CN102469173A - IPv6 (Internet Protocol Version 6) network layer credible transmission method and system based on combined public key algorithm - Google Patents

IPv6 (Internet Protocol Version 6) network layer credible transmission method and system based on combined public key algorithm Download PDF

Info

Publication number
CN102469173A
CN102469173A CN2010105457960A CN201010545796A CN102469173A CN 102469173 A CN102469173 A CN 102469173A CN 2010105457960 A CN2010105457960 A CN 2010105457960A CN 201010545796 A CN201010545796 A CN 201010545796A CN 102469173 A CN102469173 A CN 102469173A
Authority
CN
China
Prior art keywords
data
key
terminal
digital signature
receiving terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2010105457960A
Other languages
Chinese (zh)
Inventor
任远
徐启建
吴作顺
张国卿
杜飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
No61 Inst Headquarters Of General Staff Pla
Original Assignee
No61 Inst Headquarters Of General Staff Pla
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by No61 Inst Headquarters Of General Staff Pla filed Critical No61 Inst Headquarters Of General Staff Pla
Priority to CN2010105457960A priority Critical patent/CN102469173A/en
Publication of CN102469173A publication Critical patent/CN102469173A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an IPv6 (Internet Protocol Version 6) network layer credible transmission method and a system based on a combined public key algorithm. The method comprises the following steps that: a secret key management center distributes a unique IPv6 address and a private key generated by the IPv6 address to each terminal, and issues a public key algorithm computing a public key by the IPv6 address; a sending terminal utilizes the private key and sending data to generate digital signature data, the digital signature data, the sending data, a source address and a target address are packaged into a data packet to be sent to a receiving terminal; and the receiving terminal computes the public key of the sending terminal according to the source address of the data packet and the public key algorithm, and then the public key of the sending terminal and the sending data in the data packet are utilized to generate digital signature comparison data to verify the digital signature data and determine whether the data packet is credible or not according to the verification result. The invention realizes the credible authentication of the IPv6 address as well as safe and timely data transmission.

Description

Method and system based on the credible transmission of IPv6 network layer of Conbined public or double key algorithm
Technical field
The invention belongs to network communications technology field, especially a kind of credible transmission technology that relates to the IPv6 network layer.
Background technology
(Internet Protocol be the basis that most of networks are rely and made up IP), yet the defective of IP agreement itself makes internet security, service quality, reliability and network management be difficult to be guaranteed to interconnection protocol between network.To full spectrum of threats ubiquities such as the data eavesdropping of network layer, Replay Attack, man-in-the-middle attacks, be that the network security on basis faces serious challenge with IP.In order effectively to solve the safety problem of IP layer; Since nineteen ninety-five Internet engineering duty group (Internet Engineering Task Force; IETF) set about formulating one and overlapped the agreement that is used to protect the IP communication security---and IP security protocol (IP Security, IPSec).Defined the architecture of IPSec among the RFC2401: authentication header (AH, AuthenticationHeader) integrality, original authentication and the limited preventing playback attack service of realization data; ESP (Encapsulating Security Payload, ESP) security services such as integrality of the confidentiality of realization data, data source authentication, anti-playback and partial data.
In IPSec; Internet key exchange (Internet Key Exchange; IKE) be its important component part, in the initial period of IPSec work, IKE is used for dynamically setting up a security association (Security Association; And the foundation of SA is content the most complicated among the IPSec SA).Said SA is the basis that constitutes IPSec; It is a kind of agreements through consulting to set up of two communication entities, is used for defining IPsec agreement, pattern, algorithm and key, life cycle, anti replay window, the counter of protected data etc., promptly no matter is to use authentication header (Authentication Header; AH) still encapsulate charge of surety (Encapsulated Secure Payload; ESP), select transmission mode or tunnel mode, these are all decided by SA.Said IKE agreement is used for dynamically setting up said SA, and two stage IKE comprises under the wildcard authentication mode: set up a tunnel through authentication and safeguard protection between the phase I communicating pair, i.e. IKE SA; Second stage utilizes this SA to consult concrete IPSec SA for IPSec.Find through analyzing; IKE realizes complicacy very, and it has comprised a lot of options, has brought very strong flexibility; It is very difficult when but this not only makes the systems analyst understand its performance; The Project Realization difficulty is bigger, and some option itself is exactly unsafe, attacked and reflection attack etc. by Denial of Service attack, transformation load.In addition, set up through IKE in the process of SA, the work that at first will accomplish is exactly the key change that realizes that between two entities entity identities can authentication.IKE is in the phase I, and the Key Tpe according to using has three kinds of modes to accomplish the key change of authentication: share symmetric key, public key encryption key and public key verifications signature key in advance.The IKE phase I is used the session key of sharing symmetric key foundation in advance, and this mode requires communicating pair obtaining shared symmetric key through other approach outside the network before the communication, and this mode is proper under the little situation of size of the organization.After size of the organization expands to a certain degree, all need share a symmetric key between the pair of IP Sec entity arbitrarily, this brings very big burden for the distribution and the issue of symmetric key.As a same reason; Other the two kinds key change modes that use public-key; When scale expands to a certain degree, also can not distribute public affairs, private key right through the mode of maintaining secrecy, must introduce certain Verification System and realize authentication; IPSec uses be PKIX (Public Key Infrastructure, PKI).
Summary of the invention
The object of the present invention is to provide method, solved the problem of the authenticity of IP layer data integrality, data encryption and IPv6 source address based on the credible transmission of IPv6 network layer of Conbined public or double key algorithm.
According to an aspect of the present invention, the method for the credible transmission of IPv6 network layer based on the Conbined public or double key algorithm provided by the invention comprises:
KMC is to unique IPv6 address of each terminal distribution and the private key that utilizes the IPv6 address to generate, and issues the public key algorithm that utilizes IPv6 address computation PKI;
Send the terminal and utilize its private key and send data, generate digital signature data, and said digital signature data, transmission data, source address and destination address are packaged into packet, send to receiving terminal;
Receiving terminal is calculated the transmission terminal public key according to the source address and the said public key algorithm that receive packet; Utilize the transmission data in said transmission terminal public key and the said packet to generate digital signature comparison data then; Verify said digital signature data, and whether the specified data bag is credible as a result according to checking.
The generation step of said digital signature data is specially:
It is fixed-length data that transmission terminal hash function safe in utilization will send data transaction, and uses its private key that said fixed-length data is encrypted, and obtains digital signature data.
The verification step of said digital signature data is specially:
Receiving terminal hash function safe in utilization is a fixed-length data with the transmission data transaction in the packet;
Utilize the said transmission terminal public key and the said fixed-length data that generate to generate digital signature comparison data;
Digital signature data in said digital signature comparison data and the packet is compared, if coupling, the packet that then receives is credible, otherwise, abandon said packet.
Further, said transmission data are expressly.
Further, said transmission data comprise key change data and ciphertext, and the generation step of said key change data is specially:
Send the terminal and utilize the IPv6 address of receiving terminal and said public key algorithm to obtain the receiving terminal PKI, the random number of said receiving terminal PKI and its generation is multiplied each other obtains the key change data;
The generation step of said ciphertext is specially:
Send the terminal and the basic point of said random number and elliptic curve group is multiplied each other obtain being used for the symmetric key of encrypting plaintext, and utilize said symmetric key encryption expressly to obtain ciphertext.
Further, after receiving terminal specified data bag is credible, ciphertext is deciphered, decryption step is specially:
Receiving terminal carries out its private key behind the inversion operation and sends said key change data in the data and multiply each other and obtain said symmetric key, and utilizes said symmetric key decrypting ciphertext with restoring data.
Further, the step of the said IPv6 of utilization address and public key algorithm generation transmission terminal public key or receiving terminal PKI comprises:
Sending terminal or receiving terminal and utilize hash function, is hash data with the receiving terminal or the IPv6 address transition of sending the terminal;
With said hash data block encryption, block encryption is exported the result convert row-coordinate to, and generate the row-coordinate indicator sequence according to said row-coordinate;
With said hash data block encryption, block encryption is exported the result convert the displacement indication code to, utilize said displacement indication code, convert its 32 yuan of unit displacements into row coordinate indicator sequence;
Utilize said row-coordinate indicator sequence and said row coordinate indicator sequence, extract the element in the PKI matrix, and the element that extracts is carried out generating the receiving terminal PKI or sending terminal public key after the elliptic curve operations;
Said PKI matrix is handed down to the terminal by said KMC, and its element is times point of the basic point of elliptic curve group.
According to another aspect of the present invention, the credible system for transmitting of IPv6 network layer based on the Conbined public or double key algorithm provided by the invention comprises KMC, sends terminal and receiving terminal.Wherein:
Said KMC is used for to each terminal distribution unique IPv6 address and the private key that utilizes the IPv6 address to generate, and issues the public key algorithm that utilizes IPv6 address computation PKI;
Said transmission terminal comprises:
The digital signature generation module is used to utilize its private key and sends data, generates digital signature data;
Sending module is used for said digital signature data, transmission data, source address and destination address are packaged into packet, sends to receiving terminal;
Said receiving terminal comprises:
The PKI generation module is used for calculating the transmission terminal public key according to the source address and the said public key algorithm that receive packet;
The digital signature authentication module is used for utilizing the transmission data of said transmission terminal public key and said packet to generate digital signature comparison data, verify said digital signature data, and whether the specified data bag is credible as a result according to checking.
Further, said transmission terminal also comprises:
The PKI generation module is used to utilize the IPv6 address of receiving terminal and public key algorithm that said KMC issues to calculate the receiving terminal PKI;
The random number generation module is used to generate random number;
The key change data generation module, being used for said random number and said receiving terminal PKI multiplied each other obtains the key change data, and said key change data are sent into said sending module and said digital signature generation module;
The symmetric key generation module is used to utilize the basic point of said random number and elliptic curve group to multiply each other and obtains being used for the symmetric key of encrypting plaintext;
Encrypting module, the symmetric key encryption that is used to utilize said symmetric key generation module to generate expressly obtains ciphertext, and said ciphertext is sent into said sending module and said digital signature generation module.
Further, said receiving terminal also comprises:
The symmetric key generation module is used for utilizing the said key change data computation symmetric key of receiving terminal private key and packet;
Deciphering module is used to utilize said symmetric key decrypting ciphertext with reduction expressly.
Compared with prior art, beneficial effect of the present invention is:
1, the present invention makes and need not carry out any as offered between the terminal and shake hands, and the safe lane between any two terminals is available at any time, has promptly guaranteed safety of data transmission, has guaranteed the promptness of transfer of data again;
2, the present invention has not only realized the production that ultra-large public, private key is right through utilizing the IPv6 address as terminal iidentification, and has saved third party certification authority, has realized the authentic authentication of IPv6 address;
3, the present invention is through using key center, makes all terminals all among unified management, is convenient to unified plan and supervision, prevents out of controlly, relatively is suitably for dedicated networks such as government affairs or military network the trust data transmission is provided.
Description of drawings
Fig. 1 is the credible transmission method flow chart of IPv6 network layer that the present invention is based on the Conbined public or double key algorithm;
The form of the address validation head that Fig. 2 provides for the embodiment of the invention;
The transmission flow chart of data processing that Fig. 3 provides for the embodiment of the invention based on the credible transmission method of IPv6 network layer of Conbined public or double key algorithm;
The reception flow chart of data processing that Fig. 4 provides for the embodiment of the invention based on the credible transmission method of IPv6 network layer of Conbined public or double key algorithm;
The credible transmission system theory diagram of the IPv6 network layer based on the Conbined public or double key algorithm that Fig. 5 provides for the embodiment of the invention;
The digital signature generation module internal structure sketch map that Fig. 6 provides for the embodiment of the invention;
The digital signature authentication inside modules structural representation that Fig. 7 provides for the embodiment of the invention;
The PKI generation module internal structure sketch map that Fig. 8 provides for the embodiment of the invention.
Embodiment
To a preferred embodiment of the present invention will be described in detail, should be appreciated that following illustrated preferred embodiment only is used for explanation and explains the present invention, is not limited to the present invention below in conjunction with accompanying drawing.
Fig. 1 has shown the credible transmission method flow chart of the IPv6 network layer that the present invention is based on the Conbined public or double key algorithm, and is as shown in Figure 1:
Step 101: KMC is to unique IPv6 address of each terminal distribution and the private key that utilizes the IPv6 address to generate, and issues the public key algorithm that utilizes IPv6 address computation PKI;
Step 102: send the terminal and utilize its private key and send data, generate digital signature data, and said digital signature data, transmission data, source address and destination address are packaged into packet, send to receiving terminal;
Step 103: receiving terminal is calculated the transmission terminal public key according to the source address and the said public key algorithm that receive packet; Utilize the transmission data in said transmission terminal public key and the said packet to generate digital signature comparison data then; Verify said digital signature data, and whether the specified data bag is credible as a result according to checking.
Before the execution in step 101; Application adds the terminal of network and submits the identity of oneself and the geographical position of access network to KMC; After KMC examines terminal identity; According to the access network under the terminal is the unique IPv6 address of terminal distribution, and so just the geographical position with identity, address and terminal is mapped, and has realized the real nameization of IPv6 address;
Further; Said KMC also is used to generate private key; With delivering the terminal behind the physical protections such as private key process USB card that obtains or phy chip; Prevent to carry out collusion attack after the terminal from knowing private key itself, and will utilize the PKI matrix and the public key algorithm of IPv6 address computation terminal public key to be handed down to the terminal, make the terminal can calculate the corresponding PKI in any IPv6 address as required.Wherein, utilize the corresponding PKI of IPv6 address computation and the step of private key to comprise:
The 1st step: said KMC sets up PKI matrix and private key matrix, is specially:
Confirm elliptic curve group E p(a b), and chooses the some G=(x on the elliptic curve group 1, y 1) as basic point, put the subgroup S that constitutes elliptic curve group by all times of G, that is:
S={G,2G,...,nG}={(x 1,y 1),(x 2,y 2),...,(x n,y n)}(1)
Said elliptic curve group E p(a is b) by satisfying cubic equation y 2=(x 3+ ax+b) nonnegative integer less than p of modp is separated all that constitute and is added that an O point constitutes, and n said basic point G adds up to the O point.Said p is not equal to 2 and 3 big prime number, said a, and b is the 4a that satisfies condition 3+ 27b 2≠ 0 nonnegative integer less than p.
If PKI matrix PSK is m * h matrix, the element in the matrix is the element among the S of subgroup, and note is made X Ij(1≤i≤m, 1≤j≤h), i.e. X Ij=(x Ij, y Ij), then the PSK note is done:
PSK = ( x 11 , y 11 ) ( x 12 , y 12 ) L ( x 1 h , y 1 h ) ( x 21 , y 21 ) ( x 22 , y 22 ) L ( x 2 h , y 2 h ) M M M ( x m 1 , y m 1 ) ( x m 2 , y m 2 ) L ( x mh , y mh ) - - - ( 2 )
Private key matrix S SK is m * h matrix, the element r in the matrix IjBe X IjFor the multiple value of basic point G, i.e. r IjG=X Ij=(x Ij, y Ij), then SSK note conduct:
SSK = r 11 r 12 L r 1 h r 21 r 22 L r 2 h M M M r m 1 r m 2 L r mh - - - ( 3 )
In the present embodiment, m is decided to be 256, and h is decided to be 32, when key length is decided to be 192, optional set of parameter p, and a, b, G, n} is following, adopts hexadecimal representation:
p:BDB6F4FE3E8B1D9E0DA8C0D46F4C318CEFE4AFE3B6B8551F
a:BB8E5E8FBC115E139FE6A814FE48AAA6F0ADA1AA5DF91985
b:1854BEBDC31B21B7AEFC80AB0ECD10D5B1B3308E6DBF11C1
x 1:4AD5F7048DE709AD51236DE65E4D4B482C836DC6E4106640
y 1:02BB3A02D4AAADACAE24817A4CA3A1B014B5270432DB27D2
n:BDB6F4FE3E8B1D9E0DA8C0D40FC962195DFAE76F56564677
Also can select other parameter for use.
The 2nd step: utilize the IPv6 address computation PKI at terminal and the step of private key to be specially:
A). the HASH computing is carried out in 128 IPv6 address to binary representation, obtains 256 HASH operation result, i.e. 256 hash data data;
B). it is 64 4 groups that 256 data are divided into block length, and to adopt key be that the block cipher of ROWKEY is encrypted, and obtains 256 bit encryptions MAP as a result;
With MAP is that unit converts row-coordinate to the byte, is about to MAP and is divided into 32 byte B0|B1| ... | B31, establish m=2 k, random number sequence (B0) m of mould m is formed in the low k position of getting each byte, (B1) m ..., (B31) m is as row-coordinate indicator sequence (i 0, i 1..., i 31);
C). it is that the said block cipher of COLKEY is encrypted that 256 data are adopted keys, obtains 256 bit encryptions PTMKEY as a result, and PTMKEY is divided into 64 4; Obtain length and be 64 mould 16 random number sequence (C0, C1 ... C63), promptly replace indication code;
Utilize said displacement indication code, convert 32 yuan of units displacements importing into 32 yuan of random permutations, promptly obtain row coordinate indicator sequence (j 0, j 1..., j 31).
The generation of said 32 yuan of random permutations needs 16 * 16 permutation matrixes, and each of said 16 * 16 permutation matrixes is classified 16 yuan of displacements as, and is separate between row and the row.The present invention chooses the displacement of 16 * 16 permutation matrixes through using the displacement indication code, and 32 yuan of units that import are replaced the iterated transform of doing transposition and displacement, exports one 32 yuan random permutation at last, as the row coordinate indicator sequence of key generation.For example: in the present embodiment; 32 yuan of random permutations generate altogether through 16 round transformations, and every round transformation needs 4 displacement indication codes, and per two displacement indication codes are selected a displacement from 16 * 16 permutation matrixes; Selecting two displacements altogether, is that 32 input divides two sections conversion that replace to length; After transposition was accomplished, if need the input as next round, then the complete sequence ring shift left was 8, if last round transformation, then directly output.The process of 16 round transformations is following:
When carry out i (i=0,1 ..., 15) during round transformation, be input as (q I, 0, q I, 1..., q I, 31), the displacement indication code that needs is (C 4i, C 4i+1, C 4i+2, C 4i+3)=(a, b, c, d);
From 16 * 16 permutation matrixes, selecting a row starting point is the displacement of b, and to (q I, 0, q I, 1..., q I, 15) do the transposition conversion obtain (q ' I, 0, q ' I, 1..., q ' I, 15), selecting c row starting point is the displacement of d, and to (q I, 16, q I, 17..., q I, 31) do the transposition conversion obtain (q ' I, 16, q ' I, 17..., q ' I, 31), promptly i round transformation output result be (q ' I, 0, q ' I, 1..., q ' I, 15, q ' I, 16, q ' I, 17..., q ' I, 31); Being replaced into of a row (0,13,15,5,4,8,1,3,11,14,2,7,12,6,9,10) for example, choosing starting point b is 4 o'clock, and 16 yuan that select are replaced into (4,8,1,3,11,14,2,7,12,6,9,10,0,13,15,5), and at this moment, 16 yuan of displacements are 16 input (q to length 0, q 1... q 15) make the transposition conversion after, the result is (q 12, q 2, q 6, q 3, q 0, q 15, q 9, q 7, q 1, q 10, q 11, q 4, q 8, q 13, q 5, q 14);
If i<15, then incite somebody to action (q ' I, 0, q ' I, 1..., q ' I, 15, q ' I, 16, q ' I, 17..., q ' I, 31) 8 of ring shift lefts obtain (q ' I, 8, q ' I, 9..., q ' I, 31, q ' I, 0, q ' I, 1..., q ' I, 7) as the input of next round conversion;
If i=15, then (q ' I, 0, q ' I, 1..., q ' I, 15, q ' I, 16, q ' I, 17..., q ' I, 31) be 32 yuan of random permutations, i.e. row coordinate indicator sequence (j 0, j 1..., j 31);
D). utilize said row-coordinate indicator sequence (i 0, i 1..., i 31) and said row coordinate indicator sequence (j 0, j 1..., j 31), extract the element in the PKI matrix
Figure BDA0000032297800000081
Element in (0≤k≤31) and the private key matrix
Figure BDA0000032297800000082
(0≤k≤31), and it is right to carry out the public, private key that satisfies PK=SK * G that additive combination in the elliptic curve obtains producing based on the IPv6 address according to the element that extracts:
PK = X i 0 , j 0 + X i 1 , j 1 + L + X i 31 , j 31 = ( x i 0 , j 0 , y i 0 , j 0 ) + ( x i 1 , j 1 , y i 0 , j 0 ) + L + ( x i 31 , j 31 ) SK = ( r i 0 , j 0 + r i 1 , j 1 + L + r i 31 , j 31 ) mod n
Before carrying out said step 102, do not use cryptographic services if send the terminal, then said transmission data are expressly, otherwise said transmission data comprise key change data and ciphertext, and the generation step of said key change data is specially:
Send the terminal and utilize the IPv6 address of receiving terminal and said public key algorithm to obtain the receiving terminal PKI, the random number of said receiving terminal PKI and its generation is multiplied each other obtains the key change data;
The generation step of said ciphertext is specially:
Send the terminal and the basic point of said random number and elliptic curve group is multiplied each other obtain being used for the symmetric key of encrypting plaintext, and utilize said symmetric key encryption expressly to obtain ciphertext.
In the said step 102, the generation step of said digital signature data is specially:
It is fixed-length data that transmission terminal hash function safe in utilization will send data transaction, and uses its private key that said fixed-length data is encrypted, and obtains digital signature data.
More specifically, the setting long data is m, and the transmission terminal public key is pkA, and the transmission terminal secret key is skA, the elliptic curve parameter be T=(a, b, G, n, p), the generation of said digital signature data may further comprise the steps:
(1) generate random integers k, said k satisfies k ∈ [1, n-1];
(2) calculate kG=(x k, y k), make r=x k(modn), if r=0 then carries out again (1), otherwise carries out (3);
(3) calculate s=k -1(m+r * skA) (modn) is if s=0 then carries out (1) again;
(4) said digital signature data be (r, s).
In the said step 103, the verification step of said digital signature data is specially:
Receiving terminal hash function safe in utilization is a fixed-length data with the transmission data transaction in the packet;
Utilize the said transmission terminal public key and the said fixed-length data that generate to generate digital signature comparison data;
Digital signature data in said digital signature comparison data and the packet is compared, if coupling, the packet that then receives is credible, otherwise, abandon said packet.
More specifically, establishing said fixed-length data is m1, and said digital signature data checking may further comprise the steps:
(1) if
Figure BDA0000032297800000092
then digital signature is invalid carries out following steps otherwise calculate successively;
(2) calculate w=s -1(modn);
(3) calculate u1=m1 * w (modn), u2=r * w (modn);
(4) calculate (x, y)=u1 * G+u2 * pkA;
(5) if x=r (modn), then digital signature is effective, the packet that promptly receives is credible, otherwise digital signature is invalid, abandons said packet.
After carrying out said step 103, receiving terminal judgment data bag is credible, if said transmission data are expressly, then plaintext is submitted high-rise the processing; If comprise key change data and ciphertext in the said transmission data, then ciphertext to be deciphered, decryption step is specially:
Receiving terminal carries out its private key behind the inversion operation and sends said key change data in the data and multiply each other and obtain said symmetric key, and utilizes said symmetric key decrypting ciphertext with restoring data.
In the above-mentioned steps, the said IPv6 of utilization address and public key algorithm generate the step of sending terminal public key or receiving terminal PKI and comprise:
Sending terminal or receiving terminal and utilize hash function, is hash data with the receiving terminal or the IPv6 address transition of sending the terminal;
With said hash data block encryption, block encryption is exported the result convert row-coordinate to, and generate the row-coordinate indicator sequence according to said row-coordinate;
With said hash data block encryption, block encryption is exported the result convert the displacement indication code to, utilize said displacement indication code, convert its 32 yuan of unit displacements into row coordinate indicator sequence;
Utilize said row-coordinate indicator sequence and said row coordinate indicator sequence, extract the element in the PKI matrix, and the element that extracts is carried out generating the receiving terminal PKI or sending terminal public key after the elliptic curve operations;
Said PKI matrix is handed down to the terminal by said KMC, and its element is times point of the basic point of elliptic curve group.
This mechanism works provides authenticity, data integrity and the data encryption service of IPv6 source address at the IP layer.
Fig. 2 has shown the form of the address validation head that the embodiment of the invention provides, and is as shown in Figure 2.
Message status indication code field; Be used to deposit 16 message status indication codes; 16 complete representes that said address validation head provides the data encryption service during for " 1 "; Promptly send data and comprise key change data and ciphertext, represent that said address validation head does not provide the data encryption service during entirely for " 0 ", promptly sending data is expressly;
1 key change data field is used to deposit 1 key change data, when said address validation head provides cryptographic services, realizes the transmission of symmetric key, and therefore, this field is only effective when said message status indication code is " 1 " entirely;
The key change data field is used to deposit 192 key change data, realizes the transmission of symmetric key with said 1 key change data, and therefore, this field only occurs when said message status indication code is " 1 " entirely;
The load data field is used for the upper layer data that storage address checking head obtains from high level, and the length in this territory is by the length decision of upper layer data;
The padding data field is used for the padding data of storage length scope 0~255 byte, so that load data finishes in place;
The padding data length field, be used to deposit 8 be the padding data length data of unit with the byte;
Next header fields is used to deposit next header type data of 8;
Authentication data field is used to deposit 384 digital signature data.
As shown in Figure 2, the field of encrypting coverage comprises load data field, padding data field, padding data length field and next header fields; The field of authentication coverage comprises message status indication code field, 1 key change data field, key change data field, load data field, padding data field, padding data length field and next header fields.
Said key change data are points on the elliptic curve group, and point coordinates is that (x, y), wherein, x and y are respectively 192 data.Because (x y) is point on the elliptic curve group, as long as know value and the value of x at 1 at the end of y; Just can calculate y; Therefore in order to reduce the expense of data communication, only need to transmit 1 at the end of y and whole 192 bit data of x, receiving terminal can calculate the integrity value of y.Therefore; When address checking head provided the data encryption service, message status indication code complete " 1 ", 1 key change data field were deposited 1 at the end of y; The x value that the key change storage is 192; Same, 1 key change data field also can be deposited 1 at the end of x, and the key change data field is deposited 192 y value.
When using the key of different length, the length of key change data and verify data will change in the address validation head, and present embodiment is an example definition address validation head with the key of 192 of length only.
Said address validation head is self-defining IPv6 extension header, so that the essential source address service for checking credentials, data integrity sex service and optional data encryption service to be provided.Below through Fig. 3 and Fig. 4 specify based on the credible transmission method of IPv6 network layer of Conbined public or double key algorithm transmission flow chart of data processing and reception flow chart of data processing, and the use of address validation head.
The transmission flow chart of data processing that Fig. 3 has shown that the embodiment of the invention provides based on the credible transmission method of IPv6 network layer of Conbined public or double key algorithm, as shown in Figure 3.
Step 301: send the terminal and obtain upper layer data (UDP or TCP message), and interpolation needs the IPv6 extension header of terminal processes from high level;
Step 302: judge whether upper layer data need carry out encryption,, then carry out step 303, otherwise carry out step 304 if need encryption;
Step 303: the computation key swap data be used for the symmetric key of enciphered data, and put into the key change data field of address validation head to said key change data;
Step 304: upper layer data is directly put into the load data field of said address validation head, and after filling the padding data field, padding data length field, next header fields of said address validation head, carry out step 306;
Step 305: insert padding data, padding data length data and next header type data; Use said symmetric key that said upper layer data, padding data, padding data length data and next header type data are encrypted, and leave encrypted result load data field, padding data field, padding data length field and next header fields of address validation head in successively.
Step 306: send the terminal input of the data in the field of authentication coverage in address validation head secure hash function SHA-1 is obtained 160 fixed-length datas; Then; Use the transmission terminal secret key that 160 fixed-length data is encrypted the generation digital signature data, and said digital signature data is put into the authentication data field of said address validation head; Said digital signature data is a pair of integer, and their length all is 192;
Step 307: send the terminal said address validation head, the basic header of IPv6 that comprises source address and destination address and other extension header of needs are packaged into packet, and said packet is sent to receiving terminal.
In the above-mentioned steps, when the address validation head provides the data encryption service, need to send terminal computation key swap data and the symmetric key that is used for data encryption.Said key change data multiply each other the random number of its generation and said receiving terminal PKI and obtain by sending the terminal.Wherein, said receiving terminal PKI obtains through the IPv6 address and the said public key algorithm of receiving terminal, is specially:
128 IPv6 address of binary representation is input among the hash function SHA-256, obtains 256 operation result, i.e. 256 hash data;
With said hash data block encryption, block encryption is exported the result convert row-coordinate to, and generate the row-coordinate indicator sequence according to said row-coordinate;
With said hash data block encryption, block encryption is exported the result convert the displacement indication code to, utilize said displacement indication code, convert its 32 yuan of unit displacements into row coordinate indicator sequence;
Utilize said row-coordinate indicator sequence and said row coordinate indicator sequence, extract the element in the PKI matrix, and the element that extracts is carried out generating the receiving terminal PKI after the elliptic curve operations.
Said symmetric key is to multiply each other and obtain a point on the elliptic curve group by sending basic point that the terminal utilizes random number and the elliptic curve group of its generation; The coordinate of point is made up of 2 192 data, these data of two 192 is carried out xor operation obtain 192 required keys of AES AES.
If the address validation head does not provide the data encryption service, above-mentioned steps 303 can be omitted with step 305.
The reception flow chart of data processing that Fig. 4 has shown that the embodiment of the invention provides based on the credible transmission method of IPv6 network layer of Conbined public or double key algorithm, as shown in Figure 4.
Step 401: receiving terminal receives the packet that comprises the address validation head;
Step 402: calculate the transmission terminal public key according to the source address of the packet that receives and the public key algorithm that KMC issues;
Step 403: the digital signature at terminal is sent in checking, if the digital signature authentication failure then carry out step 404, otherwise carry out step 405;
Step 404: with the data packet discarding that receives;
Step 405: judge according to the message status indication code field of address validation head whether said address validation head provides cryptographic services, if then carry out step 407, otherwise carry out step 406;
Step 406: according to the key change data computation symmetric key in the address validation head, decrypting ciphertext is with restoring data;
Step 407: expressly (decrypt ciphertext result) submits high-rise the processing.
In the above-mentioned steps 402, IPv6 address and said public key algorithm that said transmission terminal public key sends the terminal by the receiving terminal utilization obtain, and are specially:
128 IPv6 address of binary representation is input to hash function SHA-256, obtains 256 operation result, i.e. 256 hash data;
With said hash data block encryption, block encryption is exported the result convert row-coordinate to, and generate the row-coordinate indicator sequence according to said row-coordinate;
With said hash data block encryption, block encryption is exported the result convert the displacement indication code to, utilize said displacement indication code, convert its 32 yuan of unit displacements into row coordinate indicator sequence;
Utilize said row-coordinate indicator sequence and said row coordinate indicator sequence, extract the element in the PKI matrix, and the element that extracts is carried out generating the receiving terminal PKI after the elliptic curve operations.
In the above-mentioned steps 403; Receiving terminal is with among the input of the data in the field of the authentication coverage of the said address validation head secure hash function SHA-1; Obtain 160 fixed-length data; And utilize the receiving terminal PKI that calculates in the step 402, and use the true and false of digital signature verification algorithm certifying signature, said digital signature verification algorithm is the digital signature of elliptic curve verification algorithm.The reason of digital signature authentication failure has two kinds of possibilities, and the one, the integrality of data is destroyed, and promptly data have been distorted in the process of transmission; The 2nd, source address is forged, and the transmission terminal public key that obtains according to the IPv6 address computation is not that a pair of public, private key is right with signature use transmission terminal secret key.Therefore, the digital signature authentication success both can guarantee the integrality of data, can guarantee that again source address is genuine and believable.
In the above-mentioned steps 406, symmetric key is 192 required keys of AES decipherment algorithm, and in the present embodiment, receiving terminal adopts AES decipherment algorithm decrypting ciphertext to obtain expressly.
Fig. 5 has shown the credible transmission system theory diagram of the IPv6 network layer based on the Conbined public or double key algorithm that the embodiment of the invention provides; Fig. 6 has shown the digital signature generation module internal structure sketch map that the embodiment of the invention provides; Fig. 7 has shown the digital signature authentication inside modules structural representation that the embodiment of the invention provides; Fig. 8 has shown the PKI generation module internal structure sketch map that the embodiment of the invention provides, and below in conjunction with Fig. 5-Fig. 8 system according to the invention is further specified.
As shown in Figure 5, comprise KMC, send terminal and receiving terminal based on the credible system for transmitting of IPv6 network layer of Conbined public or double key algorithm.
Said KMC is used for to each terminal distribution unique IPv6 address and the private key that utilizes the IPv6 address to generate, and issues the public key algorithm that utilizes IPv6 address computation PKI;
Said transmission terminal comprises:
The digital signature generation module is used to utilize its private key and sends data, generates digital signature data;
The PKI generation module is used to utilize the IPv6 address of receiving terminal and public key algorithm that said KMC issues to calculate the receiving terminal PKI;
The random number generation module is used to generate random number;
The key change data generation module, being used for said random number and said receiving terminal PKI multiplied each other obtains the key change data, and said key change data are sent into said sending module and said digital signature generation module;
The symmetric key generation module is used to utilize the basic point of said random number and elliptic curve group to multiply each other and obtains being used for the symmetric key of encrypting plaintext;
Encrypting module, the symmetric key encryption that is used to utilize said symmetric key generation module to generate expressly obtains ciphertext, and said ciphertext is sent into said sending module and said digital signature generation module;
Sending module is used for said digital signature data, transmission data, source address and destination address are packaged into packet, sends to receiving terminal; Said packet can also encapsulate other ipv6 header.
Said receiving terminal comprises:
The PKI generation module is used for calculating the transmission terminal public key according to the source address and the said public key algorithm that receive packet;
The digital signature authentication module is used for utilizing the transmission data of said transmission terminal public key and said packet to generate digital signature comparison data, is used to verify said digital signature data, and according to checking result treatment packet;
The symmetric key generation module is used for utilizing the said key change data computation symmetric key of receiving terminal private key and packet;
Deciphering module is used to utilize said symmetric key decrypting ciphertext with reduction expressly.
Above-mentioned digital signature generation module comprises and is used for hash function safe in utilization will to send data transaction be that the converting unit of fixed-length data is sent terminal secret key said fixed-length data is encrypted the signature unit that obtains digital signature data with being used to use, and is as shown in Figure 6.
Above-mentioned digital signature authentication module comprise be used for hash function safe in utilization with the transmission data transaction of packet be fixed-length data converting unit, be used to utilize said transmission terminal public key and said fixed-length data to generate the compilation unit of digital signature comparison data; And be used for said digital signature comparison data and said digital signature data compares and according to comparative result judgment data bag believable authentication unit whether, as shown in Figure 7.
Above-mentioned PKI generation module comprise be used to utilize hash function with the IPv6 address transition at terminal for the hash data generation unit of hash data, be used to utilize the block encryption result of said hash data generate the row-coordinate indicator sequence row-coordinate indicator sequence generation unit, be used to utilize the block encryption result of said hash data its 32 yuan of units displacements to be converted into the row coordinate indicator sequence generation unit of row coordinate indicator sequence; And utilize said row-coordinate indicator sequence and said row coordinate indicator sequence to extract the element in the PKI matrix and generate the PKI computing unit of terminal public key, as shown in Figure 8.
When data were carried out encryption, the operation principle of the said credible system for transmitting of IPv6 network layer based on the Conbined public or double key algorithm was following:
KMC is to each terminal distribution unique IPv6 address and private key, and issues the public key algorithm that utilizes IPv6 address computation PKI, and the PKI matrix;
At first, the said random number generation unit that sends the terminal generates random number, and said random number is sent into respectively in said symmetric key generation module and the said key change data generation module; Said PKI generation module utilizes the IPv6 address of receiving terminal and said public key algorithm to generate the receiving terminal PKI, and said receiving terminal PKI is sent into said key change data generation module; Then; Said symmetric key generation module multiplies each other through the basic point with said random number and elliptic curve group; Obtain symmetric key; And said symmetric key sent in the said encrypting module, utilize said symmetric key to expressly encrypting by said encrypting module, and the ciphertext that obtains is sent into said digital signature generation module and said sending module respectively; Said receiving terminal PKI and said random number that said key change data generation module will receive multiply each other, and obtain the key change data, and said key change data are sent into said digital signature generation module and said sending module respectively.Then; Said digital signature generation module utilizes secure hash function will send data (data in the authentication coverage) and converts fixed-length data into; And use the transmission terminal secret key that said fixed-length data is encrypted, obtain digital signature data, and digital signature data is sent into said sending module; At last; Said sending module is put into the address validation head with said digital signature data, transmission data; Said address validation head, the basic header of IPv6 that comprises source address and destination address and other extension header of needs are packaged into packet, send to receiving terminal; Wherein, said transmission data comprise said ciphertext and said key change data, and message status indication code and 1 key change data.
The hash data generation unit of said PKI generation module utilizes hash function; With 128 receiving terminal IPv6 address transition is 256 bit hash, and said hash data is sent into respectively in said row-coordinate indicator sequence generation unit and the said row coordinate indicator sequence generation unit; Said row-coordinate indicator sequence generation unit with 256 hash data block encryption after; With the result after encrypting is that unit converts row-coordinate into the byte; And, said row-coordinate indicator sequence is sent into said PKI computing unit according to said row-coordinate generation row-coordinate indicator sequence; After said row coordinate indicator sequence generation unit carries out similar block encryption with 256 hash data; Convert the result after encrypting to the displacement indication code; And utilize 32 yuan of units displacements that said displacement indication code will import to convert row coordinate indicator sequence into, said row coordinate indicator sequence is sent into said PKI computing unit; Said row-coordinate indicator sequence and said row coordinate indicator sequence that said PKI computing unit utilization receives; Extract the element in the PKI matrix; And the element that extracts carried out generating the receiving terminal PKI after the elliptic curve operations, said receiving terminal PKI is sent into said key change data generation module.
The said modular converter of said digital signature generation module is used to utilize secure hash function will send data transaction to be fixed-length data, and said fixed-length data is sent into said signature unit; Said signature unit is used and is sent the said fixed-length data encryption of terminal secret key to receiving, and obtains digital signature data, and said digital signature data is sent into sending module.
After receiving terminal was received packet, at first, said PKI generation module calculated the transmission terminal public key according to the source address and the public key algorithm of packet; And the said transmission terminal public key that will generate is sent into said digital signature authentication module; By said digital signature authentication module digital signature data is verified,, then validation signal is sent to said symmetric key generation module and said deciphering module if verify successfully; Otherwise, abandon said packet; After said symmetric key generation module is received validation signal; Judge that according to the message status indication code field in the said address validation head said address validation head provides cryptographic services; Utilize the receiving terminal private key to carry out behind the inversion operation multiplying each other and obtain symmetric key, and said symmetric key is sent to said deciphering module with said key change data; Then, after said deciphering module is received validation signal and judged that the address validation head provides cryptographic services, utilize said symmetric key that the ciphertext in the packet is deciphered and obtain expressly.
Wherein, the principle of said PKI generation module generation transmission terminal public key is identical with the transmission terminal, and the transmission terminal public key that generates is at last sent into the said compilation unit of said digital signature authentication module.
Wherein, the converting unit of said digital signature authentication module utilizes secure hash function that the transmission data transaction in the said packet is fixed-length data, and fixed-length data is sent into said compilation unit; Said transmission terminal public key that said compilation unit utilization receives and said fixed-length data generate digital signature comparison data, and said digital signature comparison data are sent into said authentication unit; Said authentication unit compares said digital signature comparison data and digital signature data, if coupling then sends to deciphering module and said symmetric key generation module with validation signal, otherwise, abandon said packet.
In the data transmission procedure, the principle of key change is following:
If the elliptic curve swarm parameter be T=(a, b, G, n, p), the transmission terminal secret key of sending terminal A is skA, the transmission terminal public key is pkA, the receiving terminal private key of receiving terminal B is skB, the receiving terminal PKI is pkB.
Send terminal A generation random number k and be used for key change, calculate k * pkB, and calculate k * G as the symmetric key key that is used for enciphered data as the key change data;
After receiving terminal B received key change data k * pkB, skB calculated skB with the receiving terminal private key -1, according to the key change data computation symmetric key key that receives, Calculation Method is following then:
skB -1×k×pkB=skB -1×k×skB×G=k×G=Key
Only relate to a data transfer in above-mentioned key exchange process; Do not need receiving terminal to reply any information and just realize key change; Because send among the key change data k * pkB that sends at the terminal and used the receiving terminal PKI, this just makes the terminal that only has respective private keys could obtain the symmetric key of decrypting ciphertext needs.
When data not being carried out encryption, the operation principle of the said credible system for transmitting of IPv6 network layer based on the Conbined public or double key algorithm is following:
KMC is to each terminal distribution unique IPv6 address and private key, and issues the public key algorithm that utilizes IPv6 address computation PKI, and the PKI matrix;
At first, the said encrypting module at transmission terminal directly will send data and send into said digital signature generation module and said sending module respectively; Then, it is fixed-length data that said digital signature generation module will send data transaction, and said fixed-length data is sent into said signature unit; Said signature unit is used and is sent the said fixed-length data encryption of terminal secret key to receiving, and obtains digital signature data, and said digital signature data is sent into sending module; At last; Said sending module is put into the address validation head with said digital signature data and said transmission data; And said address validation head, the basic header of IPv6 that comprises source address and destination address and other extension header of needs be packaged into packet, send to receiving terminal; Wherein, said transmission data comprise the data in the field of all authentication coverages of unencrypted.
Receive the packet of not encrypted processing when receiving terminal after, at first, said PKI generation module calculates the transmission terminal public key according to the source address and the public key algorithm of packet; And the said transmission terminal public key that will generate is sent into said digital signature authentication module; By said digital signature authentication module digital signature is verified,, then validation signal is sent to said deciphering module and said symmetric key generation module if verify successfully; Otherwise, with said data packet discarding; Then, after deciphering module is received validation signal, judge that according to the message status indication code field in the said address validation head said address validation head does not provide cryptographic services after, directly said plaintext is submitted high level.
In sum, the present invention has following technique effect:
1, the present invention as the unique sign in terminal, has not only realized large-scale key production and management with the IPv6 address, and has realized the authentic authentication of IPv6 address;
2, the transmission of symmetric key according to the invention can make each message use symmetric key encryption at random, and only has the terminal ability data decryption of respective private keys, has guaranteed the promptness and the fail safe of transfer of data;
3, the present invention can realize the reliable communication between any two terminals, and need not third party certification authority on-line operation, has simplified the expense of system's construction and maintenance widely;
4, the present invention is fit to the dedicated network under the unified management system with the authoritative institution of KMC as key production and management, is particularly suitable for the government affairs or the military communication network of the high safety grade under China's centralized management.
Although preceding text specify the present invention, the invention is not restricted to this, those skilled in the art of the present technique can carry out various modifications according to principle of the present invention.Therefore, all modifications of making according to the principle of the invention all are to be understood that to falling into protection scope of the present invention.

Claims (10)

1. based on the method for the credible transmission of IPv6 network layer of Conbined public or double key algorithm, it is characterized in that, comprising:
A) KMC is to unique IPv6 address of each terminal distribution and the private key that utilizes the IPv6 address to generate, and issues the public key algorithm that utilizes IPv6 address computation PKI;
B) send the terminal and utilize its private key and send data, generate digital signature data, and said digital signature data, transmission data, source address and destination address are packaged into packet, send to receiving terminal;
C) receiving terminal is calculated the transmission terminal public key according to the source address and the said public key algorithm that receive packet; Utilize the transmission data in said transmission terminal public key and the said packet to generate digital signature comparison data then; Verify said digital signature data, and whether the specified data bag is credible as a result according to checking.
2. method according to claim 1 is characterized in that, said step B) in, the generation step of said digital signature data is specially:
It is fixed-length data that transmission terminal hash function safe in utilization will send data transaction, and uses its private key that said fixed-length data is encrypted, and obtains digital signature data.
3. method according to claim 1 is characterized in that, said step C) in, the verification step of said digital signature data is specially:
Receiving terminal hash function safe in utilization is a fixed-length data with the transmission data transaction in the packet;
Utilize the said transmission terminal public key and the said fixed-length data that generate to generate digital signature comparison data;
Digital signature data in said digital signature comparison data and the packet is compared, if coupling, the packet that then receives is credible, otherwise, abandon said packet.
4. method according to claim 1 is characterized in that, said transmission data are expressly.
5. method according to claim 1 is characterized in that, said transmission data comprise key change data and ciphertext;
The generation step of said key change data is specially:
Send the terminal and utilize the IPv6 address of receiving terminal and said public key algorithm to obtain the receiving terminal PKI, the random number of said receiving terminal PKI and its generation is multiplied each other obtains said key change data then;
The generation step of said ciphertext is specially:
Send the terminal and the basic point of said random number and elliptic curve group is multiplied each other obtain being used for the symmetric key of encrypting plaintext, and utilize said symmetric key encryption expressly to obtain ciphertext.
6. method according to claim 1 is characterized in that, after receiving terminal specified data bag is credible, ciphertext is deciphered, and decryption step is specially:
Receiving terminal carries out its private key behind the inversion operation and sends said key change data in the data and multiply each other and obtain said symmetric key, and utilizes said symmetric key decrypting ciphertext with restoring data.
7. according to any described method of claim 1-6, it is characterized in that the said IPv6 of utilization address and public key algorithm generate the step of sending terminal public key or receiving terminal PKI and comprise:
Sending terminal or receiving terminal and utilize hash function, is hash data with the receiving terminal or the IPv6 address transition of sending the terminal;
With said hash data block encryption, block encryption is exported the result convert row-coordinate to, and generate the row-coordinate indicator sequence according to said row-coordinate;
With said hash data block encryption, block encryption is exported the result convert the displacement indication code to, utilize said displacement indication code, convert its 32 yuan of unit displacements into row coordinate indicator sequence;
Utilize said row-coordinate indicator sequence and said row coordinate indicator sequence, extract the element in the PKI matrix, and the element that extracts is carried out generating the receiving terminal PKI or sending terminal public key after the elliptic curve operations;
Said PKI matrix is handed down to the terminal by said KMC, and its element is times point of the basic point of elliptic curve group.
8. based on the credible system for transmitting of IPv6 network layer of Conbined public or double key algorithm, comprise KMC, send terminal and receiving terminal, it is characterized in that,
Said KMC is used for to each terminal distribution unique IPv6 address and the private key that utilizes the IPv6 address to generate, and issues the public key algorithm that utilizes IPv6 address computation PKI;
Said transmission terminal comprises:
The digital signature generation module is used to utilize its private key and sends data, generates digital signature data;
Sending module is used for said digital signature data, transmission data, source address and destination address are packaged into packet, sends to receiving terminal;
Said receiving terminal comprises:
The PKI generation module is used for calculating the transmission terminal public key according to the source address and the said public key algorithm that receive packet;
The digital signature authentication module is used for utilizing the transmission data of said transmission terminal public key and said packet to generate digital signature comparison data, verify said digital signature data, and whether the specified data bag is credible as a result according to checking.
9. system according to claim 8 is characterized in that, said transmission terminal also comprises:
The PKI generation module is used to utilize the IPv6 address of receiving terminal and public key algorithm that said KMC issues to calculate the receiving terminal PKI;
The random number generation module is used to generate random number;
The key change data generation module, being used for said random number and said receiving terminal PKI multiplied each other obtains the key change data, and said key change data are sent into said sending module and said digital signature generation module;
The symmetric key generation module is used to utilize the basic point of said random number and elliptic curve group to multiply each other and obtains being used for the symmetric key of encrypting plaintext;
Encrypting module, the symmetric key encryption that is used to utilize said symmetric key generation module to generate expressly obtains ciphertext, and said ciphertext is sent into said sending module and said digital signature generation module.
10. system according to claim 8 is characterized in that, said receiving terminal also comprises:
The symmetric key generation module is used for utilizing the said key change data computation symmetric key of receiving terminal private key and packet;
Deciphering module is used to utilize said symmetric key decrypting ciphertext with reduction expressly.
CN2010105457960A 2010-11-15 2010-11-15 IPv6 (Internet Protocol Version 6) network layer credible transmission method and system based on combined public key algorithm Pending CN102469173A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010105457960A CN102469173A (en) 2010-11-15 2010-11-15 IPv6 (Internet Protocol Version 6) network layer credible transmission method and system based on combined public key algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010105457960A CN102469173A (en) 2010-11-15 2010-11-15 IPv6 (Internet Protocol Version 6) network layer credible transmission method and system based on combined public key algorithm

Publications (1)

Publication Number Publication Date
CN102469173A true CN102469173A (en) 2012-05-23

Family

ID=46072324

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010105457960A Pending CN102469173A (en) 2010-11-15 2010-11-15 IPv6 (Internet Protocol Version 6) network layer credible transmission method and system based on combined public key algorithm

Country Status (1)

Country Link
CN (1) CN102469173A (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105991673A (en) * 2015-01-29 2016-10-05 国家电网公司 IPv6 application layer data transmission method possessing protection mechanism
CN106209360A (en) * 2016-07-22 2016-12-07 安徽皖通邮电股份有限公司 A kind of authentication identifying method of wildcard based on the close algorithm of state
CN108270567A (en) * 2016-12-30 2018-07-10 阿里巴巴集团控股有限公司 Informed source verification method, device and system and message method and device
CN108391266A (en) * 2018-01-03 2018-08-10 广州杰赛科技股份有限公司 Safe checking method, system and storage medium
CN108512848A (en) * 2018-03-31 2018-09-07 深圳大普微电子科技有限公司 The method and relevant apparatus of anti-replay-attack
CN108702371A (en) * 2016-03-08 2018-10-23 高通股份有限公司 System, apparatus and method for generating the addresses dynamic IP V6 for being used for safety verification
CN112543103A (en) * 2019-09-23 2021-03-23 百度在线网络技术(北京)有限公司 Account address generation method and verification method, device, equipment and medium
CN113285934A (en) * 2021-05-14 2021-08-20 鼎铉商用密码测评技术(深圳)有限公司 Server cipher machine client IP detection method and device based on digital signature
CN114666099A (en) * 2022-02-28 2022-06-24 广西柳钢东信科技有限公司 Method for realizing cross-domain trusted data communication of webpage based on signature adding and release and middleware
CN114978519A (en) * 2021-02-22 2022-08-30 中国移动通信有限公司研究院 Message sending method, signature information generation method and device
CN118157990A (en) * 2024-05-09 2024-06-07 成都清科西南科技有限公司 Petroleum engineering operation and maintenance data transmission management method and system based on Internet of things
CN118157990B (en) * 2024-05-09 2024-07-05 成都清科西南科技有限公司 Petroleum engineering operation and maintenance data transmission management method and system based on Internet of things

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102315935A (en) * 2010-07-02 2012-01-11 中国人民解放军总参谋部第六十一研究所 Wireless sensor network and computer network fused network secret key management method

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102315935A (en) * 2010-07-02 2012-01-11 中国人民解放军总参谋部第六十一研究所 Wireless sensor network and computer network fused network secret key management method

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
20080709 Yujun Zhang et al CPK-based fast authentication method in Mobile IPv6 networks 234-239页 1-10 , *
YUJUN ZHANG ET AL: "CPK-based fast authentication method in Mobile IPv6 networks", <COMPUTERS AND COMMUNICATIONS,2008. ISCC 2008>, 9 July 2008 (2008-07-09), pages 234 - 239, XP031321339 *
任远等: "一种基于CPK技术的认证方案", 《信息安全与通信保密》, no. 08, 31 August 2007 (2007-08-31) *
邢海龙等: "组合公钥CPK关键技术研究与应用", <中国优秀硕士学位论文全文数据库(电子期刊) 信息科技辑>, no. 05, 15 May 2010 (2010-05-15), pages 139 - 113 *

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105991673B (en) * 2015-01-29 2019-04-19 国家电网公司 A kind of IPv6 application-layer data transmission method with protection mechanism
CN105991673A (en) * 2015-01-29 2016-10-05 国家电网公司 IPv6 application layer data transmission method possessing protection mechanism
CN108702371A (en) * 2016-03-08 2018-10-23 高通股份有限公司 System, apparatus and method for generating the addresses dynamic IP V6 for being used for safety verification
CN106209360A (en) * 2016-07-22 2016-12-07 安徽皖通邮电股份有限公司 A kind of authentication identifying method of wildcard based on the close algorithm of state
CN108270567B (en) * 2016-12-30 2021-09-28 阿里巴巴集团控股有限公司 Message source verification method, device and system and message sending method and device
CN108270567A (en) * 2016-12-30 2018-07-10 阿里巴巴集团控股有限公司 Informed source verification method, device and system and message method and device
CN108391266A (en) * 2018-01-03 2018-08-10 广州杰赛科技股份有限公司 Safe checking method, system and storage medium
CN108391266B (en) * 2018-01-03 2021-09-17 广州杰赛科技股份有限公司 Security verification method, system and storage medium
CN108512848A (en) * 2018-03-31 2018-09-07 深圳大普微电子科技有限公司 The method and relevant apparatus of anti-replay-attack
CN112543103A (en) * 2019-09-23 2021-03-23 百度在线网络技术(北京)有限公司 Account address generation method and verification method, device, equipment and medium
CN114978519A (en) * 2021-02-22 2022-08-30 中国移动通信有限公司研究院 Message sending method, signature information generation method and device
CN113285934A (en) * 2021-05-14 2021-08-20 鼎铉商用密码测评技术(深圳)有限公司 Server cipher machine client IP detection method and device based on digital signature
CN114666099A (en) * 2022-02-28 2022-06-24 广西柳钢东信科技有限公司 Method for realizing cross-domain trusted data communication of webpage based on signature adding and release and middleware
CN114666099B (en) * 2022-02-28 2023-10-13 广西柳钢东信科技有限公司 Method for realizing webpage cross-domain trusted data communication based on encryption and decryption labels and middleware
CN118157990A (en) * 2024-05-09 2024-06-07 成都清科西南科技有限公司 Petroleum engineering operation and maintenance data transmission management method and system based on Internet of things
CN118157990B (en) * 2024-05-09 2024-07-05 成都清科西南科技有限公司 Petroleum engineering operation and maintenance data transmission management method and system based on Internet of things

Similar Documents

Publication Publication Date Title
CN102469173A (en) IPv6 (Internet Protocol Version 6) network layer credible transmission method and system based on combined public key algorithm
US6052466A (en) Encryption of data packets using a sequence of private keys generated from a public key exchange
EP0998799B1 (en) Security method and system for transmissions in telecommunication networks
US9172529B2 (en) Hybrid encryption schemes
CN101980558B (en) Method for encryption authentication on Ad hoc network transmission layer protocol
CN101442522B (en) Identification authentication method for communication entity based on combined public key
CN111416706B (en) Quantum secret communication system based on secret sharing and communication method thereof
CN105049401A (en) Secure communication method based on intelligent vehicle
CN102111273B (en) Pre-sharing-based secure data transmission method for electric load management system
CN110113150A (en) The encryption method and system of deniable authentication based on no certificate environment
CN105610773A (en) Communication encryption method of electric energy meter remote meter reading
CN102065016A (en) Message sending and receiving method and device, message processing method and system
CN103118363A (en) Method, system, terminal device and platform device of secret information transmission
CN113285959A (en) Mail encryption method, decryption method and encryption and decryption system
KR20200067265A (en) Apparatus and Method for Patterned Cipher Block for Real-Time Data Communication
Murtaza et al. A lightweight authentication and key sharing protocol for satellite communication
Hwang et al. Robust stream‐cipher mode of authenticated encryption for secure communication in wireless sensor network
WO2013039659A1 (en) Hybrid encryption schemes
CN212115340U (en) Anti-quantum computation encryption device and anti-quantum computation encryption communication system
CN114070549A (en) Key generation method, device, equipment and storage medium
US7343011B2 (en) Secure telecommunications system for wireless local area networks
Jharbade et al. Network based Security model using Symmetric Key Cryptography (AES 256–Rijndael Algorithm) with Public Key Exchange Protocol (Diffie-Hellman Key Exchange Protocol)
CN212660188U (en) Client, server quantum computation-resistant intranet access device and intranet access system
CN114553420B (en) Digital envelope packaging method based on quantum key and data secret communication network
CN114070550B (en) Information processing method, device, equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20120523