CN104219217B - Security association negotiation method, device and system - Google Patents

Security association negotiation method, device and system

Publication number: CN104219217B (application CN201310221599.7A; earlier publication CN104219217A)
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 王静, 左敏, 任兰芳
Assignee: China Mobile Communications Group Co Ltd
Legal status: Active (granted)
Prior art keywords: communication, key, responder, initiator, public

Classifications (CPC)

    • H04L 63/06: Network architectures or network communication protocols for network security, for supporting key management in a packet data network
    • H04L 63/0442: Network architectures or network communication protocols for network security, for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected (e.g. by encrypting or encapsulating the payload) and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Abstract

The invention discloses a Security Association (SA) negotiation method, device and system. The method comprises the following steps: a key server generates a private key for the communication initiator and a private key for the communication responder; the communication initiator and the communication responder each encrypt the digital digest of the message to be sent into signature information using their own private key, encapsulate the signature information into the message and send it to the other party; and the communication initiator and the communication responder each determine the public key of the other party and authenticate the other party using that public key and the signature information in the message they received. The invention can solve the problems of the complex implementation process and heavy communication load of SA negotiation, and enables security supervision and lawful interception of the communication of a network running the Internet Protocol Security (IPSec) protocol suite.

Description

Security association negotiation method, device and system
Technical Field
The present invention relates to digital information transmission technologies, and in particular, to a Security Association (SA) negotiation method, device, and system.
Background
At present, the limited address space defined by Internet Protocol version 4 (IPv4) is exhausted, and this shortage will inevitably hinder the further development of the Internet; to expand the address space, network deployment based on Internet Protocol version 6 (IPv6) has been promoted step by step.
Compared with IPv4, IPv6 is improved in many respects. On the security side it supports the Internet Protocol Security (IPSec) protocol suite, so that an IPv6 network can implement end-to-end and gateway-to-gateway encrypted communication and authentication, thereby securing the network's communication.
The IPSec deployment scenarios in an IPv6 network fall into the following three types:
(1) Site-to-Site, or gateway-to-gateway: a schematic diagram is shown in fig. 1a. Three organizations of an enterprise are located at three different places on the Internet; each uses a gateway to establish IPSec tunnels with the other two, and data between the Personal Computers (PCs) in the enterprise intranets is securely interconnected through the IPSec tunnels established by the gateways.
(2) End-to-End, or PC-to-PC: the communication between two PCs is protected by an IPSec session between the two PCs themselves rather than by a gateway.
(3) End-to-Site, or PC-to-gateway: the communication between a remote PC and a PC behind a gateway is protected by an IPSec session between the gateway and the remote PC.
When IPSec is deployed in an IPv6 network, mobile terminals have difficulty supporting the protocol, so in the initial application stage of IPv6 IPSec is mainly deployed gateway-to-gateway, in two main cases:
(1) IPv6 traffic traversing an IPv4 network: fig. 1b is a schematic diagram of this case. Host A on one IPv6 island communicates with host B on another IPv6 island; the two islands are connected through gateway A and gateway B, and the two gateways communicate across the IPv4 network through an IPSec tunnel;
(2) deployment within an IPv6 network: fig. 1c is a schematic diagram of IPv6 traffic traversing an IPv6 network. Host A on one IPv6 island communicates with host B on another IPv6 island; the two islands are connected through gateway A and gateway B, and the two gateways communicate across the IPv6 network through an IPSec tunnel.
However, when IPSec is adopted to secure communication in an IPv6 network, the protocol's own demands on resources and network performance create great resistance to real deployment, in the following respects:
First, the IPSec protocol suite specifies that its key agreement requires support for a public key system and a certificate system, which obliges each IPSec endpoint to issue, manage and verify certificates; the implementation process is too complex and the communication load is heavy.
Taking the gateway-to-gateway scenario as an example, the IPSec deployment process comprises two phases:
Phase one: Internet Key Exchange (IKE) SA negotiation between the gateways, i.e. establishing an IKE Security Association (SA) to protect the subsequent IPSec SA negotiation between them;
Phase two: IPSec SA negotiation between the gateways, i.e. establishing the IPSec SA that protects subsequent traffic between them.
In phase one, policy negotiation, key material exchange and authentication are carried out through six messages exchanged between the gateways (the six-message exchange is IKEv1 main mode), and the certificate used for authentication costs additional communication overhead: a gateway either encapsulates a certificate payload into a message sent to the peer (the other gateway performing the SA negotiation) or informs the peer of the certificate information through prior negotiation, so the implementation is too complex and the communication load heavy. Moreover, when one gateway needs to perform SA negotiation with multiple gateways, it must validate the certificates of each of them, which involves interoperation between the certificate authorities (CAs), the systems that distribute the different public keys, and IPSec vendors also need to interoperate, which again complicates implementation and increases the communication load.
Second, the IPSec protocol suite specifies that communication between IPSec endpoints is encrypted, which to some extent shields it from security supervision and lawful interception; until IPSec security supervision is reasonably solved, a network based on IPSec in an IPv6 environment is difficult to truly deploy.
In summary, how to solve the complex implementation flow and heavy communication load of SA negotiation, and how to perform security supervision and lawful interception on the communication of a network running IPSec, have become problems that urgently need solving.
Disclosure of Invention
In view of this, the main objective of the present invention is to provide an SA negotiation method, device and system, which can solve the problems of complex implementation process and heavy communication load of SA negotiation, and can perform security supervision and lawful interception on the communication of a network in which an IPSec protocol is deployed.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
The invention provides an SA negotiation method, in which a key server is deployed for key management; the method comprises the following steps:
the key server respectively generates a private key corresponding to the communication initiator and a private key corresponding to the communication responder for the communication initiator and the communication responder;
the communication initiator and the communication responder encrypt the digital digests of respective messages to be sent into signature information by using respective private keys, and the signature information is packaged into the messages to be sent and sent to the other party;
and the communication initiator and the communication responder respectively determine a public key of the other party and authenticate the other party by utilizing the determined public key of the other party and the signature information in the messages respectively received.
Preferably, the key server generates a private key corresponding to the communication initiator and a private key corresponding to the communication responder for the communication initiator and the communication responder respectively, and the key server includes:
the key server generates a master key, determines a private key corresponding to the communication initiator according to the master key and the ID of the communication initiator, and determines a private key corresponding to the communication responder according to the master key and the ID of the communication responder;
the determining, by the communication initiator and the communication responder, public keys of each other includes:
the key server generates public parameters and respectively sends the public parameters to the communication initiator and the communication responder;
and the communication initiator and the communication responder determine the public key of the other party according to the ID of the other party and the public parameter sent by the key server.
Preferably, the method further comprises: the key server further transmits the Diffie-Hellman (DH) public value and the random number of the other party to the communication initiator and the communication responder, respectively;
correspondingly, the communication initiator and the communication responder each determine an encryption key and an integrity key from the received DH public value and random number, encrypt the messages they send with their encryption key, and perform an integrity check on the messages they receive with their integrity key.
Preferably, authenticating the other party using the determined public key and the signature information in the received message includes: the communication initiator and the communication responder each recover the digital digest from the signature information in the received message using the determined public key, and authentication is deemed successful when the recovered digest matches the digest computed from the ID of the other party and the DH public value sent by the key server.
Preferably, after the communication initiator and the communication responder successfully authenticate the other party, the method further includes: and the communication initiator and the communication responder encrypt the sent messages by the encryption key and carry out integrity check on the received messages by the integrity key.
Preferably, the method further comprises: the communication initiator forwards an IPSec strategy negotiation message to the communication responder through the key server, and the communication responder forwards an IPSec strategy negotiation result message to the communication initiator through the key server;
wherein, the IPSec policy negotiation packet and the IPSec policy negotiation result packet carry a random number, a Security Parameter Index (SPI), and protocol information of a sender;
correspondingly, the key server determines an encryption key and an integrity key used when the communication initiator and the communication responder perform data communication according to the random number, the SPI and the protocol information carried by the IPSec policy negotiation message or according to the random number, the SPI and the protocol information carried by the IPSec policy negotiation result message.
The present invention also provides a key server, comprising a key generation unit and a first communication unit, wherein:
the key generation unit is used for respectively generating a private key corresponding to the communication initiator and a private key corresponding to the communication responder for a communication initiator in the communication equipment and a communication responder in the communication equipment;
the first communication unit is configured to correspondingly send the private key generated by the key generation unit to the communication initiator and the communication responder.
Preferably, the key generating unit is further configured to generate a master key, determine a private key corresponding to the communication initiator according to the master key and the ID of the communication initiator, and determine a private key corresponding to the communication responder according to the master key and the ID of the communication responder.
Preferably, the first communication unit is further configured to send the DH public value and the random number of the other party to the communication initiator and the communication responder, respectively.
Preferably, the first communication unit further sends the IPSec policy negotiation packet from the communication initiator to the communication responder, and sends the IPSec policy negotiation result packet from the communication responder to the communication initiator;
the key generation unit is further configured to determine an encryption key and an integrity key used when the communication initiator and the communication responder perform data communication according to the random number, the SPI, and the protocol information carried in the IPSec policy negotiation packet received by the first communication unit, or according to the random number, the SPI, and the protocol information carried in the IPSec policy negotiation result packet received by the first communication unit.
The present invention also provides a communication device, comprising a second communication unit and an authentication unit, wherein:
the second communication unit is used for encrypting the digital abstract of the message to be sent into signature information by using a local private key, packaging the signature information into the message to be sent and sending the message to the opposite communication equipment;
and the authentication unit is used for determining a public key of the communication equipment of the other party and authenticating the communication equipment of the other party by using the determined public key and the signature information in the message received by the second communication unit.
Preferably, the authentication unit is further configured to determine the public key of the counterpart communication device according to the ID of the counterpart communication device and the public parameter generated by the key server.
Preferably, the second communication unit is further configured to receive a DH public value and a random number of the counterpart communication device, which are sent by the key server;
the authentication unit is further configured to determine an encryption key and an integrity key according to the DH public value and the random number of the opposite communication device received by the second communication unit, encrypt a message to be sent by the second communication unit using the encryption key, and perform integrity check on the message received by the second communication unit using the integrity key.
Preferably, the authentication unit is further configured to decrypt, according to the determined public key, the signature information in the message received by the second communication unit, and when the decrypted digital digest is consistent with the digital digest determined according to the ID of the opposite communication device and the DH public value received by the second communication unit, it is determined that the authentication is successful.
Preferably, the second communication unit is further configured to encrypt the sent message with the encryption key determined by the authentication unit, and perform integrity check on the received message with the integrity key determined by the authentication unit.
Preferably, the second communication unit is further configured to send an IPSec policy negotiation packet or an IPSec policy negotiation result packet to the key server, where the IPSec policy negotiation packet and the IPSec policy negotiation result packet carry a random number, an SPI, and protocol information of a sender.
The invention also provides an SA negotiation system, which comprises a key server and a communication device, wherein:
the key server is used for generating a private key corresponding to the communication equipment for the communication equipment;
the communication equipment is used for encrypting the digital abstract of the message to be sent into signature information by using a local private key, packaging the signature information into the message to be sent and sending the message to the opposite communication equipment; and determining a public key of the communication equipment of the other party, and authenticating the communication equipment of the other party by using the determined public key and the signature information in the received message.
Preferably, the key server comprises a key generation unit and a first communication unit, and the communication device comprises a second communication unit and an authentication unit; the functions of the units are as described above.
According to the technical scheme of the invention, when a communication initiator performs SA negotiation with a plurality of communication responders, the key server generates the corresponding keys for the initiator and all responders in a unified way, so the implementation process is simple and the communication load is low; and since the key server determines the encryption key and integrity key used between the communication initiator and the communication responder from the random number, the SPI and the protocol information carried in the negotiation messages of the two parties, security supervision and lawful interception of the two parties' communication can be realized.
Drawings
Fig. 1a is a schematic diagram of a scenario in which an IPSec protocol is deployed from a site to a site or from a gateway to a gateway;
fig. 1b is a schematic diagram illustrating a scenario in which an IPSec protocol is deployed when IPv6 network traffic traverses an IPv4 network;
fig. 1c is a schematic diagram illustrating a scenario in which an IPSec protocol is deployed when IPv6 network traffic traverses an IPv6 network;
fig. 2 is a schematic diagram illustrating an implementation flow of an SA negotiation method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating a structure of an SA negotiation system according to an embodiment of the present invention;
FIG. 4 is a first schematic flowchart illustrating an implementation of SA negotiation according to an embodiment of the present invention;
fig. 5 is a second schematic flowchart illustrating an implementation of SA negotiation according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
An embodiment of the present invention describes an SA negotiation method, and fig. 2 is a schematic flowchart illustrating an implementation process of the SA negotiation method according to the embodiment of the present invention, and as shown in fig. 2, the SA negotiation method includes:
step 201: the key server respectively generates a private key corresponding to the communication initiator and a private key corresponding to the communication responder for the communication initiator and the communication responder;
the key server is arranged for key management.
Preferably, the key server generates a master key, determines a private key corresponding to the communication initiator according to the master key and an Identity (ID) of the communication initiator, and determines a private key corresponding to the communication responder according to the master key and the ID of the communication responder;
step 202: the communication initiator and the communication responder encrypt the digital digests of respective messages to be sent into signature information by using respective private keys, and the signature information is packaged into the messages to be sent and sent to the other party;
preferably, the key server generates public parameters and sends the public parameters to the communication initiator and the communication responder respectively; and the communication initiator and the communication responder determine the public key of the other party according to the ID of the other party and the public parameter sent by the key server.
Preferably, the key server further sends DH public value and random number of the other party to the communication initiator and the communication responder, respectively;
correspondingly, the communication initiator and the communication responder respectively determine an encryption key and an integrity key according to the received DH public value and the random number, encrypt the message to be sent in step 202 by using the respective determined encryption key, and perform integrity check on the received message by using the respective determined integrity key.
Step 203: and the communication initiator and the communication responder respectively determine a public key of the other party and authenticate the other party by utilizing the determined public key of the other party and the signature information in the messages respectively received.
Preferably, the communication initiator and the communication responder decrypt the signature information in the received messages according to the determined public key, and when the decrypted digital digest is consistent with the digital digest determined according to the ID of the other party and the DH public value sent by the key server, it is determined that the authentication is successful.
Preferably, after the communication initiator and the communication responder successfully authenticate the other party, the communication initiator and the communication responder encrypt the sent messages by using the encryption key, and perform integrity check on the received messages by using the integrity key.
Preferably, the communication initiator forwards the IPSec policy negotiation packet to the communication responder through the key server, and the communication responder forwards the IPSec policy negotiation result packet to the communication initiator through the key server;
the IPSec policy negotiation message and the IPSec policy negotiation result message carry a random number, an SPI and protocol information of a sender;
correspondingly, the key server determines an encryption key and an integrity key used when the communication initiator and the communication responder perform data communication according to the random number, the SPI and the protocol information carried by the IPSec policy negotiation message or according to the random number, the SPI and the protocol information carried by the IPSec policy negotiation result message.
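The procedure of steps 201 to 203 above (and its restatement in the Disclosure of Invention), together with the preferred DH/nonce key derivation and the random number, SPI and protocol inputs of the IPSec policy negotiation packets, as an added worked example. This is not code from the patent and not the assignee's implementation. The patent fixes no concrete identity-based scheme, so the following are assumptions of the example: the "encrypt the digest with the private key" step is realised with Shamir's RSA-based identity-based signature (1984), in which the key server's master key is an RSA private exponent and a peer's public key is simply a hash of its ID under the public parameters; the moduli are built from small Mersenne primes so the code runs instantly (these sizes are insecure and for illustration only); the DH group is a toy group published by the key server alongside the public parameters; and the key-derivation formulas are IKE-style HMAC constructions. The names KeyServer, Gateway, sign_auth, authenticate_peer, derive_keys, ipsec_sa_keys and the IDs gateway1.example / gateway2.example are hypothetical.

```python
"""Added example, not code from the patent: one round of the identity-based SA
negotiation in the shape of steps 201-203 plus the preferred DH/nonce key
derivation. Assumptions (the patent fixes no concrete scheme): Shamir's RSA-based
identity-based signature over toy Mersenne-prime moduli (insecure sizes, for
illustration only), a toy DH group published by the key server, IKE-style prf."""
import hashlib
import hmac
import secrets

E = 65537
M89, M107, M127 = (1 << 89) - 1, (1 << 107) - 1, (1 << 127) - 1  # Mersenne primes


def _h_id(identity: str, n: int) -> int:
    """Map an ID into Z_n: this value plays the role of the peer's public key."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % n


def _h_msg(t: int, message: bytes) -> int:
    """Digest binding the signature commitment t to the signed message."""
    return int.from_bytes(hashlib.sha256(t.to_bytes(32, "big") + message).digest(), "big")


class KeyServer:
    """Step 201: the master key stays here; private keys are derived from (master key, ID)."""

    def __init__(self):
        p, q = M89, M107                                  # toy RSA factors (assumption)
        self._d = pow(E, -1, (p - 1) * (q - 1))          # master key, never leaves the server
        # public parameters handed to every peer; the DH group is an assumption of the example
        self.params = {"n": p * q, "e": E, "dh_p": M127, "dh_g": 3}

    def issue_private_key(self, identity: str) -> int:
        """Private key = H(ID)^d mod n: a function of the master key and the ID only."""
        return pow(_h_id(identity, self.params["n"]), self._d, self.params["n"])


class Gateway:
    """A communication initiator or responder registered with the key server."""

    def __init__(self, identity: str, key_server: KeyServer):
        self.id, self.params = identity, key_server.params
        self._priv = key_server.issue_private_key(identity)   # delivered by the key server
        self._x = secrets.randbelow(self.params["dh_p"] - 2) + 1
        self.dh_public = pow(self.params["dh_g"], self._x, self.params["dh_p"])
        self.nonce = secrets.token_bytes(16)

    @staticmethod
    def _auth_input(identity: str, dh_public: int) -> bytes:
        # the method authenticates the sender's ID together with its DH public value
        return identity.encode() + b"|" + dh_public.to_bytes(16, "big")

    def sign_auth(self) -> tuple:
        """Step 202: signature on the digest with the ID-derived private key (Shamir IBS)."""
        n, e = self.params["n"], self.params["e"]
        r = secrets.randbelow(n - 2) + 2
        t = pow(r, e, n)
        h = _h_msg(t, self._auth_input(self.id, self.dh_public))
        return t, (self._priv * pow(r, h, n)) % n

    def authenticate_peer(self, peer_id: str, peer_dh_public: int, sig: tuple) -> bool:
        """Step 203: the peer's public key is H(ID) under the public params; no certificate."""
        n, e = self.params["n"], self.params["e"]
        t, s = sig
        h = _h_msg(t, self._auth_input(peer_id, peer_dh_public))
        return pow(s, e, n) == (_h_id(peer_id, n) * pow(t, h, n)) % n

    def derive_keys(self, peer_dh_public: int, ni: bytes, nr: bytes) -> dict:
        """Encryption/integrity keys from the DH secret and both nonces (IKE-style prf)."""
        shared = pow(peer_dh_public, self._x, self.params["dh_p"]).to_bytes(16, "big")
        seed = hmac.new(ni + nr, shared, hashlib.sha256).digest()

        def prf(label: bytes) -> bytes:
            return hmac.new(seed, label + ni + nr, hashlib.sha256).digest()

        return {"sk_d": prf(b"d"), "enc": prf(b"e"), "int": prf(b"a")}


def protect(msg: bytes, int_key: bytes) -> bytes:
    """Append the integrity tag; the negotiated cipher (not shown) would encrypt msg first."""
    return msg + hmac.new(int_key, msg, hashlib.sha256).digest()


def check(blob: bytes, int_key: bytes):
    """Return the message, or None when the integrity check fails."""
    msg, tag = blob[:-32], blob[-32:]
    good = hmac.compare_digest(tag, hmac.new(int_key, msg, hashlib.sha256).digest())
    return msg if good else None


def ipsec_sa_keys(sk_d: bytes, protocol: int, spi: bytes, ni: bytes, nr: bytes) -> dict:
    """Data-SA keys from the fields the policy negotiation packets carry (random number,
    SPI, protocol). sk_d comes from the authenticated exchange; the page does not say how
    the key server obtains the equivalent secret, so that side is not modelled here."""
    mat = hmac.new(sk_d, bytes([protocol]) + spi + ni + nr, hashlib.sha256).digest()
    return {"enc": mat[:16], "int": mat[16:]}


def run_negotiation() -> dict:
    """One full round between two gateways registered with the same key server."""
    ks = KeyServer()
    gw1, gw2 = Gateway("gateway1.example", ks), Gateway("gateway2.example", ks)
    ni, nr = gw1.nonce, gw2.nonce
    sig1, sig2 = gw1.sign_auth(), gw2.sign_auth()
    # each side receives (peer ID, peer DH value, peer nonce, signature) via the key server
    auth = gw2.authenticate_peer(gw1.id, gw1.dh_public, sig1) and \
        gw1.authenticate_peer(gw2.id, gw2.dh_public, sig2)
    # a relay that swaps in its own DH value cannot produce a valid signature for gw1's ID
    forged = gw2.authenticate_peer(gw1.id, gw1.dh_public ^ 1, sig1)
    k1 = gw1.derive_keys(gw2.dh_public, ni, nr)
    k2 = gw2.derive_keys(gw1.dh_public, ni, nr)
    return {"auth": auth, "forged_rejected": not forged, "keys_match": k1 == k2,
            "keys": k1, "ni": ni, "nr": nr}


if __name__ == "__main__":
    print(run_negotiation()["auth"])
```

Because every private key is a function of the master key and an ID, whoever holds the master key can derive any peer's private key and sign as that peer; that is what lets the key server act as the supervision point in the method, and it is also why the master key is the single point of compromise of the whole system. Peers still need a trustworthy channel to the key server for private-key delivery and for the relayed DH values and nonces, which the page describes but does not specify.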
An SA negotiation system is further described in the embodiment of the present invention; fig. 3 is a schematic structural diagram of the SA negotiation system, which, as shown in fig. 3, comprises a communication device 31 and a key server 32, wherein:
the key server 32 is configured to generate a private key corresponding to the communication device 31 for the communication device 31;
the communication device 31 is configured to encrypt the digital digest of the message to be sent into signature information by using a local private key, package the signature information into the message to be sent, and send the message to the opposite communication device 31; the public key of the counterpart communication device 31 is determined, and the counterpart communication device 31 is authenticated using the determined public key and the signature information in the received message.
The key server 32 includes a key generation unit 321 and a first communication unit 322, wherein:
the key generating unit 321 is configured to generate a private key corresponding to the communication initiator and a private key corresponding to the communication responder for the communication initiator in the communication device 31 and the communication responder in the communication device 31, respectively;
the first communication unit 322 is configured to correspondingly send the private key generated by the key generation unit 321 to the communication initiator and the communication responder.
The key generating unit 321 is further configured to generate a master key, determine a private key corresponding to the communication initiator according to the master key and the ID of the communication initiator, and determine a private key corresponding to the communication responder according to the master key and the ID of the communication responder.
The first communication unit 322 is further configured to send a DH public value and a random number of the other party to the communication initiator and the communication responder, respectively.
The first communication unit 322 is further configured to send the IPSec policy negotiation packet from the communication initiator to the communication responder, and send the IPSec policy negotiation result packet from the communication responder to the communication initiator;
the key generating unit 321 is further configured to determine an encryption key and an integrity key used when the communication initiator and the communication responder perform data communication according to the random number, the SPI, and the protocol information carried in the IPSec policy negotiation packet received by the first communication unit 322, or according to the random number, the SPI, and the protocol information carried in the IPSec policy negotiation result packet received by the first communication unit 322.
The communication device 31 includes a second communication unit 311 and an authentication unit 312, wherein:
the second communication unit 311 is configured to encrypt the digital digest of the message to be sent into signature information by using a local private key, package the signature information into the message to be sent, and send the message to the opposite communication device 31;
the authentication unit 312 is configured to determine a public key of the opposite communication device 31, and authenticate the opposite communication device 31 by using the determined public key and the signature information in the message received by the second communication unit 311.
The authentication unit 312 is further configured to determine the public key of the opposite communication device 31 according to the ID of the opposite communication device 31 and the public parameter generated by the key server 32.
The second communication unit 311 is further configured to receive a DH public value and a random number of the counterpart communication device 31 sent by the key server 32;
the authentication unit 312 is further configured to determine an encryption key and an integrity key according to the DH public value and the random number of the opposite communication device 31 received by the second communication unit 311, encrypt, by using the encryption key, a message to be sent by the second communication unit 311, and perform integrity check on the message received by the second communication unit 311 by using the integrity key.
The authenticating unit 312 is further configured to decrypt the signature information in the message received by the second communicating unit 311 according to the determined public key, and determine that the authentication is successful when the decrypted digital digest is consistent with the digital digest determined according to the ID of the opposite communication device 31 and the DH public value received by the second communicating unit 311.
The second communication unit 311 is further configured to encrypt the sent message with the encryption key determined by the authentication unit 312, and perform integrity check on the received message with the integrity key determined by the authentication unit 312.
The second communication unit 311 is further configured to send an IPSec policy negotiation packet or an IPSec policy negotiation result packet to the key server 32, where the IPSec policy negotiation packet and the IPSec policy negotiation result packet carry a random number, an SPI, and protocol information of a sender.
Fig. 4 is a first schematic flow chart illustrating an implementation process of security association negotiation according to an embodiment of the present invention, as shown in fig. 4, including the following steps:
Steps 401 to 402: gateway 1 (initiator) and gateway 2 (responder) carry out policy negotiation, that is, gateway 1 sends a policy proposal to gateway 2, and gateway 2 returns a matched policy to gateway 1;
in step 401, gateway 1 sends one or more sets of policy proposals to gateway 2; the proposals are encapsulated in the SA payload of the message, which also carries the header (HDR) defined by the Internet Security Association and Key Management Protocol (ISAKMP);
here, the SA payload includes one or more sets of policy proposals, each of which covers five items: the encryption algorithm, the hash algorithm, the Diffie-Hellman (DH) key exchange algorithm, the authentication method, and the IKE SA lifetime.
In step 402, gateway 2 looks up locally a policy matching the proposal in the SA payload of the received packet and, once matched, sends gateway 1 a packet encapsulating the HDR and an SA payload containing the matched policy information.
Step 403: gateway 1 requests from the key server its own private key Pri1, the public parameter params generated by the key server, and the DH public value g^xr and random number Nr of gateway 2, and sends its own DH public value g^xi and random number Ni to the key server.
Here Pri1 = Fuc(MasterKey, IDi), where IDi is the ID of gateway 1, MasterKey is a master key generated by the key server, and Fuc() denotes multiplication of a point on a preset elliptic curve by an integer; Pri1 (private key) and Pub1 (public key) form the key pair of gateway 1.
The DH public value of a gateway includes the address and port information bound to that gateway.
Step 404: the key server forwards gateway 1's request for g^xr and Nr to gateway 2, and sends params, the private key Pri2 corresponding to gateway 2, g^xr and Nr to gateway 2.
Here Pri2 = Fuc(MasterKey, IDr), where IDr is the ID of gateway 2; Pri2 (private key) and Pub2 (public key) form the key pair of gateway 2.
Step 405: the gateway 2 sends g ^ xr and Nr to the key server;
step 406: the key server sends params, Pri1, g ^ xr and Nr to the gateway 1;
step 407: gateway 1 and gateway 2 each determine the public key of the other side from the other side's ID and the public parameter params, and derive the key material;
the public key Pub2 of gateway 2 is Fuc(params, IDr), and the public key Pub1 of gateway 1 is Fuc(params, IDi).
Gateway 1 and gateway 2 determine the first key material SKEYID = prf(Ni_b | Nr_b, g^xy) from g^xi, g^xr, Ni and Nr, and derive the following key material from SKEYID:
SKEYID_d=prf(SKEYID,g^xy|CKY-I|CKY-R|0) (1)
prf () is a hash function used to derive key material.
SKEYID_d is used to derive the new key material for encryption in the second-stage IPSec SA negotiation;
SKEYID_a=prf(SKEYID,SKEYID_d|g^xy|CKY-I|CKY-R|1) (2)
SKEYID_a is the integrity key, used in this embodiment for integrity checking of the IKE SA negotiation messages after step 407 and of the second-stage IPSec SA negotiation messages;
SKEYID_e=prf(SKEYID,SKEYID_a|g^xy|CKY-I|CKY-R|2) (3)
SKEYID_e is the encryption key, used in this embodiment to encrypt the IKE SA negotiation packets after step 407 and the second-stage IPSec SA negotiation packets.
Step 408: gateway 2 authenticates gateway 1;
taking authentication with a digital signature as an example, gateway 1 determines the digital digest HASH_I of the message to be sent to gateway 2 according to the following formula:
HASH_I=prf(SKEYID,g^xi|g^xr|CKY-I|CKY-R|SAi_b|IDi_b) (4)
gateway 1 encrypts HASH_I with Pri1 to produce the signature SIG_I, encapsulates the SIG_I payload and the IDi payload into the message to be sent, encrypts the payloads with the SKEYID_e determined in step 407, and sends the encrypted payloads to gateway 2;
gateway 2 determines HASH_I according to formula (4), decrypts SIG_I with the Pub1 determined in step 407, and compares the decrypted HASH_I with the HASH_I from formula (4); if they match, gateway 1 is authenticated successfully, otherwise the process is aborted.
Step 409: gateway 1 authenticates gateway 2;
taking authentication with a digital signature as an example, gateway 2 determines the digital digest HASH_R of the message to be sent to gateway 1 according to the following formula:
HASH_R=prf(SKEYID,g^xr|g^xi|CKY-R|CKY-I|SAi_b|IDr_b) (5)
gateway 2 encrypts HASH_R with Pri2 to produce the signature SIG_R, encapsulates the SIG_R payload and the IDr payload into the message to be sent, encrypts the payloads with the SKEYID_e determined in step 407, and sends the encrypted payloads to gateway 1;
gateway 1 determines HASH_R according to formula (5), decrypts SIG_R with the Pub2 determined in step 407, and compares the decrypted HASH_R with the HASH_R from formula (5); if they are identical, gateway 2 is authenticated successfully, otherwise the process is aborted.
Second stage: IPSec SA negotiation between the gateways.
Fig. 5 is a schematic diagram illustrating a second implementation flow of security association negotiation according to an embodiment of the present invention, as shown in fig. 5, including the following steps:
step 501: the gateway 1 sends an SA negotiation message to the key server;
the negotiation packet encapsulates the HDR, a HASH[1] payload, an SA payload (containing the IPSec policy proposal) and a random number (NONCE) payload, and may further encapsulate DH, KE and ID payloads; the NONCE payload carries the random number Ni of gateway 1, the DH payload carries the DH public value of gateway 1, and HASH[1] is determined according to formula (6):
HASH[1]=prf(SKEYID_a,M-ID|SA|Ni[|KE][|IDci|IDcr]) (6)
the HDR indicates that the payloads in the message are encrypted for transmission with the SKEYID_e determined in step 407 of the first stage; the HASH[1] payload carries the HASH_I recomputed by gateway 1 according to formula (4), and gateway 2 uses it for an integrity check that re-authenticates gateway 1; the IPSec SA policy includes the security protocol (AH or ESP), the SPI, the hash algorithm, the mode (tunnel or transport) and the IPSec SA lifetime;
the payloads in the message are integrity checked with the SKEYID_a determined in step 407 of the first stage.
Step 502: the key server forwards the message of step 501 to the gateway 2;
step 503: the gateway 2 returns a message carrying the negotiation result to the key server;
gateway 2 looks up locally a policy matching the proposal in the message forwarded by the key server, and returns a message carrying the matching result to the key server.
The message returned by gateway 2 encapsulates an SA payload (containing the result of matching the IPSec policy proposal), a NONCE payload (containing the random number Nr of gateway 2) and a HASH[2] payload; the HASH[2] payload carries the HASH_R recomputed by gateway 2 according to formula (5). When the message received by gateway 2 encapsulated DH, KE and ID payloads, the message gateway 2 sends to the key server likewise encapsulates DH, KE and ID payloads, and HASH[2] is determined according to formula (7):
The payloads encapsulated in the message returned by gateway 2 are encrypted with the encryption key SKEYID_e and integrity checked with the integrity key SKEYID_a, both determined in step 407 of the first stage.
Gateway 2 derives the new key material KEYMAT from the random number Ni carried in the message and then derives keys from KEYMAT, specifically as follows:
if perfect forward secrecy (PFS) is not required and the received message does not encapsulate a KE payload, the new key material is determined according to formula (8):
KEYMAT=prf(SKEYID_d,protocol|SPI|Ni_b|Nr_b) (8)
if PFS is required and the received message encapsulates a KE payload, the new key material is determined according to formula (9):
KEYMAT=prf(SKEYID_d,g(qm)^xy|protocol|SPI|Ni_b|Nr_b) (9)
where protocol and SPI are taken from the SA payload.
Based on the new key material, KEYMAT is substituted for SKEYID in formulas (1), (2) and (3) to determine new SKEYID_e and SKEYID_a; the messages exchanged in the subsequent communication between gateway 1 and gateway 2 are encrypted with this SKEYID_e and integrity checked with this SKEYID_a.
Step 504: the key server transmits the message returned by the gateway 2 to the gateway 1;
step 505: gateway 1 sends an acknowledgement message to gateway 2.
The packet encapsulates a HASH[3] payload, which confirms that the packet of gateway 2 was received and proves that gateway 1 is active, that is, that the packet sent by gateway 1 in step 501 was not forged; HASH[3] is determined according to formula (10):
HASH[3]=prf(SKEYID_a,0|M-ID|Ni_b|Nr_b) (10)
in this embodiment, the parameters of equations (1) to (10) are defined in the same manner as in the specification RFC 2409.
Gateway 1 re-derives the key material KEYMAT from the Nr in the message and derives new SKEYID_e and SKEYID_a from KEYMAT, with the same processing as in step 503; gateway 1 and gateway 2 then encrypt the payloads of their subsequent messages with this SKEYID_e and integrity check them with this SKEYID_a.
In the above interaction, the key server stores the SA payloads and the random numbers Ni and Nr from the messages sent by gateway 1 and gateway 2; when the communication between the two gateways needs to be supervised, it determines KEYMAT according to step 502 and substitutes KEYMAT for the parameter SKEYID in formulas (1), (2) and (3) to determine the new SKEYID_e and SKEYID_a, so that the encrypted data exchanged by gateway 1 and gateway 2 can be decrypted, achieving supervision of their communication.
After step 505, gateway 1 and gateway 2 secure the communication session and data via SKEYID _ e and SKEYID _ a negotiated at the second stage.
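The key-derivation chain of steps 407 to 409 and 503 to 505, carried through in runnable form as an added example that is not part of the patent: HMAC-SHA256 is assumed as prf, every nonce, cookie, DH value, ID, SPI and protocol byte is a constructed sample, and the identity-based signature over HASH_I/HASH_R (Pri1/Pub1) is left out, so each side only recomputes and compares the digest.

```python
"""Added worked example of formulas (1)-(5) and (8)-(10); not the patent's code.
HMAC-SHA256 stands in for prf (an assumption), and all inputs are constructed."""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed pseudo-random function; HMAC-SHA256 is an assumption."""
    return hmac.new(key, data, hashlib.sha256).digest()


def skeyid(ni_b: bytes, nr_b: bytes, g_xy: bytes) -> bytes:
    """Step 407: SKEYID = prf(Ni_b | Nr_b, g^xy)."""
    return prf(ni_b + nr_b, g_xy)


def derive_keys(base: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """Formulas (1)-(3). `base` is SKEYID in stage one; in stage two the
    gateways substitute KEYMAT for SKEYID (step 503) and rerun the chain."""
    d = prf(base, g_xy + cky_i + cky_r + b"\x00")      # (1) SKEYID_d
    a = prf(base, d + g_xy + cky_i + cky_r + b"\x01")  # (2) SKEYID_a, integrity
    e = prf(base, a + g_xy + cky_i + cky_r + b"\x02")  # (3) SKEYID_e, encryption
    return {"d": d, "a": a, "e": e}


def hash_i(sk, g_xi, g_xr, cky_i, cky_r, sai_b, idi_b) -> bytes:
    """Formula (4): the digest gateway 1 signs with Pri1."""
    return prf(sk, g_xi + g_xr + cky_i + cky_r + sai_b + idi_b)


def hash_r(sk, g_xi, g_xr, cky_i, cky_r, sai_b, idr_b) -> bytes:
    """Formula (5): the digest gateway 2 signs with Pri2 (operands swapped)."""
    return prf(sk, g_xr + g_xi + cky_r + cky_i + sai_b + idr_b)


def keymat(sk_d, protocol, spi, ni_b, nr_b, g_qm_xy=None) -> bytes:
    """Formula (8) without PFS; formula (9) when a KE payload carried g(qm)^xy."""
    if g_qm_xy is None:
        return prf(sk_d, protocol + spi + ni_b + nr_b)
    return prf(sk_d, g_qm_xy + protocol + spi + ni_b + nr_b)


def hash3(sk_a, m_id, ni_b, nr_b) -> bytes:
    """Formula (10): HASH[3] = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)."""
    return prf(sk_a, b"\x00" + m_id + ni_b + nr_b)


def run_negotiation(pfs: bool = False) -> dict:
    """Run both gateways through stage one and stage two on constructed inputs
    and report whether they agree and whether a tampered digest is rejected."""
    # Constructed stage-one values both gateways hold after steps 403-406.
    ni_b, nr_b = b"\x11" * 16, b"\x22" * 16      # Ni, Nr
    cky_i, cky_r = b"\xa1" * 8, b"\xb2" * 8      # ISAKMP cookies CKY-I, CKY-R
    g_xi, g_xr = b"\x03" * 32, b"\x04" * 32      # DH public values
    g_xy = b"\x05" * 32                          # shared DH secret (constructed)
    sai_b, idi_b, idr_b = b"SA-proposal", b"gateway1", b"gateway2"

    # Step 407 on each side: identical inputs must yield identical keys.
    sk1 = skeyid(ni_b, nr_b, g_xy)
    sk2 = skeyid(ni_b, nr_b, g_xy)
    keys_gw1 = derive_keys(sk1, g_xy, cky_i, cky_r)
    keys_gw2 = derive_keys(sk2, g_xy, cky_i, cky_r)

    # Step 408: gateway 2 recomputes HASH_I and compares it with the digest
    # recovered from SIG_I; a forged IDi payload must fail the comparison.
    sig_digest = hash_i(sk1, g_xi, g_xr, cky_i, cky_r, sai_b, idi_b)
    gw2_accepts = hmac.compare_digest(
        sig_digest, hash_i(sk2, g_xi, g_xr, cky_i, cky_r, sai_b, idi_b))
    forged_accepted = hmac.compare_digest(
        sig_digest, hash_i(sk2, g_xi, g_xr, cky_i, cky_r, sai_b, b"forged-id"))

    # Step 409: gateway 1 checks HASH_R the same way.
    gw1_accepts = hmac.compare_digest(
        hash_r(sk2, g_xi, g_xr, cky_i, cky_r, sai_b, idr_b),
        hash_r(sk1, g_xi, g_xr, cky_i, cky_r, sai_b, idr_b))

    # Stage two (steps 501-505): fresh nonces from the NONCE payloads, protocol
    # and SPI from the SA payload, optional g(qm)^xy from a KE payload.
    ni2, nr2 = b"\x66" * 16, b"\x77" * 16
    protocol, spi = b"\x03", b"\x00\x00\x10\x01"  # constructed sample values
    g_qm_xy = b"\x09" * 32 if pfs else None
    km_gw2 = keymat(keys_gw2["d"], protocol, spi, ni2, nr2, g_qm_xy)  # step 503
    km_gw1 = keymat(keys_gw1["d"], protocol, spi, ni2, nr2, g_qm_xy)  # step 505
    stage2_gw1 = derive_keys(km_gw1, g_xy, cky_i, cky_r)  # KEYMAT replaces SKEYID
    stage2_gw2 = derive_keys(km_gw2, g_xy, cky_i, cky_r)
    m_id = b"\x00\x00\x00\x07"                    # constructed message ID
    h3 = hash3(keys_gw1["a"], m_id, ni2, nr2)     # step 505 liveness proof

    return {
        "stage1_match": keys_gw1 == keys_gw2,
        "gw2_accepts": gw2_accepts,
        "forged_rejected": not forged_accepted,
        "gw1_accepts": gw1_accepts,
        "stage2_match": stage2_gw1 == stage2_gw2,
        "stage2_e": stage2_gw1["e"],
        "hash3": h3,
    }
```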
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (17)

1. A security association SA negotiation method is characterized in that a key server for key management is arranged; the method comprises the following steps:
the key server respectively generates a private key corresponding to the communication initiator and a private key corresponding to the communication responder for the communication initiator and the communication responder;
the communication initiator and the communication responder encrypt the digital digests of respective messages to be sent into signature information by using respective private keys, and the signature information is packaged into the messages to be sent and sent to the other party;
the communication initiator and the communication responder respectively determine a public key of the other party through the key server, and authenticate the other party by using the determined public key of the other party and the signature information in the messages received by the communication initiator and the communication responder respectively;
and the communication initiator and the communication responder determine a public key of the opposite party according to the identity of the opposite party and the public parameter determined by the key server.
2. The method of claim 1, wherein the key server generates a private key corresponding to the communication initiator and a private key corresponding to the communication responder for the communication initiator and the communication responder, respectively, and comprises:
the key server generates a master key, determines a private key corresponding to the communication initiator according to the master key and the ID of the communication initiator, and determines a private key corresponding to the communication responder according to the master key and the ID of the communication responder;
the determining, by the communication initiator and the communication responder, public keys of each other includes:
the key server generates public parameters and respectively sends the public parameters to the communication initiator and the communication responder;
and the communication initiator and the communication responder determine the public key of the other party according to the ID of the other party and the public parameter sent by the key server.
3. The method according to claim 1 or 2, characterized in that the method further comprises: the key server also sends the Diffie-Hellman (DH) public value and the random number of the other party to the communication initiator and the communication responder respectively;
correspondingly, the communication initiator and the communication responder respectively determine an encryption key and an integrity key according to the received DH public value and the random number, encrypt the message to be sent by using the respective determined encryption key, and perform integrity check on the received message by using the respective determined integrity key.
4. The method of claim 3, wherein the communication initiator and the communication responder authenticate the counterpart by using the determined public key of the counterpart and signature information in each received message, and comprising: and the communication initiator and the communication responder decrypt the signature information in the respectively received message according to the determined public key, and when the decrypted digital digest is consistent with the digital digest determined according to the ID of the opposite party and the DH public value sent by the key server, the successful authentication is determined.
5. The method of claim 3, wherein after the communication initiator and the communication responder successfully authenticate the other party, the method further comprises: and the communication initiator and the communication responder encrypt the sent messages by the encryption key and carry out integrity check on the received messages by the integrity key.
6. The method of claim 5, further comprising: the communication initiator forwards an Internet Protocol Security (IPSec) policy negotiation message to the communication responder through the key server, and the communication responder forwards an IPSec policy negotiation result message to the communication initiator through the key server;
the IPSec policy negotiation message and the IPSec policy negotiation result message carry a random number, a Security Parameter Index (SPI) and protocol information of a sender;
correspondingly, the key server determines an encryption key and an integrity key used when the communication initiator and the communication responder perform data communication according to the random number, the SPI and the protocol information carried by the IPSec policy negotiation message or according to the random number, the SPI and the protocol information carried by the IPSec policy negotiation result message.
7. A key server, comprising: a key generation unit and a first communication unit; wherein:
the key generation unit is used for respectively generating a private key corresponding to the communication initiator and a private key corresponding to the communication responder for a communication initiator in the communication equipment and a communication responder in the communication equipment;
the first communication unit is used for correspondingly sending the private key generated by the key generation unit to the communication initiator and the communication responder;
the key generation unit is further configured to generate public parameters and send the public parameters to the communication initiator and the communication responder, respectively, where the communication initiator and the communication responder determine a public key of the other party according to an identity of the other party and the public parameters determined by the key server.
8. The key server of claim 7,
the key generation unit is further configured to generate a master key, determine a private key corresponding to the communication initiator according to the master key and the ID of the communication initiator, and determine a private key corresponding to the communication responder according to the master key and the ID of the communication responder.
9. The key server of claim 7,
the first communication unit is further configured to send a DH public value and a random number of the other party to the communication initiator and the communication responder, respectively.
10. The key server according to claim 7, 8 or 9,
the first communication unit is further configured to send the IPSec policy negotiation packet from the communication initiator to the communication responder, and send the IPSec policy negotiation result packet from the communication responder to the communication initiator;
the key generation unit is further configured to determine an encryption key and an integrity key used when the communication initiator and the communication responder perform data communication according to the random number, the SPI, and the protocol information carried in the IPSec policy negotiation packet received by the first communication unit, or according to the random number, the SPI, and the protocol information carried in the IPSec policy negotiation result packet received by the first communication unit.
11. A communication device, characterized in that the communication device comprises: a second communication unit and an authentication unit; wherein:
the second communication unit is used for encrypting the digital digest of the message to be sent into signature information by using a private key of the communication device, packaging the signature information into the message to be sent and sending the message to the communication device of the other party;
the authentication unit is used for determining a public key of the communication equipment of the other party through a key server and authenticating the communication equipment of the other party by using the determined public key and the signature information in the message received by the second communication unit;
the authentication unit is further configured to determine a public key of the opposite communication device according to the ID of the opposite communication device and the public parameter generated by the key server.
12. The communication device of claim 11,
the second communication unit is further configured to receive a DH public value and a random number of the opposite communication device, which are sent by the key server;
the authentication unit is further configured to determine an encryption key and an integrity key according to the DH public value and the random number of the opposite communication device received by the second communication unit, encrypt a message to be sent by the second communication unit using the encryption key, and perform integrity check on the message received by the second communication unit using the integrity key.
13. The communication device of claim 12,
the authentication unit is further configured to decrypt, according to the determined public key, signature information in the message received by the second communication unit, and when the decrypted digital digest is consistent with a digital digest determined according to the ID of the opposite communication device and the DH public value received by the second communication unit, determine that authentication is successful.
14. The communication device of claim 12,
the second communication unit is further configured to encrypt the sent message with the encryption key determined by the authentication unit, and perform integrity check on the received message with the integrity key determined by the authentication unit.
15. The communication device according to any one of claims 11 to 14,
the second communication unit is further configured to send an IPSec policy negotiation packet or an IPSec policy negotiation result packet to the key server, where the IPSec policy negotiation packet and the IPSec policy negotiation result packet carry a random number, an SPI, and protocol information of a sender.
16. An SA negotiation system, comprising: a key server and a communication device; wherein:
the key server is used for generating a private key corresponding to the communication device for the communication device;
the communication device is used for encrypting the digital digest of the message to be sent into signature information by using a local private key, packaging the signature information into the message to be sent and sending the message to the opposite communication device; determining a public key of the opposite communication device through the key server, and authenticating the opposite communication device by using the determined public key and the signature information in the received message;
and the key server is further configured to generate public parameters and send the public parameters to the communication initiator and the communication responder respectively, and the communication initiator and the communication responder determine a public key of the other party according to an identity of the other party and the public parameters determined by the key server.
17. The SA negotiation system of claim 16,
the key server is the key server of any one of claims 7 to 10; the communication device is as claimed in any one of claims 11 to 15.
CN201310221599.7A 2013-06-05 2013-06-05 Security association negotiation method, device and system Active CN104219217B (en)


Publications (2)

Publication Number Publication Date
CN104219217A CN104219217A (en) 2014-12-17
CN104219217B true CN104219217B (en) 2020-03-10
