CN101997681B - Authentication method and system for multi-node path and relevant node equipment - Google Patents


Info

Publication number: CN101997681B
Authority: CN (China)
Prior art keywords: node, random, task processing, authentication, message
Application number: CN2009100912285A
Other languages: Chinese (zh)
Other versions: CN101997681A (en)
Inventors: 任晓明, 乐祖晖, 朱本洁
Original Assignee: 中国移动通信集团公司 (China Mobile Communications Corporation)

Abstract

The invention discloses an authentication method and system for a multi-node path, and the associated node devices, which reduce implementation complexity and improve authentication efficiency. The authentication method for the multi-node path comprises the following steps: a source end node initiates a task processing request message carrying a first random number that the source end node generates at random; after receiving the task processing request message, a destination end node returns a task processing response message carrying a second random number determined from the received first random number and an operation rule; each legitimate intermediate node updates the received first random number using the operation rule; and the source end node determines the number of times the task processing request message was forwarded from the second random number, the first random number it generated and the operation rule, and determines that the multi-node path is a legitimate path when the determined number of forwards is consistent with the preset number of intermediate nodes.

Description

Authentication method and system for a multi-node path, and associated node devices
Technical field
The present invention relates to the field of end-to-end communication, and in particular to an authentication method and system for a multi-node path and to the associated node devices.
Background technology
In an end-to-end communication system, a path over which two end nodes communicate via one or more intermediate nodes is commonly called a multi-node path. Existing multi-node paths use end-to-end authentication, in which the end nodes do not verify the legitimacy of the intermediate nodes, so the security of the communication between the end nodes cannot be guaranteed. In some application scenarios, however, an effective authentication scheme is needed that guarantees the legitimacy of every intermediate node in the end-to-end communication system and thereby the security of the communication between the end nodes. To guarantee the legitimacy of all intermediate nodes, the prior art generally has adjacent nodes authenticate each other, or has an end node authenticate each intermediate node one by one. Both approaches carry high system deployment and management costs, are complex to implement, and have low authentication efficiency.
Summary of the invention
The present invention provides an authentication method and system for a multi-node path in order to solve the problems of high system deployment and management cost, implementation complexity and low authentication efficiency in existing multi-node path authentication schemes.
Correspondingly, the present invention provides a source end node device and a destination end node device for a multi-node path.
The present invention provides an authentication method for a multi-node path, comprising:
a source end node in the multi-node path initiates a task processing request message carrying a first random number that this node generates at random;
after receiving the task processing request message forwarded via each intermediate node, a destination end node in the multi-node path returns a task processing response message to the source end node carrying a second random number determined from the first random number carried in the received task processing request message and a pre-configured operation rule, where each legitimate intermediate node through which the task processing request message passes applies the operation rule to the first random number carried in the received message and updates the first random number with the result;
the source end node determines the number of times the task processing request message was forwarded from the second random number carried in the task processing response message, the first random number generated by this node and the operation rule, and confirms that the multi-node path is a legitimate path when the determined number of forwards is consistent with the pre-configured number of intermediate nodes.
The present invention provides an authentication system for a multi-node path, comprising the source end node and the destination end node of the multi-node path, wherein:
the source end node is configured to initiate a task processing request message carrying a first random number that this node generates at random; to determine the number of times the task processing request message was forwarded from the second random number carried in the task processing response message returned by the destination end node, the first random number generated by this node and a pre-configured operation rule; and to confirm that the multi-node path is a legitimate path when the determined number of forwards is consistent with the pre-configured number of intermediate nodes;
the destination end node is configured, after receiving the task processing request message forwarded via each intermediate node, to return a task processing response message to the source end node carrying a second random number determined from the first random number carried in the received message and the operation rule, where each legitimate intermediate node through which the task processing request message passes applies the operation rule to the first random number carried in the received message and updates the first random number with the result.
The present invention provides a source end node device for a multi-node path, comprising:
a task management module, configured to initiate a task processing request message carrying a first random number generated at random by this node;
a receiving module, configured to receive the task processing response message, carrying a second random number, that the destination end node of the multi-node path returns after receiving the task processing request message forwarded via each intermediate node, the second random number being determined from the first random number carried in the task processing request message and a pre-configured operation rule, where each legitimate intermediate node through which the task processing request message passes applies the operation rule to the first random number carried in the received message and updates the first random number with the result;
a path authentication module, configured to determine the number of times the task processing request message was forwarded from the second random number, the first random number generated by this node and the pre-configured operation rule, and to confirm that the multi-node path is a legitimate path when the determined number of forwards is consistent with the pre-configured number of intermediate nodes.
The present invention provides a destination end node device for a multi-node path, comprising:
a receiving module, configured to receive the task processing request message initiated by the source end node and forwarded via each intermediate node, where the task processing request message initiated by the source end node carries a first random number generated at random by that node, and each legitimate intermediate node through which the message passes applies a pre-configured operation rule to the first random number carried in the received message and updates the first random number with the result;
a sending module, configured to return a task processing response message to the source end node carrying a second random number determined from the first random number carried in the received task processing request message and the operation rule, so that the source end node can determine the number of times the task processing request message was forwarded from the second random number, the first random number it generated and the pre-configured operation rule, and confirm that the multi-node path is a legitimate path when the determined number of forwards is consistent with the pre-configured number of intermediate nodes.
The authentication method and system for a multi-node path provided by the invention are designed around the characteristics of such a path: the task processing request message initiated by the source end node carries a first random number generated at random by that node; each legitimate intermediate node through which the message passes updates the first random number with a predefined operation rule; after receiving the message, the destination end node returns a task processing response message to the source end node carrying a second random number determined from the operation rule and the received first random number; from the second random number carried in the response, the first random number it generated and the operation rule, the source end node can determine how many times the task processing request message was forwarded, and if that number is consistent with the number of intermediate nodes it confirms that the multi-node path is legitimate. This scheme achieves accurate authentication of the legitimacy of a multi-node path, reduces implementation complexity, improves authentication efficiency, and effectively controls system deployment and management cost.
Description of drawings
Fig. 1 is an architecture diagram of a multi-node path in an embodiment of the invention;
Fig. 2 is a flow chart of the authentication method for a multi-node path in an embodiment of the invention;
Fig. 3 is a schematic of the authentication flow for a multi-node path in an embodiment of the invention;
Fig. 4 is a schematic of the multi-node path of a mobile terminal on-site payment system in an embodiment of the invention;
Fig. 5 is a block diagram of the authentication system for a multi-node path in an embodiment of the invention;
Fig. 6 is a structural block diagram of the source end node device in an embodiment of the invention;
Fig. 7 is a structural block diagram of the destination end node device in an embodiment of the invention.
Embodiment
First, several basic concepts are defined. In an end-to-end communication system, if the path over which two end nodes communicate passes through one or more intermediate nodes, the embodiments of the invention call that path a multi-node path. The nodes involved in a multi-node path comprise the two end nodes and at least one intermediate node; according to the direction in which a message is transmitted, the two end nodes are distinguished as the source end node and the destination end node, and the two roles are interchangeable. The architecture of a multi-node path is shown in Fig. 1: between the two end nodes (node 1 and node N in Fig. 1) there is at least one intermediate node (node 2 to node N-1 in Fig. 1), and communication between the two end nodes must pass through each intermediate node. In a multi-node path, a message initiated by the source end node reaches the destination end node only after being forwarded by several intermediate nodes; if any of these intermediate nodes is illegitimate, the whole communication may become untrustworthy or even fail.
On this basis, the embodiments of the invention provide an authentication scheme for a multi-node path in which the source end node authenticates the multi-node path as a whole. An operation rule for computing on random numbers must be configured in advance in the source end node, the destination end node and each legitimate intermediate node. In a specific implementation the operation rule can be chosen flexibly, for example addition, subtraction, multiplication or division by a fixed number, or by a value that changes according to some rule, or exponentiation, and so on. For ease of computation the operation rule is generally set to "add one".
The authentication method for a multi-node path provided by the embodiments of the invention, shown in Fig. 2, comprises the following steps:
S201. The source end node in the multi-node path initiates a task processing request message carrying a first random number generated at random by this node.
S202. After receiving the task processing request message forwarded via each intermediate node, the destination end node in the multi-node path returns a task processing response message to the source end node carrying a second random number determined from the first random number carried in the received task processing request message and the pre-configured operation rule; each legitimate intermediate node through which the task processing request message passes applies the operation rule to the first random number carried in the received message and updates the first random number with the result.
If the intermediate nodes through which the task processing request message passes are all legitimate, each of them updates the first random number carried in the message according to the pre-configured operation rule. If one of them is illegitimate, it has no pre-configured operation rule and therefore cannot update the first random number carried in the message.
S203. The source end node determines the number of times the task processing request message was forwarded from the second random number carried in the task processing response message, the first random number generated by this node and the pre-configured operation rule, and confirms that the multi-node path is a legitimate path when the determined number of forwards is consistent with the pre-configured number of intermediate nodes.
The second random number is the result of applying the same operation rule repeatedly to the first random number generated at random by the source end node. From the first random number, the second random number and the operation rule, the source end node can determine how many times the operation rule was applied to the first random number, and from that the number of times the task processing request message was forwarded. Suppose the operation rule is "add one", the first random number is 123 and the second random number is 126. Under "add one", 123 becomes 126 after three operations; these three operations were carried out by each intermediate node and by the destination end node respectively, so the task processing request message was forwarded twice, i.e. the path has two intermediate nodes.
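The counting check of S201 to S203, as an added example that is not part of the patent (Python, written for this page): the operation rule is a plain function, a legitimate intermediate node applies it, an illegitimate one forwards the number unchanged, and the source recovers the forward count by re-applying the rule to its own first random number until it reaches the second one. The node layout, the 32-bit width of the random number and the "double" rule (included only to show the count logic does not depend on the particular rule) are assumptions.

```python
"""Path-legitimacy check of steps S201 to S203, simulated (added example)."""
import secrets
from typing import Callable, List


# An operation rule is any deterministic function every legitimate node
# applies to the random number it receives. "Add one" is the rule the text
# recommends; "double" is an assumed alternative.
def ADD_ONE(x: int) -> int:
    return x + 1


def DOUBLE(x: int) -> int:
    return x * 2


def forward_request(r1: int, rule: Callable[[int], int], intermediates: List[bool]) -> int:
    """Carry the first random number r1 along the path and return r2.

    intermediates[i] is True for a legitimate intermediate node, which knows
    the rule and updates the number, and False for an illegitimate one, which
    has no rule and forwards the number unchanged. The destination end node
    (always legitimate here) applies the rule once more and returns the result
    as the second random number.
    """
    value = r1
    for legitimate in intermediates:
        if legitimate:
            value = rule(value)
    return rule(value)


def count_forwards(r1: int, r2: int, rule: Callable[[int], int], expected: int) -> int:
    """Recover how many times the request was forwarded, as the source does.

    The source re-applies the rule to r1 and counts applications until the
    value equals r2. One application belongs to the destination, so the number
    of forwards is applications - 1. The search stops after expected + 1
    applications so that a mismatch terminates; -1 means r2 was never reached
    (it also covers r2 == r1, where not even the destination applied the rule).
    """
    value, applications = r1, 0
    while applications <= expected + 1:
        if value == r2:
            return applications - 1
        value = rule(value)
        applications += 1
    return -1


def path_is_legal(r1: int, r2: int, rule: Callable[[int], int], configured_intermediates: int) -> bool:
    """S203: the path is legitimate when the recovered count equals the configured one."""
    return count_forwards(r1, r2, rule, configured_intermediates) == configured_intermediates


def run_check(rule: Callable[[int], int], intermediates: List[bool]) -> bool:
    """One full round: fresh r1 at the source, transit through the path, verdict at the source."""
    r1 = 1 + secrets.randbelow(1 << 32)  # assumed 32-bit first random number
    r2 = forward_request(r1, rule, intermediates)
    return path_is_legal(r1, r2, rule, len(intermediates))


if __name__ == "__main__":
    print(count_forwards(123, 126, ADD_ONE, 2))    # the text's worked example: 2 forwards
    print(run_check(ADD_ONE, [True, True]))         # every node legitimate
    print(run_check(ADD_ONE, [True, False, True]))  # one node never updates r1
```

As the text itself states, this check relies on an illegitimate node not knowing the operation rule; binding the count to a secret is what the shared-key authentication codes described next add.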
To improve the accuracy of multi-node path authentication, the embodiments of the invention further propose an authentication mechanism between adjacent nodes. The source end node, the destination end node and each legitimate intermediate node must share the same key, called the shared key in the embodiments; and, to protect the key, they must also share the same random number, called the shared random number.
On the basis of the shared key and the shared random number, the task processing request message initiated by the source end node carries, besides the first random number generated at random by this node, a first authentication code obtained by encrypting the message content with the current session key of this node, where the source end node's current session key is obtained by encrypting the shared random number together with the first random number generated at random by this node under the shared key;
correspondingly, after receiving the task processing request message forwarded by the previous node, each legitimate intermediate node authenticates the first authentication code carried in the received message using the first random number carried in that message together with the shared key and the shared random number;
if authentication passes, it encrypts the message content with its own current session key and updates the first authentication code with the result, where a legitimate intermediate node's current session key is obtained by encrypting the shared random number together with the first random number as updated by this node under the shared key;
if authentication fails, it returns a task failure notice message to the source end node indicating that the previous node is illegitimate.
The format of the task processing request message is shown in Table 1. It comprises the fields this-node address, next-node address, source address (the address of the source end node), message type, message body, sequence number and MAC (Message Authentication Code). The message content to be encrypted may be the partial content consisting of the this-node address and the message body, or the whole content consisting of the this-node address, next-node address, source address, message type, message body and sequence number.
Table 1
This-node address | Next-node address | Source address | Message type            | Message body        | Sequence number | MAC
                  |                   |                | Task processing request | First random number |                 | First authentication code
The adjacent-node authentication mechanism provided by the embodiments of the invention covers the case in which an illegitimate intermediate node modifies fields of the task processing request message such as the this-node address and the next-node address.
The format of the task failure notice message is shown in Table 2. It comprises the fields this-node address, next-node address, source address (the address of the intermediate node that initiates the notice, which is a legitimate intermediate node), destination address (the address of the source end node), message type and message body. In a specific implementation the task failure notice message returned by an intermediate node may also include sequence number and MAC fields so that the source end node can authenticate the legitimacy of that intermediate node; the authentication method is the same as above and is not repeated. The intermediate nodes through which the message passes only need to forward it transparently.
Table 2
This-node address | Next-node address | Source address | Destination address | Message type        | Message body
                  |                   |                |                     | Task failure notice | Information on the illegitimate node
On the basis of the shared key and the shared random number, the task processing response message returned by the destination end node carries, besides the second random number, a second authentication code obtained by encrypting the message content with the current session key of this node, where the destination end node's current session key is obtained by encrypting the shared random number together with the second random number under the shared key;
correspondingly, before confirming that the multi-node path is legitimate, the source end node must also authenticate the second authentication code carried in the task processing response message using the second random number together with the shared key and the shared random number, and must confirm that this authentication passes.
The format of the task processing response message is shown in Table 3. It comprises this-node address, next-node address, source address (the address of the destination end node), destination address (the address of the source end node), message type, message body, sequence number and MAC. The message content to be encrypted may be the partial content consisting of the this-node address and the message body, or the whole content consisting of the this-node address, next-node address, source address, destination address, message type, message body and sequence number. The intermediate nodes through which the task processing response message passes only need to forward it transparently.
Table 3
The authentication flow for the multi-node path provided by the embodiments of the invention is shown in Fig. 3. The source end node initiates the task processing request message; each legitimate intermediate node authenticates the legitimacy of the previous node on the basis of the received task processing request message and, if authentication passes, updates the first random number and the first authentication code carried in it; after receiving the task processing request message forwarded via each intermediate node, the destination end node returns a task processing response message to the source end node carrying the second random number and the second authentication code, which each intermediate node forwards transparently; the source end node authenticates the legitimacy of the multi-node path on the basis of the received task processing response message.
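The Fig. 3 flow end to end, as an added example that is not part of the patent (Python, written for this page). The text does not name the cipher, so HMAC-SHA256 stands in both for deriving a session key from the shared key, the shared random number and the carried random number, and for the "encrypt the message content with the session key" authentication code; that substitution, the "add one" rule, the node addresses, the shared key and the shared random number are all assumptions. A legitimate intermediate node verifies the first authentication code, updates the first random number and re-stamps the message under its own session key; an illegitimate node holds neither the shared secrets nor the rule, rewrites the address fields as any forwarding node does, and so leaves a stale code that the next legitimate node (or the destination) reports in a task failure notice. The source finally checks the second authentication code and the forward count.

```python
"""Request and response flow of Fig. 3 with adjacent-node authentication (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

SHARED_KEY = b"constructed-shared-key"  # constructed; held by every legitimate node
SHARED_RANDOM = b"\x5e\xed\x12\x34"     # constructed shared random number


def RULE(x: int) -> int:                # the "add one" operation rule
    return x + 1


def session_key(shared_key: bytes, shared_random: bytes, r: int) -> bytes:
    """Patent: encrypt (shared random number, r) under the shared key.
    Assumption: HMAC-SHA256 stands in for the unspecified cipher."""
    return hmac.new(shared_key, shared_random + r.to_bytes(8, "big"), hashlib.sha256).digest()


def auth_code(skey: bytes, content: bytes) -> bytes:
    """Patent: encrypt the message content with the current session key.
    Assumption: HMAC-SHA256 stands in for that encryption-based MAC."""
    return hmac.new(skey, content, hashlib.sha256).digest()


@dataclass
class Message:
    """Fields of Table 1 (request) and Table 3 (response)."""
    this_addr: int
    next_addr: int
    src_addr: int
    dst_addr: int
    msg_type: str
    body: int               # first random number (request) or second (response)
    seq: int
    mac: bytes = b""

    def content(self) -> bytes:
        """The 'whole message content' variant: every field except the MAC."""
        return (f"{self.this_addr}|{self.next_addr}|{self.src_addr}|{self.dst_addr}|"
                f"{self.msg_type}|{self.body}|{self.seq}").encode()


class Node:
    def __init__(self, addr: int, shared_key: Optional[bytes] = None,
                 shared_random: Optional[bytes] = None):
        self.addr, self.key, self.rand = addr, shared_key, shared_random
        self.legit = shared_key is not None  # an illegitimate node holds no secrets

    def stamp(self, msg: Message) -> Message:
        """Attach the authentication code under the session key for msg.body."""
        msg.mac = auth_code(session_key(self.key, self.rand, msg.body), msg.content())
        return msg

    def verify(self, msg: Message) -> bool:
        """Check the previous hop's code using the random number carried in the message."""
        expected = auth_code(session_key(self.key, self.rand, msg.body), msg.content())
        return hmac.compare_digest(expected, msg.mac)

    def relay(self, msg: Message, next_addr: int) -> Message:
        """Forward the request: rewrite addresses; a legitimate node also updates r1 and re-stamps."""
        msg.this_addr, msg.next_addr = self.addr, next_addr
        if self.legit:
            msg.body = RULE(msg.body)
            self.stamp(msg)
        return msg  # an illegitimate node forwards with the now-stale code


def run_path(source: Node, intermediates: List[Node], dest: Node) -> Tuple[str, object]:
    """Return ("legal", True/False) or ("failure", address named in the task failure notice)."""
    r1 = 1 + secrets.randbelow(1 << 32)
    msg = source.stamp(Message(source.addr, intermediates[0].addr, source.addr, dest.addr,
                               "task processing request", r1, 1))
    prev = source
    for i, node in enumerate(intermediates):
        if node.legit and not node.verify(msg):
            return "failure", prev.addr  # Table 2: the body names the illegitimate previous node
        nxt = intermediates[i + 1].addr if i + 1 < len(intermediates) else dest.addr
        msg = node.relay(msg, nxt)
        prev = node
    if not dest.verify(msg):
        return "failure", prev.addr
    r2 = RULE(msg.body)  # the destination applies the rule once more
    resp = dest.stamp(Message(dest.addr, prev.addr, dest.addr, source.addr,
                              "task processing response", r2, 2))
    # Intermediate nodes forward the response transparently, so it arrives unchanged.
    if not source.verify(resp):
        return "legal", False
    forwards = r2 - r1 - 1  # add-one rule: applications minus the destination's own
    return "legal", forwards == len(intermediates)
```

A call such as `run_path(Node(1, SHARED_KEY, SHARED_RANDOM), [Node(2, SHARED_KEY, SHARED_RANDOM), Node(7), Node(3, SHARED_KEY, SHARED_RANDOM)], Node(9, SHARED_KEY, SHARED_RANDOM))` returns `("failure", 7)`. Consistent with the text, the adjacent-node check covers a node that rewrites the address fields; in this model a node that relayed the bytes untouched would leave the code valid and be caught by the count check instead, because it does not apply the operation rule.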
Preferably, the authentication method for a multi-node path provided by the embodiments of the invention further comprises the following steps:
A. When the determined number of forwards is inconsistent with the pre-configured number of intermediate nodes, or when an abnormal condition (for example a timeout) occurs in the transmission of messages over the multi-node path, the source end node sends a node probe message to each intermediate node in the multi-node path in turn;
B. After receiving the node probe response message, carrying a third random number and a third authentication code, that each intermediate node returns in reply to the node probe message, the source end node authenticates the third authentication code carried in the response using the third random number carried in it together with the shared key and the shared random number, and determines the legitimacy of that intermediate node from the result.
In the node probe response message it returns, each legitimate intermediate node carries a third random number generated at random by this node and a third authentication code obtained by encrypting the message content with its current session key, where each legitimate intermediate node's current session key is obtained by encrypting the shared random number together with the third random number it generated under the shared key. So in a specific implementation, if the source end node's authentication of the third authentication code passes, the intermediate node is determined to be legitimate; if it fails, the intermediate node is determined to be illegitimate.
The format of the node probe message is shown in Table 4. It comprises this-node address, next-node address, source address (the address of the source end node), destination address (the address of the intermediate node to be probed), message type and message body; the intermediate nodes through which the node probe message passes only need to forward it transparently.
Table 4
This-node address | Next-node address | Source address | Destination address | Message type | Message body
                  |                   |                |                     | Node probe   |
The format of the node probe response message is shown in Table 5. It comprises this-node address, next-node address, source address (the address of the intermediate node that initiates the response), destination address (the address of the source end node), message type, message body, sequence number and MAC; the intermediate nodes through which the node probe response message passes only need to forward it transparently.
Table 5
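Steps A and B as an added example that is not part of the patent (Python, written for this page): the source probes every intermediate node in turn and judges each one by the third authentication code in its reply. As before, HMAC-SHA256 stands in for the unspecified cipher in session-key derivation and in the authentication code; the field order used for the MAC input, the sequence number carried in the probe, the treatment of a node that never answers as "no response" rather than as a verdict, and the addresses and secrets are assumptions. An illegitimate node, having no shared key, can only guess a code.

```python
"""Node probing (steps A and B) to locate an illegitimate intermediate node (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

SHARED_KEY = b"constructed-shared-key"  # constructed; held by every legitimate node
SHARED_RANDOM = b"\x5e\xed\x12\x34"     # constructed shared random number


def session_key(shared_key: bytes, shared_random: bytes, r: int) -> bytes:
    """Assumption: HMAC-SHA256 stands in for encrypting (shared random, r) under the shared key."""
    return hmac.new(shared_key, shared_random + r.to_bytes(8, "big"), hashlib.sha256).digest()


def auth_code(skey: bytes, content: bytes) -> bytes:
    """Assumption: HMAC-SHA256 stands in for encrypting the content under the session key."""
    return hmac.new(skey, content, hashlib.sha256).digest()


def response_content(resp: Dict) -> bytes:
    """Table 5 fields other than the MAC, in a fixed (assumed) order."""
    keys = ("this_addr", "next_addr", "src_addr", "dst_addr", "msg_type", "body", "seq")
    return "|".join(str(resp[k]) for k in keys).encode()


class Intermediate:
    def __init__(self, addr: int, shared_key: Optional[bytes] = None,
                 shared_random: Optional[bytes] = None, reachable: bool = True):
        self.addr, self.key, self.rand, self.reachable = addr, shared_key, shared_random, reachable

    def on_probe(self, probe: Dict) -> Optional[Dict]:
        """Answer a Table 4 probe with a Table 5 response; None models a node that never answers."""
        if not self.reachable:
            return None
        r3 = 1 + secrets.randbelow(1 << 32)  # third random number, fresh per response
        resp = {"this_addr": self.addr, "next_addr": probe["this_addr"], "src_addr": self.addr,
                "dst_addr": probe["src_addr"], "msg_type": "node probe response",
                "body": r3, "seq": probe["seq"]}
        if self.key is None:
            resp["mac"] = secrets.token_bytes(32)  # no shared key: a guess is all it can send
        else:
            resp["mac"] = auth_code(session_key(self.key, self.rand, r3), response_content(resp))
        return resp


def probe_path(source_addr: int, path: List[Intermediate],
               shared_key: bytes, shared_random: bytes) -> Dict[int, str]:
    """Step A: probe each intermediate node in turn. Step B: a verdict per node address."""
    verdicts: Dict[int, str] = {}
    for seq, node in enumerate(path, start=1):
        probe = {"this_addr": source_addr, "next_addr": path[0].addr, "src_addr": source_addr,
                 "dst_addr": node.addr, "msg_type": "node probe", "body": "", "seq": seq}
        resp = node.on_probe(probe)  # the other nodes forward probe and response transparently
        if resp is None:
            verdicts[node.addr] = "no response"
            continue
        expected = auth_code(session_key(shared_key, shared_random, resp["body"]),
                             response_content(resp))
        ok = hmac.compare_digest(expected, resp["mac"])
        verdicts[node.addr] = "legitimate" if ok else "illegitimate"
    return verdicts


if __name__ == "__main__":
    path = [Intermediate(2, SHARED_KEY, SHARED_RANDOM), Intermediate(7),
            Intermediate(3, SHARED_KEY, SHARED_RANDOM)]
    print(probe_path(1, path, SHARED_KEY, SHARED_RANDOM))
```

Because the session key is derived from the third random number the probed node itself chose, the source verifies each reply with the value carried in that reply; a node holding a different shared key or shared random number fails exactly as a node holding none.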
The distribution of the shared key is described below. The shared key can be configured manually in advance in the source end node, the destination end node and each legitimate intermediate node, by importing it into each node via a key delivery medium (generally an IC card).
The shared key can also be distributed using asymmetric encryption. A PKI digital certificate and private key must be configured in advance in the source end node, the destination end node and each legitimate intermediate node; the shared key distribution method then comprises the following steps:
Step 1. The source end node generates the shared key;
Step 2. The source end node encrypts the shared key using the public key configured in advance and sends the encrypted shared key in a key distribution message to the other nodes in the multi-node path;
Step 3. After receiving the key distribution message, the destination end node and each legitimate intermediate node in the multi-node path decrypt the encrypted shared key with the private key configured in advance and so obtain the shared key.
In a specific implementation, if there is an illegitimate intermediate node in the multi-node path, it has no PKI digital certificate and private key configured, so even if it receives the key distribution message it cannot decrypt it to obtain the shared key; the security of the shared key is thereby guaranteed.
To further protect the shared key, it can also be updated periodically or on demand, comprising the following steps:
Step 1. The source end node generates a new shared key, encrypts it with the old shared key, and sends the encrypted new shared key in a key update message to the other nodes in the multi-node path; the key update message also carries a fourth random number generated at random by this node and a fourth authentication code obtained by encrypting the message content with this node's current session key, where the source end node's current session key is obtained by encrypting the shared random number together with the fourth random number under the shared key;
Step 2. After receiving the key update message, the destination end node and each legitimate intermediate node in the multi-node path authenticate the fourth authentication code carried in it using the fourth random number carried in the message together with the shared key and the shared random number;
Step 3. If authentication of the fourth authentication code passes, the destination end node and each legitimate intermediate node decrypt the encrypted new shared key with the old shared key and replace the locally stored old shared key with the new one; if authentication fails, no processing is performed.
The format of the key update message is shown in Table 6. It comprises this-node address, next-node address, message type, message body, sequence number and MAC.
Table 6
The distribution of the shared random number is described below. The shared random number can be configured manually in advance in the source end node, the destination end node and each legitimate intermediate node.
It can also be distributed by random number initialization or random number update, comprising the following steps:
Step 1. The source end node generates the shared random number at random and sends it, carried in a random number initialization or update request message, to the other nodes in the multi-node path;
Step 2. After receiving the random number initialization or update request message, the destination end node and each legitimate intermediate node in the multi-node path extract the shared random number carried in it and return a random number initialization or update response message carrying a fifth random number generated at random by this node and a fifth authentication code obtained by encrypting the message content with this node's current session key, where the current session key of the destination end node and of each legitimate intermediate node is obtained by encrypting the shared random number together with the fifth random number generated by this node under the shared key;
Step 3. After receiving the random number initialization or update response messages returned by the other nodes, the source end node authenticates the fifth authentication code carried in each response using the verification random number (the fifth random number) carried in it together with the shared key and the shared random number, and determines the legitimacy of that node from the result.
Note that "random number initialization or update request message" denotes either a random number initialization request message or a random number update request message, and "random number initialization or update response message" denotes either a random number initialization response message or a random number update response message; the initialization request corresponds to the initialization response, and the update request to the update response.
The format of the random number initialization or update request message is shown in Table 7. It comprises this-node address, next-node address, source address (the address of the source end node), message type and message body, where the message body is the shared random number generated at random by the source node.
Table 7

| This node address | Next node address | Source address | Message type | Message body |
|---|---|---|---|---|
| | | | Random number initialization or update request | Shared random number |
The format of the random number initialization or update response message is shown in Table 8. It comprises the fields this node address, next node address, source address, destination address (the address of the source end node), message type, message body, sequence number and MAC. The message content to be encrypted may be a partial message content consisting of this node address and the message body, or the whole message content consisting of this node address, next node address, source address, destination address, message type, message body and sequence number. Each intermediate node on the path of a random number initialization or update response message only needs to forward the response message transparently.
Table 8
The authentication method for a multi-node path is now described with reference to a concrete application scenario. A mobile terminal on-site payment system generally comprises nodes such as a PSAM (terminal security control module) card, a POS (point of sale) machine, a read head, and the SIM (subscriber identity module) card installed in the mobile terminal. The PSAM card and the SIM card are end nodes; the POS machine and the read head are intermediate nodes. Suppose the PSAM card needs to perform operations such as reading from or debiting the SIM card; then the PSAM card is the source end node, the SIM card is the destination node, and the task processing request message is specifically an operation request for the SIM card. In this scenario the PSAM card needs to authenticate the legitimacy of the POS machine and the read head, so as to prevent an illegal POS machine or an illegal read head from performing illegal operations on the SIM card. The multi-node path of the mobile terminal on-site payment system is shown in Figure 4.
The authentication method for the multi-node path in the mobile terminal on-site payment system, assuming that the shared random number and the shared key are configured in the PSAM card, the SIM card and the legitimate POS machine and read head, and that the operation rule is the "add-one operation", comprises the following process:
The PSAM card initiates an operation request for the SIM card carrying a first random number generated at random (specifically in the sequence number byte) and a first authentication code (specifically in the MAC byte). The operation request is sent to the SIM card via the POS machine and the read head. If the POS machine and the read head are legitimate nodes, each adds 1 to the first random number in the sequence number byte and updates the first authentication code in the MAC byte. After receiving the operation request, the SIM card returns an operation response to the PSAM card carrying a second random number (in the sequence number byte) and a second authentication code (in the MAC byte), where the second random number is determined by adding 1 to the first random number carried in the received operation request. If the POS machine or the read head is an illegal node, it cannot perform the add-one operation on the received first random number, so the second random number carried in the operation response that the SIM card returns to the PSAM card will not satisfy the requirement; on this basis the PSAM card performs security authentication of the multi-node path.
Table 9 gives the specific message contents involved in the authentication flow. The first random number generated at random by the PSAM card is 12345, and the computed first authentication code is 0x7123ac. Each intermediate node passed (the POS machine and the read head) authenticates the first authentication code carried in the received operation request; if authentication passes, it adds 1 to the first random number and updates the first authentication code. After the SIM card receives the operation request, it adds 1 to the first random number to obtain the second random number 12348, generates the second authentication code 0x712323 and returns the operation response to the PSAM card. On receiving the operation response, the PSAM card first authenticates the second authentication code. After that passes, from the first random number 12345 it generated, the second random number 12348 and the operation rule "add-one operation", it determines that the operation request was transmitted twice: the add-one operation was applied three times in total, one of them by the SIM card itself, which leaves two transmissions by intermediate nodes. This is consistent with the pre-configured number of intermediate nodes, 2 (the POS machine and the read head), so the multi-node path is confirmed to be a legitimate path.
Table 9

| Message No. | This node | Next node | Message type | Message content | Sequence number | MAC |
|---|---|---|---|---|---|---|
| 1 | PSAM card | POS machine | Operation request | ABCDEF | 12345 | 0x7123ac |
| 2 | POS machine | Read head | Operation request | sasdf | 12346 | 0x7123aA |
| 3 | Read head | SIM card | Operation request | 34234 | 12347 | 0x7123ac |
| 4 | SIM card | PSAM card | Operation response | asdf | 12348 | 0x712323 |
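The flow of Table 9, worked through as an added example that is not part of the patent. The page specifies neither the cipher nor the key lengths, so HMAC-SHA256 stands in for the "encryption" used to derive session keys and authentication codes; the shared key, shared random number and message contents are constructed, so the authentication codes differ from the 0x7123ac values in Table 9. Beyond the legitimate path it also shows the two ways a rogue intermediate node can fail: forwarding the message unchanged, which the hop count catches, and incrementing the sequence number without the shared key, which the next legitimate node catches through the MAC. The names `op_rule`, `run_path`, `count_transmissions` and the `Node` behaviours are illustrative, not the patent's.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed parameters (the page names neither a cipher nor key sizes).
SHARED_KEY = b"psam-shared-key-example"   # pre-configured in every legitimate node
SHARED_RAND = b"shared-random-0001"       # distributed by the source end node
N_INTERMEDIATES = 2                       # POS machine and read head


def op_rule(x: int) -> int:
    """The pre-configured operation rule: the page's 'add-one operation'."""
    return x + 1


def session_key(rand: int) -> bytes:
    """Current session key of a node: the shared key applied to the shared random
    number plus the random number the node currently carries. HMAC-SHA256 is a
    stand-in for the unspecified encryption (assumption)."""
    return hmac.new(SHARED_KEY, SHARED_RAND + rand.to_bytes(4, "big"), hashlib.sha256).digest()


def auth_code(rand: int, content: bytes) -> str:
    """Authentication code (the MAC field) over the message content under the session key."""
    return hmac.new(session_key(rand), content, hashlib.sha256).hexdigest()[:8]


@dataclass
class Message:
    msg_type: str
    content: bytes
    seq: int   # sequence number field carrying the first / second random number
    mac: str   # MAC field carrying the authentication code


@dataclass
class Node:
    name: str
    # "legal", "relay" (rogue: forwards unchanged) or "forge" (rogue: increments without the key)
    behaviour: str = "legal"


def source_request(first_rand: int, content: bytes) -> Message:
    return Message("operation request", content, first_rand, auth_code(first_rand, content))


def intermediate_forward(node: Node, msg: Message) -> Message:
    """A legitimate intermediate node verifies the incoming MAC, applies the operation
    rule to the random number and re-MACs under the session key for the updated value."""
    if node.behaviour == "relay":
        return msg
    if node.behaviour == "forge":
        return Message(msg.msg_type, msg.content, op_rule(msg.seq), msg.mac)
    if not hmac.compare_digest(msg.mac, auth_code(msg.seq, msg.content)):
        raise ValueError(f"{node.name}: previous node is illegal (first authentication code rejected)")
    new_seq = op_rule(msg.seq)
    return Message(msg.msg_type, msg.content, new_seq, auth_code(new_seq, msg.content))


def destination_respond(msg: Message, content: bytes) -> Message:
    """The destination checks the incoming MAC (assumption: the page does not say so
    explicitly), applies the rule once more and returns the second random number."""
    if not hmac.compare_digest(msg.mac, auth_code(msg.seq, msg.content)):
        raise ValueError("destination: previous node is illegal (first authentication code rejected)")
    second = op_rule(msg.seq)
    return Message("operation response", content, second, auth_code(second, content))


def count_transmissions(first_rand: int, second_rand: int, max_applications: int = N_INTERMEDIATES + 2):
    """Re-apply the operation rule until it reproduces the second random number.
    The destination applied the rule once itself, so the number of intermediate
    transmissions is one less than the number of applications. None means the
    rule cannot reproduce the response within a plausible hop count."""
    x, applications = first_rand, 0
    while x != second_rand:
        if applications >= max_applications:
            return None
        x, applications = op_rule(x), applications + 1
    return applications - 1 if applications else None


def run_path(path, first_rand: int = 12345):
    """Drive one operation request from the PSAM card through `path` (the intermediate
    nodes in order) to the SIM card and back. Returns (path_legal, transmissions, detail)."""
    try:
        msg = source_request(first_rand, b"ABCDEF")
        for node in path:
            msg = intermediate_forward(node, msg)
        resp = destination_respond(msg, b"asdf")
    except ValueError as err:
        return False, None, str(err)
    if not hmac.compare_digest(resp.mac, auth_code(resp.seq, resp.content)):
        return False, None, "second authentication code rejected"
    transmissions = count_transmissions(first_rand, resp.seq)
    return transmissions == N_INTERMEDIATES, transmissions, resp.seq


if __name__ == "__main__":
    print(run_path([Node("POS machine"), Node("read head")]))                   # (True, 2, 12348)
    print(run_path([Node("POS machine"), Node("rogue read head", "relay")]))    # (False, 1, 12347)
    print(run_path([Node("POS machine"), Node("rogue read head", "forge")]))    # (False, None, '...rejected')
```

The hop count alone only detects a rogue node that leaves the sequence number untouched; a rogue node that increments it is caught by the authentication code, because it cannot derive the session key for the new value without the shared key and shared random number. Both checks are therefore needed, which is why the patent binds the MAC to the updated random number at every hop.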
Based on the same technical concept, an embodiment of the invention provides an authentication system for a multi-node path. As shown in Figure 5, it comprises a source end node 501 and a destination node 502 in the multi-node path, wherein:
The source end node 501 is configured to initiate a task processing request message carrying a first random number generated at random by this node; to determine the number of transmissions of the task processing request message according to the second random number carried in the task processing response message returned by the destination node, the first random number generated at random by this node and a pre-configured operation rule; and to confirm that the multi-node path is a legitimate path when the determined number of transmissions is consistent with the number of pre-configured intermediate nodes.
The destination node 502 is configured to return a task processing response message to the source end node after receiving the task processing request message forwarded via each intermediate node, the response carrying a second random number determined according to the first random number carried in the received task processing request message and the operation rule; wherein each legitimate intermediate node on the path of the task processing request message applies the operation rule to the first random number carried in the received task processing request message and updates the first random number with the result.
Preferably, the authentication system further comprises each legitimate intermediate node 503, wherein:
The source end node 501 is further configured to carry, in the task processing request message it initiates, a first authentication code obtained by encrypting the message content with the current session key of this node, the current session key of the source end node being obtained by encrypting the shared random number and the first random number generated at random by this node with the shared key.
The legitimate intermediate node 503 is configured, after receiving the task processing request message forwarded by the previous node, to authenticate the first authentication code carried in it using the first random number carried in the received message together with the shared key and the shared random number; if authentication passes, to encrypt the message content with the current session key of this node and update the first authentication code with the result, the current session key of the legitimate intermediate node being obtained by encrypting the shared random number and the first random number as updated by this node with the shared key; and if authentication fails, to return a task failure notification message to the source end node 501 indicating that the previous node is an illegal node.
In a specific implementation, the destination node 502 is further configured to carry, in the task processing response message it returns, a second authentication code obtained by encrypting the message content with the current session key of this node, the current session key of the destination node being obtained by encrypting the shared random number and the second random number with the shared key.
The source end node 501 is further configured, before confirming that the multi-node path is a legitimate path, to authenticate the second authentication code carried in the task processing response message using the second random number together with the shared key and the shared random number, and to confirm that the second authentication code passes authentication.
In a specific implementation, the source end node 501 is further configured, when the determined number of transmissions is inconsistent with the number of pre-configured intermediate nodes, or when an abnormal condition is detected in message transmission over the multi-node path, to send a node probe message to each intermediate node in the multi-node path in turn; and, after receiving the node probe response message that each intermediate node returns in reply to the node probe message, carrying a third random number and a third authentication code, to authenticate the third authentication code according to the third random number carried in the received node probe response message together with the shared key and the shared random number, and to determine the legitimacy of that intermediate node from the authentication result. Each legitimate intermediate node carries in the node probe response message it returns a third random number generated at random by this node and a third authentication code obtained by encrypting the message content with the current session key of this node, the current session key of each legitimate intermediate node being obtained by encrypting the shared random number and the third random number generated at random by this node with the shared key.
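The node probe fallback just described, and the per-node check of the fifth random number in the random number initialization or update response of steps 1 to 3 above, use the same pattern: the responding node picks a random number of its own, derives a session key from it plus the shared key and shared random number, and authenticates the message content; the source recomputes the code from the same inputs. The following is an added example of that exchange, not the patent's own code. `probe_reply`, `verify_reply` and `locate_illegal_nodes` are illustrative names, HMAC-SHA256 stands in for the unspecified encryption, the secrets are constructed, and the source-chosen nonce inside the probe content is an assumption the page does not make.

```python
import hmac
import hashlib
import os

# Constructed parameters (the page names neither a cipher nor key sizes).
SHARED_KEY = b"psam-shared-key-example"   # pre-configured in every legitimate node
SHARED_RAND = b"shared-random-0001"       # distributed by the source end node


def session_key(node_rand: bytes) -> bytes:
    """Session key of the probed node: shared key applied to the shared random number
    and the random number the node generated for this reply. HMAC-SHA256 stands in
    for the unspecified encryption (assumption)."""
    return hmac.new(SHARED_KEY, SHARED_RAND + node_rand, hashlib.sha256).digest()


def probe_reply(legal: bool, probe_content: bytes):
    """A probed intermediate node answers with its own random number (the page's
    third random number) and an authentication code over the message content.
    A legitimate node derives the session key from the shared secrets; a rogue node
    holds neither secret and can only use a key of its own (modelled as random)."""
    node_rand = os.urandom(8)
    key = session_key(node_rand) if legal else os.urandom(32)
    code = hmac.new(key, probe_content + node_rand, hashlib.sha256).hexdigest()
    return node_rand, code


def verify_reply(node_rand: bytes, code: str, probe_content: bytes) -> bool:
    """Source-side check: recompute the code from the node's random number, the shared
    key and the shared random number, and compare in constant time."""
    expected = hmac.new(session_key(node_rand), probe_content + node_rand, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, code)


def locate_illegal_nodes(path):
    """The fallback the source runs when the hop count does not match: probe each
    intermediate node in turn and return the names whose reply fails authentication.
    `path` is a list of (name, legal) pairs standing in for real nodes."""
    illegal = []
    for name, legal in path:
        # Assumption: the probe carries a source-chosen nonce so that a captured reply
        # from a legitimate node cannot be replayed later; the page leaves the probe
        # content open, and without such a nonce the node's own random number only
        # proves key possession at the time that reply was first produced.
        probe_content = b"node probe:" + os.urandom(8)
        node_rand, code = probe_reply(legal, probe_content)
        if not verify_reply(node_rand, code, probe_content):
            illegal.append(name)
    return illegal


if __name__ == "__main__":
    print(locate_illegal_nodes([("POS machine", True), ("read head", True)]))        # []
    print(locate_illegal_nodes([("POS machine", True), ("rogue read head", False)]))  # ['rogue read head']
```

Because every legitimate node holds the same shared key and shared random number, this probe proves membership in the group of configured nodes, not the identity of a specific device; a compromised legitimate node passes it. Distinguishing individual nodes would need per-node keys, which the page does not describe.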
An embodiment of the invention also provides a source end node device for a multi-node path. As shown in Figure 6, it comprises:
a task management module 601 for initiating a task processing request message carrying a first random number generated at random by this node;
a receiving module 602 for receiving the task processing response message, carrying a second random number, that the destination node in the multi-node path returns after receiving the task processing request message forwarded via each intermediate node;
a path authentication module 603 for determining the number of transmissions of the task processing request message according to the second random number, the first random number generated at random by this node and a pre-configured operation rule, and for confirming that the multi-node path is a legitimate path when the determined number of transmissions is consistent with the number of pre-configured intermediate nodes.
Preferably, the source end node device further comprises a storage module 604, wherein:
the storage module 604 stores the shared key and the shared random number;
the task management module 601 is further configured to carry, in the task processing request message it initiates, a first authentication code obtained by encrypting the message content with the current session key of this node, the current session key of the source end node being obtained by encrypting the shared random number and the first random number generated at random by this node with the shared key.
Preferably, the task processing response message returned by the destination node also carries a second authentication code obtained by encrypting the message content with the current session key of the destination node, that session key being obtained by encrypting the shared random number and the second random number with the shared key; and
the path authentication module 603 is further configured, before confirming that the multi-node path is a legitimate path, to authenticate the second authentication code carried in the task processing response message using the second random number together with the shared key and the shared random number, and to confirm that the second authentication code passes authentication.
Preferably, the source end node device further comprises an entity authentication module 605, wherein:
the path authentication module 603 is also configured to trigger the task management module 601 when the determined number of transmissions is inconsistent with the number of pre-configured intermediate nodes, or when an abnormal condition is detected in message transmission over the multi-node path;
the task management module 601 is also configured, when triggered by the path authentication module, to send a node probe message to each intermediate node in the multi-node path in turn;
the receiving module 602 is also configured to receive the node probe response message, carrying a third random number and a third authentication code, that each intermediate node returns in reply to the received node probe message;
the entity authentication module 605 is configured to authenticate the third authentication code carried in the received node probe response message according to the third random number carried in it together with the shared key and the shared random number, and to determine the legitimacy of that intermediate node from the authentication result; wherein each legitimate intermediate node carries in the node probe response message it returns a third random number generated at random by this node and a third authentication code obtained by encrypting the message content with the current session key of this node, the current session key of each legitimate intermediate node being obtained by encrypting the shared random number and the third random number generated at random by this node with the shared key.
An embodiment of the invention also provides a destination node device for a multi-node path. As shown in Figure 7, it comprises:
a receiving module 701 for receiving the task processing request message initiated by the source end node and forwarded via each intermediate node, wherein the task processing request message initiated by the source end node carries a first random number generated at random by the source end node, and each legitimate intermediate node on the path of the task processing request message applies a pre-configured operation rule to the first random number carried in the received task processing request message and updates the first random number with the result;
a sending module 702 for returning, after the task processing request message forwarded via each intermediate node is received, a task processing response message to the source end node carrying a second random number determined according to the first random number carried in the received task processing request message and the operation rule.
The authentication method for a multi-node path provided by the embodiments of the invention is proposed for the characteristics of multi-node paths. It achieves accurate authentication of the legitimacy of a multi-node path, reduces implementation complexity, improves authentication efficiency and effectively controls system deployment and management cost. The scheme is applicable to various multi-node collaboration scenarios in end-to-end communication systems and has broad application prospects.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these modifications and variations of the invention fall within the scope of the claims of the invention and their equivalents, the invention is also intended to encompass them.

Claims (17)

1. An authentication method for a multi-node path, characterized in that it comprises:
a source end node in the multi-node path initiating a task processing request message carrying a first random number generated at random by this node;
a destination node in the multi-node path, after receiving the task processing request message forwarded via each intermediate node, returning a task processing response message to the source end node carrying a second random number determined according to the first random number carried in the received task processing request message and a pre-configured operation rule; wherein each legitimate intermediate node on the path of the task processing request message applies the operation rule to the first random number carried in the received task processing request message and updates the first random number with the result; and
the source end node determining the number of transmissions of the task processing request message according to the second random number carried in the task processing response message, the first random number generated at random by this node and the operation rule, and confirming that the multi-node path is a legitimate path when the determined number of transmissions is consistent with the number of pre-configured intermediate nodes.
2. The method of claim 1, characterized in that the task processing request message initiated by the source end node also carries a first authentication code obtained by encrypting the message content with the current session key of this node, the current session key of the source end node being obtained by encrypting a shared random number and the first random number generated at random by this node with a shared key; and
the method further comprises:
each legitimate intermediate node, after receiving the task processing request message forwarded by the previous node, authenticating the first authentication code carried in it using the first random number carried in the received task processing request message together with the shared key and the shared random number;
if authentication passes, encrypting the message content with the current session key of this node and updating the first authentication code with the result, the current session key of the legitimate intermediate node being obtained by encrypting the shared random number and the first random number as updated by this node with the shared key;
if authentication fails, returning a task failure notification message to the source end node indicating that the previous node is an illegal node.
3. The method of claim 1 or 2, characterized in that the task processing response message returned by the destination node also carries a second authentication code obtained by encrypting the message content with the current session key of this node, the current session key of the destination node being obtained by encrypting the shared random number and the second random number with the shared key; and
before confirming that the multi-node path is a legitimate path, the source end node further:
authenticates the second authentication code carried in the task processing response message using the second random number together with the shared key and the shared random number, and confirms that the second authentication code passes authentication.
4. The method of claim 3, characterized in that it further comprises:
when the determined number of transmissions is inconsistent with the number of pre-configured intermediate nodes, or when an abnormal condition is detected in message transmission over the multi-node path, the source end node sending a node probe message to each intermediate node in the multi-node path in turn;
the source end node, after receiving the node probe response message carrying a third random number and a third authentication code that each intermediate node returns in reply to the received node probe message, authenticating the third authentication code according to the third random number carried in the received node probe response message together with the shared key and the shared random number, and determining the legitimacy of that intermediate node from the authentication result; wherein each legitimate intermediate node carries in the node probe response message it returns a third random number generated at random by this node and a third authentication code obtained by encrypting the message content with the current session key of this node, the current session key of each legitimate intermediate node being obtained by encrypting the shared random number and the third random number generated at random by this node with the shared key.
5. The method of claim 4, characterized in that the shared key is configured in advance in the source end node, the destination node and each legitimate intermediate node.
6. The method of claim 4, characterized in that the shared key is distributed by a method comprising:
the source end node generating the shared key, encrypting the shared key with a pre-deployed public key, and carrying the encrypted shared key in a key distribution message sent to the other nodes in the multi-node path;
the destination node and each legitimate intermediate node in the multi-node path, after receiving the key distribution message, decrypting the encrypted shared key with a pre-deployed private key to obtain the shared key.
7. The method of claim 5 or 6, characterized in that the shared random number is configured in advance in the source end node, the destination node and each legitimate intermediate node.
8. The method of claim 5 or 6, characterized in that the shared random number is distributed by a method comprising:
the source end node generating the shared random number at random and carrying it in a random number initialization or update request message sent to the other nodes in the multi-node path;
the destination node and each legitimate intermediate node in the multi-node path, after receiving the random number initialization or update request message, extracting the shared random number carried in it and returning a random number initialization or update response message carrying a fifth random number generated at random by this node and a fifth authentication code obtained by encrypting the message content with the current session key of this node, the current session key of the destination node and of each legitimate intermediate node being obtained by encrypting the shared random number and the fifth random number generated at random by this node with the shared key;
the source end node, after receiving the random number initialization or update response messages returned by the other nodes, authenticating the fifth authentication code carried in each response according to the fifth random number carried in it together with the shared key and the shared random number, and determining the legitimacy of that node from the authentication result.
9. An authentication system for a multi-node path, characterized in that it comprises a source end node and a destination node in the multi-node path, wherein:
the source end node is configured to initiate a task processing request message carrying a first random number generated at random by this node; to determine the number of transmissions of the task processing request message according to the second random number carried in the task processing response message returned by the destination node, the first random number generated at random by this node and a pre-configured operation rule; and to confirm that the multi-node path is a legitimate path when the determined number of transmissions is consistent with the number of pre-configured intermediate nodes;
the destination node is configured to return a task processing response message to the source end node after receiving the task processing request message forwarded via each intermediate node, the response carrying a second random number determined according to the first random number carried in the received task processing request message and the operation rule; wherein each legitimate intermediate node on the path of the task processing request message applies the operation rule to the first random number carried in the received task processing request message and updates the first random number with the result.
10. The system of claim 9, characterized in that it further comprises each legitimate intermediate node, wherein:
the source end node is further configured to carry, in the task processing request message it initiates, a first authentication code obtained by encrypting the message content with the current session key of this node, the current session key of the source end node being obtained by encrypting a shared random number and the first random number generated at random by this node with a shared key;
the legitimate intermediate node is configured, after receiving the task processing request message forwarded by the previous node, to authenticate the first authentication code carried in it using the first random number carried in the received task processing request message together with the shared key and the shared random number; if authentication passes, to encrypt the message content with the current session key of this node and update the first authentication code with the result, the current session key of the legitimate intermediate node being obtained by encrypting the shared random number and the first random number as updated by this node with the shared key; and if authentication fails, to return a task failure notification message to the source end node indicating that the previous node is an illegal node.
11. The system of claim 9 or 10, characterized in that
the destination node is further configured to carry, in the task processing response message it returns, a second authentication code obtained by encrypting the message content with the current session key of this node, the current session key of the destination node being obtained by encrypting the shared random number and the second random number with the shared key;
the source end node is further configured, before confirming that the multi-node path is a legitimate path, to authenticate the second authentication code carried in the task processing response message using the second random number together with the shared key and the shared random number, and to confirm that the second authentication code passes authentication.
12. The system of claim 11, characterized in that
the source end node is also configured, when the determined number of transmissions is inconsistent with the number of pre-configured intermediate nodes, or when an abnormal condition is detected in message transmission over the multi-node path, to send a node probe message to each intermediate node in the multi-node path in turn; and, after receiving the node probe response message carrying a third random number and a third authentication code that each intermediate node returns in reply to the received node probe message, to authenticate the third authentication code according to the third random number carried in the received node probe response message together with the shared key and the shared random number, and to determine the legitimacy of that intermediate node from the authentication result; wherein each legitimate intermediate node carries in the node probe response message it returns a third random number generated at random by this node and a third authentication code obtained by encrypting the message content with the current session key of this node, the current session key of each legitimate intermediate node being obtained by encrypting the shared random number and the third random number generated at random by this node with the shared key.
13. the source end node devices in the multinode path is characterized in that, comprising:
The task management module is used to initiate the task processing request message, wherein carries first random number that this node generates at random;
Receiver module; The destination node that is used for receiving said multinode path is after receiving the task processing request message that transmits via each intermediate node; The task processing response message that carries second random number that returns; Said second random number is to confirm according to first random number of carrying in the task processing request message and pre-configured operation rule; Wherein, the task processing request message via each legal intermediate node use said operation rule that first random number of carrying in the task processing request message that receives is carried out computing, and upgrade first random number according to operation result;
The path authentication module; Be used for according to the set the tasks transmission number of times of processing request message of said second random number, first random number that this node generates at random and pre-configured operation rule; And when the quantity of the transmission number of times of determining and pre-configured intermediate node is consistent, confirm that said multinode path is legal path.
14. source as claimed in claim 13 end node devices is characterized in that, also comprises memory module, wherein:
Said memory module is used to store shared key and shared random number;
Said task management module; Be further used in the task processing request message of initiating, also portably using first authentication code that obtains after the current session key of this node is encrypted message content, end node current session key in said source obtains with first random number encryption that this node generates at random sharing random number through sharing key.
15. source as claimed in claim 14 end node devices; It is characterized in that; Also carry second authentication code that obtains after according to the current session key of this node message content being encrypted in the task processing response message that said destination node returns, the current session key of said destination node obtains sharing the random number and second random number encryption through sharing key; And
Said path authentication module; Be further used for before confirming that said multinode path is legal path; Use said second random number and shared key and shared random number; Second authentication code to carrying in the task processing response message carries out authentication, and confirms the authentication of said second authentication code is passed through.
16. The source end node device according to claim 15, characterized in that it further comprises an entity authentication module, wherein:
the path authentication module is further configured to trigger the task management module when the determined number of forwardings is inconsistent with the pre-configured number of intermediate nodes, or when an abnormal condition in the transmission of messages over the multi-node path is detected;
the task management module is further configured to, when triggered by the path authentication module, send a node probe message to each intermediate node in the multi-node path in turn;
the receiving module is further configured to receive the node probe response message that each intermediate node returns according to the node probe message it receives, the response message carrying a third random number and a third authentication code;
the entity authentication module is configured to authenticate the third authentication code carried in a received node probe response message according to the third random number carried in that message together with the shared key and the shared random number, and to determine the legitimacy of that intermediate node according to the authentication result; wherein each legal intermediate node carries, in the node probe response message it returns, a third random number generated at random by that node and a third authentication code obtained by encrypting the message content with the current session key of that node, the current session key of each legal intermediate node being obtained by encrypting the shared random number and the third random number generated at random by that node with the shared key.
17. A destination node device in a multi-node path, characterized in that it comprises:
a receiving module, configured to receive the task processing request message initiated by the source end node and forwarded via each intermediate node; wherein the task processing request message initiated by the source end node carries a first random number generated at random by the source end node, and each legal intermediate node that forwards the task processing request message applies a pre-configured operation rule to the first random number carried in the message it received and updates the first random number according to the result of the operation;
a sending module, configured to return, after the task processing request message forwarded via each intermediate node has been received, a task processing response message to the source end node, the response message carrying a second random number determined according to the first random number carried in the received task processing request message and said operation rule; the source end node determines the number of times the task processing request message was forwarded according to the second random number carried in the task processing response message, the first random number it generated at random and the pre-configured operation rule, and, when the determined number of forwardings is consistent with the pre-configured number of intermediate nodes, determines that the multi-node path is a legal path.
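The exchange claimed in claims 13 to 17, carried through end to end as an added simulation (this is example code written for this page, not code from the patent or its assignee). The claims leave the concrete primitives open, so several choices here are assumptions: the pre-configured operation rule is modelled as a full-period affine step mod 2^32 (so the source can count rule applications unambiguously), the "session key obtained by encrypting the shared random number and a per-message random number with the shared key" and the "authentication code obtained by encrypting the message content with the session key" are both modelled with HMAC-SHA256, the destination is taken to apply the rule once itself and that application is not counted as a forwarding, and the first authentication code of claim 14 is left out because the claims shown give no step that verifies it. The rogue node models the failure mode the scheme is built around: a node that does not hold the shared secrets cannot apply the rule or produce a valid probe response, so the hop count comes up short and the claim 16 probe identifies which node is illegitimate; the count alone only reveals that some node misbehaved, not which one.

```python
"""Added simulation of the multi-node path authentication described in claims 13-17."""
from __future__ import annotations

import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

MOD = 2 ** 32
MAX_HOPS = 64  # ASSUMPTION: bound on how many forwardings the source is willing to count


def op_rule(r: int) -> int:
    """Pre-configured operation rule known to legal nodes.
    ASSUMPTION: the claims leave the rule open; a full-period affine step mod 2^32 is used
    so that r never revisits a value within MAX_HOPS and the hop count is unambiguous."""
    return (1664525 * r + 1013904223) % MOD


def session_key(shared_key: bytes, shared_rand: bytes, r: int) -> bytes:
    """Current session key derived from (shared random number, per-message random number).
    ASSUMPTION: HMAC-SHA256 stands in for the unspecified 'encrypt with the shared key'."""
    return hmac.new(shared_key, shared_rand + struct.pack(">I", r), hashlib.sha256).digest()


def auth_code(key: bytes, content: bytes) -> bytes:
    """Authentication code over the message content under the session key (modelled as a MAC)."""
    return hmac.new(key, content, hashlib.sha256).digest()


@dataclass
class Node:
    name: str
    legal: bool  # legal nodes hold the shared key/random number and know op_rule
    shared_key: bytes = b""
    shared_rand: bytes = b""

    def forward(self, r: int) -> int:
        # A legal intermediate node updates the first random number with the rule; a rogue
        # node, which does not know the rule, can only pass the value through unchanged.
        return op_rule(r) if self.legal else r

    def probe_response(self, content: bytes) -> tuple[int, bytes]:
        # Claim 16: a probed node returns a third random number and a third authentication code.
        r3 = int.from_bytes(os.urandom(4), "big")
        if not self.legal:
            return r3, os.urandom(32)  # cannot derive the session key, so the tag is a forgery
        return r3, auth_code(session_key(self.shared_key, self.shared_rand, r3), content)


def count_forwardings(r1: int, r2: int) -> int | None:
    """Source side: number of rule applications taking r1 to r2, or None if none within MAX_HOPS."""
    r = r1
    for n in range(MAX_HOPS + 1):
        if r == r2:
            return n
        r = op_rule(r)
    return None


def authenticate_path(shared_key: bytes, shared_rand: bytes, intermediates: list[Node],
                      configured_hops: int, content: bytes = b"task-123") -> tuple[bool, bool, list[str]]:
    """One request/response round. Returns (path_legal, response_mac_ok, names_of_rogue_nodes)."""
    r1 = int.from_bytes(os.urandom(4), "big")  # first random number, generated by the source
    r = r1
    for node in intermediates:  # request traverses the path
        r = node.forward(r)
    # Destination (claim 17): second random number from the received value and the rule, plus the
    # second authentication code under a session key bound to r2 (claim 15).
    r2 = op_rule(r)
    mac2 = auth_code(session_key(shared_key, shared_rand, r2), content)
    # Source (claim 15): authenticate the second authentication code before trusting the count.
    mac_ok = hmac.compare_digest(mac2, auth_code(session_key(shared_key, shared_rand, r2), content))
    applications = count_forwardings(r1, r2)
    # ASSUMPTION: the destination's own rule application is not counted as a forwarding.
    forwardings = None if applications is None else applications - 1
    path_legal = mac_ok and forwardings == configured_hops
    rogue: list[str] = []
    if not path_legal:
        # Claim 16: probe each intermediate node in turn and authenticate its reply.
        for node in intermediates:
            r3, mac3 = node.probe_response(content)
            expected = auth_code(session_key(shared_key, shared_rand, r3), content)
            if not hmac.compare_digest(mac3, expected):
                rogue.append(node.name)
    return path_legal, mac_ok, rogue


if __name__ == "__main__":
    K, R = os.urandom(16), os.urandom(8)  # constructed shared key and shared random number
    legal = [Node(f"n{i}", True, K, R) for i in range(3)]
    print("legal path:", authenticate_path(K, R, legal, configured_hops=3))
    tampered = legal[:1] + [Node("rogue", False)] + legal[1:]
    print("path with rogue node:", authenticate_path(K, R, tampered, configured_hops=4))
```

With three legal intermediate nodes the source counts three forwardings and accepts the path; inserting a rogue node that cannot apply the rule leaves the count one short, which triggers the probe round and flags only the rogue node.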
CN2009100912285A 2009-08-14 2009-08-14 Authentication method and system for multi-node path and relevant node equipment CN101997681B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100912285A CN101997681B (en) 2009-08-14 2009-08-14 Authentication method and system for multi-node path and relevant node equipment

Publications (2)

Publication Number Publication Date
CN101997681A CN101997681A (en) 2011-03-30
CN101997681B true CN101997681B (en) 2012-08-22

Family

ID=43787329

Country Status (1)

Country Link
CN (1) CN101997681B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102404171A (en) * 2011-11-24 2012-04-04 中兴通讯股份有限公司 Method and device for detecting Ethernet links
CN103580863B (en) * 2012-08-01 2017-09-08 中国移动通信集团公司 Communication safety control method, device and Internet of things node
CN103929299B (en) * 2014-04-28 2017-05-10 王小峰 Self-securing lightweight network message transmitting method with address as public key
CN104580207B (en) * 2015-01-04 2019-03-19 华为技术有限公司 Retransmission method, device and the transponder of authentication information in Internet of Things
CN107342970B (en) * 2016-05-03 2020-08-07 华为技术有限公司 Encryption mode determination method, calling device, called device and VoIP system
CN108933763B (en) * 2017-05-25 2020-01-03 华为技术有限公司 Data message sending method, network equipment, control equipment and network system
CN108964886A (en) * 2018-05-04 2018-12-07 霍尼韦尔环境自控产品(天津)有限公司 Communication means comprising Encryption Algorithm, the communication means comprising decipherment algorithm and equipment
CN111343207B (en) * 2020-05-19 2020-09-11 北京华云安信息技术有限公司 Multi-node joint encryption data transmission method, equipment and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1668136A (en) * 2005-01-18 2005-09-14 中国电子科技集团公司第三十研究所 A method for implementing security communication between mobile self-organized network nodes

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant