate set in the network device.
  • The first authentication data request information includes the second random number, the first entity digital certificate parameter, a signature value of the first entity digital certificate, and the network management server identifier.
  • the network management server determines the identity of the network device and the first authentication data according to the authentication data request information, including:
  • the network management server determines, according to the second random number, that the second random number is the random number that the network management server sent to the network device carried in the authentication request response information;
  • the network management server determines, according to the first entity digital certificate parameter, the signature value of the first entity digital certificate, the second random number, and the network management server identifier, that the network device is a device that can perform SNMP operations;
  • the network management server determines the first authentication data according to the third random number and the first public key.
  • The second authentication data request information includes at least one of the following or a combination thereof: a second public key, the first random number, the second random number, the network device identifier, a second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key includes a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the validity of the second entity digital certificate.
  • the simple network protocol authentication method provided by the present disclosure includes:
  • Step 201 The network device sends the authentication data request information to the network management server.
  • The authentication data request information is used to verify the identity of the network device and to obtain the first authentication data, where the first authentication data includes authentication data, determined by the network management server, for performing SNMP operations between the network management server and the network device.
  • The network management server determines that the usage duration of third authentication data is greater than a threshold, where the third authentication data includes authentication data, determined before the network management server determines the identity of the network device and the first authentication data, for SNMP operations between the network management server and the network device.
  • the network management server obtains the first authentication request information sent by the network device, where the first authentication request information is used to request authentication between the network management server and the network device.
  • Step 202 The network device receives the authentication data request response information sent by the network management server.
  • The authentication data request response information is used by the network device to verify the identity of the network management server and to determine second authentication data, where the second authentication data includes authentication data, determined by the network device, for performing simple network protocol (SNMP) operations between the network management server and the network device.
  • Step 203 The network device determines the identity of the network management server and the second authentication data according to the authentication data request response information.
  • the network device first determines, according to the authentication data request response information, that the network management server is a device that can perform SNMP operations; it then determines the authentication data according to the same response information.
  • in this embodiment, the network device sends authentication data request information to the network management server, where the authentication data request information is used to verify the identity of the network device and to obtain first authentication data, the first authentication data being the authentication data for SNMP operations between the network management server and the network device; the network device receives the authentication data request response information sent by the network management server, which the network device uses to verify the identity of the network management server and to determine the second authentication data; and the network device determines the identity of the network management server and the second authentication data according to the authentication data request response information.
  • the authentication data used for the SNMP operation between the network device and the network management server is determined by using the encryption key and the first entity digital certificate and the second entity digital certificate, thereby improving the security of the network device.
  • before the network device sends the authentication data request information to the network management server, the method further includes: receiving second authentication request information sent by the network management server, where the second authentication request information carries a second entity digital certificate parameter and the second random number, the second entity digital certificate parameter includes a parameter for verifying the legality of the second entity digital certificate, and the second entity digital certificate includes a digital certificate set in the network management server.
  • the authentication data request information includes at least one of the following, or a combination thereof: a first public key, a first random number, a second random number, the network management server identifier, a first entity digital certificate parameter, and a signature value of the first entity digital certificate, where the first public key includes a public key generated by the network device according to the second random number, the first random number includes a random number randomly generated by the network device, the first entity digital certificate parameter includes a parameter for verifying the legitimacy of the first entity digital certificate, and the first entity digital certificate includes a digital certificate disposed at the network device.
  • the authentication data request response information includes at least one of the following, or a combination thereof: a second public key, the first random number, the second random number, a network device identifier, a second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key includes a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the validity of the second entity digital certificate.
  • the network device determining the authentication data according to the authentication data request response information includes: the network device determining, according to the second entity digital certificate parameter, the signature value of the second entity digital certificate, the first random number, the second random number, and the network device identifier, that the network management server is a device capable of performing SNMP operations;
  • the network device determines the authentication data according to the third random number and the second public key, where the third random number includes a random number generated by the network device while generating the first random number.
  • after the network device receives the authentication request response information sent by the network management server, the method further includes: the network device determining the signature value of the first entity digital certificate according to the network device private key, the first public key, the first random number, the second random number, the network management server identifier, and the first entity digital certificate parameter.
  • the simple network protocol authentication method provided by the present disclosure includes:
  • Step 301 The network device receives the second authentication request information sent by the network management server.
  • the second authentication request information carries a second entity digital certificate parameter and the second random number; the second entity digital certificate parameter includes a parameter for verifying the validity of the second entity digital certificate, and the second entity digital certificate includes a digital certificate set in the network management server.
  • the network device receives the authentication request response information sent by the network management server, carried in a ZX_MDHello message. The ZX_MDHello message is a UDP packet carrying the second random number Nm and the second entity digital certificate parameter MDCert.
  • the network device acquires the second entity digital certificate; the network device then sends the first authentication request information to the network management server according to the second entity digital certificate, where the first authentication request information is used to request authentication between the network management server and the network device.
  • the network device detects that an entity discriminator has been inserted into its USB port, the entity discriminator being provisioned with the first entity digital certificate. The network device then sends a trap packet to the network management server, where the trap packet carries the first authentication request information. At the same time, the network device enters authentication mode and waits for the network management server to perform authentication.
  • the trap message sent by the network device to the network management server must carry a specific OID indicating that the device has enabled authentication mode and needs to be authenticated. After the network management server obtains the authentication request information, it initiates the authentication process.
  • alternatively, the network management server determines that the usage duration of the third authentication data is greater than a threshold, where the third authentication data includes the authentication data used for SNMP operations between the network management server and the network device before the network management server determines the identity of the network device and the first authentication data.
  • Step 302 The network device determines, according to the authentication request response information, a signature value of the first entity digital certificate.
  • the network device determines, according to the second entity digital certificate parameter, that the second entity digital certificate is a legal certificate; the network device determines the first public key according to the third random number and a curve base point; and the network device determines the signature value of the first entity digital certificate according to the network device private key, the first public key, the first random number, the second random number, the network management server identifier, and the first entity digital certificate parameter.
  • the certificate verification function of the entity discriminator is invoked to verify the validity of the MDCert certificate;
  • the random number function of the entity discriminator is called to generate the random numbers Rn (the third random number) and Nn (the first random number);
  • the point multiplication function is called to calculate the temporary public key TempPKn (the first public key) from Rn and the curve base point;
  • the signature function is called to generate the signature value NDSign, and the ZX_NDHello message is sent to the network management server.
  • the ZX_NDHello message carries the first public key TempPKn, the first random number Nn, the second random number Nm, the network management server identifier IDm (the IP address of the MD), the first entity digital certificate parameter NDCert (the certificate of the ND), and the signature value NDSign of the first entity digital certificate, where
  • NDSign = ECC_Sign(SKn: TempPKn, Nn, Nm, IDm, NDCert), SKn being the private key of the ND.
  • Step 303 The network device sends the authentication data request information to the network management server.
  • the authentication data request information is used to verify the identity of the network device and to obtain information about the authentication data, where the authentication data is used for SNMP operations between the network management server and the network device.
  • the authentication data request information is carried in the ZX_NDHello packet and includes the first public key TempPKn, the first random number Nn, the second random number Nm, the network management server identifier IDm (the IP address of the MD), the first entity digital certificate parameter NDCert (the certificate of the ND), and the signature value NDSign of the first entity digital certificate.
  • Step 304 The network management server determines the identity of the network device and the first authentication data according to the authentication data request information.
  • the network management server determines, according to the second random number, that the second random number is the one it sent to the network device in the authentication request response information; the network management server then determines, according to the first entity digital certificate parameter, the signature value of the first entity digital certificate, the second random number, and the network management server identifier, that the network device is a device that can perform SNMP operations; and the network management server determines the first authentication data according to the random number Rm it generates and the first public key TempPKn.
  • for example, the MD first verifies that the random number Nm is the one it sent. It then verifies the NDCert certificate body and the validity of the certificate, uses the public key in the certificate to verify the signature value NDSign, and finally verifies Nm and IDm. After these checks pass, the ND is considered authentic. At the same time, a random number Rm is generated, a temporary public key TempPKm and a signature value MDSign are calculated, and the shared data AuthData is calculated and saved, where
  • MDSign = ECC_Sign(SKm: TempPKm, Nm, Nn, IDn, MDCert), SKm being the private key of the MD;
  • Step 305 The network management server sends the authentication data request response information to the network device.
  • the authentication data request response information is used by the network device to verify the identity of the network management server and determine information of the second authentication data.
  • the authentication data request response information includes at least one of the following, or a combination thereof: a second public key, the first random number, the second random number, the network device identifier, a second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key includes a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the legality of the second entity digital certificate.
  • the authentication data request response information is carried in a ZX_MDAuth message and may include the second public key TempPKm, the second random number Nm, the first random number Nn, the network device identifier IDn, the certificate of the MD (the second entity digital certificate parameter MDCert), and the signature value MDSign of the second entity digital certificate.
  • Step 306 The network device determines the identity of the network management server and the second authentication data according to the authentication data request response information.
  • the network device uses the public key of the CA preset in the entity discriminator to verify the MDCert certificate body and the validity of the certificate, then calls the signature verification function to verify the signature value MDSign, and verifies Nm, Nn and IDn. After the verification passes, the network management server is considered authentic. AuthData is calculated and saved at the same time, where
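The exchange of steps 301 to 306 (ZX_MDHello, ZX_NDHello, ZX_MDAuth and the checks each side performs), as an added example; it is not code from the patent or from ZTE. The page names no curve, signature algorithm, message encoding or AuthData formula, so this example assumes ECDSA over secp256k1 implemented in plain Python, a length-prefixed field encoding for the signed data, entity certificates modelled as (holder identifier, public key, CA signature) tuples, and AuthData derived by hashing the ECDH point together with both nonces. The entity discriminator's functions (certificate check, random numbers, point multiplication, signing) are ordinary functions here, and the identifiers "10.0.0.1" and "ND-0001" are constructed.

```python
import hashlib, hmac, secrets

# secp256k1 parameters. The page names neither the curve nor the signature scheme;
# ECDSA over secp256k1 and the AuthData derivation below are assumptions of this example.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = 3 * x1 * x1 * pow(2 * y1, -1, P) if a == b else (y2 - y1) * pow((x2 - x1) % P, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication (the "point multiplication function")
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def _z(msg):  # message hash as a scalar
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def ecc_sign(sk, msg):  # ECDSA with an HMAC-derived nonce, standing in for ECC_Sign
    k = 1 + int.from_bytes(hmac.new(sk.to_bytes(32, "big"), msg, hashlib.sha256).digest(), "big") % (N - 1)
    r = ec_mul(k, G)[0] % N
    return (r, pow(k, -1, N) * (_z(msg) + r * sk) % N)

def ecc_verify(pk, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    pt = ec_add(ec_mul(_z(msg) * pow(s, -1, N) % N, G), ec_mul(r * pow(s, -1, N) % N, pk))
    return pt is not None and pt[0] % N == r

def enc(*fields):  # length-prefixed encoding of the fields a signature covers
    out = b""
    for f in fields:
        if isinstance(f, str): f = f.encode()
        elif isinstance(f, tuple):  # point/signature (ints) or certificate (nested tuple)
            f = b"".join(c.to_bytes(32, "big") for c in f) if all(isinstance(c, int) for c in f) else enc(*f)
        out += len(f).to_bytes(2, "big") + f
    return out

def cert_valid(ca_pk, cert):  # entity digital certificate = (holder id, public key, CA signature)
    return ecc_verify(ca_pk, enc(cert[0], cert[1]), cert[2])

def kdf(shared, nn, nm):  # AuthData from the ECDH point and both nonces (no formula on the page)
    return hashlib.sha256(shared[0].to_bytes(32, "big") + nn + nm).digest()

class Peer:  # MD or ND: identifier, private key, own certificate and the CA public key
    def __init__(self, ident, ca_sk, ca_pk):
        self.id, self.ca_pk, self.auth_data = ident, ca_pk, None
        self.sk = secrets.randbelow(N - 1) + 1
        pk = ec_mul(self.sk, G)
        self.cert = (ident, pk, ecc_sign(ca_sk, enc(ident, pk)))

def zx_md_hello(md):
    md.nm = secrets.token_bytes(16)  # second random number Nm
    return {"Nm": md.nm, "MDCert": md.cert}

def zx_nd_hello(nd, m):
    if not cert_valid(nd.ca_pk, m["MDCert"]): raise ValueError("MDCert invalid")
    nd.nm, nd.nn = m["Nm"], secrets.token_bytes(16)  # Nm as received, first random number Nn
    nd.rn = secrets.randbelow(N - 1) + 1              # third random number Rn
    idm, tpk = m["MDCert"][0], ec_mul(nd.rn, G)       # IDm, TempPKn = Rn * G
    sig = ecc_sign(nd.sk, enc(tpk, nd.nn, nd.nm, idm, nd.cert))  # NDSign
    return {"TempPKn": tpk, "Nn": nd.nn, "Nm": nd.nm, "IDm": idm, "NDCert": nd.cert, "NDSign": sig}

def zx_md_auth(md, m):
    cert = m["NDCert"]
    if m["Nm"] != md.nm or m["IDm"] != md.id: raise ValueError("Nm or IDm does not match this server")
    ok = cert_valid(md.ca_pk, cert) and ecc_verify(
        cert[1], enc(m["TempPKn"], m["Nn"], m["Nm"], m["IDm"], cert), m["NDSign"])
    if not ok: raise ValueError("NDCert or NDSign invalid")
    rm = secrets.randbelow(N - 1) + 1                 # server random number Rm
    tpk, idn = ec_mul(rm, G), cert[0]                 # TempPKm, IDn
    sig = ecc_sign(md.sk, enc(tpk, m["Nm"], m["Nn"], idn, md.cert))  # MDSign
    md.auth_data = kdf(ec_mul(rm, m["TempPKn"]), m["Nn"], m["Nm"])
    return {"TempPKm": tpk, "Nm": m["Nm"], "Nn": m["Nn"], "IDn": idn, "MDCert": md.cert, "MDSign": sig}

def zx_nd_finish(nd, m):
    cert = m["MDCert"]
    if m["Nm"] != nd.nm or m["Nn"] != nd.nn or m["IDn"] != nd.id: raise ValueError("nonce or IDn mismatch")
    ok = cert_valid(nd.ca_pk, cert) and ecc_verify(
        cert[1], enc(m["TempPKm"], m["Nm"], m["Nn"], m["IDn"], cert), m["MDSign"])
    if not ok: raise ValueError("MDCert or MDSign invalid")
    nd.auth_data = kdf(ec_mul(nd.rn, m["TempPKm"]), nd.nn, nd.nm)
    return nd.auth_data

def run_handshake():  # full exchange; returns (MD AuthData, ND AuthData), which must match
    ca_sk = secrets.randbelow(N - 1) + 1
    ca_pk = ec_mul(ca_sk, G)
    md, nd = Peer("10.0.0.1", ca_sk, ca_pk), Peer("ND-0001", ca_sk, ca_pk)  # constructed ids
    zx_nd_finish(nd, zx_md_auth(md, zx_nd_hello(nd, zx_md_hello(md))))
    return md.auth_data, nd.auth_data
```

The checks that matter are the ones in zx_md_auth and zx_nd_finish: each side verifies the peer's certificate against the CA key, verifies the signature with the public key taken from that certificate, and compares the nonces and its own identifier. Because both nonces and the recipient identifier sit inside the signed data, a captured ZX_NDHello cannot be replayed against a later Nm, and a message signed for one server cannot be redirected to another. Both sides arrive at the same AuthData because Rm * TempPKn and Rn * TempPKm are the same point.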
  • the network management server must carry the authentication information AuthData in each SNMP message used to operate on the device, including write commands such as set and read commands such as get/getNext/getBulk/walk.
  • the device receives an SNMP request packet from the network management server, extracts the AuthData and verifies the validity of the packet through the interface of the entity discriminator. If the packet is valid, the result of the SNMP request is returned to the network management server, again carrying the authentication information AuthData.
  • the network management server receives the SNMP response returned by the device, extracts the AuthData and verifies the validity of the packet through the interface of the entity discriminator. If the message is valid, the data returned by the device is read and the SNMP operation is considered successful; otherwise, the SNMP operation is considered to have failed.
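One way to use AuthData for the per-message check described in the steps above, as an added example rather than code from the patent. The page says only that AuthData is carried in each SNMP message and that the receiver verifies the validity of the packet through the entity discriminator; it does not say whether AuthData travels verbatim. Sending the shared value itself in every UDP datagram would expose it to the same plaintext capture the background section describes for the legacy key, so this example instead derives a per-direction HMAC key from AuthData, tags each PDU together with a counter, and checks tag and counter on receipt; that design is an assumption, not the patent's. It also implements the usage-duration threshold checked by processing module 43. The AuthData value, the PDU byte strings and the 24-hour threshold are constructed for the example; real SNMP PDUs would be BER-encoded.

```python
import hashlib, hmac

# AuthData as the handshake would leave it on both sides (constructed value for this example)
AUTH_DATA = hashlib.sha256(b"constructed AuthData for the example").digest()
THRESHOLD_SECONDS = 24 * 3600  # assumed lifetime of AuthData; the page gives no value

# Constructed stand-ins for BER-encoded SNMP PDUs (a get of sysName and its response)
GET_SYSNAME = b"get 1.3.6.1.2.1.1.5.0"
RESPONSE = b"response 1.3.6.1.2.1.1.5.0 = core-sw-01"

def direction_key(auth_data, sender):
    """Per-direction MAC key so an MD->ND message cannot be reflected back as ND->MD."""
    return hmac.new(auth_data, b"zx-snmp-" + sender.encode(), hashlib.sha256).digest()

class AuthSession:
    """One side of an authenticated SNMP session; role is "MD" (server) or "ND" (device)."""
    def __init__(self, auth_data, role, established_at):
        peer = "ND" if role == "MD" else "MD"
        self.send_key = direction_key(auth_data, role)
        self.recv_key = direction_key(auth_data, peer)
        self.established_at = established_at
        self.send_ctr = 0  # counter placed in outgoing messages
        self.recv_ctr = 0  # highest counter accepted from the peer

    def needs_reauth(self, now):
        """Processing-module check: AuthData has been in use longer than the threshold."""
        return now - self.established_at > THRESHOLD_SECONDS

    def protect(self, pdu):
        """Attach the AuthData-derived tag: counter || pdu || HMAC-SHA256."""
        self.send_ctr += 1
        body = self.send_ctr.to_bytes(8, "big") + pdu
        return body + hmac.new(self.send_key, body, hashlib.sha256).digest()

    def verify(self, msg):
        """Return the PDU if tag and counter are valid, otherwise raise ValueError."""
        if len(msg) < 40:
            raise ValueError("message too short")
        body, tag = msg[:-32], msg[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.recv_key, body, hashlib.sha256).digest()):
            raise ValueError("AuthData check failed")
        ctr = int.from_bytes(body[:8], "big")
        if ctr <= self.recv_ctr:
            raise ValueError("replayed or reordered message")
        self.recv_ctr = ctr
        return body[8:]

def snmp_exchange(md, nd, request_pdu, response_pdu):
    """MD sends a protected request; ND verifies and answers; MD verifies the answer.
    Returns (PDU accepted by ND, PDU accepted by MD)."""
    seen_by_nd = nd.verify(md.protect(request_pdu))
    seen_by_md = md.verify(nd.protect(response_pdu))
    return seen_by_nd, seen_by_md

def rejects_tampered(md, nd, pdu):
    """Flip one byte inside a protected request and report whether ND refuses it."""
    msg = bytearray(md.protect(pdu))
    msg[12] ^= 0x01  # inside the PDU, after the 8-byte counter
    try:
        nd.verify(bytes(msg))
    except ValueError:
        return True
    return False
```

The per-direction keys matter because both sides hold the same AuthData: without them, a datagram the server sent could be played back to the server and would carry a valid tag. The counter gives the receiver a cheap replay check that does not depend on the entity discriminator keeping state for every packet. When needs_reauth reports true, the server should run the handshake again rather than keep using the old AuthData.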
  • FIG. 4 is a schematic structural diagram of an embodiment of a simple network protocol authentication apparatus according to the present disclosure.
  • the simple network protocol authentication apparatus provided by the present disclosure includes: a determining module 41 and a sending module 42.
  • a determining module 41 configured to determine the identity of the network device and first authentication data according to the acquired authentication data request information sent by the network device, where the first authentication data includes the authentication data, determined by the network management server, for performing a simple network protocol SNMP operation between the network management server and the network device;
  • a sending module 42 configured to send authentication data request response information to the network device, where the authentication data request response information is used by the network device to verify the identity of the network management server and to determine second authentication data, the second authentication data including the authentication data, determined by the network device, for performing a simple network protocol SNMP operation between the network management server and the network device.
  • in this embodiment, the network management server determines the identity of the network device and the first authentication data according to the acquired authentication data request information sent by the network device, where the first authentication data includes the authentication data for performing a simple network protocol SNMP operation between the network management server and the network device;
  • the network management server sends the authentication data request response information to the network device, where the authentication data request response information is used by the network device to verify the identity of the network management server, and determine the second authentication data.
  • the authentication data used for the SNMP operation between the network device and the network management server is determined by using the encryption key and the first entity digital certificate and the second entity digital certificate, thereby improving the security of the network device.
  • the sending module 42 is further configured to send, to the network device, second authentication request information, where the second authentication request information carries a second entity digital certificate parameter and the second random number.
  • the second entity digital certificate parameter includes a parameter for verifying the validity of the second entity digital certificate, and the second entity digital certificate includes a digital certificate set on the network management server.
  • FIG. 5 is a schematic structural diagram of a second embodiment of a simple network protocol authentication apparatus, as shown in FIG. 5, the simple network protocol authentication apparatus provided by the present disclosure further includes: a processing module 43;
  • the processing module 43 is configured to determine that the usage duration of the third authentication data is greater than a threshold, where the third authentication data includes the authentication data, determined by the network management server before it determines the identity of the network device and the first authentication data, for performing the SNMP operation between the network management server and the network device; or to acquire the first authentication request information sent by the network device, where the first authentication request information is used to request authentication between the network management server and the network device.
  • the authentication data request information includes at least one of the following, or a combination thereof: a first public key, a first random number, the second random number, a network management server identifier, a first entity digital certificate parameter, and a signature value of the first entity digital certificate, where the first public key includes a public key generated by the network device according to the second random number, the first random number includes a random number randomly generated by the network device, the first entity digital certificate parameter includes a parameter for verifying the legitimacy of the first entity digital certificate, and the first entity digital certificate includes a digital certificate disposed at the network device.
  • the processing module 43 is further configured to determine, according to the second random number, that the second random number is the random number the network management server sent to the network device in the authentication request response information; to determine, according to the first entity digital certificate parameter, the signature value of the first entity digital certificate, the second random number, and the network management server identifier, that the network device is a device capable of performing SNMP operations; and to determine the first authentication data according to a random number generated by the network management server and the first public key.
  • the authentication data request response information includes at least one of the following, or a combination thereof: a second public key, the first random number, the second random number, a network device identifier, a second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key includes a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the legitimacy of the second entity digital certificate.
  • FIG. 6 is a schematic structural diagram of a third embodiment of a simple network protocol authentication apparatus according to the present disclosure.
  • the simple network protocol authentication apparatus provided by the present disclosure includes a sending module 61, a receiving module 62, and a determining module 63, where:
  • the sending module 61 is configured to send, to the network management server, the authentication data request information, where the authentication data request information is used to verify the identity of the network device, and obtain information of the first authentication data, where the first authentication data includes the network management Authentication data determined by the server for performing an SNMP operation between the network management server and the network device;
  • the receiving module 62 is configured to receive authentication data request response information sent by the network management server, where the authentication data request response information is used by the network device to verify the identity of the network management server and to determine second authentication data, the second authentication data including the authentication data, determined by the network device, for performing a simple network protocol SNMP operation between the network management server and the network device;
  • the determining module 63 is configured to determine an identity of the network management server and the second authentication data according to the authentication data request response information.
  • in this embodiment, the network device sends authentication data request information to the network management server, where the authentication data request information is used to verify the identity of the network device and to obtain first authentication data, the first authentication data being the authentication data for SNMP operations between the network management server and the network device; the network device receives the authentication data request response information sent by the network management server, which the network device uses to verify the identity of the network management server and to determine the second authentication data; and the network device determines the identity of the network management server and the second authentication data according to the authentication data request response information.
  • the authentication data used for the SNMP operation between the network device and the network management server is determined by using the encryption key and the first entity digital certificate and the second entity digital certificate, thereby improving the security of the network device.
  • the receiving module 62 is further configured to obtain a second entity digital certificate, and the sending module 61 is further configured to send the first authentication request information to the network management server according to the second entity digital certificate, where the first authentication request information is used to request authentication between the network management server and the network device.
  • the receiving module 62 is further configured to receive second authentication request information sent by the network management server, where the second authentication request information carries a second entity digital certificate parameter and the second random number, the second entity digital certificate parameter includes a parameter for verifying the validity of the second entity digital certificate, and the second entity digital certificate includes a digital certificate set in the network management server.
  • the authentication data request information includes at least one of the following, or a combination thereof: a first public key, a first random number, a second random number, the network management server identifier, a first entity digital certificate parameter, and a signature value of the first entity digital certificate, where the first public key includes a public key generated by the network device according to the second random number, the first random number includes a random number randomly generated by the network device, the first entity digital certificate parameter includes a parameter for verifying the validity of the first entity digital certificate, and the first entity digital certificate includes a digital certificate set in the network device.
  • the authentication data request response information includes at least one of the following, or a combination thereof: a second public key, the first random number, the second random number, a network device identifier, a second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key includes a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the legality of the second entity digital certificate.
  • the determining module 63 is further configured to determine, according to the second entity digital certificate parameter, the signature value of the second entity digital certificate, the first random number, the second random number, and the network device identifier, that the network management server is a device capable of performing an SNMP operation; and to determine the authentication data according to the third random number and the second public key, where the third random number includes a random number generated by the network device while generating the first random number.
  • the determining module 63 is further configured to determine, according to the second entity digital certificate parameter, that the second entity digital certificate is a legal certificate; to determine the first public key according to the third random number and a curve base point; and to determine the signature value of the first entity digital certificate according to the network device private key, the first public key, the first random number, the second random number, the network management server identifier, and the first entity digital certificate parameter.
  • the simple network protocol authentication method provided by the embodiments of the present disclosure may be applied to a network management server: the network management server acquires the authentication data request information sent by the network device, determines the identity of the network device and the authentication data according to that information, and then sends authentication data request response information to the network device so that the network device can verify the identity of the network management server. The authentication data used for SNMP operations between the network device and the network management server is thereby determined by using the encryption key, the first entity digital certificate and the second entity digital certificate, which improves the security of the network device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Provided in the present disclosure are a simple network protocol authentication method and device. The method comprises: a network management server acquiring authentication data request information sent by a network device, the authentication data request information being used for verifying the identity of the network device and acquiring information of authentication data, the authentication data being used for performing an SNMP operation between the network management server and the network device; the network management server determining, according to the authentication data request information, the identity of the network device and the authentication data; and the network management server sending authentication data request response information to the network device. By means of an encryption key, a first entity digital certificate and a second entity digital certificate, the invention realizes the determination of authentication data for performing an SNMP operation between a network device and a network management server, thereby improving the security of the network device.

Description

Simple network protocol authentication method and device

Technical field

The present disclosure relates to optical communication technologies, and in particular to a simple network protocol authentication method and apparatus.

Background
The Simple Network Management Protocol (SNMP) is a network management standard based on the Transmission Control Protocol/Internet Protocol (TCP/IP). That is to say, a network administrator can also receive notification messages and alarm event reports from network nodes through SNMP in order to identify problems in the network, where a managed network node may be a server, a workstation, a router or a switch.

Generally, a network management server can be connected to multiple network nodes, that is, network devices. During the initial configuration of each network device, an SNMP authentication key is configured on the network device and an SNMP authentication key is configured on the network management server; afterwards, when the network management server communicates with the network device, the network management server can manage the network device only when the two keys match.

However, in the course of implementing the above prior art, the inventors of the present disclosure found that the SNMP authentication key is transmitted in plaintext during the configuration process and may be stolen, resulting in low security of the network device.
Summary of the invention
To solve the above technical problem, the present disclosure provides a simple network protocol authentication method and apparatus that address the low security of network devices.
To achieve the objective of the present disclosure, a simple network protocol authentication method is provided, including:
a network management server determining, according to acquired authentication data request information sent by a network device, the identity of the network device and first authentication data, the first authentication data including authentication data determined by the network management server for performing Simple Network Management Protocol (SNMP) operations between the network management server and the network device;
the network management server sending authentication data request response information to the network device, the authentication data request response information being used by the network device to verify the identity of the network management server and to determine second authentication data, the second authentication data including authentication data determined by the network device for performing SNMP operations between the network management server and the network device.
Optionally, before the network management server determines the identity of the network device and the first authentication data according to the acquired authentication data request information sent by the network device, the method further includes:
the network management server sending second authentication request information to the network device, the second authentication request information carrying a second entity digital certificate parameter and a second random number, the second entity digital certificate parameter including a parameter for verifying the validity of a second entity digital certificate, and the second entity digital certificate being a digital certificate provisioned on the network management server.
Optionally, before the network management server determines the identity of the network device and the first authentication data according to the acquired authentication data request information sent by the network device, the method further includes:
the network management server determining that the usage duration of third authentication data exceeds a threshold, the third authentication data including authentication data that the network management server determined, before determining the identity of the network device and the first authentication data, for performing SNMP operations between the network management server and the network device; or
the network management server acquiring first authentication request information sent by the network device, the first authentication request information being used to request authentication between the network management server and the network device.
Optionally, the authentication data request information includes at least one of the following, or a combination thereof: a first public key, a first random number, the second random number, a network management server identifier, a first entity digital certificate parameter, and a signature value of a first entity digital certificate, where the first public key is a public key generated by the network device according to the second random number, the first random number is a random number generated by the network device, the first entity digital certificate parameter includes a parameter for verifying the validity of the first entity digital certificate, and the first entity digital certificate is a digital certificate provisioned on the network device.
Optionally, where the authentication data request information includes the second random number, the first entity digital certificate parameter, the signature value of the first entity digital certificate and the network management server identifier, the network management server determining the identity of the network device and the first authentication data according to the authentication data request information includes:
the network management server confirming, from the second random number, that it is the random number the network management server itself sent to the network device (carried in the authentication request response information);
the network management server determining, according to the first entity digital certificate parameter, the signature value of the first entity digital certificate, the second random number and the network management server identifier, that the network device is a device permitted to perform SNMP operations;
the network management server determining the first authentication data according to a third random number and the first public key.
Optionally, the authentication data request response information includes at least one of the following, or a combination thereof: a second public key, the first random number, the second random number, a network device identifier, the second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key is a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the validity of the second entity digital certificate.
The present disclosure further provides a simple network protocol authentication method, including:
a network device sending authentication data request information to a network management server, the authentication data request information being used to verify the identity of the network device and to acquire first authentication data, the first authentication data including authentication data determined by the network management server for performing SNMP operations between the network management server and the network device;
the network device receiving authentication data request response information sent by the network management server, the authentication data request response information being used by the network device to verify the identity of the network management server and to determine second authentication data, the second authentication data including authentication data determined by the network device for performing SNMP operations between the network management server and the network device;
the network device determining the identity of the network management server and the second authentication data according to the authentication data request response information.
Optionally, before the network device sends the authentication data request information to the network management server, the method further includes:
the network device acquiring a second entity digital certificate;
the network device sending, according to the second entity digital certificate, first authentication request information to the network management server, the first authentication request information being used to request authentication between the network management server and the network device.
Optionally, before the network device sends the authentication data request information to the network management server, the method further includes:
the network device receiving second authentication request information sent by the network management server, the second authentication request information carrying a second entity digital certificate parameter and a second random number, the second entity digital certificate parameter including a parameter for verifying the validity of the second entity digital certificate, and the second entity digital certificate being a digital certificate provisioned on the network management server.
Optionally, the authentication data request information includes at least one of the following, or a combination thereof: a first public key, a first random number, the second random number, a network management server identifier, a first entity digital certificate parameter, and a signature value of a first entity digital certificate, where the first public key is a public key generated by the network device according to the second random number, the first random number is a random number generated by the network device, the first entity digital certificate parameter includes a parameter for verifying the validity of the first entity digital certificate, and the first entity digital certificate is a digital certificate provisioned on the network device.
Optionally, the authentication data request response information includes at least one of the following, or a combination thereof: a second public key, the first random number, the second random number, a network device identifier, the second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key is a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the validity of the second entity digital certificate.
Optionally, the network device determining the second authentication data according to the authentication data request response information includes:
the network device determining, according to the second entity digital certificate parameter, the signature value of the second entity digital certificate, the first random number, the second random number and the network device identifier, that the network management server is a device permitted to perform SNMP operations;
the network device determining the authentication data according to a third random number and the second public key, the third random number being a random number the network device generated at the same time as the first random number.
Optionally, after the network device receives the second authentication request information sent by the network management server, the method further includes:
the network device determining, according to the second entity digital certificate parameter, that the second entity digital certificate is a valid certificate;
the network device determining the first public key according to the third random number and a curve base point;
the network device determining the signature value of the first entity digital certificate according to the network device's private key, the first public key, the first random number, the second random number, the network management server identifier and the first entity digital certificate parameter.
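The two-sided exchange summarized above (second authentication request with the server's certificate parameter and second random number; the device's signed authentication data request carrying its ephemeral public key, both random numbers and the server identifier; the server's signed response; and the derivation of matching first and second authentication data on each side) is shown below as an added worked example in Go. It is not code from the patent or from any ZTE product. Assumptions made for the example: the "first/second public key = third random number times curve base point" is P-256 ECDH from the Go standard library's crypto/ecdh; the "signature value" is ECDSA over a SHA-256 hash of the signed fields; each side pins the peer's public key in place of validating an X.509 "entity digital certificate"; the authentication data is SHA-256 over the shared secret and both random numbers; and the identifiers (olt-01, nms-01), the field layout and the names Party, AuthMsg, Pin and Handshake are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AuthMsg is both the authentication data request (device -> NMS) and its response
// (NMS -> device): the sender's ephemeral ECDH public key (random scalar * curve base
// point), first and second random numbers, the peer's identifier, the sender's
// certificate parameter and the signature value binding all of those fields.
type AuthMsg struct {
	EphPub, N1, N2, Sig []byte
	PeerID              string
	CertParam           *ecdsa.PublicKey
}

// Party is one side's identity plus per-handshake state. The ECDSA key stands in for the
// "entity digital certificate"; each side pins the peer's key via Pin instead of
// validating an X.509 chain (an assumption of this example, not the patent's scheme).
type Party struct {
	ID       string
	Priv     *ecdsa.PrivateKey
	PeerCert *ecdsa.PublicKey
	eph      *ecdh.PrivateKey // the secret "third random number"
	n1, n2   []byte
}

func must[T any](v T, err error) T { // only RNG or key-generation failures end up here
	if err != nil {
		panic(err)
	}
	return v
}

func NewParty(id string) *Party {
	return &Party{ID: id, Priv: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
}

func Pin(a, b *Party) { a.PeerCert, b.PeerCert = &b.Priv.PublicKey, &a.Priv.PublicKey }

func nonce() []byte {
	b := make([]byte, 16)
	must(rand.Read(b))
	return b
}

// transcript hashes every signed field; altering any one in transit breaks the signature value.
func transcript(m *AuthMsg) []byte {
	h := sha256.New()
	for _, p := range [][]byte{m.EphPub, m.N1, m.N2, []byte(m.PeerID), m.CertParam.X.Bytes(), m.CertParam.Y.Bytes()} {
		h.Write(p)
	}
	return h.Sum(nil)
}

// send draws a fresh ephemeral scalar, computes scalar*G and signs the message.
func (p *Party) send(peerID string) *AuthMsg {
	p.eph = must(ecdh.P256().GenerateKey(rand.Reader))
	m := &AuthMsg{EphPub: p.eph.PublicKey().Bytes(), N1: p.n1, N2: p.n2, PeerID: peerID, CertParam: &p.Priv.PublicKey}
	m.Sig = must(ecdsa.SignASN1(rand.Reader, p.Priv, transcript(m)))
	return m
}

// verify is the receiver's identity check: pinned certificate, correct addressee, the random
// numbers it expects (anti-replay), a valid signature value and a well-formed curve point.
func (p *Party) verify(m *AuthMsg, wantN1, wantN2 []byte) error {
	switch {
	case !m.CertParam.Equal(p.PeerCert):
		return errors.New("peer certificate parameter is not the trusted one")
	case m.PeerID != p.ID:
		return errors.New("message addressed to another party")
	case (wantN1 != nil && !bytes.Equal(m.N1, wantN1)) || !bytes.Equal(m.N2, wantN2):
		return errors.New("random number mismatch: replayed or foreign message")
	case !ecdsa.VerifyASN1(m.CertParam, transcript(m), m.Sig):
		return errors.New("bad signature value")
	}
	_, err := ecdh.P256().NewPublicKey(m.EphPub)
	return err
}

// authData derives the SNMP authentication data from the ECDH shared secret and both random
// numbers (SHA-256 as a simple KDF; the peer point was already validated by verify).
func (p *Party) authData(peerEph []byte) []byte {
	shared := must(p.eph.ECDH(must(ecdh.P256().NewPublicKey(peerEph))))
	h := sha256.New()
	for _, b := range [][]byte{[]byte("snmp-auth-data"), shared, p.n1, p.n2} {
		h.Write(b)
	}
	return h.Sum(nil)
}

// Handshake returns the first (NMS side) and second (device side) authentication data; they
// match only if every check passed. tamper, if non-nil, edits the request in flight like an
// on-path attacker would.
func Handshake(dev, nms *Party, tamper func(*AuthMsg)) (first, second []byte, err error) {
	nms.n2 = nonce() // 1. NMS -> device: certificate parameter + second random number
	if dev.PeerCert == nil || !nms.Priv.PublicKey.Equal(dev.PeerCert) {
		return nil, nil, errors.New("second entity certificate is not valid")
	}
	dev.n1, dev.n2 = nonce(), nms.n2 // 2. device: first random number, signed request
	req := dev.send(nms.ID)
	if tamper != nil {
		tamper(req)
	}
	if err = nms.verify(req, nil, nms.n2); err != nil { // 3. NMS: N2 must be the one it sent
		return nil, nil, err
	}
	nms.n1 = req.N1
	resp := nms.send(dev.ID)
	first = nms.authData(req.EphPub)
	if err = dev.verify(resp, dev.n1, dev.n2); err != nil { // 4. device: N1 and N2 must both echo
		return nil, nil, err
	}
	return first, dev.authData(resp.EphPub), nil
}

func main() {
	dev, nms := NewParty("olt-01"), NewParty("nms-01")
	Pin(dev, nms)
	k1, k2, err := Handshake(dev, nms, nil)
	fmt.Println("err:", err, "first == second:", err == nil && bytes.Equal(k1, k2))
}
```

The 32-byte value both sides compute is what would be installed as the SNMP authentication data; nothing secret crosses the wire, which is the point of the patent's scheme against the plaintext key configuration of the background. The tamper hook shows why the random numbers and the signature value must cover each other: a request whose second random number is not the one the server issued is rejected in step 3 as a replay, a request whose ephemeral public key was swapped fails the signature check, and a server that does not hold the pinned certificate is refused by the device in step 1 before it sends anything.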
The present disclosure further provides a simple network protocol authentication apparatus, including:
a determining module, configured to determine, according to acquired authentication data request information sent by a network device, the identity of the network device and first authentication data, the first authentication data including authentication data determined by the network management server for performing SNMP operations between the network management server and the network device;
a sending module, configured to send authentication data request response information to the network device, the authentication data request response information being used by the network device to verify the identity of the network management server and to determine second authentication data, the second authentication data including authentication data determined by the network device for performing SNMP operations between the network management server and the network device.
Optionally, the sending module is further configured to send second authentication request information to the network device, the second authentication request information carrying a second entity digital certificate parameter and a second random number, the second entity digital certificate parameter including a parameter for verifying the validity of a second entity digital certificate, and the second entity digital certificate being a digital certificate provisioned on the network management server.
Optionally, the apparatus further includes a processing module;
the processing module being configured to determine that the usage duration of third authentication data exceeds a threshold, the third authentication data including authentication data that the network management server determined, before determining the identity of the network device and the first authentication data, for performing SNMP operations between the network management server and the network device; or to acquire first authentication request information sent by the network device, the first authentication request information being used to request authentication between the network management server and the network device.
Optionally, the authentication data request information includes at least one of the following, or a combination thereof: a first public key, a first random number, the second random number, a network management server identifier, a first entity digital certificate parameter, and a signature value of a first entity digital certificate, where the first public key is a public key generated by the network device according to the second random number, the first random number is a random number generated by the network device, the first entity digital certificate parameter includes a parameter for verifying the validity of the first entity digital certificate, and the first entity digital certificate is a digital certificate provisioned on the network device.
Optionally, the processing module is further configured to: confirm, from the second random number, that it is the random number the network management server itself sent to the network device (carried in the authentication request response information); determine, according to the first entity digital certificate parameter, the signature value of the first entity digital certificate, the second random number and the network management server identifier, that the network device is a device permitted to perform SNMP operations; and determine the first authentication data according to a third random number and the first public key.
Optionally, the authentication data request response information includes at least one of the following, or a combination thereof: a second public key, the first random number, the second random number, a network device identifier, the second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key is a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the validity of the second entity digital certificate.
The present disclosure further provides a simple network protocol authentication apparatus, including:
a sending module, configured to send authentication data request information to a network management server, the authentication data request information being used to verify the identity of the network device and to acquire first authentication data, the first authentication data including authentication data determined by the network management server for performing SNMP operations between the network management server and the network device;
a receiving module, configured to receive authentication data request response information sent by the network management server, the authentication data request response information being used by the network device to verify the identity of the network management server and to determine second authentication data, the second authentication data including authentication data determined by the network device for performing SNMP operations between the network management server and the network device;
a determining module, configured to determine the identity of the network management server and the second authentication data according to the authentication data request response information.
Optionally, the receiving module is further configured to acquire a second entity digital certificate;
the sending module being further configured to send, according to the second entity digital certificate, first authentication request information to the network management server, the first authentication request information being used to request authentication between the network management server and the network device.
Optionally, the receiving module is further configured to receive second authentication request information sent by the network management server, the second authentication request information carrying a second entity digital certificate parameter and a second random number, the second entity digital certificate parameter including a parameter for verifying the validity of the second entity digital certificate, and the second entity digital certificate being a digital certificate provisioned on the network management server.
Optionally, the authentication data request information includes at least one of the following, or a combination thereof: a first public key, a first random number, the second random number, a network management server identifier, a first entity digital certificate parameter, and a signature value of a first entity digital certificate, where the first public key is a public key generated by the network device according to the second random number, the first random number is a random number generated by the network device, the first entity digital certificate parameter includes a parameter for verifying the validity of the first entity digital certificate, and the first entity digital certificate is a digital certificate provisioned on the network device.
Optionally, the authentication data request response information includes at least one of the following, or a combination thereof: a second public key, the first random number, the second random number, a network device identifier, the second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key is a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the validity of the second entity digital certificate.
Optionally, the determining module is further configured to determine, according to the second entity digital certificate parameter, the signature value of the second entity digital certificate, the first random number, the second random number and the network device identifier, that the network management server is a device permitted to perform SNMP operations, and to determine the authentication data according to a third random number and the second public key, the third random number being a random number the network device generated at the same time as the first random number.
Optionally, the determining module is further configured to: determine, according to the second entity digital certificate parameter, that the second entity digital certificate is a valid certificate; determine the first public key according to the third random number and a curve base point; and determine the signature value of the first entity digital certificate according to the network device's private key, the first public key, the first random number, the second random number, the network management server identifier and the first entity digital certificate parameter.
In this embodiment, the network management server acquires authentication data request information sent by the network device, the authentication data request information being used to verify the identity of the network device and to acquire authentication data, the authentication data being used for SNMP operations between the network management server and the network device; the network management server determines the identity of the network device and the authentication data according to the authentication data request information; and the network management server sends authentication data request response information to the network device, the authentication data request response information being used by the network device to verify the identity of the network management server and to determine the authentication data. The authentication data for SNMP operations between the network device and the network management server is thus determined by means of an encryption key together with the first and second entity digital certificates, which improves the security of the network device.
The present disclosure further provides a storage medium configured to store program code for performing the simple network protocol authentication method of any of the above embodiments.
Other features and advantages of the present disclosure will be set forth in the following description and will in part become apparent from the description or be learned by practicing the present disclosure. The objectives and other advantages of the present disclosure can be realized and obtained by the structures particularly pointed out in the description, the claims and the drawings.
Brief description of the drawings
The drawings are provided to give a further understanding of the technical solutions of the present disclosure and form part of the specification; together with the embodiments of the present application they serve to explain the technical solutions of the present disclosure and do not limit them.
Fig. 1 is a schematic flowchart of a first embodiment of the simple network protocol authentication method of the present disclosure;
Fig. 2 is a schematic flowchart of a second embodiment of the simple network protocol authentication method of the present disclosure;
Fig. 3 is a schematic flowchart of a third embodiment of the simple network protocol authentication method of the present disclosure;
Fig. 4 is a schematic structural diagram of a first embodiment of the simple network protocol authentication apparatus of the present disclosure;
Fig. 5 is a schematic structural diagram of a second embodiment of the simple network protocol authentication apparatus of the present disclosure;
Fig. 6 is a schematic structural diagram of a third embodiment of the simple network protocol authentication apparatus of the present disclosure.
具体实施方式detailed description
为使本公开的目的、技术方案和优点更加清楚明白,下文中将结合附图对本公开的实施例进行详细说明。需要说明的是,在不冲突的情况下,本申请中的实施例及实施例中的特征可以相互任意组合。The embodiments of the present disclosure will be described in detail below with reference to the accompanying drawings. It should be noted that, in the case of no conflict, the features in the embodiments and the embodiments in the present application may be arbitrarily combined with each other.
本公开实施例提供的简单网络协议认证方法可以应用于SNMP认证过程时。本实施例提供的简单网络协议认证方法可以通过简单网络协议认证装置来执行,该简单网络协议认证装置可以集成在网管服务器,或者单独设置,其中,该简单网络协议认证装置可以采用软件和/或硬件的方式来实现。以下对本实施例提供的简单网络协议认证方法及其装置进行详细地说明。The simple network protocol authentication method provided by the embodiment of the present disclosure can be applied to the SNMP authentication process. The simple network protocol authentication method provided by this embodiment may be implemented by a simple network protocol authentication device, which may be integrated in a network management server or separately set, wherein the simple network protocol authentication device may adopt software and/or Hardware way to achieve. The simple network protocol authentication method and apparatus provided in this embodiment are described in detail below.
FIG. 1 is a schematic flowchart of a first embodiment of the simple network protocol authentication method of the present disclosure. As shown in FIG. 1, the method includes:
Step 101: The network management server determines the identity of the network device and first authentication data according to authentication data request information obtained from the network device. In this embodiment, the authentication data request information is used to verify the identity of the network device and to obtain authentication data; the first authentication data is the authentication data, determined by the network management server, that is used for Simple Network Management Protocol (SNMP) operations between the network management server and the network device.
The network management server obtains the authentication data request information sent by the network device in at least the following two scenarios:
First scenario: the network management server determines that the authentication data currently in use has been in use for longer than a threshold.
Second scenario: the network management server obtains authentication request information sent by the network device, the authentication request information requesting authentication between the network management server and the network device.
Illustratively, the network management server first determines, from the authentication data request information, that the network device is a device permitted to perform SNMP operations, and then determines the first authentication data from the same information.
Step 102: The network management server sends authentication data request response information to the network device.
In this embodiment, the authentication data request response information is used by the network device to verify the identity of the network management server and to determine second authentication data.
In this embodiment, the second authentication data is the authentication data, determined by the network device, for SNMP operations between the network management server and the network device. In summary, the network management server determines the identity of the network device and the first authentication data from the authentication data request information sent by the network device, and sends authentication data request response information from which the network device verifies the identity of the network management server and determines the second authentication data. The authentication data used for SNMP operations between the network device and the network management server is thereby established from an agreed encryption key together with the first entity digital certificate and the second entity digital certificate, which improves the security of the network device.
On the basis of the foregoing embodiment, before the network management server determines the identity of the network device and the first authentication data, the method further includes:
the network management server sends second authentication request information to the network device, the second authentication request information carrying a second entity digital certificate parameter and a second random number. The second entity digital certificate parameter includes the parameters used to verify the validity of the second entity digital certificate, and the second entity digital certificate is the digital certificate installed on the network management server.
Illustratively, the first authentication data request information includes any one or a combination of the following: a first public key, a first random number, the second random number, a network management server identifier, a first entity digital certificate parameter, and a signature value of the first entity digital certificate. The first public key is a public key generated by the network device according to the second random number, the first random number is a random number generated by the network device, the first entity digital certificate parameter includes the parameters used to verify the validity of the first entity digital certificate, and the first entity digital certificate is the digital certificate installed on the network device.
Optionally, on the basis of the foregoing embodiment, where the first authentication data request information includes the second random number, the first entity digital certificate parameter, the signature value of the first entity digital certificate and the network management server identifier, the network management server determines the identity of the network device and the first authentication data from the authentication data request information as follows:
the network management server checks that the second random number is the random number that it sent to the network device in the authentication request response information;
the network management server determines, from the first entity digital certificate parameter, the signature value of the first entity digital certificate, the second random number and the network management server identifier, that the network device is a device permitted to perform SNMP operations;
the network management server determines the first authentication data from a third random number and the first public key.
Illustratively, the second authentication data request information (that is, the authentication data request response information sent by the network management server) includes any one or a combination of the following: a second public key, the first random number, the second random number, a network device identifier, a second entity digital certificate parameter, and a signature value of the second entity digital certificate. The second public key is a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes the parameters used to verify the validity of the second entity digital certificate.
FIG. 2 is a schematic flowchart of a second embodiment of the simple network protocol authentication method of the present disclosure. As shown in FIG. 2, the method includes:
Step 201: The network device sends authentication data request information to the network management server.
In this embodiment, the authentication data request information is used to verify the identity of the network device and to obtain first authentication data, the first authentication data being the authentication data, determined by the network management server, for SNMP operations between the network management server and the network device.
The network device sends the authentication data request information to the network management server in at least the following two scenarios:
First scenario: the network management server determines that third authentication data has been in use for longer than a threshold, the third authentication data being the authentication data used for SNMP operations between the network management server and the network device before the network management server determines the identity of the network device and the first authentication data.
Second scenario: the network management server obtains first authentication request information sent by the network device, the first authentication request information requesting authentication between the network management server and the network device.
Step 202: The network device receives authentication data request response information sent by the network management server.
In this embodiment, the authentication data request response information is used by the network device to verify the identity of the network management server and to determine second authentication data, the second authentication data being the authentication data, determined by the network device, for SNMP operations between the network management server and the network device.
Step 203: The network device determines the identity of the network management server and the second authentication data according to the authentication data request response information.
Illustratively, the network device first determines, from the authentication data request response information, that the network management server is a device permitted to perform SNMP operations, and then determines the second authentication data from the same information.
In summary, the network device sends authentication data request information to the network management server, the information being used to verify the identity of the network device and to obtain the first authentication data used for SNMP operations between the network management server and the network device; the network device receives the authentication data request response information sent by the network management server, which it uses to verify the identity of the network management server and to determine the second authentication data; and the network device determines the identity of the network management server and the second authentication data from that response. The authentication data used for SNMP operations between the network device and the network management server is thereby established from an agreed encryption key together with the first entity digital certificate and the second entity digital certificate, which improves the security of the network device.
On the basis of the foregoing embodiment, before the network device sends the authentication data request information to the network management server, the method further includes:
the network device receives second authentication request information sent by the network management server, the second authentication request information carrying a second entity digital certificate parameter and the second random number. The second entity digital certificate parameter includes the parameters used to verify the validity of the second entity digital certificate, and the second entity digital certificate is the digital certificate installed on the network management server.
Illustratively, the authentication data request information includes any one or a combination of the following: a first public key, a first random number, a second random number, the network management server identifier, a first entity digital certificate parameter, and a signature value of the first entity digital certificate. The first public key is a public key generated by the network device according to the second random number, the first random number is a random number generated by the network device, the first entity digital certificate parameter includes the parameters used to verify the validity of the first entity digital certificate, and the first entity digital certificate is the digital certificate installed on the network device.
Illustratively, the authentication data request response information includes any one or a combination of the following: a second public key, the first random number, the second random number, a network device identifier, a second entity digital certificate parameter, and a signature value of the second entity digital certificate. The second public key is a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes the parameters used to verify the validity of the second entity digital certificate.
Optionally, on the basis of the foregoing embodiment, the network device determines the authentication data from the authentication data request response information as follows:
the network device determines, from the second entity digital certificate parameter, the signature value of the second entity digital certificate, the first random number, the second random number and the network device identifier, that the network management server is a device permitted to perform SNMP operations;
the network device determines the authentication data from a third random number and the second public key, the third random number being a random number generated by the network device at the same time as the first random number.
Optionally, on the basis of the foregoing embodiment, after the network device receives the authentication request response information sent by the network management server, the method further includes:
the network device determines, from the second entity digital certificate parameter, that the second entity digital certificate is a valid certificate;
the network device determines the first public key from the third random number and the base point of the curve;
the network device determines the signature value of the first entity digital certificate from the network device private key, the first public key, the first random number, the second random number, the network management server identifier and the first entity digital certificate parameter.
FIG. 3 is a schematic flowchart of a third embodiment of the simple network protocol authentication method of the present disclosure. As shown in FIG. 3, the method includes:
Step 301: The network device receives second authentication request information sent by the network management server.
In this embodiment, the second authentication request information carries the second entity digital certificate parameter and the second random number; the second entity digital certificate parameter includes the parameters used to verify the validity of the second entity digital certificate, and the second entity digital certificate is the digital certificate installed on the network management server. For example, the information that the network device receives from the network management server is carried in a ZX_MDHello message, a UDP packet containing the second random number Nm and the second entity digital certificate parameter MDCert.
This embodiment applies to the following scenarios:
First scenario: the network device obtains the second entity digital certificate and, on that basis, sends first authentication request information to the network management server, the first authentication request information requesting authentication between the network management server and the network device.
For example, the network device detects that an entity authenticator (a hardware token holding the first entity digital certificate) has been inserted into its USB port. The network device then sends a trap message carrying the authentication request information to the network management server, switches into authentication mode and waits for the network management server to authenticate it. The trap message must carry a specific OID indicating that the device has entered authentication mode and requires authentication. Once the network management server has obtained the authentication request information, it initiates the authentication procedure.
Second scenario: the network management server determines that the third authentication data has been in use for longer than a threshold.
The third authentication data is the authentication data used for SNMP operations between the network management server and the network device before the network management server determines the identity of the network device and the first authentication data.
Step 302: The network device determines the signature value of the first entity digital certificate according to the authentication request response information.
Illustratively, the network device determines, from the second entity digital certificate parameter, that the second entity digital certificate is a valid certificate; determines the first public key from the third random number and the base point of the curve; and determines the signature value of the first entity digital certificate from the network device private key, the first public key, the first random number, the second random number, the network management server identifier and the first entity digital certificate parameter.
For example, the network device calls the certificate verification function of the entity authenticator to verify the validity of MDCert. It then calls the random number function to generate the ephemeral scalar Rn and the first random number Nn, calls the point multiplication function to compute the temporary public key TempPKn, calls the signature function to produce the signature value NDSign, and sends a ZX_NDHello message to the network management server containing the first public key TempPKn, the first random number Nn, the second random number Nm, the network management server identifier IDm (the IP address of the MD), the ND's first entity digital certificate parameter NDCert and the signature value NDSign, where
TempPKn = Rn × P, P being the base point of the curve;
NDSign = ECC_Sign(SKn: TempPKn, Nn, Nm, IDm, NDCert), SKn being the private key of the ND.
Step 303: The network device sends the authentication data request information to the network management server.
Illustratively, the authentication data request information is used to verify the identity of the network device and to obtain the authentication data, the authentication data being used for SNMP operations between the network management server and the network device.
For example, the authentication data request information is carried in the ZX_NDHello message and includes the first public key TempPKn, the first random number Nn, the second random number Nm, the network management server identifier IDm (the IP address of the MD), the ND's first entity digital certificate parameter NDCert and the signature value NDSign of the first entity digital certificate.
Step 304: The network management server determines the identity of the network device and the first authentication data according to the authentication data request information.
Illustratively, the network management server checks that the second random number is the random number it sent to the network device in the authentication request response information; determines, from the first entity digital certificate parameter, the signature value of the first entity digital certificate, the second random number and the network management server identifier, that the network device is a device permitted to perform SNMP operations; and determines the first authentication data from the third random number and the first public key.
For example, the network management server first checks that the random number Nm is the one it issued. It then verifies the subject and validity of the NDCert certificate, verifies the signature value NDSign using the public key contained in the certificate, and finally checks Nm and IDm; if every check passes, the ND is considered genuine. The server then generates the random number Rm, computes the temporary public key TempPKm and the signature value MDSign, and computes and stores the shared data AuthData, where
TempPKm = Rm × P;
MDSign = ECC_Sign(SKm: TempPKm, Nm, Nn, IDn, MDCert), SKm being the private key of the MD;
AuthData = Rm × TempPKn = Rm × (Rn × P).
Step 305: The network management server sends the authentication data request response information to the network device.
Illustratively, the authentication data request response information is used by the network device to verify the identity of the network management server and to determine the second authentication data. It includes any one or a combination of the following: a second public key, the first random number, the second random number, the network device identifier, a second entity digital certificate parameter, and a signature value of the second entity digital certificate. The second public key is a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes the parameters used to verify the validity of the second entity digital certificate.
For example, the authentication data request response information is carried in a ZX_MDAuth message and may include the second public key TempPKm, the second random number Nm, the first random number Nn, the network device identifier IDn, the MD's second entity digital certificate parameter MDCert and the signature value MDSign of the second entity digital certificate.
Step 306: The network device determines the identity of the network management server and the second authentication data according to the authentication data request response information.
For example, using the CA public key preset in the entity authenticator, the network device verifies the subject and validity of the MDCert certificate, then calls the signature verification function to verify the signature value MDSign, and checks Nm, Nn and IDn; once all checks pass, the network management server is considered genuine. The device then computes and stores AuthData, where
AuthData = Rn × TempPKm = Rn × (Rm × P).
Both sides therefore hold the same point Rm × Rn × P although it never crosses the wire: an observer sees only TempPKn and TempPKm and cannot recover the shared point without Rn or Rm, and because each temporary public key is signed with the long-term certificate key together with both random numbers and the peer identifier, an attacker can neither substitute its own temporary key nor replay a ZX_NDHello or ZX_MDAuth from an earlier run.
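The exchange of steps 301 to 306 (and, in abstract form, steps 101 to 102 and 201 to 203 above) written out end to end, as an added example that is not code from the patent or from its applicant. It uses only the Go standard library: P-256 ECDSA for the long-term keys bound to MDCert and NDCert, and ECDH on the same curve for TempPKn, TempPKm and AuthData = Rm × Rn × P. Everything the page leaves open is an assumption here: the certificate format (a subject, a PKIX-encoded key and a CA signature in place of X.509), the byte encoding of the signed tuples, the 32-byte nonce length, the names `Party`, `AuthMsg`, `RunExchange`, and the constructed identifiers 192.0.2.10 and nd-0001.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// Cert stands in for an entity digital certificate (MDCert / NDCert): a subject, the holder's
// ECDSA public key as PKIX DER, and a CA signature over both (X.509 in a real deployment).
type Cert struct{ Subject string; PubDER, CASig []byte }

// transcript hashes length-prefixed fields so a signed tuple cannot be re-split by an attacker;
// the page fixes no encoding, so this one is an assumption of the example.
func transcript(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		binary.Write(h, binary.BigEndian, uint32(len(p)))
		h.Write(p)
	}
	return h.Sum(nil)
}

func (c Cert) body() []byte    { return transcript([]byte(c.Subject), c.PubDER) }
func nonce() []byte            { n := make([]byte, 32); rand.Read(n); return n }
func newCA() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// verifyCert is the "certificate legality" check: an ECDSA key, the expected subject and a valid CA signature.
func verifyCert(caPub *ecdsa.PublicKey, c Cert, subject string) (*ecdsa.PublicKey, error) {
	k, err := x509.ParsePKIXPublicKey(c.PubDER)
	pub, ok := k.(*ecdsa.PublicKey)
	if err != nil || !ok || c.Subject != subject || !ecdsa.VerifyASN1(caPub, c.body(), c.CASig) {
		return nil, errors.New("certificate invalid: key, subject or CA signature")
	}
	return pub, nil
}

// AuthMsg is the shape shared by ZX_NDHello and ZX_MDAuth: the sender's TempPK and nonce, the
// peer's nonce and identifier, the sender's certificate, and its signature over all of these.
type AuthMsg struct{ TempPK, N, PeerN, PeerID []byte; Cert Cert; Sig []byte }

func (m AuthMsg) digest() []byte { return transcript(m.TempPK, m.N, m.PeerN, m.PeerID, m.Cert.body(), m.Cert.CASig) }

// Party is the management server (MD) or the network device (ND).
type Party struct {
	ID, N, AuthData []byte            // identifier, own nonce Nm / Nn, agreed secret Rm×Rn×P
	SK              *ecdsa.PrivateKey // long-term key bound to Cert (SKm / SKn)
	Cert            Cert
	CAPub           *ecdsa.PublicKey // trust anchor preset in the entity authenticator
	R               *ecdh.PrivateKey // ephemeral scalar Rm / Rn
}

// newParty generates a long-term P-256 key and has the (constructed) CA certify it for subject.
func newParty(ca *ecdsa.PrivateKey, subject string, id []byte) *Party {
	sk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	c := Cert{Subject: subject}
	c.PubDER, _ = x509.MarshalPKIXPublicKey(&sk.PublicKey)
	c.CASig, _ = ecdsa.SignASN1(rand.Reader, ca, c.body())
	return &Party{ID: id, SK: sk, Cert: c, CAPub: &ca.PublicKey}
}

// send picks a fresh ephemeral scalar R, computes TempPK = R×P and signs the message with the long-term key.
func (p *Party) send(peerN, peerID []byte) AuthMsg {
	p.R, _ = ecdh.P256().GenerateKey(rand.Reader)
	m := AuthMsg{TempPK: p.R.PublicKey().Bytes(), N: p.N, PeerN: peerN, PeerID: peerID, Cert: p.Cert}
	m.Sig, _ = ecdsa.SignASN1(rand.Reader, p.SK, m.digest())
	return m
}

// receive runs the checks both sides share: our nonce and identifier echoed back (plus the peer's
// earlier nonce when wantN is set), certificate legality, the signature, and a TempPK that lies on P-256.
func (p *Party) receive(m AuthMsg, subject string, wantN []byte) (*ecdh.PublicKey, error) {
	if !bytes.Equal(m.PeerN, p.N) || !bytes.Equal(m.PeerID, p.ID) || (wantN != nil && !bytes.Equal(m.N, wantN)) {
		return nil, errors.New("nonce or identifier mismatch: replayed or misdirected message")
	}
	pub, err := verifyCert(p.CAPub, m.Cert, subject)
	if err != nil || !ecdsa.VerifyASN1(pub, m.digest(), m.Sig) {
		return nil, errors.New("peer certificate or signature invalid")
	}
	return ecdh.P256().NewPublicKey(m.TempPK) // rejects encodings that are not a point on the curve
}

// RunExchange plays steps 301 to 306 between MD and ND and returns both sides' AuthData.
func RunExchange() (mdAuth, ndAuth []byte, err error) {
	ca := newCA()                                  // constructed trust anchor
	md := newParty(ca, "MD", []byte("192.0.2.10")) // IDm: the server's IP address, as on the page
	nd := newParty(ca, "ND", []byte("nd-0001"))    // IDn: a constructed device identifier
	md.N = nonce()                                 // step 301: ZX_MDHello carries Nm and MDCert
	helloNm, helloCert := md.N, md.Cert
	if _, err = verifyCert(nd.CAPub, helloCert, "MD"); err != nil { // step 302: ND validates MDCert first
		return nil, nil, err
	}
	nd.N = nonce()
	ndHello := nd.send(helloNm, md.ID)          // step 303: ZX_NDHello = (TempPKn, Nn, Nm, IDm, NDCert, NDSign)
	peer, err := md.receive(ndHello, "ND", nil) // step 304: Nm, IDm, NDCert and NDSign are checked
	if err != nil {
		return nil, nil, err
	}
	mdAuthMsg := md.send(ndHello.N, nd.ID) // step 305: ZX_MDAuth = (TempPKm, Nm, Nn, IDn, MDCert, MDSign)
	md.AuthData, _ = md.R.ECDH(peer)       // AuthData = Rm×TempPKn = Rm×(Rn×P)
	if peer, err = nd.receive(mdAuthMsg, "MD", helloNm); err != nil { // step 306: Nm, Nn, IDn, MDCert, MDSign
		return nil, nil, err
	}
	nd.AuthData, _ = nd.R.ECDH(peer) // AuthData = Rn×TempPKm = Rn×(Rm×P)
	return md.AuthData, nd.AuthData, nil
}

func main() {
	a, b, err := RunExchange()
	fmt.Printf("err=%v, both sides derived the same AuthData: %v\n", err, bytes.Equal(a, b))
}
```

`RunExchange` returns both parties' AuthData, which agree only when every check passes; a ZX_NDHello carrying a foreign Nm, a modified TempPKn, or a certificate from a CA other than the one preset in the authenticator makes `receive` fail before any key is derived. Two points go slightly beyond the page: the signed fields are length-prefixed before hashing, and the peer's TempPK is checked to be a point on P-256 before it is multiplied, both standard precautions for any signed Diffie-Hellman exchange.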
On the basis of the foregoing embodiment, every SNMP operation that the network management server performs on the device, whether a write command such as set or a read command such as get, getNext, getBulk or walk, must carry the authentication information AuthData in the SNMP message.
When the device receives an SNMP request message from the network management server, it extracts the AuthData and verifies the validity of the message through the interface of the entity authenticator. If the message is valid, the device returns the result of the SNMP request to the network management server, again carrying the authentication information AuthData.
When the network management server receives the SNMP response from the device, it extracts the AuthData and verifies the validity of the message through the interface of its entity authenticator. If the message is valid, the server reads the data returned by the device and the SNMP operation succeeds; otherwise the SNMP operation is treated as failed.
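The page has each SNMP message carry AuthData and each side verify it through the entity authenticator, but does not say in what form. Placing the agreed secret itself in a UDP message would hand it to anyone who can observe the traffic, so the added example below (not code from the patent or from its applicant) instead keys an HMAC with a key derived from AuthData and sends only the tag: the receiver recomputes the tag, rejects replayed request identifiers, and refuses messages once AuthData has been in use longer than the threshold from the first scenario above. The PDU layout, its JSON encoding, the key derivation label, the 24-hour threshold, and the names `Tag`, `Session` and `Check` are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// PDU is a simplified SNMP request or response. A real implementation would tag the BER-encoded
// SNMP message; the JSON form used here is an assumption of the example.
type PDU struct {
	ReqID uint32 `json:"req_id"`
	Op    string `json:"op"` // get, getNext, getBulk, walk, set
	OID   string `json:"oid"`
	Value string `json:"value,omitempty"`
}

// Tagged is a PDU plus its authentication value; AuthData itself never appears on the wire.
type Tagged struct {
	PDU PDU    `json:"pdu"`
	Tag []byte `json:"tag"`
}

// sessionKey derives the MAC key from the agreed point so the raw ECDH output is not used directly.
func sessionKey(authData []byte) []byte {
	k := sha256.Sum256(append([]byte("snmp-auth-v1|"), authData...))
	return k[:]
}

func mac(key []byte, p PDU) []byte {
	m := hmac.New(sha256.New, key)
	b, _ := json.Marshal(p) // canonical: field order is fixed by the struct
	m.Write(b)
	return m.Sum(nil)
}

// Tag is what the sender (server for requests, device for responses) attaches to each PDU.
func Tag(authData []byte, p PDU) Tagged { return Tagged{PDU: p, Tag: mac(sessionKey(authData), p)} }

// Session is the receiver's state: the derived key, the highest request id accepted so far, and the
// time after which AuthData has been in use longer than the threshold and must be renewed.
type Session struct {
	key     []byte
	lastID  uint32
	expires time.Time
}

func NewSession(authData []byte, established time.Time, maxAge time.Duration) *Session {
	return &Session{key: sessionKey(authData), expires: established.Add(maxAge)}
}

// Check refuses expired sessions, verifies the tag in constant time, then rejects replayed ids.
func (s *Session) Check(t Tagged, now time.Time) error {
	if !now.Before(s.expires) {
		return errors.New("AuthData used longer than the threshold: re-authenticate first")
	}
	if !hmac.Equal(mac(s.key, t.PDU), t.Tag) {
		return errors.New("bad tag: wrong AuthData or modified PDU")
	}
	if t.PDU.ReqID <= s.lastID {
		return errors.New("replayed or out-of-order request id")
	}
	s.lastID = t.PDU.ReqID
	return nil
}

func main() {
	auth := []byte("constructed AuthData stand-in") // in practice the ECDH output of the exchange
	s := NewSession(auth, time.Now(), 24*time.Hour)
	req := Tag(auth, PDU{ReqID: 1, Op: "get", OID: "1.3.6.1.2.1.1.1.0"})
	fmt.Println("first:", s.Check(req, time.Now()), "replay:", s.Check(req, time.Now()))
}
```

The strictly increasing request id is what turns the check from "this message was once produced by a holder of AuthData" into "this message is new"; without it a captured set request could be re-sent indefinitely. The expiry check is the receiver-side half of the "usage duration greater than a threshold" rule: when it fires, the server has to run the certificate exchange again and a new AuthData replaces the old one.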
FIG. 4 is a schematic structural diagram of a first embodiment of the simple network protocol authentication apparatus of the present disclosure. As shown in FIG. 4, the apparatus includes a determining module 41 and a sending module 42.
The determining module 41 is configured to determine the identity of the network device and first authentication data according to authentication data request information obtained from the network device, the first authentication data being the authentication data, determined by the network management server, for SNMP operations between the network management server and the network device.
The sending module 42 is configured to send authentication data request response information to the network device, the authentication data request response information being used by the network device to verify the identity of the network management server and to determine second authentication data, the second authentication data being the authentication data, determined by the network device, for SNMP operations between the network management server and the network device.
As in the method embodiments, the apparatus thus establishes the authentication data used for SNMP operations between the network device and the network management server from an agreed encryption key together with the first entity digital certificate and the second entity digital certificate, which improves the security of the network device.
On the basis of the foregoing embodiment, the sending module 42 is further configured to send second authentication request information to the network device, the second authentication request information carrying a second entity digital certificate parameter and the second random number; the second entity digital certificate parameter includes the parameters used to verify the validity of the second entity digital certificate, and the second entity digital certificate is the digital certificate installed on the network management server.
FIG. 5 is a schematic structural diagram of a second embodiment of the simple network protocol authentication apparatus of the present disclosure. As shown in FIG. 5, the apparatus further includes a processing module 43.
The processing module 43 is configured to determine that third authentication data has been in use for longer than a threshold, the third authentication data being the authentication data, determined by the network management server, for SNMP operations between the network management server and the network device before the network management server determines the identity of the network device and the first authentication data; or to obtain first authentication request information sent by the network device, the first authentication request information requesting authentication between the network management server and the network device.
Optionally, the authentication data request information includes any one or a combination of the following: a first public key, a first random number, the second random number, a network management server identifier, a first entity digital certificate parameter, and a signature value of the first entity digital certificate. The first public key is a public key generated by the network device according to the second random number, the first random number is a random number generated by the network device, the first entity digital certificate parameter includes the parameters used to verify the validity of the first entity digital certificate, and the first entity digital certificate is the digital certificate installed on the network device.
Optionally, on the basis of the foregoing embodiment, the processing module 43 is further configured to check that the second random number is the random number that the network management server sent to the network device in the authentication request response information; to determine, from the first entity digital certificate parameter, the signature value of the first entity digital certificate, the second random number and the network management server identifier, that the network device is a device permitted to perform SNMP operations; and to determine the first authentication data from the third random number and the first public key.
可选的,在上述实施例的基础上,所述认证数据请求响应信息至少包括以下任意一项或其组合:第二公钥、所述第一随机数、所述第二随机数,所述网络设备标识、第二实体数字证书参数、第二实体数字证书的签名值,所述第二公钥包括所述网管服务器根据所述第二随机数生成的公钥,所述第二实体数字证书参数包括用于验证所述第二实体数字证书合法性的参数。Optionally, on the basis of the foregoing embodiment, the authentication data request response information includes at least one of the following or a combination thereof: a second public key, the first random number, and the second random number, a network device identifier, a second entity digital certificate parameter, a signature value of the second entity digital certificate, the second public key includes a public key generated by the network management server according to the second random number, and the second entity digital certificate The parameters include parameters for verifying the legitimacy of the second entity digital certificate.
FIG. 6 is a schematic structural diagram of a third embodiment of the simple network protocol authentication apparatus of the present disclosure. As shown in FIG. 6, the simple network protocol authentication apparatus provided by the present disclosure includes a sending module 61, a receiving module 62 and a determining module 63, wherein:
The sending module 61 is configured to send authentication data request information to the network management server, where the authentication data request information is used to verify the identity of the network device and to obtain information on the first authentication data, the first authentication data including the authentication data determined by the network management server for performing SNMP operations between the network management server and the network device;
The receiving module 62 is configured to receive the authentication data request response information sent by the network management server, where the authentication data request response information is used by the network device to verify the identity of the network management server and to determine second authentication data, the second authentication data including the authentication data determined by the network device for performing simple network protocol (SNMP) operations between the network management server and the network device;
The determining module 63 is configured to determine the identity of the network management server and the second authentication data according to the authentication data request response information.
In this embodiment, the network device sends authentication data request information to the network management server, where the authentication data request information is used to verify the identity of the network device and to obtain first authentication data, the first authentication data being the authentication data for SNMP operations between the network management server and the network device; the network device receives the authentication data request response information sent by the network management server, where the authentication data request response information is used by the network device to verify the identity of the network management server and to determine second authentication data; and the network device determines the identity of the network management server and the second authentication data according to the authentication data request response information. In this way the authentication data used for SNMP operations between the network device and the network management server is determined by means of an encryption key together with the first entity digital certificate and the second entity digital certificate, which improves the security of the network device.
Optionally, on the basis of the foregoing embodiment, the receiving module 62 is further configured to obtain the second entity digital certificate;
The sending module is further configured to send first authentication request information to the network management server according to the second entity digital certificate, where the first authentication request information is used to request authentication between the network management server and the network device.
Optionally, on the basis of the foregoing embodiment, the receiving module 62 is further configured to receive second authentication request information sent by the network management server, where the second authentication request response information carries a second entity digital certificate parameter and the second random number, the second entity digital certificate parameter includes a parameter for verifying the legality of the second entity digital certificate, and the second entity digital certificate includes a digital certificate installed on the network management server.
Optionally, on the basis of the foregoing embodiment, the authentication data request information includes at least any one of the following or a combination thereof: a first public key, a first random number, a second random number, the network management server identifier, a first entity digital certificate parameter, and a signature value of the first entity digital certificate, where the first public key includes a public key generated by the network device according to the second random number, the first random number includes a random number randomly generated by the network device, the first entity digital certificate parameter includes a parameter for verifying the legality of the first entity digital certificate, and the first entity digital certificate includes a digital certificate installed on the network device.
Optionally, on the basis of the foregoing embodiment, the authentication data request response information includes at least any one of the following or a combination thereof: a second public key, the first random number, the second random number, a network device identifier, a second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key includes a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the legality of the second entity digital certificate.
Optionally, on the basis of the foregoing embodiment, the determining module 63 is further configured to determine, according to the second entity digital certificate parameter, the signature value of the second entity digital certificate, the first random number, the second random number and the network device identifier, that the network management server is a device that can perform SNMP operations; and the network device determines the authentication data according to a third random number and the second public key, where the third random number includes a random number generated by the network device at the same time as it generates the first random number.
Optionally, on the basis of the foregoing embodiment, the determining module 63 is further configured to: determine, according to the second entity digital certificate parameter, that the second entity digital certificate is a legitimate certificate; determine the first public key according to the third random number and the curve base point; and determine the signature value of the first entity digital certificate according to the network device private key, the first public key, the first random number, the second random number, the network management server identifier and the first entity digital certificate parameter.
Although the embodiments of the present disclosure are described above, the content described is merely the embodiments adopted to facilitate understanding of the present disclosure and is not intended to limit it. Any person skilled in the art to which the present disclosure belongs may make any modification or variation in the form and details of implementation without departing from the spirit and scope disclosed herein, but the scope of patent protection of the present disclosure shall still be governed by the scope defined in the appended claims.
Industrial applicability
The simple network protocol authentication method provided by the embodiments of the present disclosure may be applied in a network management server. The network management server acquires the authentication data request information sent by a network device, determines the identity of the network device and the authentication data according to the authentication data request information, and then sends authentication data request response information to the network device so that the network device can verify the identity of the network management server. In this way the authentication data used for SNMP operations between the network device and the network management server is determined by means of an encryption key together with the first entity digital certificate and the second entity digital certificate, which improves the security of the network device.
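As an added worked example, not code from the patent or its applicant, the message flow of the description above and of claims 1 to 13 below run end to end: the device's first public key is its third random number times the curve base point, each side signs the two nonces, the peer identifier and its own certificate parameter with its long-term private key, and both sides derive the same SNMP authentication data from the resulting shared point. Assumed here rather than taken from the page: a textbook toy curve over F_17 with no security value, Schnorr-style signatures standing in for the "signature value", the "entity digital certificate parameter" modelled as the peer's pinned long-term public key, the server's signature additionally covering its second public key, and constructed identifiers and nonces.

```python
# Added toy walk-through, not the patent's code.  Assumptions: textbook curve y^2 = x^3 + 2x + 2
# over F_17 (no security, flow illustration only), Schnorr-style "signature values", and the
# "entity digital certificate parameter" modelled as the peer's pinned long-term public key.
import hashlib
import secrets

P, A, G, O = 17, 2, (5, 1), None   # field prime, curve coefficient a, base point, infinity

def add(p1, p2):
    """Affine point addition: identity, inverse pair, doubling, generic chord."""
    if p1 is O or p2 is O:
        return p2 if p1 is O else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):   # double-and-add scalar multiplication
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def order_of(pt):   # brute-force group order of the base point (19 here); fine for a toy curve
    n, acc = 1, pt
    while acc is not O:
        acc, n = add(acc, pt), n + 1
    return n

N = order_of(G)
rand_scalar = lambda: secrets.randbelow(N - 1) + 1   # private and ephemeral scalars in [1, N-1]

def h(*parts):   # SHA-256 over the '|'-joined textual form of the parts, as an integer
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def sign(priv, *msg):
    """Schnorr-style signature (R, s) with s = k + H(R, msg) * priv mod N."""
    k = rand_scalar()
    R = mul(k, G)
    return (R, (k + h(R, *msg) % N * priv) % N)

def verify(pub, sig, *msg):
    R, s = sig
    return mul(s, G) == add(R, mul(h(R, *msg) % N, pub))

class Party:
    """Network device or management server: identifier, long-term key pair, pinned peer."""
    def __init__(self, ident, peer_ident):
        self.ident, self.peer_ident, self.priv = ident, peer_ident, rand_scalar()
        self.pub = mul(self.priv, G)   # stands in for the entity digital certificate parameter
        self.peer_pub = None           # pinned later; "certificate legality" = pinned key match

def server_challenge(srv):   # second authentication request: cert parameter + second random number
    srv.r2 = secrets.randbits(64)
    return {"cert": srv.pub, "r2": srv.r2}

def device_request(dev, chal):
    """Authentication data request; first public key = third random number * base point."""
    if chal["cert"] != dev.peer_pub:
        raise ValueError("second entity digital certificate is not legitimate")
    dev.r1, dev.r3 = secrets.randbits(64), rand_scalar()   # first and third random numbers
    pk1 = mul(dev.r3, G)
    sig = sign(dev.priv, pk1, dev.r1, chal["r2"], dev.peer_ident, dev.pub)
    return {"pk1": pk1, "r1": dev.r1, "r2": chal["r2"], "server_id": dev.peer_ident,
            "cert": dev.pub, "sig": sig}

def server_respond(srv, req):
    """Check nonce, identifier, certificate and signature; derive the first authentication data."""
    if req["r2"] != srv.r2 or req["server_id"] != srv.ident or req["cert"] != srv.peer_pub:
        raise ValueError("second random number, server identifier or device certificate rejected")
    if not verify(req["cert"], req["sig"], req["pk1"], req["r1"], req["r2"], req["server_id"], req["cert"]):
        raise ValueError("signature value of the first entity digital certificate invalid")
    r3 = rand_scalar()                                   # server-side third random number
    pk2 = mul(r3, G)                                     # second public key
    srv.auth_data = h("snmp-auth", mul(r3, req["pk1"]))  # first authentication data (shared point)
    sig = sign(srv.priv, pk2, req["r1"], req["r2"], srv.peer_ident, srv.pub)  # covering pk2: assumption
    return {"pk2": pk2, "r1": req["r1"], "r2": req["r2"], "device_id": srv.peer_ident,
            "cert": srv.pub, "sig": sig}

def device_finish(dev, resp):
    """Check nonce, identifier, certificate and signature; derive the second authentication data."""
    if resp["r1"] != dev.r1 or resp["device_id"] != dev.ident or resp["cert"] != dev.peer_pub:
        raise ValueError("first random number, device identifier or server certificate rejected")
    if not verify(resp["cert"], resp["sig"], resp["pk2"], resp["r1"], resp["r2"], resp["device_id"], resp["cert"]):
        raise ValueError("signature value of the second entity digital certificate invalid")
    dev.auth_data = h("snmp-auth", mul(dev.r3, resp["pk2"]))   # equals the server's first authentication data

def run_exchange():   # whole exchange between a constructed device and server; returns both keys
    dev, srv = Party("dev-01", "nms-01"), Party("nms-01", "dev-01")
    dev.peer_pub, srv.peer_pub = srv.pub, dev.pub   # out-of-band trust in each other's certificate
    device_finish(dev, server_respond(srv, device_request(dev, server_challenge(srv))))
    return dev.auth_data, srv.auth_data
```

The server accepts a request only while it still holds the second random number it issued, so a replayed request with a stale nonce is refused before any signature is checked.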

Claims (26)

  1. A simple network protocol authentication method, comprising:
    a network management server determining, according to acquired authentication data request information sent by a network device, the identity of the network device and first authentication data, where the first authentication data includes authentication data determined by the network management server for performing a simple network protocol (SNMP) operation between the network management server and the network device;
    the network management server sending authentication data request response information to the network device, where the authentication data request response information is used by the network device to verify the identity of the network management server and to determine second authentication data, the second authentication data including authentication data determined by the network device for performing a simple network protocol (SNMP) operation between the network management server and the network device.
  2. The method according to claim 1, wherein, before the network management server determines the identity of the network device and the first authentication data according to the acquired authentication data request information sent by the network device, the method further comprises:
    the network management server sending second authentication request information to the network device, where the second authentication request information carries a second entity digital certificate parameter and the second random number, the second entity digital certificate parameter includes a parameter for verifying the legality of the second entity digital certificate, and the second entity digital certificate includes a digital certificate installed on the network management server.
  3. The method according to claim 2, wherein, before the network management server determines the identity of the network device and the first authentication data according to the acquired authentication data request information sent by the network device, the method further comprises:
    the network management server determining that the usage duration of third authentication data exceeds a threshold, where the third authentication data includes authentication data that the network management server determined, before determining the identity of the network device and the first authentication data, for performing SNMP operations between the network management server and the network device; or
    the network management server acquiring first authentication request information sent by the network device, where the first authentication request information is used to request authentication between the network management server and the network device.
  4. The method according to claim 3, wherein the authentication data request information includes at least any one of the following or a combination thereof: a first public key, a first random number, the second random number, a network management server identifier, a first entity digital certificate parameter, and a signature value of the first entity digital certificate, where the first public key includes a public key generated by the network device according to the second random number, the first random number includes a random number randomly generated by the network device, the first entity digital certificate parameter includes a parameter for verifying the legality of the first entity digital certificate, and the first entity digital certificate includes a digital certificate installed on the network device.
  5. The method according to claim 4, wherein, in the case where the authentication data request information includes the second random number, the first entity digital certificate parameter, the signature value of the first entity digital certificate and the network management server identifier, the network management server determining the identity of the network device and the first authentication data according to the authentication data request information comprises:
    the network management server determining, according to the second random number, that the second random number is the random number that the network management server sent to the network device carried in the authentication request response information;
    the network management server determining, according to the first entity digital certificate parameter, the signature value of the first entity digital certificate, the second random number and the network management server identifier, that the network device is a device that can perform SNMP operations;
    the network management server determining the first authentication data according to a third random number and the first public key.
  6. The method according to any one of claims 2 to 5, wherein the authentication data request response information includes at least any one of the following or a combination thereof: a second public key, the first random number, the second random number, the network device identifier, a second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key includes a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the legality of the second entity digital certificate.
  7. A simple network protocol authentication method, comprising:
    a network device sending authentication data request information to a network management server, where the authentication data request information is used to verify the identity of the network device and to obtain information on first authentication data, the first authentication data including authentication data determined by the network management server for performing a simple network protocol (SNMP) operation between the network management server and the network device;
    the network device receiving authentication data request response information sent by the network management server, where the authentication data request response information is used by the network device to verify the identity of the network management server and to determine second authentication data, the second authentication data including authentication data determined by the network device for performing a simple network protocol (SNMP) operation between the network management server and the network device;
    the network device determining the identity of the network management server and the second authentication data according to the authentication data request response information.
  8. The method according to claim 7, wherein, before the network device sends the authentication data request information to the network management server, the method further comprises:
    the network device obtaining a second entity digital certificate;
    the network device sending first authentication request information to the network management server according to the second entity digital certificate, where the first authentication request information is used to request authentication between the network management server and the network device.
  9. The method according to claim 7 or 8, wherein, before the network device sends the authentication data request information to the network management server, the method further comprises:
    the network device receiving second authentication request information sent by the network management server, where the second authentication request response information carries a second entity digital certificate parameter and the second random number, the second entity digital certificate parameter includes a parameter for verifying the legality of the second entity digital certificate, and the second entity digital certificate includes a digital certificate installed on the network management server.
  10. The method according to claim 9, wherein the authentication data request information includes at least any one of the following or a combination thereof: a first public key, a first random number, a second random number, the network management server identifier, a first entity digital certificate parameter, and a signature value of the first entity digital certificate, where the first public key includes a public key generated by the network device according to the second random number, the first random number includes a random number randomly generated by the network device, the first entity digital certificate parameter includes a parameter for verifying the legality of the first entity digital certificate, and the first entity digital certificate includes a digital certificate installed on the network device.
  11. The method according to claim 10, wherein the authentication data request response information includes at least any one of the following or a combination thereof: a second public key, the first random number, the second random number, a network device identifier, a second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key includes a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the legality of the second entity digital certificate.
  12. The method according to any one of claims 7 to 11, wherein the network device determining the second authentication data according to the authentication data request response information comprises:
    the network device determining, according to the second entity digital certificate parameter, the signature value of the second entity digital certificate, the first random number, the second random number and the network device identifier, that the network management server is a device that can perform SNMP operations;
    the network device determining the authentication data according to a third random number and the second public key, where the third random number includes a random number generated by the network device at the same time as it generates the first random number.
  13. The method according to claim 12, wherein, after the network device receives the second authentication request information sent by the network management server, the method further comprises:
    the network device determining, according to the second entity digital certificate parameter, that the second entity digital certificate is a legitimate certificate;
    the network device determining the first public key according to the third random number and a curve base point;
    the network device determining the signature value of the first entity digital certificate according to the network device private key, the first public key, the first random number, the second random number, the network management server identifier and the first entity digital certificate parameter.
  14. A simple network protocol authentication apparatus, comprising:
    a determining module, configured to determine, according to acquired authentication data request information sent by a network device, the identity of the network device and first authentication data, where the first authentication data includes authentication data determined by the network management server for performing a simple network protocol (SNMP) operation between the network management server and the network device;
    a sending module, configured to send authentication data request response information to the network device, where the authentication data request response information is used by the network device to verify the identity of the network management server and to determine second authentication data, the second authentication data including authentication data determined by the network device for performing a simple network protocol (SNMP) operation between the network management server and the network device.
  15. The apparatus according to claim 14, wherein the sending module is further configured to send second authentication request information to the network device, where the second authentication request information carries a second entity digital certificate parameter and the second random number, the second entity digital certificate parameter includes a parameter for verifying the legality of the second entity digital certificate, and the second entity digital certificate includes a digital certificate installed on the network management server.
  16. The apparatus according to claim 15, further comprising a processing module;
    the processing module being configured to determine that the usage duration of third authentication data exceeds a threshold, where the third authentication data includes authentication data that the network management server determined, before determining the identity of the network device and the first authentication data, for performing SNMP operations between the network management server and the network device; or to acquire first authentication request information sent by the network device, where the first authentication request information is used to request authentication between the network management server and the network device.
  17. The apparatus according to claim 16, wherein the authentication data request information includes at least any one of the following or a combination thereof: a first public key, a first random number, the second random number, a network management server identifier, a first entity digital certificate parameter, and a signature value of the first entity digital certificate, where the first public key includes a public key generated by the network device according to the second random number, the first random number includes a random number randomly generated by the network device, the first entity digital certificate parameter includes a parameter for verifying the legality of the first entity digital certificate, and the first entity digital certificate includes a digital certificate installed on the network device.
  18. The apparatus according to claim 17, wherein the processing module is further configured to: determine, according to the second random number, that the second random number is the random number that the network management server sent to the network device carried in the authentication request response information; determine, according to the first entity digital certificate parameter, the signature value of the first entity digital certificate, the second random number and the network management server identifier, that the network device is a device that can perform SNMP operations; and determine the first authentication data according to a third random number and the first public key.
  19. The apparatus according to any one of claims 15 to 18, wherein the authentication data request response information includes at least any one of the following or a combination thereof: a second public key, the first random number, the second random number, the network device identifier, a second entity digital certificate parameter, and a signature value of the second entity digital certificate, where the second public key includes a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes a parameter for verifying the legality of the second entity digital certificate.
  20. A simple network protocol authentication apparatus, comprising:
    a sending module, configured to send authentication data request information to a network management server, where the authentication data request information is used to verify the identity of the network device and to obtain information on first authentication data, the first authentication data including authentication data determined by the network management server for performing SNMP operations between the network management server and the network device;
    a receiving module, configured to receive authentication data request response information sent by the network management server, where the authentication data request response information is used by the network device to verify the identity of the network management server and to determine second authentication data, the second authentication data including authentication data determined by the network device for performing a simple network protocol (SNMP) operation between the network management server and the network device;
    确定模块,设置为根据所述认证数据请求响应信息,确定所述网管服务器的身份以及所述第二认证数据。And a determining module, configured to determine an identity of the network management server and the second authentication data according to the authentication data request response information.
  21. 根据权利要求20所述的装置,其中,所述接收模块,还设置为获取到第二实体数字证书;The apparatus according to claim 20, wherein the receiving module is further configured to acquire a second entity digital certificate;
    所述发送模块,还设置为根据所述第二实体数字证书,向所述网管服务器发送第一认证请求信息,所述第一认证请求信息用于请求所述网管服务器与所述网络设备之间的认证。The sending module is further configured to send the first authentication request information to the network management server according to the second entity digital certificate, where the first authentication request information is used to request the network management server and the network device Certification.
  22. 根据权利要求20或21所述的装置,其中,所述接收模块,还设置为接收所述网管服务器发送的第二认证请求信息,所述第二认证请求响应信息携带第二实体数字证书参 数和所述第二随机数,所述第二实体数字证书参数包括用于验证第二实体数字证书合法性的参数,所述第二实体数字证书包括设置在所述网管服务器的数字证书。The device according to claim 20 or 21, wherein the receiving module is further configured to receive second authentication request information sent by the network management server, where the second authentication request response information carries a second entity digital certificate And the second random number, the second entity digital certificate parameter includes a parameter for verifying the validity of the second entity digital certificate, and the second entity digital certificate includes a digital certificate set in the network management server.
  23. 根据权利要求22所述的装置,其中,所述认证数据请求信息至少包括以下任意一项或其组合:第一公钥、第一随机数、第二随机数,所述网管服务器标识、第一实体数字证书参数、第一实体数字证书的签名值,所述第一公钥包括所述网络设备根据所述第二随机数生成的公钥,所述第一随机数包括所述网络设备随机生成的随机数,所述第一实体数字证书参数包括用于验证第一实体数字证书合法性的参数,所述第一实体数字证书包括设置在所述网络设备的数字证书。The apparatus according to claim 22, wherein the authentication data request information comprises at least one of the following or a combination thereof: a first public key, a first random number, a second random number, the network management server identifier, the first An entity digital certificate parameter, a signature value of the first entity digital certificate, the first public key includes a public key generated by the network device according to the second random number, and the first random number includes randomly generated by the network device a random number, the first entity digital certificate parameter comprising a parameter for verifying the legitimacy of the first entity digital certificate, the first entity digital certificate comprising a digital certificate set in the network device.
  24. 根据权利要求23所述的装置,其中,所述认证数据请求响应信息至少包括以下任意一项或其组合:第二公钥、所述第一随机数、所述第二随机数,网络设备标识、第二实体数字证书参数、第二实体数字证书的签名值,所述第二公钥包括所述网管服务器根据所述第二随机数生成的公钥,所述第二实体数字证书参数包括用于验证所述第二实体数字证书合法性的参数。The apparatus according to claim 23, wherein said authentication data request response information comprises at least one of the following or a combination thereof: a second public key, said first random number, said second random number, a network device identifier a second entity digital certificate parameter, a signature value of the second entity digital certificate, the second public key includes a public key generated by the network management server according to the second random number, and the second entity digital certificate parameter includes A parameter for verifying the legality of the second entity digital certificate.
  25. 根据权利要求20-24任一项所述的装置,其中,所述确定模块,还设置为根据第二实体数字证书参数、第二实体数字证书的签名值、所述第一随机数、所述第二随机数,和所述网络设备标识,确定所述网管服务器为可进行SNMP操作的设备;所述网络设备根据第三随机数和所述第二公钥,确定所述认证数据,所述第三随机数包括所述网络设备生成所述第一随机数的同时生成的随机数。The apparatus according to any one of claims 20 to 24, wherein the determining module is further configured to: according to the second entity digital certificate parameter, the signature value of the second entity digital certificate, the first random number, the a second random number, and the network device identifier, determining that the network management server is a device that can perform an SNMP operation; and determining, by the network device, the authentication data according to the third random number and the second public key, The third random number includes a random number generated by the network device while generating the first random number.
  26. 根据权利要求25所述的装置,其中,所述确定模块,还设置为根据所述第二实体数字证书参数,确定所述第二实体数字证书为合法证书;根据所述第三随机数和曲线基点,确定所述第一公钥;根据所述网络设备私钥、所述第一公钥、所述第一随机数、所述第二随机数、所述网管服务器标识,和第一实体数字证书参数,确定第一实体数字证书的签名值。 The apparatus according to claim 25, wherein the determining module is further configured to determine, according to the second entity digital certificate parameter, that the second entity digital certificate is a legal certificate; according to the third random number and curve Base point, determining the first public key; and according to the network device private key, the first public key, the first random number, the second random number, the network management server identifier, and the first entity number The certificate parameter determines the signature value of the first entity digital certificate.
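The exchange of claims 17 to 26, as an added Go example that is not part of the patent: each side sends an ephemeral public key (random number times the curve base point), both random numbers, the peer's identifier and a certificate parameter under its signature; the receiver checks the echoed random number, the identifier and the signature before deriving anything, and both sides then derive the same SNMP authentication data by ECDH. Ed25519 signatures, P-256 key agreement, SHA-256 derivation, the identifiers "dev-1"/"nms-1" and the opaque certificate parameters are all assumptions (the patent names no algorithms, and certificate chain validation is left out).

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// msg is one authentication data request/response (claims 17, 19): ephemeral public key (random
// number * curve base point), both random numbers, peer identifier, certificate parameter, signature.
type msg struct{ pub, r1, r2, peerID, certParam, sig []byte }

func (m *msg) transcript() []byte { return bytes.Join([][]byte{m.pub, m.r1, m.r2, m.peerID, m.certParam}, []byte{0}) }
// buildMsg signs the transcript with the sender's long-term key (claim 26); Ed25519 is an assumption.
func buildMsg(sk ed25519.PrivateKey, eph *ecdh.PrivateKey, r1, r2, peerID, cert []byte) *msg {
	m := &msg{pub: eph.PublicKey().Bytes(), r1: r1, r2: r2, peerID: peerID, certParam: cert}
	m.sig = ed25519.Sign(sk, m.transcript())
	return m
}
// verifyMsg is the receiver-side gate of claims 18 and 25: the random number this side issued must
// come back unchanged, the identifier must be its own, and the signature must verify under the peer's key.
func verifyMsg(m *msg, echoed, myNonce, myID []byte, peerPub ed25519.PublicKey) bool {
	return bytes.Equal(echoed, myNonce) && bytes.Equal(m.peerID, myID) &&
		ed25519.Verify(peerPub, m.transcript(), m.sig)
}
// authData is the ECDH step: own ephemeral secret times the peer's ephemeral public key, hashed.
func authData(eph *ecdh.PrivateKey, peerPub []byte) (out [32]byte) {
	if pk, err := ecdh.P256().NewPublicKey(peerPub); err == nil {
		s, _ := eph.ECDH(pk) // cannot fail: both keys are on P-256
		out = sha256.Sum256(s)
	}
	return out // zero value for a malformed peer key
}
func nonce() []byte { b := make([]byte, 16); rand.Read(b); return b }

// runExchange plays device "dev-1" and server "nms-1" (constructed identifiers) through one run.
func runExchange() (dev, srv [32]byte, ok bool) {
	devPub, devKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, srvKey, _ := ed25519.GenerateKey(rand.Reader)
	devEph, _ := ecdh.P256().GenerateKey(rand.Reader) // device's "third random number"
	srvEph, _ := ecdh.P256().GenerateKey(rand.Reader) // server's ephemeral secret
	r1, r2 := nonce(), nonce()                        // first (device) and second (server) random numbers
	req := buildMsg(devKey, devEph, r1, r2, []byte("nms-1"), []byte("dev-cert"))
	resp := buildMsg(srvKey, srvEph, r1, r2, []byte("dev-1"), []byte("nms-cert"))
	if !verifyMsg(req, req.r2, r2, []byte("nms-1"), devPub) || !verifyMsg(resp, resp.r1, r1, []byte("dev-1"), srvPub) {
		return dev, srv, false
	}
	return authData(devEph, resp.pub), authData(srvEph, req.pub), true
}
```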
PCT/CN2017/087893 2016-06-23 2017-06-12 Simple network protocol authentication method and device WO2017219886A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610465342.XA CN107547466A (en) 2016-06-23 2016-06-23 A kind of simple network protocol authentication method and device
CN201610465342.X 2016-06-23

Publications (1)

Publication Number Publication Date
WO2017219886A1 true WO2017219886A1 (en) 2017-12-28

Family

ID=60783769

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/087893 WO2017219886A1 (en) 2016-06-23 2017-06-12 Simple network protocol authentication method and device

Country Status (2)

Country Link
CN (1) CN107547466A (en)
WO (1) WO2017219886A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113839776A (en) * 2021-11-29 2021-12-24 军事科学院系统工程研究院网络信息研究所 Method and system for safety interconnection protocol between network management and router

Families Citing this family (1)

Publication number Priority date Publication date Assignee Title
US11248939B2 (en) * 2018-09-12 2022-02-15 Keysight Technologies, Inc. Methods, systems, and computer readable media for calibration testing and traceability using a distributed ledger

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101047493A (en) * 2006-06-02 2007-10-03 华为技术有限公司 Method and system for acquiring simple network management protocol management key
US20080168271A1 (en) * 2007-01-04 2008-07-10 Motorola, Inc. AUTOMATED METHOD FOR SECURELY ESTABLISHING SIMPLE NETWORK MANAGEMENT PROTOCOL VERSION 3 (SNMPv3) AUTHENTICATION AND PRIVACY KEYS
CN101640886A (en) * 2008-07-29 2010-02-03 上海华为技术有限公司 Authentication method, re-authentication method and communication device
CN103096307A (en) * 2011-10-27 2013-05-08 中兴通讯股份有限公司 Secret key verification method and device

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US20040030922A1 (en) * 2002-08-07 2004-02-12 Koss Scott Craig Client-application acquisition of network-entity SNMP community string passwords
US8510558B2 (en) * 2009-02-17 2013-08-13 Alcatel Lucent Identity based authenticated key agreement protocol

Also Published As

Publication number Publication date
CN107547466A (en) 2018-01-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 17814624; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 17814624; Country of ref document: EP; Kind code of ref document: A1