CN102594842A - Device-fingerprint-based network management message authentication and encryption scheme - Google Patents
Device-fingerprint-based network management message authentication and encryption scheme Download PDFInfo
- Publication number
- CN102594842A CN102594842A CN201210075898XA CN201210075898A CN102594842A CN 102594842 A CN102594842 A CN 102594842A CN 201210075898X A CN201210075898X A CN 201210075898XA CN 201210075898 A CN201210075898 A CN 201210075898A CN 102594842 A CN102594842 A CN 102594842A
- Authority
- CN
- China
- Prior art keywords
- message
- key
- authentication
- new local
- equipment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention relates to a device-fingerprint-based network management message authentication and encryption scheme, and belongs to the technical field of network security. A user password is protected by utilizing a device fingerprint, a new local key is generated by a message digest algorithm, and the scheme is used for the authentication and encryption of a network management message. In a message authentication process, the new local key is used for calculating a message verification code for the message to finish message signature authentication. In a message encryption process, the new local key is used for encrypting a message data unit to protect communication privacy. By the local key calculated and generated by the scheme, the network management message authentication and encryption processes are safe and reliable, and the requirements of a fusion network on device management and message communication security are met.
Description
Technical field
The present invention is webmaster message authentication and the encipherment scheme based on the equipment fingerprint towards UNE, be mainly used in solve internet message whether from validated user, whether be modified and the secret protection problem, belong to the network security technology field.
Background technology
UNE is meant the open communication network that has merged various heterogeneous networks (mobile network, fixed communication network, the Internet, cable television network and various new network) and technology, and ubiquitous property and open characteristic that it has are really provided personalized service for the user whenever and wherever possible.Increasing of expansion, number of devices and the kind of multiple network fusion back network size, construction has brought very big challenge to network security management.The authentication of terminal equipment and the fail safe of the network information are importances of network security management and the operation of each item service security thereof; Authentication mechanism restriction illegality equipment is usurped Internet resources; The leakage of encryption mechanism control Content of Communication is the basis of other security mechanisms.
Simple Network Management Protocol is since issue in 1988; Because form is simple, conveniently resolve, realize easily and these technological merits of physical difference of maskable distinct device make it become most popular network-management tool in the TCP/IP network, so in UNE, can use it to come managing network device equally.Simple Network Management Protocol adopt based on the user's security model method, authentication and encryption mechanism are provided, strengthened the fail safe of network management widely.Authentication is meant whether agency (management station) at first must acknowledge message not be changed in transmission course from management station that has the right (agency) and message when receiving message; Realize that this functional requirement management station and agency must share same local authentication key; Management station uses this key calculation Message Authentication Code; Then it is added in the message; The agency then uses same key from the information that receives, to calculate new Message Authentication Code, if these two identifying codes match each other, then this message is by authentication.Encrypted process and authentication are similar, also need management station and agency to share the encrypt and decrypt that same local cipher key is realized message.
Traditional local key generation method is; Each user has a password key; Generate unique local authentication key and encryption key for each agency again in the communication process; Detailed process: user's password is handled through Message Digest 5 obtained corresponding user key earlier, handle with the agency's who needs communication engine identification symbol user key through Message Digest 5 again, can obtain needed local key (local key==the local authentication key==the local cipher key).
Agency's engine identification symbol is the important parameter that guarantees secret key safety; It is made up of property parameters such as IP address, MAC Address, disk sequence number and the special algorithm etc. of equipment itself; Consider the complexity of device category and environment in the UNE; Simple device attribute parameter safety property is not high, needs to improve the parameter that is used to generate local key.The equipment fingerprint is the identification code that is made up of through the scrambled mode device attribute parameter, facility environment characteristic and equipment geography information; Physical equipment in can unique in real time identification UNE; So the present invention protects the user password key with it; Produce new local key, be used for the message authentication and the ciphering process of network management protocol.
Summary of the invention
Technical problem:
The purpose of this invention is to provide a kind of webmaster message authentication and encipherment scheme based on the equipment fingerprint towards UNE; Solve illegality equipment and carry out identity spoofing and protection Content of communciation leakage problem; This method is a kind of tactic method, and the method that the application of the invention proposes can effectively be protected the safety of fusion network device communication.
Technical scheme:
Method of the present invention is to utilize equipment fingerprint protection user password key; Produce new local key through Message Digest 5; This this locality key is used for the digital signature identification process of simple network management security protocol, reaches authentication, should be used for CBC-DES (cipher block chaining digital encryption standard) algorithm by this locality key again the informed source identity; Completion reaches the requirement to the communication process secret protection to the encryption of the data cell of message.
Architecture:
The present invention is based on Simple Network Management Protocol and carries out network communication; Fig. 1 has provided the form of webmaster message; Comprise header, security parameters and data three parts, wherein on behalf of the engine identification of equipment, the Engine id field accord with in the security parameters, is used for generating the needed local key of webmaster message authentication and ciphering process; The parameters for authentication of Authentication Parameters field information representing; The Message Authentication Code of using during the authentication authorization and accounting computing, the encryption parameter of Privacy Parameters field information representing, used value parameter when promptly being used for CBC-DES algorithm during cryptographic calculation and forming initialization vector.
Fig. 2 has provided improved security parameters field format, and it is compared with traditional security parameters field does not increase the message field size, but changes the engine identification in field symbol field into equipment fingerprint field, filling be the equipment finger print information.
The equipment fingerprint(DF, Device Fingerprint): be the identification code that has combined device attribute parameter, facility environment characteristic and equipment geography information to generate through the scrambled mode, the physical equipment in can unique in real time identification UNE.Protect the user password key with it; Obtain new local authentication key and encryption key through the Message Digest 5 processing; Management station's use local authentication key process Message Digest 5 processing calculates Message Authentication Code and comes signature information, uses the local cipher key that message data cell is encrypted, and carries out reverse authentication and deciphering after the agency receives message; If authentication success then think that this informed source is legal, deciphering is obtained message expressly again.
The concrete grammar flow process:
1. the local key based on the equipment fingerprint generates scheme
Each user has the password key of oneself, according to the definition of document RFC2274, through Message Digest 5 the password key hash is mapped to 8 bit user keys of one 16 byte, and next step is to be the local key that an agency generates user key.Method is; The two ends of a user key and an agency's equipment fingerprint are coupled together; Handle through a Message Digest 5; Calculate the local key of 8 bits of 16 new bytes, needed local authentication key and local cipher key when this local key is the webmaster message authentication and encrypts, the local authentication key is identical with the local cipher key.
Concrete grammar is described below:
password?<—?GetPassword?(?UserName?)
passwordLen?<—?LengthOf?(?password?)
DF?<—?GetDF?(?addr?)
DFLen?<—?LengthOf?(?DF?)
password_to_key_md5?(?password,?passwordLen,?&DF,?DFLen,?&UserKey?)
// user password password is mapped to 8 bit keys UserKey of 16 bytes
LocaKey?<—?MD5?(UserKey?+?DF?+?UserKey?)
// utilize equipment fingerprint DF to generate agency's local authentication key and encryption key
2. message authentication
The management station that initiates a message uses the equipment fingerprint parameter to generate scheme through above-mentioned key; Produce new local authentication key; With the parameters for authentication field of webmaster message with 12 8 bit 0 character strings populated after; Use this local authentication key webmaster message generation Message Authentication Code for this reason, then it is replaced the blank parameters for authentication field of message at first, message transfer.
The agency who receives message preserves the Message Authentication Code of 12 bytes earlier; The parameters for authentication field is re-set as 12 8 bit 0 character strings; Re-use the equipment finger print information in the management information bank, likewise produce new local authentication key, the reception message of resetting is calculated the Message Authentication Code that makes new advances with this key according to above-mentioned key generation scheme; These two identifying codes are compared; If equate that then the identity of this informed source is not modified in transmission course by authentication and acknowledge message, otherwise this message is dropped.
Message encryption
Cipher mode adopts the CBC-DES symmetrical encryption protocol, and the encryption parameter field in the webmaster message is " salt " value that is used to produce initialization vector.When needs are encrypted the webmaster message data cell; Be similar to message authentication process, management station at first uses the equipment fingerprint parameter to generate scheme through above-mentioned key, produces new local cipher key; This key has 16 byte-sized; Back 8 byte values of local key and " salt " value are carried out XOR obtain CBC-DES and encrypt needed initialization vector, the data cell of message is divided into the data block of 64 bits, with the plain text of each data block and the encryption ciphertext XOR of previous data block; Preceding 8 byte values that re-use the local cipher key are sentenced des encryption to the result of XOR, and this result is as the ciphertext of next data block.
When the agency receives a message after the encryption; Decrypting process is similar to ciphering process; At first the equipment finger print information in the use and management information bank generates computation schemes according to aforementioned local key and obtains local decruption key (identical with the local cipher key); Thereafter 8 byte keys and encryption parameter field " salt " XOR that receives message are obtained initialization vector, again with first ciphertext with local decruption key before 8 byte values sentence DES and decipher, result calculated and initialization vector XOR obtain first plain text data piece; Remaining cipher text data piece is similarly handled, and obtains complete plain text data piece message expressly.
Beneficial effect
The present invention is directed to local key generation problem in UNE webmaster message authentication and the ciphering process, proposed a kind of new solution, expanded the application of equipment fingerprint technique.The local key that calculates generation through the present invention makes webmaster message authentication and ciphering process more safe and reliable, and this has very important meaning in the message communication of UNE and equipment safety management.
Description of drawings
Fig. 1 simple network management message format and security parameters field.
The amended webmaster information security of Fig. 2 parameter field.
Webmaster message authentication and ciphering process in Fig. 3 UNE.
Embodiment
For describing conveniently; Make up the scene of UNE webmaster message communication earlier: management station need initiate to obtain information request like Agent010 to certain agency; Value with the management information bank object sysName.0 that obtains this agency; The user A of management station has user password password0; Storing its equipment fingerprint DF010 in agency's the management information bank, is to calculate the identification code of generation by this agency's device attribute parameter, facility environment characteristic and equipment geography information through the scrambled mode, unique device A gent010 that representing.
Provide the authentication and the ciphering process of following webmaster message according to Fig. 3:
The first step: management station initiates communication request; Owing to be that communication for the first time is not so management station has the equipment finger print information of target proxy; To obtain request message equipment fingerprint field and be changed to NULL, not issue the agency to this with the webmaster message of any authentication and encryption parameter;
Second step: the agency receives such webmaster and obtains request message; Discovering device fingerprint field is NULL, obtains request response so report an error and send to management station, has comprised this agency's equipment fingerprint in this webmaster response message; It is the value of DF010; After management station receives this response message, store this agency's equipment fingerprint DF010 value, so far accomplish carrying out shake communication for the first time;
The 3rd step: management station sends one to this agency once more and obtains request message, and with the value of the management information bank object sysName.0 that obtains this agency, the equipment fingerprint field of this webmaster message is exactly the DF010 value of second step preservation.Through Message Digest 5 user password password0 is mapped to 16 byte user keys; The two ends of user key and equipment fingerprint DF010 are coupled together the local key that calculates 16 bytes through Message Digest 5; Back 8 byte values with this local key obtain initialization vector with " salt " XOR again; Plain text data piece as this webmaster message carries out the initial value that CBC-DES encrypts; Preceding 8 byte values of local key are accomplished this message data cell and are encrypted as the key that des encryption uses.The parameters for authentication field of this message is filled with 12 8 continuous bit 0 character strings earlier; The local key that the front obtains is handled through Message Digest 5 with the webmaster message of having encrypted; Draw one 12 byte message identifying code, with the null field of this Message Authentication Code filling parameters for authentication, so far; This webmaster obtains request message and handles well, sends to the agency;
The 4th step: after the agency receives that webmaster obtains request message, carry out authentication and deciphering to message.The agency preserves its parameters for authentication field Message Authentication Code value earlier; This message authentication parameter field is arranged to 12 8 bit 0 character strings; The password password0 two ends that the equipment fingerprint DF010 that calls in the management information bank agency self then is connected in the user are handled through Message Digest 5 and are obtained the new local key of 16 bytes; Calculate through Message Digest 5 with pretreated webmaster message with this key again and generate a new Message Authentication Code; Two Message Authentication Codes are compared, if equate then confirm this webmaster message from the management station that has the right, and this message is not modified in communication process.Next cipher-text message is partly deciphered; Similar with the ciphering process in the 3rd step; Obtain parameters for authentication field " salt " value earlier, back 8 byte values of the new local key that obtains with the front carry out XOR and obtain initialization vector, with the preceding 8 byte values key that deciphering uses as DES of new local key; Completion is obtained the deciphering of request message encrypt data to this webmaster, obtains complete message clear data;
The 5th step: after acting on behalf of success identity webmaster obtaining request message with deciphering, inquire that the Name1 field is sysName.0 in the variable binding, return to management station new obtain request response; To be filled to the title of equipment be Agent010 to the Value1 field in this message; Other fields of message are complete according to the same filling of the content in the 3rd step of front, send to management station, and management station carries out authentication and deciphering after receiving message once more; Obtained the title of agent equipment; So far, this management station initiates to obtain the communication process end of solicit operation with the management information bank object sysName.0 value that obtains this agency to target proxy, has accomplished the authentication and the encryption of webmaster message.
Claims (3)
1. webmaster message authentication and encipherment scheme based on an equipment fingerprint; It is characterized in that; Utilize equipment fingerprint protection user password, generate the needed new local key of webmaster message authentication and ciphering process, in the communication process of agency and management station; Use new local authentication key to the message signature authentication, use new local cipher key that the data cell of message is encrypted.
2. message authentication according to claim 1 and encipherment scheme; It is characterized in that the method that obtains described new local key is; Device attribute parameter, facility environment characteristic parameter and equipment geography information are obtained the equipment fingerprint through the scrambled mode; User password is hashed to user key through Message Digest 5, couple together the two ends of user key and equipment fingerprint, handle calculating new local authentication key and encryption key again with a Message Digest 5.
3. message authentication according to claim 1 and encipherment scheme is characterized in that the utilization of described equipment fingerprint in message authentication and ciphering process comprises aspect following two:
1) management station uses that security parameters equipment fingerprint field generates local key in the message that receives after the carrying out shake communication for the first time, for Message Authentication Code is partly encrypted and generated to message data;
2) after the agency receives message; The equipment finger print information generates new local key in the use and management information bank, calculates new identifying code also relatively to receiving message, if mate then message authentication success; And then with new local key to the message data decryption, obtain clear-text message.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210075898XA CN102594842A (en) | 2012-03-21 | 2012-03-21 | Device-fingerprint-based network management message authentication and encryption scheme |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210075898XA CN102594842A (en) | 2012-03-21 | 2012-03-21 | Device-fingerprint-based network management message authentication and encryption scheme |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102594842A true CN102594842A (en) | 2012-07-18 |
Family
ID=46483043
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210075898XA Pending CN102594842A (en) | 2012-03-21 | 2012-03-21 | Device-fingerprint-based network management message authentication and encryption scheme |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102594842A (en) |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103678334A (en) * | 2012-09-03 | 2014-03-26 | 人人游戏网络科技发展(上海)有限公司 | Method and equipment for calculating digital digests of geographic information |
| CN105550533A (en) * | 2016-02-24 | 2016-05-04 | 成都信汇聚源科技有限公司 | Electrocardiograph information acquisition and management method |
| CN103634113B (en) * | 2013-11-26 | 2017-02-15 | 成都卫士通信息产业股份有限公司 | Encryption and decryption method and device with user/equipment identity authentication |
| CN107229857A (en) * | 2016-03-25 | 2017-10-03 | 宇龙计算机通信科技(深圳)有限公司 | The generation method and device of a kind of identifying code |
| CN107688729A (en) * | 2017-07-27 | 2018-02-13 | 大唐高鸿信安(浙江)信息科技有限公司 | Protection system of application program and method based on trusted host |
| CN109150505A (en) * | 2017-06-16 | 2019-01-04 | 苏宁云商集团股份有限公司 | A kind of information transferring method and device for SAP system |
| CN110175448A (en) * | 2019-04-28 | 2019-08-27 | 众安信息技术服务有限公司 | A kind of credible equipment login authentication method and the application system with authentication function |
| CN110768953A (en) * | 2019-09-15 | 2020-02-07 | 杭州拓深科技有限公司 | Rapid Internet of things data encryption transmission method |
| CN111010268A (en) * | 2019-11-15 | 2020-04-14 | 珠海数字动力科技股份有限公司 | Dynamic cryptographic algorithm based on time line |
| CN111294326A (en) * | 2018-12-10 | 2020-06-16 | 中国移动通信集团新疆有限公司 | Method, apparatus, device and medium for confirming system data security |
| CN111310242A (en) * | 2020-02-03 | 2020-06-19 | 同盾控股有限公司 | Method and device for generating device fingerprint, storage medium and electronic device |
| CN114915416A (en) * | 2022-04-20 | 2022-08-16 | 中金金融认证中心有限公司 | Method for encrypting file, method for verifying decryption and related products |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1771691A (en) * | 2003-05-29 | 2006-05-10 | 意大利电信股份公司 | Method, system and computer program for the secured management of network devices |
| CN101419652A (en) * | 2008-08-22 | 2009-04-29 | 航天信息股份有限公司 | Software and hardware combined program protecting method |
| CN101980558A (en) * | 2010-11-16 | 2011-02-23 | 北京航空航天大学 | Method for encryption authentication on Ad hoc network transmission layer protocol |
-
2012
- 2012-03-21 CN CN201210075898XA patent/CN102594842A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1771691A (en) * | 2003-05-29 | 2006-05-10 | 意大利电信股份公司 | Method, system and computer program for the secured management of network devices |
| CN101419652A (en) * | 2008-08-22 | 2009-04-29 | 航天信息股份有限公司 | Software and hardware combined program protecting method |
| CN101980558A (en) * | 2010-11-16 | 2011-02-23 | 北京航空航天大学 | Method for encryption authentication on Ad hoc network transmission layer protocol |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103678334A (en) * | 2012-09-03 | 2014-03-26 | 人人游戏网络科技发展(上海)有限公司 | Method and equipment for calculating digital digests of geographic information |
| CN103634113B (en) * | 2013-11-26 | 2017-02-15 | 成都卫士通信息产业股份有限公司 | Encryption and decryption method and device with user/equipment identity authentication |
| CN105550533A (en) * | 2016-02-24 | 2016-05-04 | 成都信汇聚源科技有限公司 | Electrocardiograph information acquisition and management method |
| CN107229857A (en) * | 2016-03-25 | 2017-10-03 | 宇龙计算机通信科技(深圳)有限公司 | The generation method and device of a kind of identifying code |
| CN109150505A (en) * | 2017-06-16 | 2019-01-04 | 苏宁云商集团股份有限公司 | A kind of information transferring method and device for SAP system |
| CN107688729A (en) * | 2017-07-27 | 2018-02-13 | 大唐高鸿信安(浙江)信息科技有限公司 | Protection system of application program and method based on trusted host |
| CN111294326A (en) * | 2018-12-10 | 2020-06-16 | 中国移动通信集团新疆有限公司 | Method, apparatus, device and medium for confirming system data security |
| CN110175448A (en) * | 2019-04-28 | 2019-08-27 | 众安信息技术服务有限公司 | A kind of credible equipment login authentication method and the application system with authentication function |
| CN110768953A (en) * | 2019-09-15 | 2020-02-07 | 杭州拓深科技有限公司 | Rapid Internet of things data encryption transmission method |
| CN111010268A (en) * | 2019-11-15 | 2020-04-14 | 珠海数字动力科技股份有限公司 | Dynamic cryptographic algorithm based on time line |
| CN111310242A (en) * | 2020-02-03 | 2020-06-19 | 同盾控股有限公司 | Method and device for generating device fingerprint, storage medium and electronic device |
| CN114915416A (en) * | 2022-04-20 | 2022-08-16 | 中金金融认证中心有限公司 | Method for encrypting file, method for verifying decryption and related products |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102594842A (en) | Device-fingerprint-based network management message authentication and encryption scheme | |
| CN101917270B (en) | Weak authentication and key agreement method based on symmetrical password | |
| Xie et al. | Cloud-based RFID authentication | |
| US10937339B2 (en) | Digital cryptosystem with re-derivable hybrid keys | |
| CN101677269B (en) | Method and system for transmitting keys | |
| CN108347419A (en) | Data transmission method and device | |
| CN103560879A (en) | Method for achieving lightweight authentication and key agreement | |
| CN105049401A (en) | Secure communication method based on intelligent vehicle | |
| CN107277059A (en) | A kind of one-time password identity identifying method and system based on Quick Response Code | |
| CN105025019A (en) | Data safety sharing method | |
| CN109309566B (en) | Authentication method, device, system, equipment and storage medium | |
| CN104243494A (en) | Data processing method | |
| Han et al. | A lightweight authentication mechanism between IoT devices | |
| CN102404329A (en) | Method for validating and encrypting interaction between user terminal and virtual community platform | |
| CN104486756B (en) | A kind of encryption and decryption method and system of close writing paper short message | |
| CN105162592B (en) | A kind of method and system of certification wearable device | |
| CN116709325B (en) | Mobile equipment security authentication method based on high-speed encryption algorithm | |
| CN116208330A (en) | Industrial Internet cloud-edge cooperative data secure transmission method and system based on quantum encryption | |
| KR101929355B1 (en) | Encryption and decryption system using unique serial number and symmetric cryptography | |
| KR102400260B1 (en) | In-vehicle communication system based on edge computing using attribute-based access control and method thereof | |
| JP5932709B2 (en) | Transmission side device and reception side device | |
| Sandeep et al. | A Novel Mechanism for Design and Implementation of Confidentiality in Data for the Internet of Things with DES Technique | |
| CN115242392B (en) | Method and system for realizing industrial information safety transmission based on safety transmission protocol | |
| CN103634113A (en) | Encryption and decryption method and device with user/equipment identity authentication | |
| Yoo et al. | Confidential information protection system for mobile devices |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20120718 |