CN104580186B - Communication system and communication means based on HIP - Google Patents


Info

Publication number
CN104580186B
Authority
CN
China
Prior art keywords
client
hip
gateway node
module
data packet
Legal status
Expired - Fee Related
Application number
CN201410846546.9A
Other languages
Chinese (zh)
Other versions
CN104580186A (en)
Inventor
张涛
陈融
赵敏
王金双
袁志坚
Current Assignee
PLA University of Science and Technology
Original Assignee
PLA University of Science and Technology
Filing date
2014-12-31
Publication date
2018-02-09

Abstract

The invention discloses a communication system and a communication method based on HIP. The system includes several clients and servers, where the clients communicate with the servers using the HIP protocol, and additionally a gateway node and an authentication center; the gateway node communicates with the clients and the servers using the HIP protocol and also keeps communication with the authentication center. The system places a gateway node between the application server providing a service and the client terminal using the service; as the only channel between the internal and external networks, the gateway node can perform security operations such as identity authentication and access control.

Description

Communication system and communication method based on HIP
Technical Field
The invention belongs to the field of communication, and particularly relates to a communication system and a communication method based on HIP.
Background
The growth of electronic government affairs and the explosion of intelligent mobile terminals require application servers to provide and optimize access for mobile terminals. Because of their mobility, mobile terminals must frequently switch between different network systems and different network service areas. Traditional network connections are bound to IP addresses, and once an IP address changes after a connection has been established the connection is broken, so the network application on the mobile terminal becomes unavailable.
Currently the internet has two global namespaces, domain names and IP addresses, where the IP address serves as both the identity and the location of a host. This ambiguous design is one of the main causes of problems such as routing scalability, mobility and multihoming. In particular, binding the transport layer to the IP address means that a network connection is broken when the IP address changes. Therefore, in recent years researchers have proposed decoupling the two roles of the IP address, that is, designing a new network architecture based on the separation of identity information and location information, to solve the problems the current internet faces; the Host Identity Protocol (HIP) is the most typical such protocol.
HIP inserts a new protocol layer, the host identity layer, between the transport layer and the network layer. At the host identity layer the host identifier replaces the IP address as the identity attribute of the host, while the network layer continues to use the IP address to route data packets; the mapping between the identity identifier and the IP address is done at the host identity layer. Address switching at the network layer therefore does not affect the continuity of upper-layer sessions, so HIP can readily support host mobility. The architecture of HIP is shown in FIG. 1.
However, how to securely and reliably access an application server over HIP remains a problem. If each application server is directly exposed to the external network, it is very vulnerable, and protecting every server individually is costly. HIP uses Internet Protocol Security (IPSec for short) to protect user data. In the traditional TCP/IP architecture IPSec binds the security association to the IP address, so a network-layer security association cannot follow a change of the host's position in the network and host mobility is limited; with HIP, the security association is instead bound to the host identifier, so an IP address change during communication can be supported.
How to enable a mobile terminal to communicate with the serving application server over HIP securely and at low cost is therefore an important question.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: to provide a HIP-based communication system that places a gateway node between the application server providing a service and the client terminal using the service, the gateway node serving as the only channel between the internal network and the external network and performing security operations such as identity authentication and access control.
In order to solve the technical problem, the communication system based on the HIP comprises a plurality of clients and a server, wherein the clients and the server adopt HIP protocol communication, the communication system further comprises a gateway node and an authentication center, the gateway node respectively adopts HIP protocol communication with the clients and the server, meanwhile, the gateway node also keeps communication with the authentication center,
the client comprises a unique digital certificate, a first HIP module, a first data packet capture module, and a client application, wherein,
the client application is an application program supported by a client operating system;
the first data packet capturing module is used for capturing a network layer data packet of a client application program and sending the data packet to the first HIP module;
the unique digital certificate is used as an identity code of the client and is sent to the first HIP module;
the first HIP module is used for realizing HIP protocol and IPSec protocol; when the data packet is sent, the IPSec is used for encryption and encapsulation, the digital certificate is used as the identity identification code of the HIP protocol, and the data packet encapsulated by the first HIP module is sent to the second HIP module; when receiving the data packet sent by the gateway node, the IPSec is used for decrypting and unpacking;
the gateway node comprises a second data packet capturing module, a second HIP module, an identity authentication module and an access control module; wherein,
the second data packet capturing module is used for capturing the network layer data packet of the gateway node and sending the network layer data packet to the second HIP module;
the second HIP module carries out IPSec decryption and HIP protocol decryption on the data message received from the first HIP module to obtain a decrypted data message and a client digital certificate; the gateway node uses IPSec to encrypt and package when sending the data packet;
the identity authentication module is used for receiving and storing a root certificate, acquired from the authentication center, which is used for signing and issuing the client digital certificate; when receiving a user request, the identity authentication module sends the client digital certificate to the authentication center to verify whether the client is a legal user;
the access control module is used for verifying whether a legal user has the authority of accessing the server;
the authentication center is used for storing the root certificate and sending the root certificate to the gateway node, and the root certificate is used for the gateway node to sign a client digital certificate for the client.
Meanwhile, in order to further describe the implementation process of the communication based on HIP, the invention provides a communication method, which comprises the following steps:
step 1, a gateway node acquires a root certificate for signing and issuing a client digital certificate from an authentication center;
step 2, the client sends a request for acquiring the digital certificate to the gateway node, and the gateway node uses the root certificate to sign the digital certificate for the client;
step 3, the client sends a service request to the designated server, when the service request passes through the gateway node, the service request is verified, and whether the service request is sent to the server through the gateway node is determined according to a verification result;
step 4, the server completes the corresponding business operation according to the service request.
Further preferably, in the communication method of the present invention, the service request in step 3 includes a client IP address, a server IP address, a digital certificate, and a port.
Further, in a preferred embodiment, in the communication method of the present invention, the step 3 of verifying the service request specifically includes: firstly, the identity authentication is carried out on the client digital certificate, and under the condition of successful identity authentication, the access control is carried out according to the client IP address, the server IP address, the port and the digital certificate.
Compared with the prior art, the invention has the following beneficial effects: a gateway server is placed between the application server providing the service and the client terminal using the service; the gateway server is the only channel between the internal and external networks and can perform security operations such as identity authentication and access control. At the same time, given the security of the gateway server, the client terminal does not notice the security gateway and accesses the application server transparently.
Drawings
FIG. 1 is an architecture of the HIP protocol.
Fig. 2 is a detailed structural block diagram of the present invention.
Fig. 3 is a schematic block diagram of the present invention.
Detailed Description
As shown in FIG. 2, the communication system based on HIP of the present invention includes several clients and servers, where the clients and the servers communicate with each other by using HIP protocol, and also includes a gateway node and an authentication center, where the gateway node communicates with the clients and the servers by using HIP protocol, and meanwhile, the gateway node also maintains communication with the authentication center,
the client comprises a unique digital certificate, a first HIP module, a first data packet capture module, and a client application, wherein,
the client application is an application program supported by a client operating system, such as a browser, a mail client and the like;
the first data packet capturing module is used for capturing a network layer data packet of a client application program and sending the data packet to the first HIP module;
the unique digital certificate is used as an identity code of the client and is sent to the first HIP module;
the first HIP module is used for realizing HIP protocol and IPSec protocol; when the data packet is sent, the IPSec is used for encryption and encapsulation, the digital certificate is used as the identity identification code of the HIP protocol, and the data packet encapsulated by the first HIP module is sent to the second HIP module; when receiving the data packet sent by the gateway node, the IPSec is used for decrypting and unpacking;
the gateway node comprises a second data packet capturing module, a second HIP module, an identity authentication module and an access control module; wherein,
the second HIP module carries out IPSec decryption and HIP protocol decryption on the data message received from the first HIP module to obtain a decrypted data message and a client digital certificate; the gateway node uses IPSec to encrypt and package when sending the data packet;
the identity authentication module is used for receiving and storing a root certificate, acquired from the authentication center, which is used for signing and issuing the client digital certificate; when receiving a user request, the identity authentication module sends the client digital certificate to the authentication center to verify whether the client is a legal user;
the access control module is used for verifying whether a legal user has the authority of accessing the server;
the second data packet capturing module is used for capturing the network layer data packet of the gateway node and sending the network layer data packet to the second HIP module;
the authentication center is used for storing the root certificate and sending the root certificate to the gateway node, and the root certificate is used for the gateway node to sign a client digital certificate for the client.
In the implementation process, a gateway node is shared by a plurality of clients and a plurality of servers, and the framework structure of the gateway node is shown in fig. 3.
The specific implementation process of each module is as follows:
1. Client: the virtual network card devices tun0 and hip0 are created using virtual network card technology. All data packets of the client are sent to the virtual network card tun0; tun0 captures the incoming data packets and forwards them to the hip0 network card, and the hip0 virtual network card implements the HIP protocol and supports initiating a HIP connection using the host identity.
2. Implementation of the client HIP module: the hip0 virtual network card implements the HIP protocol and additionally carries the digital certificate in the HIP four-way handshake. A data packet received from hip0 is encapsulated IP-in-IP, its data part is encrypted and encapsulated with IPSec, and the result is assembled into a UDP data packet.
3. Processing flow of the gateway node: after receiving the UDP data packet, the gateway node first removes the UDP header, then performs IPSec decryption, and delivers the decrypted message to the second HIP module. The second HIP module performs identity authentication on the digital certificate in the decrypted message and replaces the source address of the data packet with the address of hip0. The gateway node then runs the access control check on the data packet; a packet that passes the check is forwarded to the server, and a message that fails the access control check is discarded.
4. Reply of the server: after receiving the response data packet from the background application server, the gateway node captures it from its own hip0 virtual network card and processes it in the same way as the client does, the only difference being that the gateway node does not inject the digital certificate into the data packet.
5. Sending the data packet to the client: the client's unpacking process is the same as the gateway node's, except that there is no identity authentication or access control step.
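The client-to-gateway data path of steps 1 to 5 above, as an added example written for this page; it is not code from the patent or its authors. It assumes a wire layout the page does not specify (an 8-byte UDP header, a 12-byte nonce and an AES-GCM ciphertext, with a length-prefixed certificate, the outer IP-in-IP header and the inner IPv4 packet inside), uses AES-GCM in place of the IPSec ESP transform, and the names `NewSA`, `Encapsulate`, `GatewayDecapsulate` and `IPv4Header` and the addresses and ports are chosen here. It shows what the gateway does on receipt before any policy decision: strip the UDP header, authenticate and decrypt, drop the outer header, and rewrite the inner source address to hip0, recomputing the IPv4 header checksum so the forwarded packet is valid. Identity authentication of the extracted certificate and the access-control check are the caller's next steps and are not performed inside these functions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"net"
)

// Wire layout assumed for this example (the page gives none):
//   datagram  = [8-byte UDP header][12-byte nonce][AES-GCM ciphertext]
//   plaintext = [2-byte cert length][certificate][outer IPv4 header][inner IPv4 packet]
// AES-GCM stands in for the IPSec ESP transform, and the UDP header is bound as
// associated data so that a tampered header fails authentication at the gateway.
const udpHeaderLen, ipv4HeaderLen, protoIPinIP = 8, 20, 4 // protocol number 4 = IP-in-IP

// NewSA builds the AEAD that plays the role of the IPSec security association
// shared by the client HIP module and the gateway HIP module (key: 16, 24 or 32 bytes).
func NewSA(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ipv4Checksum is the RFC 791 header checksum; the checksum field must be zero on input.
func ipv4Checksum(h []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(h); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(h[i:]))
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// IPv4Header builds a minimal 20-byte IPv4 header (no options) with a valid checksum.
func IPv4Header(src, dst net.IP, proto byte, payloadLen int) []byte {
	h := make([]byte, ipv4HeaderLen)
	h[0], h[8], h[9] = 0x45, 64, proto // version 4 + IHL 5, TTL, protocol
	binary.BigEndian.PutUint16(h[2:], uint16(ipv4HeaderLen+payloadLen))
	copy(h[12:16], src.To4())
	copy(h[16:20], dst.To4())
	binary.BigEndian.PutUint16(h[10:], ipv4Checksum(h))
	return h
}

// Encapsulate is the client HIP module's send path (implementation step 2): IP-in-IP
// wrap the packet captured from tun0, prepend the digital certificate (nil on the
// gateway's reply path, the one difference noted in step 4), encrypt, and frame as UDP.
func Encapsulate(sa cipher.AEAD, srcPort, dstPort uint16, outerSrc, outerDst net.IP, cert, inner []byte) ([]byte, error) {
	plain := make([]byte, 2, 2+len(cert)+ipv4HeaderLen+len(inner))
	binary.BigEndian.PutUint16(plain, uint16(len(cert)))
	plain = append(plain, cert...)
	plain = append(plain, IPv4Header(outerSrc, outerDst, protoIPinIP, len(inner))...)
	plain = append(plain, inner...)
	nonce := make([]byte, sa.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	udp := make([]byte, udpHeaderLen)
	binary.BigEndian.PutUint16(udp[0:], srcPort)
	binary.BigEndian.PutUint16(udp[2:], dstPort)
	binary.BigEndian.PutUint16(udp[4:], uint16(udpHeaderLen+len(nonce)+len(plain)+sa.Overhead()))
	out := append(append([]byte{}, udp...), nonce...)
	return sa.Seal(out, nonce, plain, udp), nil
}

// GatewayDecapsulate is the gateway's receive path (implementation step 3): strip the
// UDP header, authenticate and decrypt, split off the certificate, drop the outer
// IP-in-IP header and rewrite the inner source address to the gateway's hip0 address.
// A datagram that fails a check is discarded, reported here as an error.
func GatewayDecapsulate(sa cipher.AEAD, datagram []byte, hip0 net.IP) (cert, inner []byte, err error) {
	hdrLen := udpHeaderLen + sa.NonceSize()
	if len(datagram) < hdrLen+sa.Overhead() || hip0.To4() == nil {
		return nil, nil, errors.New("discard: short datagram or non-IPv4 hip0 address")
	}
	udp, nonce := datagram[:udpHeaderLen], datagram[udpHeaderLen:hdrLen]
	plain, err := sa.Open(nil, nonce, datagram[hdrLen:], udp)
	if err != nil {
		return nil, nil, errors.New("discard: IPSec authentication failed")
	}
	// || short-circuits, so the length prefix is read only once plain holds it.
	if len(plain) < 2 || len(plain) < 2+int(binary.BigEndian.Uint16(plain))+2*ipv4HeaderLen {
		return nil, nil, errors.New("discard: truncated HIP payload")
	}
	certLen := int(binary.BigEndian.Uint16(plain))
	cert, inner = plain[2:2+certLen], plain[2+certLen+ipv4HeaderLen:]
	copy(inner[12:16], hip0.To4())
	inner[10], inner[11] = 0, 0 // clear the old checksum before recomputing it
	binary.BigEndian.PutUint16(inner[10:], ipv4Checksum(inner[:ipv4HeaderLen]))
	return cert, inner, nil
}
```

Because the UDP header is bound as associated data, a datagram whose ports or length were altered in transit fails `Open` and is discarded rather than forwarded, matching the discard rule of step 3. A practitioner would also want the certificate carried only in the handshake, as step 2 says, with the resulting identity bound to the security association, so that later data packets are attributed to a client by their SA rather than by a certificate in every packet.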
Meanwhile, the communication method provided by the invention comprises the following steps:
step 1, a gateway node acquires a root certificate for signing and issuing a client digital certificate from an authentication center;
step 2, the client sends a request for acquiring the digital certificate to the gateway node, and the gateway node uses the root certificate to sign the digital certificate for the client;
step 3, the client sends a service request to the designated server, when the service request passes through the gateway node, the service request is verified, and whether the service request is sent to the server through the gateway node is determined according to a verification result; the service request comprises a client IP address, a server IP address, a digital certificate and a port; the service request is verified, specifically: firstly, performing identity authentication on a client digital certificate, and performing access control according to a client IP address, a server IP address, a port and the digital certificate under the condition of successful identity authentication;
step 4, the server completes the corresponding business operation according to the service request.
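The certificate issuance and service-request verification of steps 1 to 3, as an added example written for this page rather than taken from the patent. It assumes X.509 certificates with ECDSA P-256 keys, that the gateway holds the root signing key as step 2 implies, and that the "digital certificate" in the access-control tuple is matched by its Common Name; the names `IssueRoot`, `IssueClientCert`, `NewGateway`, `ACLRule` and `Verify` are chosen here. Verification follows the order of step 3 and claim 5: chain validation against the root first, then a lookup on (client IP, server IP, port, certificate). This gateway verifies locally against the root it holds, whereas claim 1's identity authentication module sends the certificate to the authentication center; that round trip is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ACLRule is one access-control entry on the four values the page lists for a service
// request: client IP, server IP, port and certificate (matched by Common Name, an assumption).
type ACLRule struct {
	ClientIP, ServerIP net.IP
	Port               int
	CertCN             string
}

// Gateway holds the root certificate obtained from the authentication center (step 1) and the ACL.
type Gateway struct {
	roots *x509.CertPool
	acl   []ACLRule
}

func NewGateway(root *x509.Certificate, acl []ACLRule) *Gateway {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &Gateway{roots: pool, acl: acl}
}

// issue signs tpl for public key pub with signer's key under parent; parent == tpl gives a self-signed root.
func issue(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueRoot creates the authentication center's root certificate and signing key.
func IssueRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issue(tpl, tpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueClientCert is step 2: the gateway signs a client certificate with the root key.
// Generating the client's key here too simplifies the page's "request for acquiring the digital certificate".
func IssueClientCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := issue(tpl, root, &key.PublicKey, rootKey)
	return cert, key, err
}

// Verify is the step 3 check in the page's order: identity authentication of the certificate
// against the root first, then access control on (client IP, server IP, port, certificate)
// only if authentication succeeded. A nil error means the request may be forwarded.
func (g *Gateway) Verify(clientIP, serverIP net.IP, port int, cert *x509.Certificate) error {
	if cert == nil {
		return fmt.Errorf("identity authentication failed: no certificate in request")
	}
	opts := x509.VerifyOptions{Roots: g.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("identity authentication failed: %w", err)
	}
	for _, r := range g.acl {
		if r.ClientIP.Equal(clientIP) && r.ServerIP.Equal(serverIP) && r.Port == port && r.CertCN == cert.Subject.CommonName {
			return nil
		}
	}
	return fmt.Errorf("access denied: %s -> %s:%d for %q", clientIP, serverIP, port, cert.Subject.CommonName)
}
```

A practitioner reading step 2 would note that signing client certificates at the gateway puts the root's private key on the one device that faces the external network; keeping the signing key at the authentication center and having the gateway only forward certificate requests means a compromised gateway cannot mint valid client identities on its own, and the gateway then needs only the root certificate, which is all step 1 actually gives it.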
It should be understood that the above embodiments are merely examples for clearly illustrating the present invention and are not intended to limit its embodiments. Other variations and modifications will be apparent to those skilled in the art in light of the above description; it is neither necessary nor possible to list all embodiments exhaustively, and obvious changes and modifications that fall within the spirit of the invention are deemed to be covered by it.

Claims (5)

1. The communication system based on the HIP comprises a plurality of clients and a server, wherein the clients and the server adopt the HIP protocol for communication, and the communication system is characterized by further comprising a gateway node and an authentication center, wherein the gateway node respectively adopts the HIP protocol for communication with the clients and the server, and meanwhile, the gateway node also keeps communication with the authentication center,
the client comprises a unique digital certificate, a first HIP module, a first data packet capture module, and a client application, wherein,
the client application is an application program supported by a client operating system;
the first data packet capturing module is used for capturing a network layer data packet of a client application program and sending the data packet to the first HIP module;
the unique digital certificate is used as an identity code of the client and is sent to the first HIP module;
the first HIP module is used for realizing HIP protocol and IPSec protocol; when the data packet is sent, the IPSec is used for encryption and encapsulation, the digital certificate is used as the identity identification code of the HIP protocol, and the data packet encapsulated by the first HIP module is sent to the second HIP module; when receiving the data packet sent by the gateway node, the IPSec is used for decrypting and unpacking;
the gateway node comprises a second data packet capturing module, a second HIP module, an identity authentication module and an access control module; wherein,
the second data packet capturing module is used for capturing the network layer data packet of the gateway node and sending the network layer data packet to the second HIP module;
the second HIP module carries out IPSec decryption and HIP protocol decryption on the data message received from the first HIP module to obtain a decrypted data message and a client digital certificate; the gateway node uses IPSec to encrypt and package when sending the data packet;
the identity authentication module is used for receiving and storing a root certificate, acquired from the authentication center, for issuing the client digital certificate, and, when receiving a user request, for sending the client digital certificate to the authentication center to verify whether the client is a legal user;
the access control module is used for verifying whether a legal user has the authority of accessing the server;
the authentication center is used for storing the root certificate and sending the root certificate to the gateway node, and the root certificate is used for the gateway node to sign a client digital certificate for the client.
2. The HIP-based communication system according to claim 1, wherein the applications supported by the client operating system are browser and mail client.
3. A communication method of the HIP-based communication system as claimed in claim 1, comprising the steps of:
step 1, a gateway node acquires a root certificate for signing and issuing a client digital certificate from an authentication center;
step 2, the client sends a request for acquiring the digital certificate to the gateway node, and the gateway node uses the root certificate to sign the digital certificate for the client;
step 3, the client sends a service request to the designated server, when the service request passes through the gateway node, the service request is verified, and whether the service request is sent to the server through the gateway node is determined according to a verification result;
step 4, the server completes the corresponding business operation according to the service request.
4. The communication method according to claim 3, wherein the service request in step 3 comprises a client IP address, a server IP address, a digital certificate and a port.
5. The communication method according to claim 4, wherein the step 3 of verifying the service request specifically comprises: firstly, the identity authentication is carried out on the client digital certificate, and under the condition of successful identity authentication, the access control is carried out according to the client IP address, the server IP address, the port and the digital certificate.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410846546.9A CN104580186B (en) 2014-12-31 Communication system and communication means based on HIP

Publications (2)

Publication Number Publication Date
CN104580186A CN104580186A (en) 2015-04-29
CN104580186B true CN104580186B (en) 2018-02-09

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1741523A (en) * 2004-08-25 2006-03-01 华为技术有限公司 Key exchange protocol method for realizing main machine transferability and multi-home function
CN101120572A (en) * 2005-02-18 2008-02-06 艾利森电话股份有限公司 Host identity protocol method and apparatus
CN102377829A (en) * 2010-08-09 2012-03-14 中兴通讯股份有限公司 Communication method, system and equipment based on host identity protocol (HIP)
CN103595823A (en) * 2012-08-17 2014-02-19 华为技术有限公司 Data transmission method, terminal and system

Non-Patent Citations (1)

Title
Securing the control channel of software-defined mobile networks; Madhusanka Liyanage, et al.; Proceedings of the IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks; 20140619; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180209