CN104580186A - Communication system and method based on HIP - Google Patents

Communication system and method based on HIP

Info

Publication number
CN104580186A
Authority
CN (China)
Prior art keywords
client, hip, gateway node, module, digital certificate
Legal status
Granted; Expired - Fee Related
Application number
CN201410846546.9A
Other languages
Chinese (zh)
Other versions
CN104580186B (en)
Inventors
张涛, 陈融, 赵敏, 王金双, 袁志坚
Current Assignee
PLA University of Science and Technology
Original Assignee
PLA University of Science and Technology
Filing date
2014-12-31
Publication date
2015-04-29 (CN104580186A); grant published 2018-02-09 (CN104580186B)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a communication system and method based on HIP. The system comprises a plurality of client terminals and a server, the client terminals communicating with the server using the HIP protocol; the system further comprises a gateway node and an authentication center, the gateway node communicating with the client terminals and the server using the HIP protocol while also maintaining communication with the authentication center at all times. In this system the gateway node is placed between the application server that provides services and the client terminals that use them, and serves as the only channel between the internal network and the external network, where security operations such as identity authentication and access control can be performed.

Description

Communication system and communication method based on HIP
Technical field
The invention belongs to the field of communications, and more particularly to a communication system and communication method based on HIP (Host Identity Protocol).
Background technology
With the rapid growth of e-government and intelligent mobile terminals, application servers need to provide and optimize access for mobile terminals. Because a mobile terminal's mobility determines its network environment, it frequently switches between different network types and between the service areas of heterogeneous networks. A traditional network connection is bound to an IP address: once the connection is established, any change of IP address breaks the connection and makes the network application on the mobile terminal unavailable.
The current Internet has two global namespaces, domain names and IP addresses, and the IP address serves simultaneously as the identity identifier and the location identifier of a host. This dual role is the main cause of problems such as routing scalability, mobility and multi-homing. In particular, because the transport layer is bound to the IP address, a network connection breaks when the IP address changes. Researchers have therefore proposed in recent years to decouple the two roles of the IP address, that is, to redesign a network architecture in which identity information is separated from location information, in order to solve the problems the current Internet faces; the Host Identity Protocol (HIP) is the most representative such protocol.
HIP inserts a new protocol layer, the host identity layer, between the transport layer and the network layer. At the host identity layer a host identifier replaces the IP address to express the identity of the host, while the network layer continues to route packets by IP address. The mapping and conversion between host identifiers and IP addresses is performed in the host identity layer. An address change at the network layer therefore does not affect the continuity of upper-layer sessions, which makes it straightforward for HIP to support host mobility. The HIP architecture is shown in Fig. 1.
However, how a mobile terminal can access an application server securely and reliably on the basis of HIP remains a problem. If every application server is exposed directly to the external network it is easily attacked, and protecting every server individually is costly. HIP uses Internet Protocol Security (IPsec) to protect user data. In the conventional TCP/IP architecture, IPsec binds the security association to the IP address, so the network-layer security association cannot change its position in the network, which restricts host mobility; with HIP, the security association is bound to the host identity, so IP address changes during communication can be supported.
Enabling a mobile terminal and the application server that provides the service to communicate securely and at low cost on the basis of HIP is therefore particularly important.
Summary of the invention
The technical problem to be solved by the invention is to provide a communication system based on HIP in which a gateway node is placed between the application server that provides a service and the client terminals that use the service; the gateway node, as the only channel between the internal and external networks, can perform security operations such as identity authentication and access control.
To solve the above technical problem, the communication system based on HIP of the present invention comprises several clients and servers, the clients and servers communicating using the HIP protocol, and further comprises a gateway node and an authentication center; the gateway node communicates with the clients and with the servers respectively using the HIP protocol, and at the same time the gateway node maintains communication with the authentication center.
A client comprises a unique digital certificate, a first HIP module, a first packet capture module and client applications, wherein:
the client applications are application programs supported by the client operating system;
the first packet capture module captures the network-layer packets of the client applications and sends them to the first HIP module;
the unique digital certificate, serving as the identity of the client, is sent to the first HIP module;
the first HIP module implements the HIP protocol and the IPsec protocol; when a packet is transmitted it is encrypted and encapsulated with IPsec, the digital certificate is used as the identity for the HIP protocol, and the packet encapsulated by the first HIP module is sent to the second HIP module; when a packet sent by the gateway node is received, IPsec is used to decapsulate it.
The gateway node comprises a second packet capture module, a second HIP module, an authentication module and an access control module, wherein:
the second packet capture module captures the network-layer packets of the gateway node and sends them to the second HIP module;
the second HIP module performs IPsec decryption and HIP protocol decryption on the message received from the first HIP module, obtaining the decrypted message and the client digital certificate; when the gateway node transmits a packet it is encrypted and encapsulated with IPsec;
the authentication module receives and stores the root certificate, obtained from the authentication center, that is used to issue client digital certificates; when a user request is received it sends the client digital certificate to the authentication center and verifies whether the client is a legitimate user;
the access control module verifies whether a legitimate user has permission to access the server.
The authentication center stores the root certificate and sends it to the gateway node; the gateway node uses the root certificate to issue client digital certificates.
To further describe how communication based on HIP is carried out in the present invention, a communication method is also proposed, comprising the following steps:
Step 1: the gateway node obtains from the authentication center the root certificate used to issue client digital certificates;
Step 2: a client sends a request for a digital certificate to the gateway node, and the gateway node uses the root certificate to issue a digital certificate to the client;
Step 3: the client sends a service request to a given server; when the service request passes through the gateway node, the gateway node verifies the service request and decides, according to the verification result, whether the service request is allowed to be forwarded to the server;
Step 4: the server completes the corresponding business operation according to the service request.
In a further preferred version of the communication method, in step 3 the service request comprises the client IP address, the server IP address, the digital certificate and the port.
In a further preferred version, in step 3 verifying the service request specifically consists of first authenticating the client digital certificate and then, if authentication succeeds, performing access control according to the client IP address, server IP address, port and digital certificate.
Compared with the prior art, the present invention has the following beneficial effects: a gateway server is placed between the application server that provides a service and the client terminals that use the service; as the only channel between the internal and external networks, the gateway server can perform security operations such as identity authentication and access control. At the same time, while the security of the gateway server is ensured, the client terminals do not perceive the existence of the security gateway and access the application server transparently.
Brief description of the drawings
Fig. 1 is the architecture of the HIP protocol.
Fig. 2 is a detailed block diagram of the present invention.
Fig. 3 is a schematic block diagram of the present invention.
Embodiments
As shown in Fig. 2, a communication system based on HIP according to the present invention comprises several clients and servers, the clients and servers communicating using the HIP protocol, and further comprises a gateway node and an authentication center; the gateway node communicates with the clients and with the servers respectively using the HIP protocol, and at the same time the gateway node maintains communication with the authentication center.
A client comprises a unique digital certificate, a first HIP module, a first packet capture module and client applications,
wherein:
the client applications are application programs supported by the client operating system, such as browsers and mail clients;
the first packet capture module captures the network-layer packets of the client applications and sends them to the first HIP module;
the unique digital certificate, serving as the identity of the client, is sent to the first HIP module;
the first HIP module implements the HIP protocol and the IPsec protocol; when a packet is transmitted it is encrypted and encapsulated with IPsec, the digital certificate is used as the identity for the HIP protocol, and the packet encapsulated by the first HIP module is sent to the second HIP module; when a packet sent by the gateway node is received, IPsec is used to decapsulate it.
The gateway node comprises a second packet capture module, a second HIP module, an authentication module and an access control module, wherein:
the second HIP module performs IPsec decryption and HIP protocol decryption on the message received from the first HIP module, obtaining the decrypted message and the client digital certificate; when the gateway node transmits a packet it is encrypted and encapsulated with IPsec;
the authentication module receives and stores the root certificate, obtained from the authentication center, that is used to issue client digital certificates; when a user request is received it sends the client digital certificate to the authentication center and verifies whether the client is a legitimate user;
the access control module verifies whether a legitimate user has permission to access the server;
the second packet capture module captures the network-layer packets of the gateway node and sends them to the second HIP module.
The authentication center stores the root certificate and sends it to the gateway node; the gateway node uses the root certificate to issue client digital certificates.
In a specific implementation, multiple clients and multiple servers share one gateway node; its framework is shown in Fig. 3.
The specific implementation of each module is as follows:
1. Client: using virtual network interface technology, two virtual interfaces, tun0 and hip0, are created. All packets from the client are sent to the virtual interface tun0; tun0 captures the incoming packets and forwards them to the hip0 interface. The hip0 virtual interface implements the HIP protocol and supports initiating HIP connections using host identifiers.
2. Implementation of the client HIP module: in addition to implementing the HIP protocol, the hip0 virtual interface adds the transmission of the digital certificate to the HIP four-way handshake. For packets received from hip0 it performs IP-in-IP encapsulation, encrypts and encapsulates the data portion with IPsec, and assembles the result into a UDP packet.
3. Processing flow of the gateway node: after receiving the UDP packet, the gateway node first strips the UDP header, then performs IPsec decryption, and hands the decrypted message to the second HIP module. The second HIP module performs the authentication operation on the digital certificate in the decrypted message and replaces the source address of the packet with the address of hip0. The gateway node then performs the access control check on the packet: packets that pass the check are forwarded to the server, and messages that fail the access control check are discarded.
4. Server reply: after the gateway node receives the response packet from the back-end application server, it captures the packet from the gateway node's hip0 virtual interface and encapsulates it in the same way as the client; the only difference is that the gateway node does not pack a digital certificate into the packet.
5. Sending the packet to the client: the decapsulation process is the same as that of the gateway node, except that there is no authentication or access control.
At the same time, the communication method proposed by the present invention comprises the following steps:
Step 1: the gateway node obtains from the authentication center the root certificate used to issue client digital certificates;
Step 2: a client sends a request for a digital certificate to the gateway node, and the gateway node uses the root certificate to issue a digital certificate to the client;
Step 3: the client sends a service request to a given server; when the service request passes through the gateway node, the gateway node verifies the service request and decides, according to the verification result, whether the service request is allowed to be forwarded to the server. The service request comprises the client IP address, the server IP address, the digital certificate and the port. Verifying the service request specifically consists of first authenticating the client digital certificate and then, if authentication succeeds, performing access control according to the client IP address, server IP address, port and digital certificate;
Step 4: the server completes the corresponding business operation according to the service request.
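The following Python model is an added illustration, not code from the patent: it follows items 3 and 5 of the implementation above and step 3 of the method, authenticating the certificate carried in the message, parsing the inner IP-in-IP packet for client IP, server IP and port, checking that tuple against an access-control table, and rewriting the source address to hip0's address before forwarding. The HMAC-based certificate, the policy table, the addresses and the message layout are constructed assumptions; UDP framing and IPsec are taken as already removed.

```python
import hashlib
import hmac
import socket
import struct

# Assumption: an HMAC tag under a key shared by the gateway and the authentication
# center stands in for the root-certificate signature; X.509 is out of scope here.
ROOT_KEY = b"constructed-root-key-for-illustration-only"
HIP0_ADDR = "192.0.2.1"  # constructed address of the gateway's hip0 interface
# Constructed policy: allowed (certificate subject, client IP, server IP, port);
# anything not listed is denied by default.
POLICY = {("alice", "198.51.100.10", "10.0.0.5", 443),
          ("bob", "198.51.100.11", "10.0.0.6", 22)}

def issue_certificate(subject):
    """Method step 2: the gateway issues a client certificate under the root key."""
    body = subject.encode()
    tag = hmac.new(ROOT_KEY, body, hashlib.sha256).digest()
    return struct.pack("!H", len(body)) + body + tag

def verify_certificate(cert):
    """Authentication module: return the subject if the tag verifies, else None."""
    if len(cert) < 2:
        return None
    (blen,) = struct.unpack("!H", cert[:2])
    body, tag = cert[2:2 + blen], cert[2 + blen:]
    expected = hmac.new(ROOT_KEY, body, hashlib.sha256).digest()
    if len(tag) != 32 or not hmac.compare_digest(tag, expected):
        return None
    return body.decode()

def ipv4_checksum(header):
    """One's-complement sum over a 20-byte IPv4 header; 0 means a valid checksum."""
    total = sum(struct.unpack("!10H", header[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_inner_packet(src, dst, dport):
    """Constructed IPv4+TCP SYN: the inner packet of the client's IP-in-IP request."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + tcp

def parse_inner_packet(packet):
    """Extract (client IP, server IP, port) from the decapsulated inner packet."""
    if len(packet) < 40 or packet[0] != 0x45 or packet[9] != 6:
        return None  # only plain IPv4 (no options) carrying TCP is handled here
    if ipv4_checksum(packet[:20]) != 0:
        return None  # corrupted header: do not base a decision on its fields
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    (dport,) = struct.unpack("!H", packet[22:24])
    return src, dst, dport

def rewrite_source(packet, new_src):
    """Replace the inner source with hip0's address and refresh the IPv4 checksum."""
    hdr = packet[:10] + b"\x00\x00" + socket.inet_aton(new_src) + packet[16:20]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + packet[20:]

def encapsulate(cert, inner):
    """Client side (first HIP module): certificate length, certificate, inner packet."""
    return struct.pack("!H", len(cert)) + cert + inner

def gateway_handle(message):
    """Gateway processing after the UDP header is stripped and IPsec is decrypted.
    Returns ("forward", rewritten_packet) or ("drop", reason)."""
    if len(message) < 2:
        return "drop", "malformed message"
    (clen,) = struct.unpack("!H", message[:2])
    subject = verify_certificate(message[2:2 + clen])
    if subject is None:
        return "drop", "certificate authentication failed"
    fields = parse_inner_packet(message[2 + clen:])
    if fields is None:
        return "drop", "malformed inner packet"
    client_ip, server_ip, port = fields
    if (subject, client_ip, server_ip, port) not in POLICY:
        return "drop", "access denied for %s %s -> %s:%d" % (subject, client_ip, server_ip, port)
    return "forward", rewrite_source(message[2 + clen:], HIP0_ADDR)
```

The TCP checksum of the rewritten packet is deliberately left untouched in this model; a real gateway must update it after changing the source address.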
Obviously, the above embodiment is only an example given to clearly illustrate the present invention and is not a limitation on how it may be implemented. Those of ordinary skill in the art can make other changes in different forms on the basis of the above description. It is neither necessary nor possible to list all embodiments exhaustively here. Any obvious change or variation derived from the essence of the present invention still falls within its scope of protection.

Claims (5)

1. A communication system based on HIP, comprising several clients and servers, the clients and servers communicating using the HIP protocol, characterized in that it further comprises a gateway node and an authentication center, the gateway node communicating with the clients and with the servers respectively using the HIP protocol, while the gateway node also maintains communication with the authentication center;
a client comprises a unique digital certificate, a first HIP module, a first packet capture module and client applications, wherein
the client applications are application programs supported by the client operating system;
the first packet capture module captures the network-layer packets of the client applications and sends the packets to the first HIP module;
the unique digital certificate, serving as the identity of the client, is sent to the first HIP module;
the first HIP module implements the HIP protocol and the IPsec protocol; when a packet is transmitted it is encrypted and encapsulated with IPsec, the digital certificate is used as the identity for the HIP protocol, and the packet encapsulated by the first HIP module is sent to the second HIP module; when a packet sent by the gateway node is received, IPsec is used to decapsulate it;
the gateway node comprises a second packet capture module, a second HIP module, an authentication module and an access control module, wherein
the second packet capture module captures the network-layer packets of the gateway node and sends them to the second HIP module;
the second HIP module performs IPsec decryption and HIP protocol decryption on the message received from the first HIP module, obtaining the decrypted message and the client digital certificate; when the gateway node transmits a packet it is encrypted and encapsulated with IPsec;
the authentication module receives and stores the root certificate, obtained from the authentication center, that is used to issue client digital certificates, and when a user request is received sends the client digital certificate to the authentication center and verifies whether the client is a legitimate user;
the access control module verifies whether a legitimate user has permission to access the server;
the authentication center stores the root certificate and sends it to the gateway node, and the root certificate is used by the gateway node to issue client digital certificates.
2. The communication system based on HIP according to claim 1, characterized in that the application programs supported by the client operating system are a browser and a mail client.
3. A communication method for the communication system based on HIP according to claim 1, characterized in that it comprises the following steps:
Step 1: the gateway node obtains from the authentication center the root certificate used to issue client digital certificates;
Step 2: a client sends a request for a digital certificate to the gateway node, and the gateway node uses the root certificate to issue a digital certificate to the client;
Step 3: the client sends a service request to a given server; when the service request passes through the gateway node, the gateway node verifies the service request and decides, according to the verification result, whether the service request is allowed to be forwarded to the server;
Step 4: the server completes the corresponding business operation according to the service request.
4. The communication method according to claim 3, characterized in that in step 3 the service request comprises the client IP address, the server IP address, the digital certificate and the port.
5. The communication method according to claim 4, characterized in that in step 3 verifying the service request specifically consists of first authenticating the client digital certificate and then, if authentication succeeds, performing access control according to the client IP address, server IP address, port and digital certificate.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410846546.9A CN104580186B (en) 2014-12-31 Communication system and communication means based on HIP

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410846546.9A CN104580186B (en) 2014-12-31 Communication system and communication means based on HIP

Publications (2)

Publication Number Publication Date
CN104580186A true CN104580186A (en) 2015-04-29
CN104580186B CN104580186B (en) 2018-02-09

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1741523A (en) * 2004-08-25 2006-03-01 华为技术有限公司 Key exchange protocol method for realizing main machine transferability and multi-home function
US20070124489A1 (en) * 2000-01-24 2007-05-31 Microsoft Corporation Nat access control with ipsec
CN101120572A (en) * 2005-02-18 2008-02-06 艾利森电话股份有限公司 Host identity protocol method and apparatus
CN102377829A (en) * 2010-08-09 2012-03-14 中兴通讯股份有限公司 Communication method, system and equipment based on host identity protocol (HIP)
CN103595823A (en) * 2012-08-17 2014-02-19 华为技术有限公司 Data transmission method, terminal and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MADHUSANKA LIYANAGE, ET AL.: "Securing the control channel of software-defined mobile networks", Proceedings of the IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108429722A (en) * 2017-02-15 2018-08-21 成都飞天联合网络技术有限公司 Control method, control system and the wearable device of cabin
CN108429722B (en) * 2017-02-15 2021-01-05 飞天联合(北京)系统技术有限公司 Control method and control system of cabin and wearable equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180209