CN101808142A - Method and device for realizing trusted network connection through router or switch - Google Patents


Info

Publication number: CN101808142A
Authority: CN (China)
Prior art keywords: router, address, switch, signature, data
Legal status: Granted (as listed by Google; an assumption, not a legal conclusion)
Application number: CN201010120869.1A
Other languages: Chinese (zh)
Other versions: CN101808142B (en)
Inventors: 谢建平, 南湘浩, 林肇, 程晓卫, 陈六广
Current assignee: YIHENGXIN VERIFICATION SCIENCE AND TECHNOLOGY Co Ltd BEIJING (BEIJING YIHENGXIN AUTHENTICATES TECHNOLOGY Co Ltd)
Original assignee: YIHENGXIN VERIFICATION SCIENCE AND TECHNOLOGY Co Ltd BEIJING (BEIJING YIHENGXIN AUTHENTICATES TECHNOLOGY Co Ltd)
Application filed by YIHENGXIN VERIFICATION SCIENCE AND TECHNOLOGY Co Ltd BEIJING
Priority to CN201010120869.1A (granted as CN101808142B)
Publication of CN101808142A
Priority to PCT/CN2011/071679 (published as WO2011110096A1)
Application granted
Publication of CN101808142B
Current status: Expired - Fee Related

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or protocols for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/1458: Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a device for realizing a trusted network connection through a router or switch, which prevent the illegal access of DoS attacks, prevent replay attacks and intrusion by Trojans and other malware, and can guarantee routing privacy. The technical scheme is as follows: by extending the conventional IP header on the router, the source address and the destination address are verified, so that address-authenticity proof and address-lifetime proof are provided and the illegal access of DoS attacks is prevented; connection-freshness proof is provided, preventing replay attacks on the router; trustworthiness of the routing operating environment is provided, preventing intrusion of Trojans and other malware on the router; and an encryption/decryption function is added on the router, guaranteeing routing privacy. The method and device are intended for units, organizations and departments with confidentiality and security requirements.

Description

Method and apparatus for realizing a trusted network connection through a router or switch
Technical field
The present invention relates to communication-connection technology, and in particular to a communication method and device for realizing a trusted network connection through a router or switch.
Background technology
Implementing internet information-network security technology is an important measure by which every networked computer unit and network-access unit protects the Internet and its own operations, and prevents lawbreakers from using the internet to carry out destructive activity or spread harmful information. Traditional internet information-network security technology falls into two broad classes: log auditing, and anti-virus and anti-hacking technology.
Internet log auditing is a cornerstone of internet and information security and is important evidence when public-security organs prosecute computer crime. Internet-access units should provide their network topology and their IP-address allocation and usage. Complete audit logs should be kept on hosts, gateways and firewalls. Log auditing must pay attention to the system clock and the operating-system logs; its technical indicators mainly include the system start time, the accounts that log in, login time, the operations users carry out, logout time and so on. For every network connection the source IP address, destination IP address, connection time and protocol used should be recorded. In principle the log-auditing system should be a product that has passed public-security inspection; ISPs and ICPs with stronger technical capability may develop their own.
Anti-virus and anti-hacking measures are needed to prevent lawbreakers from using the internet for destructive activity and to protect the information security of the internet and of one's own unit. Each unit should adopt the following anti-virus and anti-hacking technical safety measures:
1. All computers connected to the Internet should use anti-virus products that have passed public-security inspection and regularly download virus signatures to update the antivirus software, so that the computer cannot be attacked by viruses that are already known.
2. Guarantee physical network security and guard against the risks caused by physical media, signal radiation and the like.
3. Adopt network-security control technology: network-access units should protect the network with equipment such as firewalls and IDS.
4. Use vulnerability-scanning software to scan for system vulnerabilities and close unnecessary service ports.
5. Establish a password-management system to prevent system passwords from being leaked or brute-forced.
6. Establish a patch-management system that determines how system patches are updated, installed and released, so that system vulnerabilities are closed promptly.
In summary, existing network-security technology mostly relies on hardware or software firewalls, antivirus software and routine security practice; these cannot provide fundamental control and they raise cost. Many anti-Trojan programs and firewalls are built on switches, terminal computers and similar equipment, and cannot control Trojan attacks or secure information at the source.
Moreover, routers have so far cared only about the next-hop route: they do not care where a packet comes from and pay no attention to a packet's lifetime or freshness. Unless the verification of a packet's originating address and the packet's lifetime and freshness are addressed, the illegal access and attacks of hackers or Trojans cannot be overcome, leaving the networks of individuals, enterprises and classified units insecure.
Summary of the invention
The object of the invention is to address the above problems by providing a method for realizing a trusted network connection through a router or switch that can prevent illegal access.
A further object of the invention is to provide a device for realizing a trusted network connection that can prevent the illegal access of DoS attacks, prevent replay attacks, prevent intrusion by Trojans and other malware, and guarantee routing privacy.
The technical scheme of the invention is as follows. The invention discloses a method for realizing a trusted network connection through a router or switch, which realizes a trusted connection between router or switch network devices and between network terminals. Between network devices (routers or switches), and likewise between networked computers, the source or destination IP address in the header, the source or destination hardware address, and all or part of a specified or randomly defined string of digits and characters are used as identifiers for mutual signature authentication, performed as a parallel or stacked signature. The method comprises:
The source computer, the destination computer and the router or switch each issue a time proof over all or part of the identifier defined by digits and characters (the router or switch hardware address, IP address and specified or randomly defined digits and characters; the computer's hardware address, IP address and specified or randomly defined digits and characters), verify that the time proof has not been modified, digitally sign the whole or part of the hardware address, IP address and specified or randomly generated digits and characters to generate the time proof, combine the lifetime-proof signature with all or part of the hardware address, IP address and digit/character data into a parallel or stacked mixed signature, and pass it to the next-hop router or switch together with the data;
The router or switch checks the networked computer's time proof, lifetime-proof signature and the data signature over the hardware address, IP address and specified or randomly generated digits and characters; if verification passes it receives and forwards the data, otherwise it discards or destroys the data;
The router or switch digitally signs all or part of the time proof and lifetime proof of its own hardware address, IP address and specified or randomly defined digits and characters, of the networked computer's source hardware address, IP address and digits and characters, of the encrypted or unencrypted checksum, of the CPK verification data and of the CA authentication data; generates the time proof; combines the validity-period attestation signature with the checksum, CPK signature and CA authentication into a parallel or stacked mixed signature; and passes it to the next-hop router together with the forwarded data;
The router or switch verifies the related signature of the previous-hop router or switch. Signature verification unfolds layer by layer: each layer verifies the layer above it, and the router or switch must at the same time sign for the object of its own layer. Signature verification can also be delivered to the destination router or switch through a protocol tunnel of a different IP version, or through protocol-conversion software or a computer of a different IP version, so that each device proves its own authenticity. If verification passes, the forwarded data is handed to the next-hop router or switch, and so on until it reaches the destination router or switch;
When the forwarded data reaches the destination router or switch, signature verification is performed again; the destination router or switch decrypts the data that carried the verified parallel or stacked mixed signature into received data that matches the design, and forwards the packet to the destination computer.
In one embodiment of the method, the IP address is an address of any of several IP protocol versions.
In one embodiment of the method, all or part of the specified or randomly defined digits and characters is used as the identifier for mutual authentication.
In one embodiment of the method, the hardware address may be any of several defined hardware addresses.
In one embodiment of the method, the source or destination networked computer, router or switch issues a time proof and a validity period over all or part of the identifier (the router or switch hardware address, IP address and specified or randomly defined digits and characters, and the source hardware address, IP address and specified or randomly defined digits and characters of the source or destination computer), verifies whether the time proof and validity period have been altered by anyone, and realizes that verification as a parallel or stacked mixed digital signature over the whole or part of the specified or randomly generated hardware address, IP address, digits and characters, the result of which is itself verified.
In one embodiment of the method, verification content or additional information for the source and destination addresses is added to the IP header; the originating router, the transit routers and the destination router each test every IP header, thereby providing proof of the authenticity of the address or of the additional information.
In one embodiment of the method, all signatures are stored in the IP header.
The invention also discloses a device for realizing a trusted network connection, comprising:
an anti-illegal-access module, which on receiving forwarded data decides whether to accept it by verifying the parallel or stacked mixed digital signature in the original IP-address header, so as to prevent illegal access;
an anti-replay module, which prevents replay attacks by proving the freshness of the connection through the IP address in the parallel or stacked mixed digital signature and the time validity period of the signature;
an anti-Trojan module: the routers and switches of the trusted connection apply parallel or stacked mixed digital signatures to one another, so network data carrying a Trojan program that has not obtained a signature cannot reach the destination computer; the trustworthiness of the routing operating environment prevents Trojans from intruding on the non-forwarding destination computer;
an encryption/decryption module, which guarantees routing privacy by encrypting and decrypting the forwarded data.
In one embodiment of the device, the device is a router of an IP network or a switch of a circuit-switched network.
Compared with the prior art, the invention has the following beneficial effects. By extending the existing IP header on the router, the source address and the destination address are verified, providing proof of address authenticity and address lifetime and preventing the illegal access of DoS attacks; proof of the freshness of the connection is provided, preventing replay attacks on the router; trustworthiness of the routing operating environment is provided, preventing intrusion of Trojans and other malware on the router; and an encryption/decryption function is added on the router, guaranteeing routing privacy. The invention is intended for units, organizations and departments with confidentiality or security needs.
Description of drawings
Fig. 1 is a flow diagram of an embodiment of the method of the invention for realizing a trusted network connection through a router or switch.
Figs. 2A and 2B are schematic diagrams of the IPv4 header format of the invention.
Fig. 3 is a schematic diagram of the IPv6 and IPv9 header formats of the invention.
Fig. 4 is a schematic diagram of an embodiment of the device of the invention for realizing a trusted network connection.
Fig. 5 is a schematic diagram of how the trusted route of the invention operates compatibly with today's IPv4/IPv6 and with future new protocols.
Embodiment
The invention is further described below with reference to the drawings and the following specific embodiment.
Routers in the information network are the basic components of the Internet. This scheme is the first to adopt identity-authentication technology in router design: it provides proof of address authenticity and of lifetime (time proof), preventing illegal access; it provides proof of the freshness of the connection, preventing replay attacks; and it is the first to adopt software or hardware identity authentication to provide a trusted router operating environment, preventing intrusion by Trojans and other malware. The design also provides an encryption/decryption function to guarantee privacy. These are the key security requirements of next-generation Internet protocols and future network protocols. Combined with the new addressing technique of geographic-location addressing, the method can be used to build routers for the next-generation Internet; it can also be used in the design of new switches in telecommunication networks.
A router works at the network layer of the OSI seven-layer model; its main function is to connect networks together and forward packets between them. The router has become the most important network device, so research on next-generation routers will be a core technology of future Internet research. The IPv4 and IPv6 protocols on which the Internet has run so far do not meet the new requirement of cyber security, namely trusted network connection. TCP/IP was designed without considering security: it provides no proof of address authenticity or lifetime, cannot prevent illegal access and cannot resist DoS attacks. Malware and junk information now run rampant across the internet, seriously polluting its environment and directly threatening its survival. Countries have therefore begun research into the future Internet one after another. In 2008, 65 research institutions of the European Union jointly issued the Bled Declaration calling for development of a next-generation Internet, and the EU raised 9.1 billion euros to support future-Internet research. This year the Obama administration in the United States put forward identity authentication and the addressing system as main research tasks and emphasized international cooperation. The International Organization for Standardization (ISO) proposed a future-network plan in 2007.
China has not yet formally proposed a future-Internet plan, but the work is quietly under way. China's IPv9 has realized geographic-location addressing, solving the real-name address problem by combining the IP address with geographic location. South Korea later also proposed geographic-location addressing and routing, becoming the second country to propose a new addressing system. CPK identity-authentication technology is mature and can be used in Internet protocols to realize trusted network connections.
Fig. 1 shows the flow of the method for realizing a trusted network connection through a router or switch. To realize trusted connections between routers and between users, the user name (for example pc1 in Fig. 1) and the router address (for example router alfa in Fig. 1) are used as identifiers for identity authentication: routers authenticate each other using the IP address as identifier, and users authenticate each other using the user name as identifier. Suppose pc1ID is a client's user name and AlfaID is a router's IP address; then PC1 and ALFA (uppercase) denote the respective public keys, and pc1 and alfa (lowercase) the respective private keys. If a CPK-card defined as AlfaID is inserted into any router, that router becomes the router identified as AlfaID; likewise, a router into which a CPK-card defined as BetaID is inserted becomes the router identified as BetaID. As an example, AlfaID = "China-Beijing-Haidian-Peking University" and BetaID = "China-Beijing-Haidian-Tsing-Hua University".
Now assume the originating address is AlfaID and the destination address is BetaID; the connection process is as shown in Fig. 1. The dotted line shows the path by which the packet data of user Pc1ID travels through the routers and finally reaches user Pc2ID; every router on the path verifies the originating address (in this embodiment, AlfaID in Fig. 1). Authentication of Pc1ID by user Pc2ID is transaction authentication, which can only be done after the packet data is opened and is the task of the user layer.
The IP packet from the originating router passes through several intermediate (transit) routers before reaching the destination router, and illegal access is easy at the transit routers. A traditional router only cares about the next hop and does not care where the packet comes from. To realize a trusted network connection, the routers in this embodiment must satisfy four conditions: (1) the originating address must provide a proof of the sending address that can be verified anywhere; (2) every router on the path verifies the originating address and refuses to forward if it does not match; (3) illegal access can be prevented and DoS attacks resisted; (4) the computing environment inside the router is trusted.
For the connection process with originating address AlfaID and destination address BetaID, the dotted line in Fig. 1 indicates that a CPK-card is used and originating-address authentication is performed.
Path 1: all of the following steps use the IPv9 protocol and a CPK-card:
First, client Pc1ID hands its signed data, together with the time signature and MAC signature, to router AlfaID.
Second, router AlfaID checks client Pc1ID's time signature and MAC signature; if verification passes it accepts the data, otherwise it rejects it.
Then router AlfaID passes the time and checksum signature to the next router.
After router AlfaID, routers GamID, LamID and BetaID operate in the same way as AlfaID: each next router verifies the originating-address signature and the signature of the previous router, and forwards the data to the next router if verification passes.
Finally, destination router BetaID delivers the data to the receiving user Pc2ID.
Path 2: the client uses the IPv9 protocol but no CPK-card:
User Pc3ID, without a CPK-card, sends data to user Pc4ID via router AlfaID after conversion to the IPv9 protocol by PT conversion (a protocol-conversion router). Router AlfaID takes the packet's source address as the public key and verifies the correctness of the source; if it finds an illegal address it discards the data.
Path 3: the client uses neither the IPv9 protocol nor a CPK-card:
User Pc3ID, without a CPK-card and using IPv4/IPv6, sends data to user Pc4ID via router AlfaID; the data reaches router BetaID through routers DeltaID and SigID and is forwarded to user Pc4ID.
Path 4: the client uses the IPv9 protocol and a CPK-card, but the intermediate IPv9 routers have no CPK-card:
(1) User Pc1ID signs using its own machine address as the public key and sends data to user Pc2ID via router AlfaID.
(2) Router AlfaID takes the packet's source address as the public key and verifies the correctness of the source; on an illegal address it discards the data. Once the source address is verified, it removes the original signature and re-signs with its own machine address as the public key, then performs normal route forwarding.
(3) Router GamID, which has no CPK-card, takes the packet's source address as the public key, verifies the correctness of the source, discards the data on an illegal address, and otherwise performs normal route forwarding.
(4) Routers LamID, BetaID and so on operate in the same way.
(5) Router BetaID forwards the data to destination user Pc2ID.
Fig. 5 shows how the trusted route operates compatibly with the IPv4/IPv6 protocols. To realize a trusted network connection a new IP header format is defined that contains at least the source address, the transmission time, the address's signature over the time, the destination address, and the address's signature over the checksum (the authentication code). The signature over the checksum (the authentication code) may be included in the header or placed after the data. Data encryption affects only the data format, not the IP header format. The IPv4 header format may vary in where the time and the authentication code are inserted, giving the two forms shown in Figs. 2A and 2B; the IPv9 header format is shown in Fig. 3.
For the method of this embodiment to work, the routers must be fitted with a CPK-card (or a signature algorithm of similar mechanism with corresponding hardware; CPK is used as the example below), giving them digital-signature and key-exchange functions. Originating-address authentication is realized by the CPK system. Suppose the originating router is AlfaID, the next router is GammaID, and AlfaID sends data data; the application format is:
Msg1  AlfaID → GammaID: {AlfaID, sign1, BetaID, time, data, checksum}
where AlfaID is the originating address; sign1 is the signature of the originating address, i.e. $\text{sign1} = \mathrm{SIG}_{alfa}(\text{time})$; BetaID is the destination address; SIG is the signature function; and alfa is the signing private key, provided by the CPK-card. data is the payload from the application layer, which may be plaintext or ciphertext. The router's task is to send the data to the next router.
GammaID verifies the originating-address signature: $\mathrm{SIG}^{-1}_{ALFA}(\text{time}) = \text{sign1}'$,
where $\mathrm{SIG}^{-1}$ is the verification function and ALFA is the public key. If sign1 = sign1', the connection is allowed, Msg1 is forwarded and the event is audited. Replay attacks are recognized by comparing the time.
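The Msg1 check above, as an added example that is not code from the patent: a transit router holds a table of originating identities and their public keys (standing in for the CPK-card), verifies sign1, checks the transmission time against a freshness window, checks the checksum over the data, and refuses a second copy of the same Msg1. Ed25519 is used in place of the CPK signature, and the example signs (source, destination, time) rather than the time alone; the 30-second window, the SHA-256 checksum over data and the seen-set are all assumptions of the example.

```go
package main

// Added example, not the patent's code. Ed25519 stands in for the CPK
// signature; the identity -> public-key table stands in for the CPK-card.

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Msg1 is the per-hop header {AlfaID, sign1, BetaID, time, data, checksum}.
type Msg1 struct {
	Src      string // originating address, e.g. "AlfaID"
	Dst      string // destination address, e.g. "BetaID"
	Time     int64  // transmission time in seconds
	Sign1    []byte // signature over (Src, Dst, Time); the patent signs Time alone
	Data     []byte
	Checksum []byte // SHA-256 of Data (assumed coverage)
}

// signedBytes is the byte string the originating router signs.
func signedBytes(src, dst string, t int64) []byte {
	var b bytes.Buffer
	b.WriteString(src)
	b.WriteByte(0)
	b.WriteString(dst)
	b.WriteByte(0)
	binary.Write(&b, binary.BigEndian, t)
	return b.Bytes()
}

func checksum(data []byte) []byte {
	h := sha256.Sum256(data)
	return h[:]
}

// Send builds Msg1 at the originating router.
func Send(src, dst string, priv ed25519.PrivateKey, now int64, data []byte) Msg1 {
	return Msg1{
		Src: src, Dst: dst, Time: now,
		Sign1:    ed25519.Sign(priv, signedBytes(src, dst, now)),
		Data:     data,
		Checksum: checksum(data),
	}
}

// Router is a transit router holding the public keys it trusts.
type Router struct {
	Pub    map[string]ed25519.PublicKey
	Window int64           // accepted clock difference in seconds
	seen   map[string]bool // (Src, Time, Sign1) already forwarded
}

func NewRouter(window int64) *Router {
	return &Router{Pub: map[string]ed25519.PublicKey{}, Window: window, seen: map[string]bool{}}
}

// Verify is the check each transit router performs before forwarding.
func (r *Router) Verify(m Msg1, now int64) error {
	pub, ok := r.Pub[m.Src]
	if !ok {
		return errors.New("unknown originating address")
	}
	if !ed25519.Verify(pub, signedBytes(m.Src, m.Dst, m.Time), m.Sign1) {
		return errors.New("originating-address signature does not verify")
	}
	if d := now - m.Time; d > r.Window || d < -r.Window {
		return errors.New("time proof outside freshness window")
	}
	if !bytes.Equal(checksum(m.Data), m.Checksum) {
		return errors.New("checksum mismatch")
	}
	key := fmt.Sprintf("%s|%d|%x", m.Src, m.Time, m.Sign1)
	if r.seen[key] {
		return errors.New("replayed Msg1")
	}
	r.seen[key] = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	gamma := NewRouter(30)
	gamma.Pub["AlfaID"] = pub
	m := Send("AlfaID", "BetaID", priv, 1000, []byte("data"))
	fmt.Println("first copy:", gamma.Verify(m, 1005))
	fmt.Println("replayed copy:", gamma.Verify(m, 1006))
}
```

Signing only the time, as the patent's Msg1 does, lets a captured sign1 be attached to a different destination or payload within the window; binding the destination into the signed bytes and checking the checksum closes that gap at the cost of nothing the header does not already carry.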
The router encryption and decryption process is as follows.
The structure of data is defined as Data = {Pc1ID, Pc2ID, data, mac}, where Pc1ID is the originator and Pc2ID the destination.
When the data is plaintext, Data = {Pc1ID, Pc2ID, clear-text, mac}, where Pc1ID and Pc2ID are user names, clear-text is the plaintext content and mac is the router's MAC address.
When the data is ciphertext, Data = {Pc1ID, Pc2ID, coded-key, coded-data, mac}, where coded-key is the encrypted key, coded-data is the encrypted content and mac is the router's MAC address.
If the encryption/decryption function is provided by the router, with Alfa encrypting and Beta decrypting, the data can only be encrypted offline, and only with a system key.
If the router bears the encryption/decryption function and the data is encrypted, it must produce coded-key and coded-data through the following steps:
1) generate a random number $R_3$; AlfaID computes the key $\text{key} = R_3 \cdot G$, where G is the base point of the elliptic curve and key will be used to encrypt the data;
2) compute the transport key $R_3 \cdot BETA = \text{coded-key}$, where BETA is the public key of BetaID; coded-key is sent to BetaID;
3) encrypt the data: $E_{\text{key}}(\text{data}) = \text{cipher-text}$, where $E_{\text{key}}(\cdot)$ is the data-encryption function.
The ciphertext cipher-text and coded-key are sent to BetaID.
On receiving the message from AlfaID, BetaID automatically enters the decryption process:
1) BetaID computes the inverse of its private key, $\text{beta}^{-1}$;
2) BetaID recovers the session key: $\text{beta}^{-1} \cdot \text{coded-key} = \text{key}$;
3) data decryption: $D_{\text{key}}(\text{cipher-text}) = \text{data}$, where $D_{\text{key}}(\cdot)$ is the decryption function.
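The key-transport steps above carried through on a concrete curve, as an added example that is not the patent's code. With BETA = beta·G, the receiver's beta⁻¹·coded-key = beta⁻¹·R3·beta·G = R3·G = key, so the same point is recovered; a wrong private key yields a different point and decryption fails. The choice of NIST P-256, the derivation of the AES-256-GCM key from the x coordinate of key by SHA-256 for E_key and D_key, and the random-scalar generation are assumptions of the example.

```go
package main

// Added example, not the patent's code: key = R3*G, coded-key = R3*BETA,
// beta^-1 * coded-key = key, then E_key / D_key as AES-256-GCM (assumed).

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

var curve = elliptic.P256() // assumed curve

// Point is an affine point on the curve.
type Point struct{ X, Y *big.Int }

// randomScalar returns a uniform scalar in [1, n-1], n the group order.
func randomScalar() *big.Int {
	n := curve.Params().N
	k, err := rand.Int(rand.Reader, new(big.Int).Sub(n, big.NewInt(1)))
	if err != nil {
		panic(err)
	}
	return k.Add(k, big.NewInt(1))
}

// PubKey returns BETA = beta*G.
func PubKey(beta *big.Int) Point {
	x, y := curve.ScalarBaseMult(beta.Bytes())
	return Point{x, y}
}

// WrapKey is AlfaID's side: key = R3*G and coded-key = R3*BETA.
func WrapKey(BETA Point) (key, codedKey Point) {
	r3 := randomScalar()
	kx, ky := curve.ScalarBaseMult(r3.Bytes())
	cx, cy := curve.ScalarMult(BETA.X, BETA.Y, r3.Bytes())
	return Point{kx, ky}, Point{cx, cy}
}

// UnwrapKey is BetaID's side: beta^-1 * coded-key = beta^-1 * R3 * beta * G = key.
func UnwrapKey(beta *big.Int, codedKey Point) Point {
	inv := new(big.Int).ModInverse(beta, curve.Params().N)
	x, y := curve.ScalarMult(codedKey.X, codedKey.Y, inv.Bytes())
	return Point{x, y}
}

// symKey derives the 32-byte AES key from the shared point (assumed KDF).
func symKey(p Point) []byte {
	h := sha256.Sum256(p.X.FillBytes(make([]byte, 32)))
	return h[:]
}

func aead(key Point) cipher.AEAD {
	block, err := aes.NewCipher(symKey(key))
	if err != nil {
		panic(err) // symKey is always 32 bytes
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Encrypt is E_key(data); the random nonce is prefixed to the ciphertext.
func Encrypt(key Point, data []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, data, nil)
}

// Decrypt is D_key(cipher-text); it fails on a wrong key or altered ciphertext.
func Decrypt(key Point, ct []byte) ([]byte, error) {
	gcm := aead(key)
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func main() {
	beta := randomScalar()
	key, coded := WrapKey(PubKey(beta))
	ct := Encrypt(key, []byte("data"))
	pt, err := Decrypt(UnwrapKey(beta, coded), ct)
	fmt.Printf("recovered %q, err=%v\n", pt, err)
}
```

Because coded-key is a curve point, it must be validated as being on the curve when parsed from the wire; crypto/elliptic's ScalarMult panics on an invalid point, so a router that receives coded-key from untrusted input should check it with curve.IsOnCurve before unwrapping.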
To guarantee trustworthy router operation, all executable code in the router must be authenticated by the manufacturer (first-level authentication): the manufacturer signs all executable code when the product leaves the factory. Every router is provided with an authentication function (by the CPK-card).
First, the proof of the software code:
The manufacturer holds a CPK-card and applies a manufacturer signature to all system software in the router. Executable software is divided into a software identifier (codeID) and a software body (codeBD), and the manufacturer signs each separately:
$\mathrm{SIG}_{manufacturer}(\text{codeID}) = \text{sign1}$
$\mathrm{SIG}_{manufacturer}(\text{codeBD}) = \text{sign2}$
where SIG is the signature function, manufacturer is the manufacturer's private key, codeID is the name of the executable code and codeBD is the HASH value of the executable body. Every piece of executable code in the router thus carries its own proof codes sign1 and sign2.
Then the authentication of the software code:
A CPK-card is inserted into the router, giving it the CPK authentication function. The router may verify in either of two ways: unified verification at start-up, with code that fails verification deleted as a whole so that the router's system is restored to its original state; or verification of each piece of software code just before it is called.
sign1 and sign2 are verified separately:
$\mathrm{SIG}^{-1}_{MANUFACTURER}(\text{codeID}) = \text{sign1}'$
$\mathrm{SIG}^{-1}_{MANUFACTURER}(\text{codeBD}) = \text{sign2}'$
where MANUFACTURER is the manufacturer's public key. If sign1 = sign1' and sign2 = sign2', execution is allowed; otherwise it is refused. This guarantees that the code executed in the router is code authenticated by the manufacturer; any other code is never executed, which prevents attacks by viruses and Trojans.
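The manufacturer signing and the router's pre-execution check, as an added example that is not the patent's code. Ed25519 stands in for the CPK signature and SHA-256 for the HASH of the code body; the module names and binary contents are constructed. The start-up mode is shown as a function that returns the identifiers of the modules that fail and would be deleted.

```go
package main

// Added example, not the patent's code: sign1 = SIG_manufacturer(codeID),
// sign2 = SIG_manufacturer(codeBD), verified under MANUFACTURER before execution.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// CodeProof carries the two proof codes attached to one executable.
type CodeProof struct {
	CodeID string
	Sign1  []byte // over codeID
	Sign2  []byte // over codeBD
}

// codeBD is the HASH value of the executable body (SHA-256 assumed).
func codeBD(body []byte) []byte {
	h := sha256.Sum256(body)
	return h[:]
}

// Certify is the one-level manufacturer authentication done before shipping.
func Certify(manufacturer ed25519.PrivateKey, codeID string, body []byte) CodeProof {
	return CodeProof{
		CodeID: codeID,
		Sign1:  ed25519.Sign(manufacturer, []byte(codeID)),
		Sign2:  ed25519.Sign(manufacturer, codeBD(body)),
	}
}

// AllowExecute is the router-side check: both proofs must verify under
// MANUFACTURER for the code exactly as it is about to run.
func AllowExecute(MANUFACTURER ed25519.PublicKey, p CodeProof, codeID string, body []byte) bool {
	if codeID != p.CodeID {
		return false
	}
	return ed25519.Verify(MANUFACTURER, []byte(codeID), p.Sign1) &&
		ed25519.Verify(MANUFACTURER, codeBD(body), p.Sign2)
}

// BootCheck is the "verify everything at start-up" mode: it returns, sorted,
// the identifiers of the images that fail and must be deleted.
func BootCheck(MANUFACTURER ed25519.PublicKey, proofs map[string]CodeProof, images map[string][]byte) []string {
	var reject []string
	for id, body := range images {
		p, ok := proofs[id]
		if !ok || !AllowExecute(MANUFACTURER, p, id, body) {
			reject = append(reject, id)
		}
	}
	sort.Strings(reject)
	return reject
}

func main() {
	MANUFACTURER, manufacturer, _ := ed25519.GenerateKey(rand.Reader)
	body := []byte("\x7fELF routing daemon v1") // constructed image
	p := Certify(manufacturer, "routed", body)
	fmt.Println("genuine:", AllowExecute(MANUFACTURER, p, "routed", body))
	fmt.Println("patched:", AllowExecute(MANUFACTURER, p, "routed", append(append([]byte(nil), body...), 'X')))
}
```

Signing codeID and codeBD separately, as the patent does, means sign2 proves the body but not which name it belongs to; the check therefore also compares the requested codeID with the one in the proof, so a genuine body cannot be installed under another module's name.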
The TCP/IP protocol cannot guarantee a trusted network connection and must therefore be modified. On the basis of geographical-position addressing, the present embodiment proposes three key technologies for trusted network connection: an address-authentication mechanism to prevent illegal access; a random challenge-response mechanism to prevent replay attacks; and a software-code-authentication mechanism to prevent intrusion by viruses and Trojans.
The above design method is fully applicable to trusted network connection at the physical layer. There are two kinds of physical layer: one is the physical layer defined in the seven-layer protocol of information networks, where the platform supporting the information network is the application programming interface (API); the other is the physical layer defined in communication networks, where the platform supporting the communication network is the trust reference point (TRP). In an information network, if the network layer can guarantee the credibility of transmission, physical-layer security can be taken over by the network layer and no physical-layer work need be redone. But if the physical layer of a communication network is not modified, trusted network connection cannot be realized and illegal access cannot be prevented; the method of modifying it is the same as for the router.
The method of the present invention for realizing trusted network connection through signature verification by a router or switch realizes trusted network connection between router or switch network devices and between network terminals. Between router or switch network devices, mutual signature authentication (also called mutual identity authentication) is carried out, in parallel or superimposed, using as identifier all or part of the source or destination IP address in the header (both the source and the destination IP address are present in the packet), the source or destination hardware address, and specified or randomly defined digits and characters; between networked computers, mutual signature authentication is likewise carried out, in parallel or superimposed, using as identifier all or part of the source or destination IP address in the header, the source or destination hardware address, and specified or randomly defined digits and characters.
The method comprises the following steps:
(1) The source computer, the destination computer and the routers or switches all provide a time proof and a validity-period proof for all or part of the router or switch hardware address (the hardware address may also be one defined in another way), the IP address (these IP addresses are addresses of several versions of the IP protocol) and the specified or randomly defined digits and characters, and of the computer's hardware address, IP address and specified or randomly defined digits and characters; verify whether the time proof and validity-period proof have been modified; digitally sign them in combination with all or part of the hardware address, IP address and specified or randomly generated digit and character data (in the present invention all signatures are stored in the IP header) to generate the time-proof and validity-period-proof signature; mix that signature, in parallel or superimposed, with all or part of the hardware address, IP address and specified or randomly generated digit and character data; and hand it to the next-hop router or switch together with the data.
(2) The router or switch checks the time-proof and validity-period-proof signature and the data signature over the hardware address, IP address and specified or randomly generated digits and characters of the networked computer; if verification passes it receives and forwards the data, other wise the data are discarded or destroyed.
(3) The router or switch digitally signs the time proof, validity-period proof, encrypted or unencrypted checksum (derived by a built-in algorithm of the router and the client), CPK verification data and CA verification data for all or part of its own hardware address, IP address and specified or randomly defined digits and characters and of the source hardware address, IP address and specified or randomly defined digits and characters of the networked computer; generates the time proof, the validity-period signature, the checksum, the CPK signature and the CA authentication; mixes them in parallel or superimposed; and hands them to the next-hop router together with the forwarded data. If verification fails, the data are destroyed.
(4) The router or switch verifies the related signatures of the previous-hop router or switch. Signature verification unfolds hop by hop, each layer verifying the signatures of the layer above it; at the same time the router or switch must sign for its own corresponding object in this layer, and the signature verification is also delivered to the destination router or switch through protocol tunnels of different IP versions, or through protocol-conversion software or computers of different IP versions, so that its own authenticity is guaranteed. If verification passes, the forwarded data are handed to the next-hop router or switch, straight through to the destination router or switch (the router must sign for its corresponding object in this layer to guarantee its own authenticity).
(5) After the forwarded data arrive at the destination router or switch, signature verification is performed; the destination router or switch decrypts the parallel or superimposed mixed signature that has passed verification into received data that conform to the design, and forwards the packet to the destination computer.
Fig. 4 shows an embodiment of the router of the present invention that realizes trusted network connection. The router of an information network is the basic element of the Internet. This scheme is the first to adopt identity authentication technology in router design, providing proof of address authenticity and preventing illegal access; the first to adopt the challenge-response technology of "random question, signed answer", providing proof of the freshness of this connection and preventing replay attacks; and the first to adopt software identity authentication technology, providing credibility of the router's operating environment and preventing intrusion by malware such as Trojans. The design also provides an encryption/decryption function to guarantee privacy. These are the key security requirements of next-generation Internet protocol technology, or of the future Internet. Combined with the novel addressing technology of geographical-position addressing, this design method can build routers for the next-generation or future Internet.
A router accepts a packet from one network interface and forwards it to the next destination address, which is supplied by the routing table. If the destination address is found, the MAC address of the next hop is placed in front of the packet's frame, the TTL (time to live) field of the IP header is decremented, and the checksum is recalculated. When the packet is sent to the output port it has to wait its turn in a queue before being sent on the output link. According to predefined rules the router breaks larger data into packets of suitable size and sends these packets along the same or different paths; after the packets have arrived at the destination in sequence, they are reassembled in order into the original data form.
Its packet store-and-forward process is as follows:
1) When a packet arrives at the router, the router runs the link-layer function module corresponding to the type of the network physical interface, decodes the packet's link-layer protocol header, and performs data integrity verification, including the CRC check and the frame-length check.
2) According to the destination IP address in the IP header of the frame, the IP address of the next hop is looked up in the routing table; at the same time the TTL field of the IP header is decremented and the checksum is recalculated.
3) According to the next-hop IP address, the IP packet is sent to the corresponding output link layer, encapsulated with the corresponding link-layer header, and sent out through the network physical interface.
The above is a simplified working process of a router; other additional functions such as access control, network address translation and queuing priority are not described. Some of this work is unrelated to the authentication system, or else is covered by the ID-based trusted network connection (trusted connecting) of the router discussed below.
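The TTL decrement and checksum recalculation of step 2), as an added example in Go that is not code from the patent; the 20-byte IPv4 header it works on is constructed here and the function names are mine. It is worth seeing why this step alone gives no trust: the header checksum only detects transmission errors, and a sender who rewrites the source address simply recomputes it, which is precisely the gap the signed headers described on this page are meant to close. The spoofed header in main passes the check.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ipv4Checksum is the RFC 791 header checksum: the one's-complement of the
// one's-complement sum of the header's 16-bit words, with the checksum
// field itself taken as zero.
func ipv4Checksum(hdr []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(hdr); i += 2 {
		if i == 10 { // the checksum field
			continue
		}
		sum += uint32(binary.BigEndian.Uint16(hdr[i:]))
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// ForwardStep is step 2) as a router performs it on a received IPv4 packet:
// validate the header, decrement TTL, recompute the checksum. The result is
// a new packet; an error means the packet must be discarded.
func ForwardStep(pkt []byte) ([]byte, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return nil, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl {
		return nil, errors.New("bad header length")
	}
	if ipv4Checksum(pkt[:ihl]) != binary.BigEndian.Uint16(pkt[10:]) {
		return nil, errors.New("header checksum mismatch")
	}
	if pkt[8] <= 1 { // TTL would reach 0: drop (a real router answers with ICMP Time Exceeded)
		return nil, errors.New("TTL exceeded")
	}
	out := append([]byte(nil), pkt...)
	out[8]--
	binary.BigEndian.PutUint16(out[10:], ipv4Checksum(out[:ihl]))
	return out, nil
}

// SampleIPv4 builds a constructed 20-byte header (no options, no payload)
// whose checksum is correct for whatever source address is put in it.
func SampleIPv4(ttl byte, src, dst [4]byte) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, IHL 5 words
	binary.BigEndian.PutUint16(h[2:], 20)
	h[8], h[9] = ttl, 17 // TTL, protocol UDP
	copy(h[12:], src[:])
	copy(h[16:], dst[:])
	binary.BigEndian.PutUint16(h[10:], ipv4Checksum(h))
	return h
}

func main() {
	pkt := SampleIPv4(64, [4]byte{10, 0, 0, 1}, [4]byte{10, 0, 0, 2})
	out, err := ForwardStep(pkt)
	fmt.Printf("forwarded: ttl=%d checksum=%#04x err=%v\n", out[8], binary.BigEndian.Uint16(out[10:]), err)
	// Nothing here ties the source address to the sender: a forged header with
	// a recomputed checksum is indistinguishable from a genuine one.
	_, err = ForwardStep(SampleIPv4(64, [4]byte{192, 0, 2, 1}, [4]byte{10, 0, 0, 2}))
	fmt.Println("spoofed source, recomputed checksum, err:", err)
}
```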
In the present embodiment, the router 1 that realizes trusted network connection is composed of four modules: an anti-illegal-access module 10, an anti-replay-attack module 12, an anti-Trojan-intrusion module 14 and an encryption/decryption module 16. When forwarded data are received, the anti-illegal-access module 10 decides whether to accept them by verifying the parallel or superimposed mixed digital signature in the source IP address header, so as to prevent illegal access. The anti-replay-attack module 12 prevents replay attacks by means of the freshness proof of the IP address, the validity period of the signature and the lifetime of the IP address carried in the parallel or superimposed mixed digital signature of the connection (freshness meaning that the time a packet was sent and the time it arrived are essentially consistent). In the anti-Trojan-intrusion module 14, the routers and switches of the trusted network connection apply the parallel or superimposed mixed digital signature to one another; network data carrying a Trojan program that have not obtained a signature cannot reach the destination computer, so the credibility of the routing operating environment prevents intrusion by Trojans that are not forwarded to the destination computer. The encryption/decryption module 16 guarantees route privacy through the encryption and decryption applied to the forwarded data.
The internal structure of the router in the above embodiment may also be the internal structure of a switch.
To realize trusted network connection between routers, the IP address is used as the identity of the router, which also guarantees device uniqueness. Let Alfa be the IP address of one router and Beta the IP address of another. If a CPK-card defined as Alfa is inserted into any router, that router becomes the router identified as Alfa; likewise, any router into which a CPK-card defined as Beta is inserted becomes the router identified as Beta. As an example, suppose Alfa = "China-Beijing-Haidian-Peking University" and Beta = "China-Beijing-Haidian-Tsinghua University".
An IP packet leaving the departure router passes through several transit routers before finally arriving at the destination router, and illegal access can easily occur at the intermediate transit routers: Beta may well not know where an inserted packet has come from, and this gives rise to the problem of proving the departure address and the transmission path. Proof of the departure address can be verified at any forwarding address, but that verification is not necessary at every hop; it is sufficient to complete it at the destination router while the data are processed, because the authenticity of the sending and receiving ends must be proved at every hop anyway. From the working principle of the router described above it can be seen that routers have so far only paid attention to the route of the next hop and have not cared where the packet came from. Unless verification of the sending address is solved, therefore, illegal access cannot be overcome.
Some people try to solve the illegal-access problem with encryption, but under a public-key system this is futile. For example, if Beta is the receiver, its public key is public and anyone can encrypt to Beta, so Beta still has no way of finding out who the sender is.
For the anti-illegal-access module 10, the router must satisfy: (1) the source address must provide a sending-address proof that can be verified anywhere; (2) all routers on the path verify the source address and refuse to forward if it does not match; (3) illegal access can be prevented and DoS attacks resisted; (4) the computing environment inside the router is trustworthy.
The anti-illegal-access module 10 realizes the following steps:
First, client Pc1ID hands router AlfaID its signature over the time and the MAC together with the signed data.
Second, router AlfaID checks the time signature and the MAC signature of client Pc1ID; if verification passes it accepts, otherwise it rejects.
Then, router AlfaID passes the time and checksum signatures on to the next router.
After router AlfaID, routers GamID, LamID, BetaID and so on operate in the same manner as router AlfaID: each next router verifies the signature of the source address and the signature of the previous router, and if verification passes forwards the data to the next router.
Finally, destination router BetaID delivers the data to the receiving user Pc2ID.
The CPK cryptosystem is used here. In the CPK cryptosystem, an entity identifier EntityID is mapped to a point ENTITY on the elliptic curve $E: y^2 = x^3 + ax + b \pmod p$ with parameters $T = \{a, b, G, n, p\}$, and there exists an integer entity satisfying $\mathrm{ENTITY} = entity \cdot G$; ENTITY is then the public key and entity the private key. The public key can be calculated by anyone, while the private key is issued on the ID-card. In general, therefore, any IdentityID is mapped to a public/private key pair IDENTITY and identity:
signing is written $\mathrm{SIG}_{identity}(time) = sign$;
verification is written $\mathrm{SIG}^{-1}_{IDENTITY}(time) = sign'$.
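The identifier-to-key-pair mapping of CPK, as an added example in Go; it is not the patent's code nor any CPK vendor's. The page only states that an identifier maps to a point ENTITY = entity·G. The combined-matrix construction used here (a key management centre keeps a secret matrix of scalars and publishes the matching matrix of points, the hash of the identifier selects one entry per column, the private key is the sum of the selected scalars mod n and the public key the sum of the selected points) is the usual CPK construction and is an assumption here, as are the 16×8 size, the choice of P-256 and all names. Consistent checks the property everything else on this page relies on: the public key anyone derives from the identifier alone equals D·G for the private key the ID-card carries, so no certificate lookup is needed to verify a signature from that identifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Toy CPK parameters (assumed, not from the page): a 16x8 combined matrix
// over P-256, one row per column selected by the SHA-256 of the identifier.
const rows, cols = 16, 8

// KMC is the key management centre: it keeps the secret matrix and publishes
// the matching public matrix to every router.
type KMC struct {
	curve      elliptic.Curve
	secret     [rows][cols]*big.Int
	pubX, pubY [rows][cols]*big.Int
}

func NewKMC() *KMC {
	k := &KMC{curve: elliptic.P256()}
	nMinus1 := new(big.Int).Sub(k.curve.Params().N, big.NewInt(1))
	for i := 0; i < rows; i++ {
		for j := 0; j < cols; j++ {
			s, err := rand.Int(rand.Reader, nMinus1)
			if err != nil {
				panic(err)
			}
			s.Add(s, big.NewInt(1)) // scalar in [1, n-1]
			k.secret[i][j] = s
			k.pubX[i][j], k.pubY[i][j] = k.curve.ScalarBaseMult(s.Bytes())
		}
	}
	return k
}

// selectRows maps an identifier to one matrix row per column.
func selectRows(id string) [cols]int {
	h := sha256.Sum256([]byte(id))
	var idx [cols]int
	for j := range idx {
		idx[j] = int(h[j]) % rows
	}
	return idx
}

// PublicKey is IDENTITY, the sum of the selected public points. Any router
// derives it from the identifier alone.
func (k *KMC) PublicKey(id string) *ecdsa.PublicKey {
	var x, y *big.Int
	for j, i := range selectRows(id) {
		if x == nil {
			x, y = k.pubX[i][j], k.pubY[i][j]
		} else {
			x, y = k.curve.Add(x, y, k.pubX[i][j], k.pubY[i][j])
		}
	}
	return &ecdsa.PublicKey{Curve: k.curve, X: x, Y: y}
}

// PrivateKey is identity, the sum of the selected secret scalars mod n. Only
// the KMC can compute it; it is what the ID-card carries.
func (k *KMC) PrivateKey(id string) *ecdsa.PrivateKey {
	d := new(big.Int)
	for j, i := range selectRows(id) {
		d.Add(d, k.secret[i][j])
	}
	d.Mod(d, k.curve.Params().N)
	return &ecdsa.PrivateKey{PublicKey: *k.PublicKey(id), D: d}
}

// Consistent checks that the key anyone derives from id equals D*G for the
// private key the ID-card would carry.
func (k *KMC) Consistent(id string) bool {
	priv := k.PrivateKey(id)
	x, y := k.curve.ScalarBaseMult(priv.D.Bytes())
	return x.Cmp(priv.X) == 0 && y.Cmp(priv.Y) == 0
}

// Sign and Verify are SIG_identity(time) and SIG^-1_IDENTITY(time), over the SHA-256 of the input.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

func Verify(pub *ecdsa.PublicKey, msg, sign []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sign)
}

func main() {
	kmc := NewKMC()
	id := "China-Beijing-Haidian-Peking University"
	fmt.Println("public key from identifier equals D*G of ID-card key:", kmc.Consistent(id))
	sign, _ := Sign(kmc.PrivateKey(id), []byte("T=1000"))
	fmt.Println("verified with key derived from the identifier:", Verify(kmc.PublicKey(id), []byte("T=1000"), sign))
}
```

The security of the whole scheme rests on the KMC's secret matrix: anyone holding it can derive every identifier's private key, so the matrix and the ID-card issuance are the assets to protect, not the individual routers' keys.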
The router is configured with a CPK-card, giving it digital-signature and key-exchange functions. The contents of the CPK-card are as follows. Let the IP address of the router be alfa (Alfa may be a real name such as China.Beijing.Haidian.Peking University, which after unified name translation becomes machine-executable code). Taking the ID-card of router alfa as an example, its contents are:

No.  Field                      Length  Content
1    Z1: certificate parameter  16 B    $E_{PWD}(R_1) = Z_1$
2    Z2: certificate parameter  16 B    $E_{R_1}(R_1) \oplus R_1 = Z_2$
3    Identity definition        25 B    alfa
4    Role level                 16 B    5
5    Private key 1              32 B    $E_{R_1}(csk_1) = Y_1$
6    Private key 2              32 B    $E_{R_1}(csk_2) = Y_2$
7    Role-5 key                 48 B    $E_{R_1}(key_1) = Y_3$
8    Accompanying public key    50 B    APK, sign
9    Issuing unit               25 B    KMC
10   Issuing-unit signature     48 B    $\mathrm{SIG}_{kmc}(MAC)$
Concerning address authentication: suppose the sending address is Alfa and the receiving address is Gamma, and that the public key of AlfaID is ALFA and its private key is alfa. Alfa sends a connection request in the format of Msg1:
Msg1: Alfa → Gamma, {AlfaID, BetaID, T, sign1}
where AlfaID is the sending address, BetaID is the destination address, T is the time and sign1 is the sender Alfa's signature over the time, i.e. $\mathrm{SIG}_{alfa}(T) = sign1$, SIG being the signature function. The receiver Gamma, a via address, verifies the sender's signature: $\mathrm{SIG}^{-1}_{ALFA}(T) = sign1'$, where $\mathrm{SIG}^{-1}$ is the verification function. If sign1 = sign1', Gamma regards the sender as Alfa; if Alfa is a legitimate user (by table lookup), Gamma generates a random number r and its signature over (T-1), $\mathrm{SIG}_{gamma}(T-1) = sign2$, and sends them to Alfa:
Msg2: Gamma → Alfa, {r, sign2}
Alfa verifies sign2: $\mathrm{SIG}^{-1}_{GAMMA}(T-1) = sign2'$. If sign2 = sign2', Alfa determines that the receiver is the via address Gamma; if the receiver is legitimate (by table lookup), Alfa signs r and (T+1) and at the same time sends the data together with its signature over the checksum:
$\mathrm{SIG}_{alfa}(r) = sign3$
$\mathrm{SIG}_{alfa}(T+1) = sign4$
$\mathrm{SIG}_{alfa}(checksum) = sign5$
Msg3: Alfa → Gamma, {sign3, data, sign4, sign5}
Gamma checks the signatures:
$\mathrm{SIG}^{-1}_{ALFA}(r) = sign3'$
$\mathrm{SIG}^{-1}_{ALFA}(T+1) = sign4'$
$\mathrm{SIG}^{-1}_{ALFA}(checksum) = sign5'$
If sign3 = sign3', the sender is proved to be Alfa and this connection is allowed; if sign4 = sign4', this data is proved to come from Alfa, and if sign5 = sign5' it has been received without error, whereupon Gamma sends acknowledgement information, namely its signature over the check code:
$\mathrm{SIG}_{gamma}(checksum) = sign6$
Msg4: Gamma → Alfa, {sign6}
Alfa verifies sign6: $\mathrm{SIG}^{-1}_{GAMMA}(checksum) = sign6'$. If sign6 = sign6', the data are proved to have been delivered to Gamma.
In many cases the data may be divided into several segments, $data = data_0 // data_1 // data_2 // \ldots // data_n$, and the transmission of segments can arise in two situations: between two routers that have already connected, and between two routers that have not. Suppose $data_1$ goes Alfa → Gamma and $data_2$ goes Alfa → Delta. The second situation cannot occur, because no trusted network connection process has been established; to take the second route, a trusted network connection must first be set up. All cases therefore reduce to the first situation, namely how segmented data are sent once a connection exists.
$data_1$ was sent when the connection was requested; how is $data_2$ sent? The sending of $data_2$ could be treated as a self-contained process covering the whole application procedure, but since Alfa and Gamma have already authenticated each other, everything except the first phase can be omitted and only Msg3 and Msg4 above need be repeated:
First segment: Msg1: Alfa → Gamma, {Alfa, Beta, T, sign1}
Msg2: Gamma → Alfa, {r, sign2}
$\mathrm{Msg3}_1$: Alfa → Gamma, $\{sign3_1, data_1, sign4_1, sign5_1\}$
$\mathrm{Msg4}_1$: Gamma → Alfa, $\{sign6_1\}$
Second segment: $\mathrm{Msg3}_2$: Alfa → Gamma, $\{data_2, sign4_2, sign5_2\}$
$\mathrm{Msg4}_2$: Gamma → Alfa, $\{sign6_2\}$
Third segment: $\mathrm{Msg3}_3$: Alfa → Gamma, $\{data_3, sign4_3, sign5_3\}$
$\mathrm{Msg4}_3$: Gamma → Alfa, $\{sign6_3\}$
……
where $sign4_i = \mathrm{SIG}_{alfa}(T+i)$, $i = 1, 2, \ldots$; because (T+i) is a changing factor and both Alfa and Gamma have signed it, the mutually trusted connection state can be maintained continuously.
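The address-authentication exchange Msg1 to Msg4 and the segment continuation above, as an added example in Go that is not code from the patent. The CPK identifier-to-public-key mapping is stood in for by a plain directory filled with freshly generated P-256 keys so that the block runs on its own; the look-up table of legitimate peers, the 8-byte encoding of T, SHA-256 as the checksum and every type and function name are assumptions of this example. It exercises the two checks the module relies on: a Msg1 claiming to come from Alfa but signed by someone else is refused, and a captured Msg3 replayed into a later connection is refused because its r and T+i belong to the old one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// Directory stands in for the CPK identifier-to-public-key mapping (assumption).
type Directory map[string]*ecdsa.PublicKey

// sig and ok are SIG and SIG^-1 of the page; tb encodes T, cks is the checksum.
func sig(p *ecdsa.PrivateKey, m []byte) []byte { h := sha256.Sum256(m); s, _ := ecdsa.SignASN1(rand.Reader, p, h[:]); return s }
func ok(p *ecdsa.PublicKey, m, s []byte) bool  { h := sha256.Sum256(m); return ecdsa.VerifyASN1(p, h[:], s) }
func tb(t int64) []byte                       { b := make([]byte, 8); binary.BigEndian.PutUint64(b, uint64(t)); return b }
func cks(d []byte) []byte                     { h := sha256.Sum256(d); return h[:] }

// Router is one hop: Peers is its look-up table of legitimate addresses, T and R
// the time and random challenge r of the connection in progress.
type Router struct {
	ID    string
	priv  *ecdsa.PrivateKey
	dir   Directory
	Peers map[string]bool
	T     int64
	R     *big.Int
}

func NewRouter(dir Directory, id string, peers ...string) *Router {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dir[id] = &priv.PublicKey
	r := &Router{ID: id, priv: priv, dir: dir, Peers: map[string]bool{}}
	for _, p := range peers {
		r.Peers[p] = true
	}
	return r
}

type Msg1 struct{ AlfaID, BetaID string; T int64; Sign1 []byte }
type Msg2 struct{ R *big.Int; Sign2 []byte }
type Msg3 struct{ Sign3, Data, Sign4, Sign5 []byte }
type Msg4 struct{ Sign6 []byte }

// Msg1: Alfa -> Gamma, {AlfaID, BetaID, T, SIG_alfa(T)}.
func (a *Router) Request(dst string, T int64) Msg1 {
	a.T = T
	return Msg1{a.ID, dst, T, sig(a.priv, tb(T))}
}

// Msg2: Gamma verifies SIG_alfa(T) with the key belonging to AlfaID, looks the
// sender up in its table, and answers with a fresh r and SIG_gamma(T-1).
func (g *Router) Challenge(m Msg1) (Msg2, bool) {
	pub := g.dir[m.AlfaID]
	if pub == nil || !g.Peers[m.AlfaID] || !ok(pub, tb(m.T), m.Sign1) {
		return Msg2{}, false
	}
	r, _ := rand.Int(rand.Reader, elliptic.P256().Params().N)
	g.T, g.R = m.T, r
	return Msg2{r, sig(g.priv, tb(m.T-1))}, true
}

// Msg3_i: on the first segment Alfa verifies SIG_gamma(T-1) and signs r; every
// segment carries data_i, sign4_i = SIG_alfa(T+i) and sign5_i = SIG_alfa(checksum).
func (a *Router) Send(via string, m Msg2, i int64, data []byte) (Msg3, bool) {
	out := Msg3{Data: data, Sign4: sig(a.priv, tb(a.T+i)), Sign5: sig(a.priv, cks(data))}
	if i == 1 {
		pub := a.dir[via]
		if pub == nil || !a.Peers[via] || !ok(pub, tb(a.T-1), m.Sign2) {
			return Msg3{}, false
		}
		out.Sign3 = sig(a.priv, m.R.Bytes())
	}
	return out, true
}

// Msg4: Gamma verifies sign3 (first segment), sign4_i and sign5_i, then
// acknowledges with SIG_gamma(checksum). A Msg3 captured earlier and replayed
// fails here, because its r and T+i belong to a previous connection.
func (g *Router) Receive(from string, i int64, m Msg3) (Msg4, bool) {
	pub := g.dir[from]
	if pub == nil || (i == 1 && (g.R == nil || !ok(pub, g.R.Bytes(), m.Sign3))) {
		return Msg4{}, false
	}
	ck := cks(m.Data)
	if !ok(pub, tb(g.T+i), m.Sign4) || !ok(pub, ck, m.Sign5) {
		return Msg4{}, false
	}
	return Msg4{sig(g.priv, ck)}, true
}

func main() {
	dir := Directory{}
	alfa, gamma := NewRouter(dir, "Alfa", "Gamma"), NewRouter(dir, "Gamma", "Alfa")
	m2, _ := gamma.Challenge(alfa.Request("Beta", 1000))
	m3, _ := alfa.Send("Gamma", m2, 1, []byte("data1"))
	m4, accepted := gamma.Receive("Alfa", 1, m3)
	fmt.Println("data1 accepted:", accepted, "delivery confirmed by sign6:", ok(dir["Gamma"], cks([]byte("data1")), m4.Sign6))
	gamma.Challenge(alfa.Request("Beta", 2000)) // next connection: the old Msg3 no longer verifies
	_, replayed := gamma.Receive("Alfa", 1, m3)
	fmt.Println("replayed Msg3 accepted:", replayed)
}
```

Alfa's verification of sign6 is the one-liner in main: SIG^-1 of Gamma over the checksum. A real hop would also bound |T − now| to realise the freshness requirement stated for module 12; that window is left out here so the block runs with fixed times.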
When this connection process is finished, the next-hop connection process begins: the via address Gamma becomes the sender and the via address Lamda becomes the receiver. By analogy, the router forwards hop by hop until the end router is reached, at which point every connection on every path has been proved, and the destination address Beta finally processes the data.
In the encryption/decryption module 16 the structure of the data is defined as Data = {Alfa, Beta, time, sign, data}, where Alfa is the originator, Beta the destination and $sign = \mathrm{SIG}_{alfa}(time)$.
When the data are plaintext: Data = {Alfa, Beta, time, sign, clear-text}
When the data are ciphertext: Data = {Alfa, Beta, time, sign, coded-key, coded-data}
The destination router first authenticates the originator: $\mathrm{SIG}^{-1}_{ALFA}(time) = sign'$. If sign = sign', Beta regards the originator as Alfa and enters the decryption process.
If the encryption/decryption function is provided by the router, let Alfa encrypt and Beta decrypt. Because communication between Alfa and Beta is multi-hop, encryption can only be realized with the split key of CPK, and the size of its key pool depends on the circumstances.
If this data needs to be encrypted:
1) generate a random number r; Alfa computes $key = r \cdot G$, where G is the base point of the elliptic curve;
2) encrypt key with the other party's public key: $\mathrm{ENC}_{BETA}(key) = \text{coded-key}$;
3) XOR key with the user's role key role-key to obtain new-key, where role-key is provided by the ID-card: $key \oplus \text{role-key} = \text{new-key}$;
4) encrypt the data: $E_{\text{new-key}}(data) = \text{coded-data}$;
and send the ciphertext coded-data together with coded-key to Beta.
On receiving Alfa's signal, Beta automatically enters the decryption process:
1) Beta decrypts with its private key: $\mathrm{DEC}_{beta}(\text{coded-key}) = key$, where the private key beta is provided by the ID-card;
2) key is XORed (added modulo 2) with the role key: $key \oplus \text{role-key} = \text{new-key}$;
3) the data are decrypted: $D_{\text{new-key}}(\text{coded-data}) = data$.
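The encryption steps 1) to 4) and Beta's decryption, as an added example in Go that is not code from the patent. ENC_BETA is realised as EC ElGamal on P-256 (C1 = k·G, C2 = key + k·BETA, so that Beta recovers key = C2 − beta·C1); the page's key ⊕ role-key is taken over the SHA-256 of key's x-coordinate so that both operands are 32 bytes; and E_new-key is AES-256-GCM. These choices, the Envelope layout, Beta's freshly generated key pair standing in for the CPK-derived one, and all names are assumptions, since the page fixes none of them. The role key does what the page intends: an ID-card with the wrong role key recovers the same key point yet cannot open coded-data, and GCM's tag also rejects a modified ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Envelope is the ciphertext part of the page's Data: coded-key as the two
// EC ElGamal points (C1, C2), and coded-data with its GCM nonce.
type Envelope struct {
	C1X, C1Y, C2X, C2Y *big.Int
	Nonce, CodedData   []byte
}

// newKey is key XOR role-key. The page XORs them directly; here the point key
// is first reduced to 32 bytes by hashing its x-coordinate (assumption).
func newKey(keyX *big.Int, roleKey [32]byte) []byte {
	h := sha256.Sum256(keyX.Bytes())
	for i := range h {
		h[i] ^= roleKey[i]
	}
	return h[:]
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is Alfa's side, steps 1) to 4).
func Encrypt(beta *ecdsa.PublicKey, roleKey [32]byte, data []byte) (Envelope, error) {
	c := beta.Curve
	r, _ := rand.Int(rand.Reader, c.Params().N) // 1) key = r*G
	keyX, keyY := c.ScalarBaseMult(r.Bytes())
	k, _ := rand.Int(rand.Reader, c.Params().N) // 2) coded-key = ENC_BETA(key): C1 = k*G, C2 = key + k*BETA
	c1x, c1y := c.ScalarBaseMult(k.Bytes())
	sx, sy := c.ScalarMult(beta.X, beta.Y, k.Bytes())
	c2x, c2y := c.Add(keyX, keyY, sx, sy)
	aead, err := gcm(newKey(keyX, roleKey)) // 3) new-key = key XOR role-key
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	coded := aead.Seal(nil, nonce, data, nil) // 4) coded-data = E_new-key(data)
	return Envelope{c1x, c1y, c2x, c2y, nonce, coded}, nil
}

// Decrypt is Beta's side: DEC_beta(coded-key) = C2 - beta*C1 = key, then the
// same XOR with the role key, then D_new-key(coded-data).
func Decrypt(beta *ecdsa.PrivateKey, roleKey [32]byte, e Envelope) ([]byte, error) {
	c := beta.Curve
	sx, sy := c.ScalarMult(e.C1X, e.C1Y, beta.D.Bytes())
	negY := new(big.Int).Sub(c.Params().P, sy) // -(k*BETA)
	keyX, _ := c.Add(e.C2X, e.C2Y, sx, negY)
	aead, err := gcm(newKey(keyX, roleKey))
	if err != nil {
		return nil, err
	}
	data, err := aead.Open(nil, e.Nonce, e.CodedData, nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, wrong role key or tampered data")
	}
	return data, nil
}

func main() {
	beta, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for Beta's ID-card key pair
	var role [32]byte
	copy(role[:], "role-5-key-from-id-card-assumed!") // constructed role key
	env, _ := Encrypt(&beta.PublicKey, role, []byte("constructed routing payload"))
	data, err := Decrypt(beta, role, env)
	fmt.Printf("decrypted %q (err=%v)\n", data, err)
	_, err = Decrypt(beta, [32]byte{}, env)
	fmt.Println("wrong role key:", err)
}
```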
On the basis of the above embodiment, the present invention extends the existing IP header on the router to verify the source address and destination address, providing proof of address authenticity and validity period and preventing the illegal access of DoS attacks; provides proof of the freshness and validity period of this connection, preventing replay attacks on the router; provides credibility of the routing operating environment, preventing intrusion by malware such as Trojans on the router; and adds an encryption/decryption function to the router, guaranteeing the privacy of routing for units, institutions or departments with confidentiality or security needs.
The above embodiment is provided so that those of ordinary skill in the art can realize or use the present invention; those of ordinary skill in the art may make various modifications or variations to the above embodiment without departing from the inventive idea of the present invention, so the protection scope of the present invention is not limited by the above embodiment but should be the widest scope conforming to the inventive features recited in the claims.

Claims (9)

1. A method for realizing trusted network connection through a router or switch, which realizes trusted network connection between router or switch network devices and between network terminals, wherein between router or switch network devices mutual signature authentication is carried out in parallel or superimposed using as identifier all or part of the source or destination IP address in the header, the source or destination hardware address, and specified or randomly defined digits and characters, and between networked computers mutual signature authentication is carried out in parallel or superimposed using as identifier all or part of the source or destination IP address in the header, the source or destination hardware address, and specified or randomly defined digits and characters, the method comprising:
the source computer, the destination computer and the routers or switches all providing a time proof for all or part of the router or switch hardware address, IP address and specified or randomly defined digits and characters, and of the computer's hardware address, IP address and specified or randomly defined digits and characters; verifying that the time proof has not been modified; digitally signing it in combination with all or part of the hardware address, IP address and specified or randomly generated digit and character data to generate the time-proof and validity-period-proof signature; mixing that signature, in parallel or superimposed, with all or part of the hardware address, IP address and specified or randomly generated digit and character data; and handing it to the next-hop router or switch together with the data;
the router or switch checking the time-proof and validity-period-proof signature and the data signature over the hardware address, IP address and specified or randomly generated digits and characters of the networked computer, receiving and forwarding the data if verification passes, and otherwise discarding or destroying the data;
the router or switch digitally signing the time proof, validity-period proof, encrypted or unencrypted checksum, CPK verification data and CA verification data for all or part of its own hardware address, IP address and specified or randomly defined digits and characters and of the source hardware address, IP address and specified or randomly defined digits and characters of the networked computer, generating the time proof, the validity-period signature, the checksum, the CPK signature and the CA authentication, mixing them in parallel or superimposed, and handing them to the next-hop router together with the forwarded data;
the router or switch verifying the related signatures of the previous-hop router or switch, wherein signature verification unfolds hop by hop, each layer verifying the signatures of the layer above it, the router or switch at the same time signing for its own corresponding object in this layer, and the signature verification also being delivered to the destination router or switch through protocol tunnels of different IP versions or through protocol-conversion software or computers of different IP versions, so that its own authenticity is guaranteed, and, if verification passes, handing the forwarded data to the next-hop router or switch straight through to the destination router or switch;
after the forwarded data arrive at the destination router or switch, performing signature verification, the destination router or switch decrypting the parallel or superimposed mixed signature that has passed verification into received data that conform to the design, and forwarding the packet to the destination computer.
2. The method for realizing trusted network connection through a router or switch according to claim 1, characterized in that the IP address is an address of several versions of the IP protocol.
3. The method for realizing trusted network connection through a router or switch according to claim 1, characterized in that all or part of the specified or randomly defined digits and characters serves as the identifier for mutual authentication.
4. The method for realizing trusted network connection through a router or switch according to claim 1, characterized in that the hardware address is a hardware address of several definitions.
5. The method for realizing trusted network connection through a router or switch according to claim 1, characterized in that the source or destination networked computer, router or switch provides a time proof and validity period for all or part of the router or switch hardware address, IP address and specified or randomly defined digits and characters defined with digits and characters, and of the source hardware address, IP address and specified or randomly defined digits and characters of the source or destination networked computer, and verifies whether the time proof and validity period have been modified by anyone; and that the time proof, and the digital signature verifying whether the time proof and validity period have been modified by anyone, are realized by a parallel or superimposed mixed digital signature over all or part of the specified or randomly generated hardware address, IP address and specified or randomly generated digit and character data.
6. The method for realizing trusted network connection through a router or switch according to claim 1, characterized in that verification content or additional information for the source address and destination address is added to the IP header, and the departure router, the transit routers and the destination router each test each IP header, thereby providing proof of the authenticity of the address or of the additional information.
7. The method for realizing trusted network connection through a router or switch according to claim 1, characterized in that all signatures are stored in the IP header.
8. A device for realizing trusted network connection, comprising:
an anti-illegal-access module which, when forwarded data are received, decides whether to accept them by verifying the parallel or superimposed mixed digital signature in the source IP address header, so as to prevent illegal access;
an anti-replay-attack module which prevents replay attacks by means of the freshness proof of the IP address and the validity period of the signature carried in the parallel or superimposed mixed digital signature of the connection;
an anti-Trojan-intrusion module, wherein the routers and switches of the trusted network connection apply the parallel or superimposed mixed digital signature to one another, so that network data carrying a Trojan program that have not obtained a signature cannot reach the destination computer, and the credibility of the routing operating environment prevents intrusion by Trojans that are not forwarded to the destination computer;
an encryption/decryption module which guarantees route privacy through the encryption and decryption applied to the forwarded data.
9. The device for realizing trusted network connection according to claim 8, characterized in that the device is a router of an IP network or a switch of a circuit network.
CN201010120869.1A 2010-03-10 2010-03-10 Method and device for realizing trusted network connection through router or switch Expired - Fee Related CN101808142B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201010120869.1A CN101808142B (en) 2010-03-10 2010-03-10 Method and device for realizing trusted network connection through router or switch
PCT/CN2011/071679 WO2011110096A1 (en) 2010-03-10 2011-03-10 Method and device for realizing trusted network connection through router or switch

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010120869.1A CN101808142B (en) 2010-03-10 2010-03-10 Method and device for realizing trusted network connection through router or switch

Publications (2)

Publication Number Publication Date
CN101808142A true CN101808142A (en) 2010-08-18
CN101808142B CN101808142B (en) 2013-03-27

Family

ID=42609761

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010120869.1A Expired - Fee Related CN101808142B (en) 2010-03-10 2010-03-10 Method and device for realizing trusted network connection through router or switch

Country Status (2)

Country Link
CN (1) CN101808142B (en)
WO (1) WO2011110096A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011110096A1 (en) * 2010-03-10 2011-09-15 上海通用化工技术研究所 Method and device for realizing trusted network connection through router or switch
CN105812137A (en) * 2014-12-29 2016-07-27 中兴通讯股份有限公司 Signature method and signature device
CN106534070A (en) * 2016-10-09 2017-03-22 清华大学 Counterfeiting-resisting low-overhead router marking generation method
CN106911428A (en) * 2017-02-23 2017-06-30 北京龙鼎源科技股份有限公司 The transmission method and device of information
CN107241339A (en) * 2017-06-29 2017-10-10 北京小米移动软件有限公司 Auth method, device and storage medium
CN111133701A (en) * 2017-07-31 2020-05-08 三菱电机株式会社 Reliable cut-through switching for time sensitive networks
CN112910882A (en) * 2021-01-28 2021-06-04 山东有人物联网股份有限公司 Network management method, device, system and computer readable storage medium

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103618607B (en) * 2013-11-29 2016-07-06 北京信长城技术研究院 A kind of Security Data Transmission and key exchange method
CN106341396A (en) * 2016-08-24 2017-01-18 北京匡恩网络科技有限责任公司 Industrial control system with intrusion tolerance and security protection method
CN110381299A (en) * 2019-08-22 2019-10-25 湖州米欧康电子科技有限公司 A kind of web camera
CN116614315B (en) * 2023-07-19 2023-10-27 国家计算机网络与信息安全管理中心江西分中心 IPv6 security protection method for realizing application cloud security hosting

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006077701A1 (en) * 2005-01-21 2006-07-27 Nec Corporation Signing device, verifying device, certifying device, encrypting device, and decrypting device
CN1921488A (en) * 2006-09-19 2007-02-28 清华大学 Method for preventing forgery of source address based on signature authentication inside IPv6 sub network
CN1921487A (en) * 2006-09-19 2007-02-28 清华大学 Identifying method for IPv6 actual source address between autonomy systems based on signature

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1231847C (en) * 2002-09-09 2005-12-14 中国科学院研究生院 Identity authentication device and method for network equipment
CN1260927C (en) * 2002-11-26 2006-06-21 华为技术有限公司 IP network system for realizing safety verification and method thereof
CA2534919C (en) * 2003-08-08 2011-04-05 T.T.T. Kabushikikaisha Transport layer encryption for extra-security ip networks
CN101808142B (en) * 2010-03-10 2013-03-27 上海十进制网络信息技术有限公司 Method and device for realizing trusted network connection through router or switch

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011110096A1 (en) * 2010-03-10 2011-09-15 上海通用化工技术研究所 Method and device for realizing trusted network connection through router or switch
CN105812137A (en) * 2014-12-29 2016-07-27 中兴通讯股份有限公司 Signature method and signature device
CN106534070A (en) * 2016-10-09 2017-03-22 清华大学 Counterfeiting-resisting low-overhead router marking generation method
CN106534070B (en) * 2016-10-09 2019-06-28 清华大学 Counterfeit-resistant low-overhead router identifier generation method
CN106911428A (en) * 2017-02-23 2017-06-30 北京龙鼎源科技股份有限公司 Information transmission method and device
CN107241339A (en) * 2017-06-29 2017-10-10 北京小米移动软件有限公司 Auth method, device and storage medium
CN107241339B (en) * 2017-06-29 2020-03-03 北京小米移动软件有限公司 Identity authentication method, identity authentication device and storage medium
CN111133701A (en) * 2017-07-31 2020-05-08 三菱电机株式会社 Reliable cut-through switching for time sensitive networks
CN111133701B (en) * 2017-07-31 2022-06-07 三菱电机株式会社 Reliable cut-through switching for time sensitive networks
CN112910882A (en) * 2021-01-28 2021-06-04 山东有人物联网股份有限公司 Network management method, device, system and computer readable storage medium

Also Published As

Publication number Publication date
WO2011110096A1 (en) 2011-09-15
CN101808142B (en) 2013-03-27

Similar Documents

Publication Publication Date Title
CN101808142B (en) Method and device for realizing trusted network connection through router or switch
JP4833489B2 (en) System, method and software for remote password authentication using multiple servers
US8533806B2 (en) Method for authenticating a trusted platform based on the tri-element peer authentication(TEPA)
CN102164033B (en) Method, device and system for preventing services from being attacked
Obert et al. Recommendations for trust and encryption in DER interoperability standards
CN105187405A (en) Reputation-based cloud computing identity management method
Alzuwaini et al. An Efficient Mechanism to Prevent the Phishing Attacks.
Rongyu et al. A PK-SIM card based end-to-end security framework for SMS
JP4783340B2 (en) Protecting data traffic in a mobile network environment
Ibrahim et al. Jamming resistant non‐interactive anonymous and unlinkable authentication scheme for mobile satellite networks
CN102340487B (en) Integrity report transferring method and system among multiple trust domains
CN1829150B (en) Gateway identification device and method based on CPK
CN104270756A (en) Intra-domain mapping updating authenticating method in identity and position separation network
You et al. 5G-AKA-FS: A 5G Authentication and Key Agreement Protocol for Forward Secrecy
Kumar et al. Multi-TA model-based conditional privacy-preserving authentication protocol for fog-enabled VANET
CN113630244A (en) End-to-end safety guarantee method facing communication sensor network and edge server
Chang et al. On making U2F protocol leakage-resilient via re-keying
Joshi Network security: know it all
CN101668009B (en) Method and system for safely processing routing address
JP2015516616A (en) Authentication method, apparatus and system
Singh et al. Analysis of cryptographically replay attacks and its mitigation mechanism
Kwon et al. Certificate transparency with enhanced privacy
Diaz et al. On securing online registration protocols: Formal verification of a new proposal
GB2395304A (en) A digital locking system for physical and digital items using a location based indication for unlocking
KR102086739B1 (en) Electronic re-signing method to support various digital signature algorithms in secure sockets layer decryption device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 1147363
Country of ref document: HK

C14 Grant of patent or utility model
GR01 Patent grant
REG Reference to a national code
Ref country code: HK
Ref legal event code: WD
Ref document number: 1147363
Country of ref document: HK

CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20130327