CN101515933A - Method and system for detecting the completeness of network equipment software and hardware - Google Patents


Info

Publication number: CN101515933A
Authority: CN (China)
Application number: CNA2009101187902A
Other languages: Chinese (zh)
Inventors: 蒋亮, 滕志猛
Assignee (current and original): ZTE Corp
Legal status: Pending
Prior art keywords: network equipment, software, hardware, key, management center
Abstract

A method and a system for detecting the software and hardware integrity of network equipment are disclosed. The method comprises: a network management center extracts security feature information H from its local copy of the software/hardware information Info to be checked and sends H to an equipment integrity management center; the equipment integrity management center performs a cryptographic operation on H with key K1 and cryptographic algorithm S1, obtaining Sr = S1(K1, H), and sends Sr to the network equipment via the network management center; after the trusted environment of the network equipment has extracted security feature information H' from the software/hardware information Info' to be checked on the device, it either computes Sr' = S1(K1, H') and decides whether the software and hardware are intact by whether Sr' equals Sr, or computes H'' = S1^-1(K1, Sr) and decides by whether H' equals H''.

Description

A method and system for detecting the software and hardware integrity of network equipment
Technical field
The present invention relates to the communications field, and in particular to a method and system for detecting the software and hardware integrity of network equipment.
Background technology
In the communications field, to give users a safe and reliable communication environment, the software and hardware of any network element that can access user information such as the security context must itself be secure. Usually this security is guaranteed by the security of the place where the equipment is installed. For example, in UMTS (Universal Mobile Telecommunications System) the HLR (Home Location Register), VLR (Visitor Location Register) and RNC (Radio Network Controller) are security-relevant network elements; they are placed in the operator's equipment rooms, which guarantees their physical security and therefore the security of the hardware.
However, in some communication environments there are network elements that access the user security context but have no secure installation environment, for example the eNB (evolved Node B) and HNB (Home NodeB) in LTE/SAE (Long Term Evolution/System Architecture Evolution). Because they are deployed flexibly and in most cases not inside the operator's equipment rooms, their security is hard to guarantee.
In this situation, detecting the software and hardware integrity of such network elements effectively becomes a problem that needs solving: in an insecure installation environment the equipment's software or hardware may be replaced at any time, which destroys the security of that link in the information system and may even endanger the security of the whole system.
In addition, some network elements need to download software, configuration files and other information from the network management center over the network at start-up or during operation, and detecting the integrity of information obtained over the network effectively is likewise a problem to be solved.
Summary of the invention
The technical problem solved by the invention is to overcome the deficiencies of the prior art and provide a method that can detect the software and hardware integrity of network equipment effectively.
To solve this problem, the invention provides a method for detecting the software and hardware integrity of network equipment, comprising:
the network management center extracts the security feature information H of the software/hardware information Info to be checked from its local copy and sends H to the equipment integrity management center;
the equipment integrity management center performs a cryptographic operation on H with key K1 and cryptographic algorithm S1, obtaining the result Sr = S1(K1, H), and sends Sr to the network equipment via the network management center;
after the trusted environment of the network equipment has extracted the security feature information H' of the software/hardware information Info' to be checked on the device, it does one of the following: it performs the same cryptographic operation on H' with key K1 and algorithm S1, obtaining Sr' = S1(K1, H'), and decides whether the software and hardware are intact by whether Sr' equals Sr; or it applies the inverse operation S1^-1 of S1 with key K1 to Sr, obtaining H'' = S1^-1(K1, Sr), and decides by whether H' equals H''.
Further, the trusted environment and an equipment home server each store the root key K belonging to that trusted environment;
the equipment home server derives key K1 from root key K, a key derivation parameter R and key derivation algorithm F1, and R is sent to the trusted environment of the network equipment via the equipment integrity management center and the network management center;
the trusted environment of the network equipment derives K1 from root key K, key derivation algorithm F1 and the received R.
Further, the network management center also sends the security feature information H to the network equipment,
and the trusted environment additionally decides whether the software and hardware are intact by whether H' equals H.
Further, the software/hardware information Info is the software information held by the network management center and stored or about to be stored in the network equipment, and/or the hardware configuration information of the network equipment held by the network management center;
the software/hardware information Info' is the software information stored in the network equipment and/or the hardware configuration information of the network equipment.
Further, the network management center and the trusted environment use the same hash algorithm to extract the security feature information from Info and from Info' respectively.
Further, the network management center sends Info itself to the network equipment, which uses the received Info as Info'; or
the network management center sends auxiliary information corresponding to Info to the network equipment, which uses it to extract and generate Info' locally; or
the network management center sends identification information for Info to the network equipment, which uses it to obtain Info' from the device.
The invention also provides a system for detecting the software and hardware integrity of network equipment, comprising the network equipment and a network management center, and further comprising an equipment integrity management center, wherein:
the network management center is configured to extract the security feature information H of the software/hardware information Info to be checked from its local copy and send H to the equipment integrity management center;
the equipment integrity management center is configured to perform a cryptographic operation on H with key K1 and cryptographic algorithm S1, obtaining Sr = S1(K1, H), and send Sr to the network equipment via the network management center;
a trusted environment is provided in the network equipment and is configured to extract the security feature information H' of the software/hardware information Info' to be checked on the device and then either compute Sr' = S1(K1, H') with key K1 and algorithm S1 and decide whether the software and hardware are intact by whether Sr' equals Sr, or compute H'' = S1^-1(K1, Sr) with key K1 and the inverse operation S1^-1 and decide by whether H' equals H''.
Further, the system also includes an equipment home server;
the trusted environment and the equipment home server each store the root key K belonging to that trusted environment;
the equipment home server is configured to derive key K1 from root key K, key derivation parameter R and key derivation algorithm F1, and R is sent to the trusted environment of the network equipment via the equipment integrity management center and the network management center;
the trusted environment is further configured to derive K1 from root key K, key derivation algorithm F1 and the received R.
Further, Info is the software information held by the network management center and stored or about to be stored in the network equipment, and/or the hardware configuration information of the network equipment held by the network management center;
Info' is the software information stored in the network equipment and/or the hardware configuration information of the network equipment.
Further, the network management center is also configured to send Info to the network equipment, which uses the received Info as Info'; or
to send auxiliary information corresponding to Info to the network equipment, which uses it to extract and generate Info' locally; or
to send identification information for Info to the network equipment, which uses it to obtain Info' from the device.
In summary, with the method and system of the invention network equipment can check the integrity of its software and hardware quickly and reliably: whether locally stored software has been tampered with, whether software was tampered with during download, whether hardware has been replaced, and so on. This improves the reliability of the network equipment and hence of the whole communication system, and lowers the operator's equipment and network maintenance costs.
Description of drawings
Fig. 1 is a schematic of the structure of the network equipment software and hardware integrity detection system of an embodiment of the invention;
Fig. 2 is the flow chart of the first embodiment of the detection method of the invention;
Fig. 3 is the flow chart of the second embodiment of the detection method of the invention.
Embodiments
The core idea of the invention is as follows. The operation and maintenance center of the network equipment (OMC, also called the network management center) extracts the security feature information of the equipment's software and hardware from the copy it holds locally and sends it to the equipment integrity management center (EIMC), which processes it with a cryptographic method; the network management center then sends the processed security feature information to the network equipment. The network equipment extracts the security feature information of the software and hardware to be checked locally, and the trusted environment (TRE) inside the network equipment applies the same cryptographic method with the same key to the extracted information, compares the result with the processed value it received, and decides the integrity of the software and hardware from that comparison.
The invention is described below with reference to the drawings and embodiments.
Fig. 1 shows the structure of the integrity detection system of an embodiment. The system comprises the network equipment (NE), the network management center (OMC), the equipment integrity management center (EIMC), and a Home Location Register (HLR) and/or Home Subscriber Server (HSS); HLR and HSS are referred to collectively as the equipment home server.
The network equipment, network management center, equipment integrity management center and equipment home server are connected in that order. The Eo interface is used between the network management center and the EIMC, and the Eh interface between the EIMC and the equipment home server.
A trusted environment (TRE) is provided in the network equipment; it provides secure storage and secure computation. The TRE may be circuitry built into the network equipment or a pluggable card.
The TRE holds the following security information: the TRE identifier IDc; the root key K shared with the equipment home server (HLR/HSS); the key derivation algorithm F1 shared with the HLR/HSS; the digital signature algorithm S1 shared with the EIMC; and the hash algorithm H1 shared with the OMC.
The network management center extracts the security feature information H of the software/hardware information Info to be checked from its local copy and sends H to the EIMC.
The EIMC performs a cryptographic operation on H with key K1 and cryptographic algorithm S1, obtaining Sr = S1(K1, H), and sends Sr to the network equipment via the network management center.
After the TRE has extracted the security feature information H' of the software/hardware information Info' to be checked on the network equipment, it either performs the same operation on H' with K1 and S1, obtaining Sr' = S1(K1, H'), and decides whether the software and hardware are intact by whether Sr' equals Sr; or it applies the inverse operation S1^-1 with K1 to Sr, obtaining H'' = S1^-1(K1, Sr), and decides by whether H' equals H''.
The equipment home server derives key K1 from root key K, key derivation parameter R and key derivation algorithm F1, and R is sent to the TRE of the network equipment via the EIMC and the network management center;
the TRE of the network equipment derives K1 from root key K, F1 and the received R.
The functions of each network element/module and the message exchanges between them are described in detail in the method embodiments below.
First method embodiment
Fig. 2 is the flow chart of the first embodiment. In this embodiment the network equipment needs to download software from the network management center (that software is the software/hardware information to be checked) and checks the integrity of the software after the download. As shown in Fig. 2, the method comprises the following steps:
201: a trusted environment (TRE) is provided on the network equipment (NE) to be managed, holding the following security information:
the TRE identifier IDc; the root key K shared with the equipment home server (HLR/HSS); the key derivation algorithm F1 shared with the HLR/HSS; the digital signature algorithm S1 shared with the equipment integrity management center (EIMC); and the hash algorithm H1 shared with the network management center (OMC).
The digital signature algorithm may be an HMAC (hash-based message authentication code) algorithm, for example HMAC-SHA1 or HMAC-SHA256.
In addition, the OMC holds the identity IDi of this NE and the mapping between IDi and IDc.
202: when the network equipment requests a software download from the OMC (the software is written `file` below), the OMC hashes the software with H1 to generate the security feature information H = H1(file);
if the OMC already holds H for this software it can use that value directly without hashing again.
203: the network management center sends the hash value H and the IDc corresponding to this network equipment's IDi to the EIMC;
204: the EIMC sends the received IDc to the HLR/HSS;
205: the HLR/HSS looks up the root key K of this TRE by IDc, generates a random number R, and derives the digital signature key Ks = F1(K, R) from F1, K and R;
the digital signature key Ks may also be called a sub-key of the root key K.
206: the HLR/HSS sends IDc, Ks and R to the EIMC;
207: the EIMC signs H with the digital signature algorithm S1 and the key Ks, obtaining the digital signature result Sr = S1(Ks, H);
208: the EIMC sends IDc, R, H and Sr to the OMC;
209: the OMC sends file, R, H and Sr to the network equipment, which passes them on to the TRE;
210: the TRE of the network equipment hashes file with H1 to generate H' = H1(file), generates the digital signature key Ks' = F1(K, R) from F1, K and R, and signs H' with S1 and Ks', obtaining Sr' = S1(Ks', H');
211: the TRE decides from Sr and Sr' whether the received software file is intact: if Sr and Sr' are equal the file is considered intact, otherwise it is considered corrupted;
alternatively the TRE can decide from Sr, Sr', H and H': the file is considered intact only if Sr equals Sr' and H equals H'.
At this point the network equipment has downloaded the software from the network management center and checked its integrity, confirming that the software was not tampered with or replaced in transit.
Afterwards the network equipment may keep file and the received R, Sr and H so that, when needed (for example after a restart, or before the file is used), it can regenerate Ks' from R, regenerate H' and Sr' for the file as in step 210, and check the file's integrity again as in step 211.
Second method embodiment
Fig. 3 is the flow chart of the second embodiment. In this embodiment the network equipment needs to check the integrity of its hardware, that is, whether hardware in the network equipment has been replaced; the hardware configuration information is the software/hardware information to be checked. As shown in Fig. 3, the method comprises the following steps:
301: a trusted environment (TRE) is provided on the NE to be managed, holding the following security information:
the TRE identifier IDc; the root key K shared with the equipment home server (HLR/HSS); the key derivation algorithm F1 shared with the HLR/HSS; the signature algorithm S1 shared with the EIMC; and the hash algorithm H1 shared with the OMC (an unkeyed hash).
The digital signature algorithm may be an HMAC algorithm, for example HMAC-SHA1 or HMAC-SHA256.
In addition, the OMC holds the identity IDi of this NE and the mapping between IDi and IDc.
302: when the network equipment requests hardware integrity protection information from the OMC, the OMC hashes the hardware configuration information Hinfo of this network equipment that needs integrity protection with H1, generating the security feature information H = H1(Hinfo);
the OMC also needs to generate a hardware information sequence list (or hardware information hash sequence list) for Hinfo, which records the name of each hardware item and the order in which the items were taken when H was generated. For example, the list may contain the string "processor identifier, memory size", meaning that Hinfo contains the processor identifier and the memory size and that H was computed over them in that order, processor identifier first and memory size second.
The sequence list is sent to the network equipment in a later step so that it collects the same kinds of hardware information and hashes them in the same order. If the network equipment and the OMC have agreed in advance on the hardware types and order contained in Hinfo, the OMC need not generate and send the list.
303: the network management center sends the security feature information H and the IDc corresponding to this network equipment's IDi to the EIMC;
304: the EIMC sends the received IDc to the HLR/HSS;
305: the HLR/HSS looks up the root key K of this TRE by IDc, generates a random number R, and derives the digital signature key Ki = F1(K, R) from F1, K and R;
the digital signature key Ki may also be called a sub-key of the root key K.
306: the HLR/HSS sends IDc, Ki and R to the EIMC;
307: the EIMC signs H with the digital signature algorithm S1 and the key Ki, obtaining the digital signature result Sr = S1(Ki, H);
308: the EIMC sends IDc, R, H and Sr to the OMC;
309: the OMC sends the hardware information sequence list corresponding to Hinfo together with R, H and Sr to the network equipment, which passes them on to the TRE;
310: the network equipment collects the local hardware configuration information Hinfo' in the order given by the sequence list and instructs the TRE to hash Hinfo' with H1, generating H' = H1(Hinfo'), to generate the integrity protection key Ki' = F1(K, R) from F1, K and R, and to sign H' with S1 and Ki', obtaining the digital signature result Sr' = S1(Ki', H');
311: the TRE decides from Sr and Sr' whether the hardware of the network equipment is intact: if Sr and Sr' are equal the hardware is considered intact, otherwise it is considered not intact;
alternatively the TRE can decide from Sr, Sr', H and H': the hardware is considered intact only if Sr equals Sr' and H equals H'.
Note that a failed hardware check may mean that hardware in the network equipment has been replaced, or that the sequence list, R, H or Sr was tampered with in transit.
Afterwards the network equipment may keep the received sequence list, R, H and Sr so that, when needed later (for example after a restart, or before specific hardware is used), it can regenerate Hinfo' from the sequence list, regenerate Ki' from R, regenerate H' and Sr' as in step 310, and check the hardware's integrity again as in step 311.
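The Python simulation below is an added example, not code from the patent or from ZTE. It runs both embodiments end to end with the four parties as small classes: steps 202 to 211 for a downloaded software file, and steps 302 to 311 for hardware configuration information built in the order given by a hardware information sequence list. Where the patent leaves the algorithms open, the choices are assumptions: H1 = SHA-256, F1 = HMAC-SHA256(K, R), S1 = HMAC-SHA256 (one of the HMAC options the text names). The identifiers, root key, firmware bytes and hardware fields are constructed fixtures.

```python
"""Added example (not from the patent or ZTE): end-to-end simulation of the
OMC / EIMC / HLR-HSS / TRE exchange for the two embodiments above.
Assumed instantiations: H1 = SHA-256, F1 = HMAC-SHA256(K, R), S1 = HMAC-SHA256.
All identifiers, keys and inputs below are constructed fixtures."""
import hashlib
import hmac
import os


def h1(data: bytes) -> bytes:
    """Hash algorithm H1 shared by OMC and TRE (unkeyed)."""
    return hashlib.sha256(data).digest()


def f1(root_key: bytes, r: bytes) -> bytes:
    """Key derivation F1 shared by HLR/HSS and TRE: Ks = F1(K, R)."""
    return hmac.new(root_key, r, hashlib.sha256).digest()


def s1(key: bytes, h: bytes) -> bytes:
    """Digital signature algorithm S1 shared by EIMC and TRE: Sr = S1(Ks, H)."""
    return hmac.new(key, h, hashlib.sha256).digest()


def hardware_info(hw: dict, sequence_list) -> bytes:
    """Hinfo: hardware fields serialised in the order given by the sequence list."""
    return b"\n".join(f"{name}={hw[name]}".encode() for name in sequence_list)


class HomeServer:
    """HLR/HSS: root key K of every TRE, indexed by the TRE identifier IDc."""

    def __init__(self, root_keys: dict):
        self.root_keys = root_keys

    def derive_key(self, idc: str):
        """Steps 205/305: fresh random R, then Ks = F1(K, R)."""
        r = os.urandom(16)
        return f1(self.root_keys[idc], r), r


class EIMC:
    """Equipment integrity management centre."""

    def __init__(self, home_server: HomeServer):
        self.hss = home_server

    def sign(self, idc: str, h: bytes):
        """Steps 204-207/304-307: obtain (Ks, R) for IDc from the HLR/HSS, sign H."""
        ks, r = self.hss.derive_key(idc)
        return r, s1(ks, h)


class OMC:
    """Network management centre; keeps the IDi -> IDc mapping."""

    def __init__(self, eimc: EIMC, idi_to_idc: dict):
        self.eimc = eimc
        self.idi_to_idc = idi_to_idc

    def protect(self, idi: str, info: bytes):
        """Steps 202-203/302-303 and 208/308: H = H1(Info); (R, H, Sr) go to the NE."""
        h = h1(info)
        r, sr = self.eimc.sign(self.idi_to_idc[idi], h)
        return r, h, sr


class TRE:
    """Trusted environment inside the NE; holds root key K."""

    def __init__(self, root_key: bytes):
        self.root_key = root_key

    def verify(self, info_prime: bytes, r: bytes, h: bytes, sr: bytes) -> bool:
        """Steps 210-211/310-311, second form: Sr' == Sr and H' == H.
        Constant-time comparisons so the position of a mismatch does not leak."""
        h_prime = h1(info_prime)
        sr_prime = s1(f1(self.root_key, r), h_prime)
        return hmac.compare_digest(sr_prime, sr) and hmac.compare_digest(h_prime, h)


# Constructed fixture: NE "enb-42" whose TRE "tre-0001" shares ROOT_KEY with the HLR/HSS.
ROOT_KEY = bytes.fromhex("0f" * 32)
HSS = HomeServer({"tre-0001": ROOT_KEY})
OMC_NODE = OMC(EIMC(HSS), {"enb-42": "tre-0001"})
TRE_NODE = TRE(ROOT_KEY)
FIRMWARE = b"constructed firmware image v1.2"
HARDWARE = {"processor_id": "ARMv8-A 0x41", "memory_size": "4096MB"}
SEQUENCE_LIST = ("processor_id", "memory_size")  # "processor identifier, memory size"


def software_download(tampered_in_transit: bool = False) -> bool:
    """First embodiment: the OMC protects a software file, the NE checks what it received."""
    r, h, sr = OMC_NODE.protect("enb-42", FIRMWARE)
    received = FIRMWARE + b"\x00backdoor" if tampered_in_transit else FIRMWARE
    return TRE_NODE.verify(received, r, h, sr)


def hardware_check(installed: dict = HARDWARE, sequence_list=SEQUENCE_LIST) -> bool:
    """Second embodiment: the OMC protects the expected Hinfo; the NE hashes what is
    installed in the order of the sequence list it received (possibly tampered)."""
    r, h, sr = OMC_NODE.protect("enb-42", hardware_info(HARDWARE, SEQUENCE_LIST))
    return TRE_NODE.verify(hardware_info(installed, sequence_list), r, h, sr)


if __name__ == "__main__":
    print("software intact:", software_download())
    print("software tampered in transit:", software_download(tampered_in_transit=True))
    print("hardware intact:", hardware_check())
    print("memory replaced:", hardware_check({**HARDWARE, "memory_size": "2048MB"}))
    print("sequence list reordered:", hardware_check(sequence_list=("memory_size", "processor_id")))
```

The TRE implements the second form of step 211/311 (both Sr and H compared) with `hmac.compare_digest`, and the tampered runs show that a modified file, a replaced memory module and a reordered sequence list all fail, which matches the note above that a failed check may stem either from replacement or from tampering in transit. Two points worth keeping in mind when reading the scheme: the sequence list is not itself signed, so reordering it only fails because H is recomputed over the reordered fields; and because the TRE accepts whatever R it is handed, any (Info, R, H, Sr) set that was valid once stays valid, which is what the stored-for-later re-check relies on.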
According to basic principle of the present invention, the foregoing description can also have multiple mapping mode, for example:
(1) network management center (OMC) can a storage device identification IDi, and the corresponding relation between IDi and the TRE sign IDc is set in EIMC;
In this case, in step 203/303, OMC sends to appliance integrality administrative center (EIMC) with the sign IDi of security feature information H and this network equipment; In step 204/304, EIMC obtains corresponding IDc according to IDi with the corresponding relation of IDc, and the IDc of correspondence is sent to HLR/HSS; In step 208/308, EIMC obtains corresponding IDi according to IDi with the corresponding relation of IDc once more, and IDi, R, H, Sr are sent to the OMC of network management center.
(2) if EIMC stores the digital signature keys and the key derived parameter (being random number R) of IDc correspondence, then need not to obtain from HLR, promptly step 204~206/304~306 can be omitted.
Equally, the TRE of the network equipment also can store the digital signature keys of previous generation, and need not all to derive again at every turn; In this case, network management center also need not the R value is sent to the network equipment.
In addition, in the above embodiments the HLR/HSS realizes the negotiation of the digital signature key with the network equipment by sending the key derivation parameter R used to generate that key; in other embodiments of the invention, the negotiation of the digital signature key can also be carried out as an independent flow using a more secure mechanism. For example, before step 202/302, the network equipment and the HLR/HSS can perform a secret key negotiation using the Diffie-Hellman key exchange algorithm and agree on the current digital signature key. If the Diffie-Hellman key exchange is adopted, neither the network equipment nor the HLR/HSS needs to store the root key K.
(3) In step 210/310, because the hash algorithm H1 does not use a key, the hash calculation performed on the file/Hinfo' with H1 need not be carried out inside the TRE; it can be performed in other modules of the network equipment.
Of course, performing the hash calculation inside the TRE greatly improves security.
(4) In the foregoing embodiments, an encryption algorithm (for example the AES (Advanced Encryption Standard) algorithm) can be used in place of the digital signature algorithm S1; in this case, the security feature information H need not be sent to the network equipment in step 209/309.
Digital signature algorithms and encryption algorithms are referred to collectively as cryptographic algorithms, and digital signature operations and encryption operations are referred to collectively as cryptographic operations.
(5) The network management center (OMC) can apply the operation that extracts the security feature information (for example a hash calculation) to the software information to be detected (for example the configuration information of the network equipment and/or the software file in the first embodiment) together with the hardware configuration information (for example Hinfo in the second embodiment), send the resulting security feature information to the EIMC for digital signature to generate the digital signature result, and then send the digital signature result, which now covers both the software information and the hardware configuration information, to the network equipment for integrity detection.
(6) Besides sending the software and hardware information to be detected directly to the network equipment (as with the software file in the first embodiment), or sending auxiliary information generated from the software and hardware information to be detected (also called summary information, such as the hardware information sequence list in the second embodiment) to the network equipment so that the network equipment extracts the security feature information H' of the software and hardware information to be detected locally, the OMC can also send the identification information of the software and hardware information to be detected to the network equipment, so that the network equipment obtains the software and hardware information to be detected locally according to this identification information.
For example, the identification information of the above software and hardware information to be detected can be a software name.
(7) In step 210/310, after calculating the security feature information H', the TRE of the network equipment can also perform a cryptographic operation on Sr using the key K1 and the inverse operation S1^-1 of the cryptographic algorithm S1, obtaining the cryptographic operation result H'' = S1^-1(K1, Sr), and in step 211/311 detect whether the network equipment software and hardware are complete according to whether H' and H'' are identical.
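The two verification paths of the method (the Sr' == Sr comparison of step 211/311, and the H'' = S1^-1(K1, Sr) comparison of variant (7)), as an added Go example that is not part of the patent: HMAC-SHA256 stands in for the non-invertible S1 (the digital signature), AES-GCM for the invertible S1 of variant (4), SHA-256 for the hash H1, and K1 is assumed to have already been derived by F1 on both sides; all function names and sample values are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)

// HMAC-SHA256 stands in for the non-invertible S1 (the page's digital signature):
// EIMC computes Sr = S1(K1, H) on the H it receives from OMC.
func S1Mac(k1, h []byte) []byte {
	m := hmac.New(sha256.New, k1)
	m.Write(h)
	return m.Sum(nil)
}

// H1: security feature information of Info / Info' (SHA-256 assumed as the hash).
func SecurityFeature(info []byte) []byte {
	h := sha256.Sum256(info)
	return h[:]
}

// Sr' == Sr path (claim 1): the TRE recomputes Sr' = S1(K1, H') over its local Info'.
func VerifyByRecompute(k1, sr, infoPrime []byte) bool {
	return hmac.Equal(sr, S1Mac(k1, SecurityFeature(infoPrime)))
}

// AES-GCM instance used as the invertible S1 of variant (4); K1 must be 16/24/32 bytes.
func newGCM(k1 []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Invertible S1: Sr = nonce || AES-GCM(K1, nonce, H); nonce is 12 bytes and rides inside Sr.
func S1Encrypt(k1, nonce, h []byte) ([]byte, error) {
	g, err := newGCM(k1)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, nonce...), g.Seal(nil, nonce, h, nil)...), nil
}

// H'' == H' path (variant (7)): H'' = S1^-1(K1, Sr); a forged Sr fails GCM authentication.
func VerifyByInverse(k1, sr, infoPrime []byte) bool {
	g, err := newGCM(k1)
	if err != nil || len(sr) < g.NonceSize() {
		return false
	}
	hpp, err := g.Open(nil, sr[:g.NonceSize()], sr[g.NonceSize():], nil)
	return err == nil && hmac.Equal(hpp, SecurityFeature(infoPrime))
}
```

As variant (3) notes, SecurityFeature needs no key and may run outside the TRE, whereas both verify functions use K1 and belong inside it.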

Claims (10)

1. A network equipment software and hardware integrity detection method, characterized in that the method comprises:
the network management center extracting locally the security feature information H of the software and hardware information Info to be detected, and sending H to the equipment integrity management center;
the equipment integrity management center performing a cryptographic operation on H using the key K1 and the cryptographic algorithm S1 to obtain the cryptographic operation result Sr = S1(K1, H), and sending Sr to the network equipment through the network management center;
after the trusted environment of the network equipment extracts the security feature information H' of the software and hardware information Info' to be detected from the network equipment, performing the following processing: performing a cryptographic operation on H' using the key K1 and the cryptographic algorithm S1 to obtain the cryptographic operation result Sr' = S1(K1, H'), and detecting whether the network equipment software and hardware are complete according to whether Sr' and Sr are identical; or performing a cryptographic operation on Sr using the key K1 and the inverse operation S1^-1 of the cryptographic algorithm S1 to obtain the cryptographic operation result H'' = S1^-1(K1, Sr), and detecting whether the network equipment software and hardware are complete according to whether H' and H'' are identical.
2. The method of claim 1, characterized in that:
the root key K corresponding to the trusted environment is stored in the trusted environment and in the equipment home server respectively;
the equipment home server derives the key K1 using the root key K, a key derivation parameter R and a key derivation algorithm F1, and sends the key derivation parameter R to the trusted environment of the network equipment through the equipment integrity management center and the network management center;
the trusted environment of the network equipment derives the key K1 using the root key K, the key derivation algorithm F1 and the received key derivation parameter R.
3. The method of claim 1, characterized in that:
the network management center also sends the security feature information H to the network equipment;
the trusted environment of the network equipment also detects whether the network equipment software and hardware are complete according to whether H' and H are identical.
4. The method of claim 1, characterized in that:
the software and hardware information Info is: software information that is stored in the network management center and is stored, or is about to be stored, in the network equipment, and/or hardware configuration information of the network equipment that is stored in the network management center;
the software and hardware information Info' is: software information stored in the network equipment and/or hardware configuration information of the network equipment.
5. The method of claim 4, characterized in that:
the network management center and the trusted environment use the same hash algorithm to extract the security feature information from the software and hardware information Info and from the software and hardware information Info' respectively.
6. The method of claim 4, characterized in that:
the network management center sends the software and hardware information Info to the network equipment, and the network equipment uses the received software and hardware information Info as the software and hardware information Info'; or
the network management center sends auxiliary information corresponding to the software and hardware information Info to the network equipment, and the network equipment uses the auxiliary information to extract and generate the software and hardware information Info' locally; or
the network management center sends the identification information of the software and hardware information Info to the network equipment, and the network equipment uses the identification information to obtain the software and hardware information Info' from the network equipment.
7. A network equipment software and hardware integrity detection system, comprising a network equipment and a network management center, characterized in that the system further comprises an equipment integrity management center; wherein:
the network management center is used to extract locally the security feature information H of the software and hardware information Info to be detected, and to send H to the equipment integrity management center;
the equipment integrity management center is used to perform a cryptographic operation on H using the key K1 and the cryptographic algorithm S1 to obtain the cryptographic operation result Sr = S1(K1, H), and to send Sr to the network equipment through the network management center;
a trusted environment is provided in the network equipment, and the trusted environment is used to perform the following processing after extracting the security feature information H' of the software and hardware information Info' to be detected from the network equipment: performing a cryptographic operation on H' using the key K1 and the cryptographic algorithm S1 to obtain the cryptographic operation result Sr' = S1(K1, H'), and detecting whether the network equipment software and hardware are complete according to whether Sr' and Sr are identical; or performing a cryptographic operation on Sr using the key K1 and the inverse operation S1^-1 of the cryptographic algorithm S1 to obtain the cryptographic operation result H'' = S1^-1(K1, Sr), and detecting whether the network equipment software and hardware are complete according to whether H' and H'' are identical.
8. The system of claim 7, characterized in that:
the system further comprises an equipment home server;
the root key K corresponding to the trusted environment is stored in the trusted environment and in the equipment home server respectively;
the equipment home server is used to derive the key K1 using the root key K, a key derivation parameter R and a key derivation algorithm F1, and to send the key derivation parameter R to the trusted environment of the network equipment through the equipment integrity management center and the network management center;
the trusted environment of the network equipment is also used to derive the key K1 using the root key K, the key derivation algorithm F1 and the received key derivation parameter R.
9. The system of claim 7, characterized in that:
the software and hardware information Info is: software information that is stored in the network management center and is stored, or is about to be stored, in the network equipment, and/or hardware configuration information of the network equipment that is stored in the network management center;
the software and hardware information Info' is: software information stored in the network equipment and/or hardware configuration information of the network equipment.
10. The system of claim 9, characterized in that:
the network management center is also used to send the software and hardware information Info to the network equipment, and the network equipment uses the received software and hardware information Info as the software and hardware information Info'; or
the network management center is also used to send auxiliary information corresponding to the software and hardware information Info to the network equipment, and the network equipment uses the auxiliary information to extract and generate the software and hardware information Info' locally; or
the network management center is also used to send the identification information of the software and hardware information Info to the network equipment, and the network equipment uses the identification information to obtain the software and hardware information Info' from the network equipment.
Application CNA2009101187902A, priority date 2009-03-16, filing date 2009-03-16: Method and system for detecting the completeness of network equipment software and hardware. Status: Pending. Publication CN101515933A (en).
Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 2009-08-26