CN104901944A - Security protocol cipher-text information inference method based on main body interactive behavior - Google Patents

Info

Publication number
CN104901944A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510160153.7A
Other languages
Chinese (zh)
Other versions
CN104901944B (en)
Inventor
袁霖
韩继红
李福林
赵俭
张恒巍
和志鸿
范钰丹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
PLA Information Engineering University
Original Assignee
PLA Information Engineering University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by PLA Information Engineering University
Priority to CN201510160153.7A
Publication of CN104901944A
Application granted
Publication of CN104901944B
Expired - Fee Related

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a security protocol ciphertext information inference method based on the interaction behavior of principals (the "main bodies" of the title). From the specific message format, the method identifies the step information of protocol-related messages in the network, that is, it recognizes that a given data message belongs to step N of a protocol run. It then makes full use of the protocol specification format, the messages that can be monitored in the network system, and data such as users' online interaction behavior to perform certain calculations and recover the ciphertext information in the protocol exchange without decrypting it. The method is suitable for security protocols using all kinds of cryptosystems and does not require deploying an additional monitoring program on the monitoring host. In practical application it has a wide range of application, few limitations and fast analysis, and it helps to further strengthen monitoring and management of the network and to improve the ability of an information system to resist hostile attack.

Description

Security protocol ciphertext information inference method based on principal interaction behavior
Technical field
The present invention relates to the field of network security, and in particular to a security protocol ciphertext information inference method based on principal interaction behavior.
Background
Protocol identification is an important step in many key network security applications, such as intrusion detection, network QoS, traffic monitoring and user behavior analysis, and it matters to network administrators, service providers and users alike. Identifying, from network message data, the protocol type an information system uses and then analyzing user interaction behavior is the core of network protocol identification. It helps to monitor and manage network applications, effectively reduces the security risks a system faces, and improves the ability of the information system to resist malicious attack. With the widespread use of cryptography, security protocols are widely deployed in core and critical Internet applications, and the share of network traffic related to security protocols grows daily. However, network security protocols make heavy use of cryptography to protect key information, so the data collected from the network contains many ciphertext items. Because breaking a cryptographic algorithm is very difficult, encrypted data cannot be parsed without the correct key. Message data alone is therefore not enough to collect certain key information, because that information lies inside the encrypted part of the message.
In short, identifying from network data the protocol type an information system uses and then analyzing user interaction behavior helps to strengthen the monitoring and management of network applications, reduces the security risks a system faces, and improves its ability to resist malicious attack. But with the widespread use of cryptography, security protocols encrypt key information extensively, so the data collected from the network contains many ciphertext items that cannot be parsed, which poses a serious problem for the management and control of network information.
Two classes of methods currently exist for parsing network message information. The first is based on network message-flow information: it takes the collected network data stream as the object of analysis and parses network protocols from network traffic alone. The second is based on the execution trace of the program on the target host: it performs dynamic binary trace analysis of the server program that implements the network protocol and parses messages by following how the binary handles them. At present it can recognize the content of cryptographic protocols to a certain extent.
The flow-based approach captures network traffic data and analyzes it using traffic ports, plaintext data in the payload, statistical features of packets and the like. It currently handles only plaintext protocols and cannot process encrypted data. As shown in Figs. 1 and 2, when the well-known network protocol analyzer Wireshark parses an SSL Encrypted Handshake Message, it can only identify that the message content is ciphertext; it cannot further analyze or use any other feature of the encrypted message.
The other line of network protocol analysis relies on the run-time state of the protocol-related application on the target host. Using a specific binary analysis platform, these methods analyze how the application on the host processes data and from that infer the plaintext structure corresponding to the ciphertext and the cryptographic algorithm the ciphertext uses. Although these methods can process encrypted messages, they need to obtain, on the target host, the application that executes the protocol and to deploy a specific monitoring tool before the run-time information of the program can be collected. Such methods are therefore complex to implement and limited in application, cannot truly meet the need to monitor data messages in a network environment, and in practice fail when the target program cannot be obtained.
Summary of the invention
To address the deficiencies of the prior art, the invention provides a security protocol ciphertext information inference method based on principal interaction behavior. It makes full use of the protocol specification format, the messages that can be monitored in the network system, and the data of users' online interaction behavior. Without decrypting the ciphertext, it computes and recovers, to a certain extent, the ciphertext information in the protocol exchange. It is applicable to security protocols using any cryptosystem, does not require deploying an additional monitoring program on the monitoring host, and has the advantages of wide applicability, few limitations and fast analysis. It helps to further strengthen the monitoring and management of the network and to improve the ability of the information system to resist malicious attack.
According to the design provided by the invention, a security protocol ciphertext information inference method based on principal interaction behavior comprises the following steps:
Step 1. Protocol initiator A sends message 1 to protocol responder B; message 1 comprises a ciphertext part. If responder B, after receiving message 1, sends message 2 to protocol third party S, it can be judged that message 1 meets the expectation of responder B. Message 2 comprises ciphertext items. If, after receiving message 2, third party S sends message 3 to initiator A, it can be judged that message 2 meets the expectation of S, that is, $X_{1\_2} = X_{2\_2}$. Message 3 comprises ciphertext items, wherein $X_i$ denotes an unknown variable, and $K_{as}$, $K_{bs}$ and $K_{ab}$ are, respectively, the pre-shared key of initiator A and third party S, the pre-shared key of responder B and third party S, and the session key of initiator A and responder B.
Step 2. If, after message 1, message 2 and message 3, message 4 sent by initiator A to responder B is collected, it can be judged that message 3 meets the expectation of initiator A, and hence that $X_{3\_3} = X_{2\_1} = X_{1\_1}$. Message 4 comprises ciphertext items.
Step 3. If, after message 1, message 2, message 3 and message 4, decrypted communication messages between responder B and initiator A are collected, then message 4 meets the expectation of responder B, and it can be judged that $X_{4\_1} = X_{3\_1} = X_{3\_5\_1}$, $X_{4\_2} = X_{3\_5\_2}$, and $X_{4\_3} = X_{4\_4} = X_{3\_4} = X_{2\_3} = X_{3\_5\_3}$.
In the above, the principals comprise protocol initiator A, protocol responder B and protocol third party S. The message interaction behavior between the principals is collected from the start of the protocol session to the end of the session, and the information contained in the ciphertext of the protocol messages is computed from the interaction behavior of the protocol run and the plaintext information.
Beneficial effects of the invention:
According to the specific message format, the invention identifies the step information of protocol-related messages in the network, that is, it identifies that a given data message belongs to step N of the protocol run. It makes full use of the protocol specification format, the messages that can be monitored in the network system, and data such as users' online interaction behavior. Without decrypting the ciphertext, it computes and recovers, to a certain extent, the ciphertext information in the protocol exchange. It is applicable to security protocols using any cryptosystem and does not require deploying an additional monitoring program on the monitoring host. In practical application it has the advantages of wide applicability, few limitations and fast analysis, and it helps to further strengthen the monitoring and management of the network and to improve the ability of the information system to resist malicious attack.
Brief description of the drawings:
Fig. 1 is a schematic diagram of an SSL Encrypted Handshake Message captured by Wireshark in the prior art;
Fig. 2 is a schematic diagram of the protocol format parsed by Wireshark for the message shown in Fig. 1;
Fig. 3 is a schematic flow diagram of the computation of the invention.
Embodiments:
The invention is explained in further detail below with reference to the drawings and the technical solution, and its embodiments are described in detail through preferred examples; the embodiments of the invention are not limited to these.
Embodiment 1: referring to Fig. 3, this embodiment uses a classical protocol exchange to further illustrate the security protocol ciphertext information inference method based on principal interaction behavior, as follows:
1. $A \rightarrow B:\ ID\_A,\ \{X_{1\_1}, X_{1\_2}\}_{K_{as}}$
2. $B \rightarrow S:\ ID\_A,\ ID\_B,\ \{X_{2\_1}, X_{2\_2}\}_{K_{as}},\ \{X_{2\_3}, X_{2\_4}\}_{K_{bs}}$
3. $S \rightarrow A:\ \{X_{3\_1}, X_{3\_2}\}_{K_{as}},\ \{X_{3\_3}, X_{3\_4}, \{X_{3\_5\_1}, X_{3\_5\_2}, X_{3\_5\_3}\}_{K_{bs}}\}_{K_{ab}}$
4. $A \rightarrow B:\ \{X_{4\_1}, X_{4\_2}, X_{4\_3}\}_{K_{bs}},\ \{X_{4\_4}\}_{K_{ab}}$
Combining the protocol specification, the interaction behavior of the protocol principals and the timing relationship of the network messages, the detailed steps of the technical solution are as follows:
Step 1: If, after messages 1 and 2, message 3 sent by S to A is collected, this shows that message 2 meets the expectation of trusted third party S, and it can be judged that $X_{1\_2} = X_{2\_2} = ID\_A$ and $X_{2\_4} = ID\_B$;
Step 2: If, after messages 1, 2 and 3, message 4 sent by A to B is collected, this shows that message 3 meets the expectation of principal A, and it can be judged that $X_{3\_2} = ID\_B$ and $X_{3\_3} = X_{2\_1} = X_{1\_1} = N1$, where N1 is a non-computable item and serves here only as a label;
Step 3: If, after messages 1, 2, 3 and 4 are complete, decrypted communication messages between principals B and A are collected, this shows that message 4 meets the expectation of principal B, and it can be judged that $X_{4\_1} = X_{3\_1} = X_{3\_5\_1} = Ks$, $X_{4\_2} = X_{3\_5\_2} = ID\_A$, and $X_{4\_3} = X_{4\_4} = X_{3\_4} = X_{2\_3} = X_{3\_5\_3} = N2$, where N2 and Ks are non-computable items and serve only as labels.
Based on the above computation, the whole protocol exchange can be recovered as follows:
1. $A \rightarrow B:\ ID\_A,\ \{N1, ID\_A\}_{K_{as}}$
2. $B \rightarrow S:\ ID\_A,\ ID\_B,\ \{N1, ID\_A\}_{K_{as}},\ \{N2, ID\_B\}_{K_{bs}}$
3. $S \rightarrow A:\ \{Ks, ID\_B\}_{K_{as}},\ \{N1, N2, \{Ks, ID\_A, N2\}_{K_{bs}}\}_{K_{ab}}$
4. $A \rightarrow B:\ \{Ks, ID\_A, N2\}_{K_{bs}},\ \{N2\}_{K_{ab}}$
Based on the protocol interaction specification and principal interaction behavior, the invention can recover ciphertext information to a certain extent. Items such as principal identities, whose concrete values can be obtained by reference to plaintext information, are called computable items. For pure ciphertext information such as the random numbers N1, N2 and Ks, it can be judged whether the ciphertexts contain identical items; these are called non-computable items.
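Steps 1 to 3 of the embodiment amount to merging message slots into equivalence classes as each follow-up event is observed in protocol order. The Python sketch below is an added example, not code from the patent: the slot names and equalities are those of Embodiment 1, while the data layout and the function names `infer`, `render` and `kind` are assumptions made for illustration.

```python
# Added example: slot names (X1_1 ...) and equalities come from Embodiment 1;
# the data layout and function names are assumptions made for illustration.
# Templates: plain strings are cleartext fields or unknown slots,
# (key, [items]) is a ciphertext encrypted under that key.
TEMPLATE = {
    1: ["ID_A", ("Kas", ["X1_1", "X1_2"])],
    2: ["ID_A", "ID_B", ("Kas", ["X2_1", "X2_2"]), ("Kbs", ["X2_3", "X2_4"])],
    3: [("Kas", ["X3_1", "X3_2"]),
        ("Kab", ["X3_3", "X3_4", ("Kbs", ["X3_5_1", "X3_5_2", "X3_5_3"])])],
    4: [("Kbs", ["X4_1", "X4_2", "X4_3"]), ("Kab", ["X4_4"])],
}
ORDER = ["msg1", "msg2", "msg3", "msg4", "session"]
# Equalities justified once the trigger event is seen in protocol order.
RULES = {
    "msg3": [["X1_2", "X2_2", "ID_A"], ["X2_4", "ID_B"]],
    "msg4": [["X3_2", "ID_B"], ["X3_3", "X2_1", "X1_1", "N1"]],
    "session": [["X4_1", "X3_1", "X3_5_1", "Ks"], ["X4_2", "X3_5_2", "ID_A"],
                ["X4_3", "X4_4", "X3_4", "X2_3", "X3_5_3", "N2"]],
}

def walk(items):
    for item in items:  # yield every leaf field of a nested template
        if isinstance(item, tuple):
            yield from walk(item[1])
        else:
            yield item

def infer(observed):
    """Map each slot to its inferred label for an observed event sequence."""
    seen = 0  # number of leading events that follow the protocol order
    for event in observed:
        if seen == len(ORDER) or event != ORDER[seen]:
            break
        seen += 1
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            x = parent[x]
        return x
    def union(a, b):
        ra, rb = find(a), find(b)
        if ra.startswith("X"):      # keep an identity or label as the root
            ra, rb = rb, ra
        if ra != rb:
            parent[rb] = ra
    for trigger in ORDER[:seen]:
        for group in RULES.get(trigger, []):
            for slot in group[:-1]:
                union(slot, group[-1])
    return {f: find(f) for msg in TEMPLATE.values() for f in walk(msg)}

def render(items, binding):
    """Format a template with every slot replaced by its inferred label."""
    parts = []
    for item in items:
        if isinstance(item, tuple):
            parts.append("{" + render(item[1], binding) + "}" + item[0])
        else:
            parts.append(binding[item])
    return ", ".join(parts)

def kind(label):
    if label in ("ID_A", "ID_B"):
        return "computable"      # value readable from cleartext
    # N1, N2, Ks: only equality between slots is known, not the value
    return "unknown" if label.startswith("X") else "non-computable"
```

Calling `infer` with a truncated or out-of-order event list leaves the later slots unresolved, which mirrors the conditional wording of each step ("if, after messages 1 and 2, message 3 is collected").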
The invention is applicable to security protocols using any cryptosystem and does not require deploying an additional monitoring program on the detection host. It has wide applicability, few limitations and fast analysis, and it helps to further strengthen the monitoring and management of the network and to improve the ability of the information system to resist malicious attack.
The invention is not limited to the above embodiments. Those skilled in the art may make various changes accordingly, but any change equivalent or similar to the invention shall fall within the scope of the claims of the invention.

Claims (2)

1. A security protocol ciphertext information inference method based on principal interaction behavior, characterized in that it comprises the following steps:
Step 1. Protocol initiator A sends message 1 to protocol responder B; message 1 comprises a ciphertext part. If responder B, after receiving message 1, sends message 2 to protocol third party S, it can be judged that message 1 meets the expectation of responder B. Message 2 comprises ciphertext items. If, after receiving message 2, third party S sends message 3 to initiator A, it can be judged that message 2 meets the expectation of third party S, that is, $X_{1\_2} = X_{2\_2}$. Message 3 comprises ciphertext items, wherein $X_{1\_1}$, $X_{1\_2}$, $X_{2\_1}$, $X_{2\_2}$, $X_{1\_3}$, $X_{3\_4}$, $X_{3\_1}$, $X_{3\_2}$, $X_{3\_3}$, $X_{3\_4}$, $X_{3\_5\_1}$, $X_{3\_5\_2}$, $X_{3\_5\_3}$ all denote unknown variables, and $K_{as}$, $K_{bs}$ and $K_{ab}$ are, respectively, the pre-shared key of initiator A and third party S, the pre-shared key of responder B and third party S, and the session key of initiator A and responder B;
Step 2. If, after message 1, message 2 and message 3, message 4 sent by initiator A to responder B is collected, it can be judged that message 3 meets the expectation of initiator A, and hence that $X_{3\_3} = X_{2\_1} = X_{1\_1}$. Message 4 comprises ciphertext items;
Step 3. If, after message 1, message 2, message 3 and message 4, decrypted communication messages between responder B and initiator A are collected, then message 4 meets the expectation of responder B, and it can be judged that $X_{4\_1} = X_{3\_1} = X_{3\_5\_1}$, $X_{4\_2} = X_{3\_5\_2}$, and $X_{4\_3} = X_{4\_4} = X_{3\_4} = X_{2\_3} = X_{3\_5\_3}$.
2. The security protocol ciphertext information inference method based on principal interaction behavior according to claim 1, characterized in that: the principals comprise protocol initiator A, protocol responder B and protocol third party S; the message interaction behavior between the principals is collected from the start of the protocol session to the end of the session, and the information contained in the ciphertext of the protocol messages is computed from the interaction behavior of the protocol run and the plaintext information.
CN201510160153.7A 2015-04-07 2015-04-07 Security protocol cipher-text information estimating method based on main body interbehavior Expired - Fee Related CN104901944B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510160153.7A CN104901944B (en) 2015-04-07 2015-04-07 Security protocol cipher-text information estimating method based on main body interbehavior

Publications (2)

Publication Number Publication Date
CN104901944A true CN104901944A (en) 2015-09-09
CN104901944B CN104901944B (en) 2017-12-15

Family

ID=54034341

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510160153.7A Expired - Fee Related CN104901944B (en) 2015-04-07 2015-04-07 Security protocol cipher-text information estimating method based on main body interbehavior

Country Status (1)

Country Link
CN (1) CN104901944B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20171215

Termination date: 20210407