CN104901944B - Security protocol cipher-text information estimating method based on main body interbehavior - Google Patents
Security protocol cipher-text information estimating method based on main body interbehavior Download PDFInfo
- Publication number
- CN104901944B CN104901944B CN201510160153.7A CN201510160153A CN104901944B CN 104901944 B CN104901944 B CN 104901944B CN 201510160153 A CN201510160153 A CN 201510160153A CN 104901944 B CN104901944 B CN 104901944B
- Authority
- CN
- China
- Prior art keywords
- message
- agreement
- protocol
- cipher
- main body
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Abstract
The present invention relates to the security protocol cipher-text information estimating method based on main body interbehavior, according to specific message format, the step information of agreement association message in network is identified, identify the n-th step that certain data message belongs in agreement running, and make full use of protocol specification form, the message that can be monitored in network system, and the data message such as user's online interaction behavior, under conditions of cipher-text information need not be decrypted, calculating and recovery to a certain extent is carried out to the cipher-text information during protocol interaction, suitable for the security protocol using various cipher systems, deployment monitoring program need not be added on monitoring main frame.The present invention in actual applications, has and had a wide range of application, and limitation is small, the advantages such as analyze speed is fast, helps further to strengthen the monitoring and management to network, lifting information system resists the ability of malicious attack.
Description
Technical field
The present invention relates to network safety filed, more particularly to a kind of security protocol cipher-text information based on main body interbehavior
Estimating method.
Background technology
Protocol identification is the important step of the crucial application of a large amount of network securitys, as intrusion detection, network QoS, traffic monitoring,
User behavior analysis etc., it is all significant for network manager, service provider, user.Based on network message data,
Protocol type used by identification information system, and then analyze in the key that user mutual behavior information is procotol identification
Hold, help effectively reduce various network application implementing monitorings and management the security risk of systems face, lift information
System resists the ability of malicious attack.With the extensive use of cryptographic technique, security protocol is widely applied various in internet
In core, crucial application, the various data related to security protocol proportion in network traffics increasingly increases.But network is pacified
Full agreement largely key message is encrypted protection using cryptographic technique, and the related data gathered in network includes many ciphertexts
.Due to cryptographic algorithm to crack difficulty very big, ciphertext data can not be parsed in the case where lacking correct key.
Therefore collection to some key messages can not be completed by relying solely on message data, can not obtain some in message ciphertext data
Key message.In network data, protocol type used by identification information system, and then analysis user mutual behavior contributes to
Strengthen, to various network application implementing monitorings and management, can effectively reducing the security risk of systems face, lift information system
Resist the ability of malicious attack.But with the extensive use of cryptographic technique, security protocol is largely using cryptographic technique to key
Protection is encrypted in information, result in the related data gathered in network and includes the ciphertext item that can not much parse, this is network
The management and control of information brings the problem of very big.
Parsing is carried out to network message information at present and is primarily present two class methods:One kind is based on network message flow information
Method, this method parses procotol using network traffics merely using the network data flow that collects as analysis object;
Other one kind is the method based on destination host program perform track, and this method is to realizing that the server program of procotol is carried out
Binary dynamic trace analysis, the handling process of message is parsed to message by tracking binary file, at present may be used
Realize the content recognition to a certain extent to cipher protocol.Analysis method based on network message flow information is mainly by catching
Network traffic data are obtained, are analyzed based on implementations such as the clear data in flow port, load, the statistical natures of packet,
This method parses procotol, but the party using network traffics merely using the network data flow collected as analysis object
Method is only analyzed plaintext agreement at present, ciphertext data can not be handled, as depicted in figs. 1 and 2, based on famous net
Network protocal analysis instrument Wireshark parses to ssl protocol encrypted handshake message message,
Wireshark only can recognize that the message content is ciphertext, but encryption remaining any feature of message can not be carried out further
Analysis and utilization;It is the another of network protocol analysis based on protocol-dependent application program running state feature on destination host
Kind of thinking, such method is by specific Binary analysis platform, by analyzing on main frame application program to the processing procedure of data
And then speculate the cryptographic algorithm that plaintext structure and ciphertext corresponding to ciphertext use.Although such method can handle encrypted message,
But need to obtain the application information for performing agreement on destination host, and specific monitoring instrument is disposed, and then could be real
Now to the acquisition of specific program running information, therefore, such method and technology realizes complexity, and application limitation is larger, can not
Really meet to data message monitoring requirements in network environment, and in actual applications, should when target program can not be obtained
Class method will fail.
The content of the invention
For deficiency of the prior art, the present invention provides a kind of security protocol cipher-text information based on main body interbehavior
Estimating method, make full use of the message that can be monitored in protocol specification form, network system and user's online interaction behavior
Data message, under conditions of cipher-text information need not be decrypted, one is carried out to the cipher-text information during protocol interaction
The calculating and recovery in degree are determined, suitable for the security protocol using various cipher systems, it is not necessary to disposed on monitoring main frame
Additional monitoring program, has and has a wide range of application, and limitation is small, the advantages such as analyze speed is fast, helps further to strengthen to network
Monitoring and management, lifting information system resists the ability of malicious attack.
According to design provided by the present invention, a kind of security protocol cipher-text information based on main body interbehavior is inferred
Method, comprise the following steps:
Step 1. agreement initiator A sends message 1 to protocol responses side B, and message 1 includes cipher text part
If protocol responses side B is received and sent message 2 to agreement third party S after message 1, it can determine that message 1 meets the pre- of respective party B
Phase;Message 2 includes ciphertext itemIf agreement third party S is sent to association after receiving message 2
Initiator A message 3 is discussed, can determine that message 2 meets S expection, i.e.,:X1_2=X2_2;Message 3 includesWherein, XiRepresent unknown variable, Kas、Kbs、KabPoint
Not Wei agreement initiator A and agreement third party S wildcard, protocol responses side B and agreement third party S pre-share it is close
The session key of key, agreement initiator A and protocol responses side B;
If step 2. after message 1, message 2 and message 3, collects agreement initiator A and is sent to disappearing for protocol responses side B
Breath 4, it can determine that message 3 meets agreement initiator A expection, judge X3_3=X2_1=X1_1;Message 4 includes ciphertext itemWith
If step 3. after message 1, message 2, message 3 and message 4, collect protocol responses side B and agreement initiator A it
Between coded communication message, then message 4 meet protocol responses side B expection, judge X4_l=X3_l=X3_5_1, X4_2=X3_5_2,
X4_3=X4_4=X3_4=X2_3=X3_5_3。
Above-mentioned, main body includes agreement initiator A, protocol responses side B and agreement third party S, since protocol conversation to
Conversation procedure terminates to gather the interacting message behavior between main body, by the interbehavior and cleartext information meter of agreement running
Calculate the information that ciphertext includes in protocol interaction message.
Beneficial effects of the present invention:
The present invention step information of the agreement association message in network is identified, i.e., according to specific message format
The n-th step that certain data message belongs in agreement running is identified, and makes full use of protocol specification form, network system
The data message such as the message that can be monitored in system and user's online interaction behavior, cipher-text information need not be decrypted
Under conditions of, calculating and recovery to a certain extent is carried out to the cipher-text information during protocol interaction, suitable for using various
The security protocol of cipher system, it is not necessary to the additional monitoring program of deployment on monitoring main frame.In actual applications, have and apply model
Enclose extensively, limitation is small, the advantages such as analyze speed is fast, helps further to strengthen the monitoring and management to network, lifting information system
System resists the ability of malicious attack.
Brief description of the drawings:
Fig. 1 is the ssl protocol encrypted handshake message messages of wireshark collections in the prior art
Schematic diagram;
Fig. 2 is the protocol format schematic diagram of the wireshark parsings shown in Fig. 1;
Fig. 3 is the calculation process schematic diagram of the present invention.
Embodiment:
The present invention is further detailed explanation with technical scheme below in conjunction with the accompanying drawings, and detailed by preferred embodiment
Describe bright embodiments of the present invention in detail, but embodiments of the present invention are not limited to this.
Embodiment one, referring to Fig. 3, the present embodiment combination classical protocols interaction, further illustrate the present invention based on master
The embodiment of the security protocol cipher-text information estimating method of body interbehavior is as follows:
l·A→B
2.B→S:
3.S→A:
4.A→B:
With reference to the sequential relationship of protocol specification, the interbehavior of protocol body and internet message, detailed technology of the present invention
Protocol step is described as follows:
Step 1:If after message 1,2, the message 3 that S is sent to A is collected, description messages 2 meet trusted third party S's
It is expected that it can determine that X1_2=X2_2=ID_A, X2_4=ID_B;
Step 2:If after message 1,2,3, collecting the message 4 that A is sent to B, description messages 3 meet the expection of main body A, can
Judge X3_2=ID_B, X3_3=X2_1=X1_1=N1, N1 for can not computational item, herein be only identify;
Step 3:If after the completion of message 1,2,3,4, collect the coded communication message between main body B and A, description messages 4
Meet main body B expection, can determine that X4_1=X3_1=X3_5_1=Ks, X4_2=X3_5_2=ID_A, X4_3=X4_4=X3_4=X2_3
=X3_5_3=N2, wherein, N2, Ks for can not computational item, only identify.
Based on above-mentioned calculating process, whole protocol interaction process can be reverted to following situation:
1.A→B:
2.B→S:
3.S→A:
4.A→B:
The present invention is based on protocol interaction specification and main body interbehavior, can recover cipher-text information to a certain extent;For
Subject identity mark etc., the item that cleartext information obtains occurrence is can refer to, referred to as can computational item;For random number N 1, N2, Ks
Etc. pure cipher-text information, can determine that identical item whether is included in ciphertext, referred to as can not computational item.
The present invention is applied to the security protocol using various password constitutions, it is not necessary to the additional monitoring of deployment on detection main frame
Program, have a wide range of application, limitation is small, and analyze speed is fast, helps further to strengthen the monitoring and management to network, lifting letter
Breath system resists the ability of malicious attack.
The invention is not limited in above-mentioned embodiment, those skilled in the art can also make a variety of changes accordingly,
It is but any all to cover within the scope of the claims with equivalent or similar change of the invention.
Claims (2)
- A kind of 1. security protocol cipher-text information estimating method based on main body interbehavior, it is characterised in that:Comprise the following steps:Step 1. agreement initiator A sends message 1 to protocol responses side B, and message 1 includes cipher text partIf association View responder B is received and is sent message 2 to agreement third party S after message 1, can determine that message 1 meets responder B expection;Disappear Breath 2 includes ciphertext itemIf agreement third party S is sent to agreement initiator after receiving message 2 A message 3, it can determine that message 2 meets agreement third party S expection, i.e.,:X1_2=X2_2, message 3 includesWherein, X1_1, X1_2, X2_1,X2_2, X2_3,X2_4, X3_1,X3_2, X3_3,X3_4,X3_5_1,X3_5_2,X3_5_3Represent unknown variable, Kas、Kbs、KabRespectively agreement initiator A and agreement the 3rd Square S wildcard, protocol responses side B and agreement third party S wildcard, agreement initiator A and protocol responses side B Session key;If step 2. after message 1, message 2 and message 3, collects the message 4 that agreement initiator A is sent to protocol responses side B, It can determine that message 3 meets agreement initiator A expection, judge X3_3=X2_1=X1_1;Message 4 includes ciphertext itemWithIf step 3. after message 1, message 2, message 3 and message 4, is collected between protocol responses side B and agreement initiator A Coded communication message, then message 4 meet protocol responses side B expection, judge X4_1=X3_1=X3_5_1, X4_2=X3_5_2, X4_3= X4_4=X3_4=X2_3=X3_5_3。
- 2. the security protocol cipher-text information estimating method according to claim 1 based on main body interbehavior, its feature exist In:Main body includes agreement initiator A, protocol responses side B and agreement third party S, is gathered since protocol conversation to conversation end Interacting message behavior between main body, calculated by the interbehavior and cleartext information of agreement running in protocol interaction message The information that ciphertext includes.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510160153.7A CN104901944B (en) | 2015-04-07 | 2015-04-07 | Security protocol cipher-text information estimating method based on main body interbehavior |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510160153.7A CN104901944B (en) | 2015-04-07 | 2015-04-07 | Security protocol cipher-text information estimating method based on main body interbehavior |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104901944A CN104901944A (en) | 2015-09-09 |
| CN104901944B true CN104901944B (en) | 2017-12-15 |
Family
ID=54034341
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510160153.7A Expired - Fee Related CN104901944B (en) | 2015-04-07 | 2015-04-07 | Security protocol cipher-text information estimating method based on main body interbehavior |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104901944B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106302507A (en) * | 2016-08-31 | 2017-01-04 | 北京盛世光明软件股份有限公司 | A kind of method based on SSL network data analytic technique |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1814255A1 (en) * | 2004-08-08 | 2007-08-01 | Huawei Technologies Co., Ltd. | System and method for realizing the security management in 3g mobile communication network |
| CN102891840A (en) * | 2012-06-12 | 2013-01-23 | 北京可信华泰信息技术有限公司 | Three power separation-based information security management system and information security management method |
-
2015
- 2015-04-07 CN CN201510160153.7A patent/CN104901944B/en not_active Expired - Fee Related
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1814255A1 (en) * | 2004-08-08 | 2007-08-01 | Huawei Technologies Co., Ltd. | System and method for realizing the security management in 3g mobile communication network |
| CN102891840A (en) * | 2012-06-12 | 2013-01-23 | 北京可信华泰信息技术有限公司 | Three power separation-based information security management system and information security management method |
Non-Patent Citations (2)
| Title |
|---|
| "一个新的无可信第三方的多方不可否认协议";董涛 等;《计算机工程与应用》;20061031;第121-122页 * |
| "一种基于恶意主体的通用公平交换协议";雷新锋 等;《解放军理工大学学报(自然科学版)》;20110228;第12卷(第1期);第19-24页 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104901944A (en) | 2015-09-09 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11425047B2 (en) | Traffic analysis method, common service traffic attribution method, and corresponding computer system | |
| KR102088299B1 (en) | Apparatus and method for detecting drdos | |
| Wang et al. | Biprominer: Automatic mining of binary protocol features | |
| Zhang et al. | A sensitive network jitter measurement for covert timing channels over interactive traffic | |
| TW202019127A (en) | Abnormal flow detection device and abnormal flow detection method thereof | |
| CN113676348B (en) | Network channel cracking method, device, server and storage medium | |
| Yan et al. | Identifying wechat red packets and fund transfers via analyzing encrypted network traffic | |
| CN104023352B (en) | A kind of instant communication software side channel testing system towards mobile communication platform | |
| CN103840983A (en) | WEB tunnel detection method based on protocol behavior analysis | |
| CN104363240A (en) | Unknown threat comprehensive detection method based on information flow behavior validity detection | |
| CN112788064B (en) | Encryption network abnormal flow detection method based on knowledge graph | |
| WO2023173790A1 (en) | Data packet-based encrypted traffic classification system | |
| Huang et al. | An authentication scheme to defend against UDP DrDoS attacks in 5G networks | |
| CN108712369B (en) | Multi-attribute constraint access control decision system and method for industrial control network | |
| CN101577644B (en) | Peer-to-peer network application traffic identification method | |
| Iglesias et al. | DAT detectors: uncovering TCP/IP covert channels by descriptive analytics | |
| CN116346418A (en) | DDoS detection method and device based on federal learning | |
| KR101210622B1 (en) | Method for detecting ip shared router and system thereof | |
| Shi et al. | Website fingerprinting using traffic analysis of dynamic webpages | |
| Sarhan et al. | A framework for digital forensics of encrypted real-time network traffic, instant messaging, and VoIP application case study | |
| CN104901944B (en) | Security protocol cipher-text information estimating method based on main body interbehavior | |
| CN113315678A (en) | Encrypted TCP (Transmission control protocol) traffic acquisition method and device | |
| CN108667804A (en) | A kind of ddos attack detection and means of defence and system based on SDN frameworks | |
| Li et al. | On sliding window based change point detection for hybrid SIP DoS attack | |
| Xue et al. | Bound maxima as a traffic feature under DDOS flood attacks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20171215 Termination date: 20210407 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |