CN105141612A - DNS (Domain Name System) data packet privacy protection method - Google Patents
- Publication number: CN105141612A
- Application number: CN201510552889.9A
- Authority: CN (China)
- Prior art keywords: server, dns, public key, client, dns request
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Classifications
- H04L63/0442: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
- H04L61/4511: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
Abstract
The invention relates to a DNS (Domain Name System) data packet privacy protection method comprising the following steps: (1) a client, a recursive server and an authoritative server each generate and maintain their own asymmetric key pair; (2) when initiating a DNS request, the client or the recursive server includes its own public key information in the DNS request packet; (3) the DNS request initiator encrypts the DNS request packet with the public key of the peer server and sends it to the peer server; (4) the peer server uses its own private key to decrypt the received DNS request packet, which contains the initiator's public key information, encrypts the response packet with the public key contained in the request packet, and sends it to the DNS request initiator; (5) the DNS request initiator decrypts the received response packet with its own private key to obtain the final query result. The method ensures the privacy of DNS data transmission.
Description
Technical field
The invention belongs to the fields of network technology and information security technology, and specifically relates to a DNS data packet privacy protection method.
Background art
With the Internet flourishing today, the number of Internet users is growing rapidly and upper-layer applications keep emerging. The DNS (Domain Name System), as the infrastructure service that resolves Internet resource names to Internet resource addresses, is becoming ever more important. As the entry point of DNS resolution, the root service system must be secure and stable for the whole domain name resolution business to operate normally and efficiently.
DNS is a distributed Internet service system that maps domain names to resource records of certain predefined types (such as IP addresses). As an application-layer resource addressing service, the domain name service is the basis of other Internet application services; common Internet application services (such as Web, e-mail and FTP services) all rely on it to address and locate resources.
The original DNS protocol is a lightweight protocol that provides no security guarantee for the service data. DNS data is transmitted over the Internet in plaintext and is easily hijacked or tampered with in transit. Because the DNS protocol itself provides no integrity protection for data content, the recipient cannot tell whether a received message has been tampered with or whether its source is correct. In addition, DNS is usually implemented over UDP, which lacks reliability guarantees for communication, further increasing the possibility that a message is tampered with or forged. These security defects in the DNS protocol prompted the emergence and development of DNSSEC.
DNSSEC is a security extension of the DNS protocol. It adds digital signatures based on the Rivest-Shamir-Adleman (RSA) algorithm to DNS response messages to guarantee that the data has not been tampered with and comes from the correct source; each zone in turn submits its own public key upward, level by level, to its parent zone, achieving level-by-level security authentication of the whole domain name system. Specifically, DNSSEC provides three security guarantees for DNS data: (1) origin verification: the DNS response message comes from an authorized authoritative server; (2) integrity verification: the DNS response message has not been tampered with in transit; (3) authenticated denial of existence: when a user requests a nonexistent domain name, the DNS server also returns a negative response message carrying a digital signature, to guarantee the reliability of the negative response.
In essence, DNSSEC builds, on top of the tree-shaped delegation hierarchy of the domain name system, a cryptographic signing/verification system, i.e. a chain of trust. Level-by-level verification along the chain of trust ensures that DNS query results are authentic and reliable (data integrity and non-repudiation).
However, applications that communicate over the Internet also face the threat of information being eavesdropped on, tampered with or forged. To counter these threats, Internet data transmission today generally uses the Transport Layer Security (TLS) protocol to encrypt the channel and ensure the integrity and confidentiality of the data. TLS uses data encryption and signature techniques, and its level of security depends on the keys it uses: if a private key is leaked or a public key is forged, the security of the transmitted data is seriously weakened or lost entirely.
TLS uses cryptographic algorithms to provide endpoint authentication and communication security on the Internet. Its foundation is the certification authority (CA), which binds a public key to related information (the owner's name, the CA name, the validity period of the public key, the CA's digital signature, and so on) in a digital certificate. The CA keeps its private key safe, issues digital certificates for TLS servers, and provides its public key to TLS clients. A TLS client treats the CA's public key as a "trust anchor" and uses it to verify the validity of the TLS server certificate. Once verification succeeds, the TLS server and client can communicate securely.
Although this public CA model is widely used, it still has shortcomings that create risks for the secure transmission of information. For example, the CA model allows any CA to issue a digital certificate for a TLS server, which makes the system fragile: once a CA breaks its security commitments, whether for subjective or objective reasons (such as a private key leak), all digital certificates issued by that CA lose their security function.
Building on DNSSEC, the IETF DANE working group designed a new DNS resource record, TLSA (TLSA is only the name of a resource record type and has no other meaning), which uses the DNSSEC infrastructure to store the digital certificates or public keys used in the TLS protocol. The core of the DANE protocol is to rely on the DNSSEC infrastructure to restrict the set of CAs that a TLS server may use, so that a zone operator can declare the scope of digital signatures that a TLS client may accept. Suppose the client is Charlie: when it accesses example.cn, it can receive the TLSA resource record described above and use its content to verify the TLS digital certificate it receives from example.cn. If that certificate was issued by Bob, it is valid; otherwise it is invalid.
Because DANE uses the DNSSEC infrastructure to store the digital certificates or public keys used in TLS, it inherits the advantages of DNSSEC. Although its principle is similar to the CA model, it improves on the traditional CA model in three respects:
(1) A key is bound to a domain name in the DNS rather than to an arbitrary identifier, which makes it convenient for all kinds of Internet protocols to use;
(2) The signed public key can be obtained through the DNS: the client only needs to send an ordinary DNS request to look up the required public key, so public key distribution is very simple;
(3) The key of a zone can only be signed by the key of its parent zone; for example, the key of zone "example.com" can only be signed by zone ".com", and the key of zone ".com" can only be signed by the root key.
DNSSEC provides verification of the integrity and origin of DNS data, and DANE provides a DNSSEC-based certificate management and authentication mechanism for Internet named entities. DNS nevertheless remains a plaintext transmission protocol: packets transmitted between the client and the recursive server, and between the recursive server and the authoritative server, lack the encryption needed to ensure the privacy of DNS data to the greatest extent.
Summary of the invention
To address the above problem, the invention proposes a DNS data packet privacy protection method that ensures the privacy of DNS data transmission.
The DNS data packet privacy protection method of the invention comprises the following steps:
1) The client, the recursive server and the authoritative server each generate and maintain their own asymmetric key pair;
2) When the client initiates a DNS request, it includes its public key information in the DNS request packet; likewise, when the recursive server initiates a DNS request, it includes its public key information in the DNS request packet;
3) The DNS request initiator encrypts the DNS request packet with the public key of the peer server and then sends it to the peer server;
4) The peer server uses its own private key to decrypt the received DNS request packet, which contains the initiator's public key information, encrypts the response packet with the public key contained in the DNS request packet, and then sends it to the DNS request initiator;
5) The DNS request initiator decrypts the received response packet with its own private key and obtains the final query result.
Further, the recursive server maintains, in a reverse zone, a TLSA resource record containing its public key information, and the authoritative server maintains, in a forward zone, a TLSA resource record containing its public key information.
Further, step 2) extends the header format of the DNS request packet so that the packet can carry the public key information of the DNS request initiator. The extension has two parts:
A) In the reserved field, a one-byte flag bit PP is added, indicating that the DNS requester wants the responder to encrypt the packet and that the requester's public key information is carried in the Additional field;
B) ARCOUNT is set to 1, indicating that the request packet contains one Additional field, used to store the requester's public key information.
Further, the requester's public key information is carried, in EDNS0 format, in the Additional field of the request message. The Additional field comprises:
OPTION-CODE: the EDNS0 option number used to store the client public key information;
OPTION-LENGTH: option length;
TYPE: key algorithm;
KEY-DATA: public key data.
Building on the mature, standardized DNS protocol, the invention proposes a DNS extension protocol for encrypting the DNS packets exchanged between the client and the recursive server and between the recursive server and the authoritative server, ensuring the privacy of DNS data transmission.
Brief description of the drawings
Fig. 1 is a schematic diagram of the extended DNS packet header in the embodiment.
Fig. 2 is a schematic diagram of the RDATA format in the Additional field carried by the request message.
Fig. 3 is a flow chart of packet encryption between the client and the recursive server.
Fig. 4 is a flow chart of packet encryption between the recursive server and the authoritative server.
Detailed description of embodiments
To make the above objects, features and advantages of the invention more apparent, the invention is further described below through specific embodiments and the drawings.
The DNS data packet privacy protection method proposed by the invention encrypts the DNS packets exchanged between the client and the recursive server and between the recursive server and the authoritative server. The specific improvements are:
1. The public key information of DNS servers (both recursive and authoritative servers) is maintained on the basis of the DANE protocol;
2. The client generates and maintains its own asymmetric key pair and, when initiating a DNS request, includes its public key information in the DNS request packet; likewise, when the recursive server initiates a DNS request, it includes its public key information in the DNS request packet. The DNS signaling message is extended so that it contains the public key information of the packet initiator;
3. The DNS request packet is encrypted with the public key of the peer server;
4. After receiving a DNS request packet containing public key information, the server first decrypts it with its own private key, then encrypts the response packet with the public key contained in the DNS request packet.
1) Maintaining DNS server public key information
A recursive server generally has only IP address information, whereas an authoritative server generally has an NS resource record that gives the server's name. The DNS server public key information used in the invention is therefore maintained in one of two places: in a forward zone (such as .cn, .com) or in a reverse zone (such as ip6.arpa and in-addr.arpa). If the server has a name, the TLSA resource record containing its public key information is maintained in the forward zone; if the server has only an IP address, the TLSA resource record containing its public key information is maintained in the reverse zone.
Examples follow:
A) Maintaining recursive server public key information
Suppose the IP address of a recursive server is 1.2.4.8. After the server generates its public key information, the following resource record is maintained in the in-addr.arpa zone:
_53._udp.8.4.2.1.in-addr.arpa Lifetime IN TLSA Pub_key-Server
The fields have the following meanings:
● _53._udp.8.4.2.1.in-addr.arpa is the owner name of this recursive server's TLSA record, indicating that the server at address 1.2.4.8 provides DNS resolution service over UDP on port 53;
● Lifetime is the validity period of this TLSA record. The server should update the resource record before the record expires. The invention does not limit the specific duration of Lifetime, nor the manner in which the server performs key rotation;
● IN indicates that this is a resource record of the Internet class;
● TLSA indicates that the resource record type is TLSA;
● Pub_key-Server is the public key information used by this server.
The corresponding private key (Pte_key-Server) is kept securely by the recursive server.
B) Maintaining authoritative server public key information
Suppose the NS of the authoritative server for .cn is ns1.cn. After the server generates its public key information, the following resource record is maintained in the .cn zone:
_53._udp.ns1.cn Lifetime IN TLSA Pub_key-Server
The fields have the following meanings:
● _53._udp.ns1.cn is the owner name of this authoritative server's TLSA record, indicating that the server named ns1.cn provides DNS resolution service over UDP on port 53;
● Lifetime is the validity period of this TLSA record. The server should update the resource record before the record expires. The invention does not limit the specific duration of Lifetime, nor the manner in which the server performs key rotation;
● IN indicates that this is a resource record of the Internet class;
● TLSA indicates that the resource record type is TLSA;
● Pub_key-Server is the public key information used by this server.
The private key corresponding to the authoritative server (Pte_key-Server) is kept securely by that server.
2) Client key generation
The client can generate an asymmetric key pair with any algorithm (RSA, ElGamal, knapsack algorithms, etc.); the private key is Pte_key-Client and the public key is Pub_key-Client.
3) DNS request packet extension
To convey public key information, the party initiating a DNS request needs to carry its own public key information in the DNS request packet. The header format of the DNS packet is extended as shown in Fig. 1.
The invention's extension of the DNS packet header has two main parts:
A) In the reserved field, a one-byte flag bit (PP, Privacy Protection) is added, indicating that the DNS requester wants the responder to encrypt the packet and that the requester's public key information is carried in the Additional field;
B) ARCOUNT is set to 1, indicating that the request packet contains one Additional field, used to store the requester's public key information.
The requester's public key information is carried, in EDNS0 format, in the Additional field of the request message (OPT=41). The concrete format of RDATA in the Additional field is shown in Fig. 2. The invention calls this option Client-Pub_key; its parts have the following meanings:
OPTION-CODE: the EDNS0 option number used to store the client public key information;
OPTION-LENGTH: option length;
TYPE: key algorithm;
KEY-DATA: public key data.
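As an added illustration (not code from the patent), the Python below derives the TLSA owner names described in section 1) and builds and parses the extended request of section 3) in plaintext, i.e. the bytes that the initiator then encrypts with the responder's public key. The PP bit position, the option code 65001, the one-byte TYPE encoding and all function names are assumptions, because the page does not fix them.

```python
import ipaddress
import struct

# Assumptions, none of them fixed by the page: PP sits in the reserved Z bit
# of the header flags, the option code comes from the EDNS0 local-use range,
# TYPE is one byte, and OPTION-LENGTH covers TYPE plus KEY-DATA.
PP_FLAG = 0x0040
OPT_CLIENT_PUB_KEY = 65001
RR_TYPE_OPT = 41
KEY_TYPE_RSA = 1  # hypothetical TYPE value


def tlsa_owner_name(server, port=53, proto="udp"):
    """Owner name of the TLSA record that holds a DNS server's public key."""
    try:
        # Server known only by IP address: reverse zone (in-addr.arpa / ip6.arpa).
        base = ipaddress.ip_address(server).reverse_pointer
    except ValueError:
        # Server known by name (from an NS record): forward zone.
        base = server.rstrip(".")
    return f"_{port}._{proto}.{base}"


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_request(qname, pub_key, key_type=KEY_TYPE_RSA, msg_id=0x1234, qtype=1):
    """Plaintext extended query: PP set, ARCOUNT=1, Client-Pub_key in the OPT RR."""
    if not pub_key or len(pub_key) > 4096:
        raise ValueError("public key must be 1..4096 bytes")
    header = struct.pack("!HHHHHH", msg_id, 0x0100 | PP_FLAG, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt_data = bytes([key_type]) + pub_key
    option = struct.pack("!HH", OPT_CLIENT_PUB_KEY, len(opt_data)) + opt_data
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLENGTH.
    opt_rr = b"\x00" + struct.pack("!HHIH", RR_TYPE_OPT, 4096, 0, len(option)) + option
    return header + question + opt_rr


def parse_request(msg):
    """Responder side, after decryption: return (qname, key_type, pub_key)."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & PP_FLAG:
        raise ValueError("PP not set")
    if (qd, an, ns, ar) != (1, 0, 0, 1):
        raise ValueError("unexpected section counts")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(msg):
            raise ValueError("bad label")  # also rejects compression pointers
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    pos += 4  # skip QTYPE and QCLASS
    if pos + 11 > len(msg) or msg[pos] != 0:
        raise ValueError("missing OPT record")
    rtype, _size, _ttl, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
    rdata = msg[pos + 11:pos + 11 + rdlen]
    if rtype != RR_TYPE_OPT or len(rdata) != rdlen:
        raise ValueError("bad OPT record")
    i = 0
    while i + 4 <= len(rdata):  # walk the option list inside RDATA
        code, olen = struct.unpack("!HH", rdata[i:i + 4])
        body = rdata[i + 4:i + 4 + olen]
        if len(body) != olen:
            raise ValueError("option overruns RDATA")
        if code == OPT_CLIENT_PUB_KEY:
            if olen < 2:
                raise ValueError("option carries no key data")
            return ".".join(labels), body[0], body[1:]
        i += 4 + olen
    raise ValueError("Client-Pub_key option absent")


# Constructed sample input: placeholder bytes standing in for a real public key.
SAMPLE_KEY = bytes(range(32))
SAMPLE_REQUEST = build_request("example.cn", SAMPLE_KEY)
```

The responder must run checks like those in `parse_request` on the decrypted bytes before using the embedded key, since every length field in them is supplied by the requester.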
4) DNS data privacy protection flow
Based on the above extension protocol and data, the invention proposes a complete DNS data packet privacy protection flow.
A) The data encryption flow between the client and the recursive server is shown in Fig. 3.
● The client first queries, via DANE, the public key information (Pub_key-Server-R) of its configured recursive server;
● The client requests a domain name and sets PP to 1 in the DNS query message, indicating that it asks the recursive server to encrypt the response packet. In addition, the client carries the Client-Pub_key option in the request message via EDNS0, containing the client's public key information Pub_key-Client. The client encrypts this extended DNS request packet with the recursive server's public key Pub_key-Server-R and sends it to the recursive server;
● The recursive server decrypts the packet with the private key corresponding to Pub_key-Server-R, obtaining the domain name requested by the client and the client's public key information (Pub_key-Client); the recursive server encrypts the response packet with this public key;
● Only the client, using the private key corresponding to Pub_key-Client, can decrypt the response packet and obtain the final query result.
With this flow, both the DNS request packet and the DNS response packet are encrypted, ensuring the privacy of DNS signaling messages.
B) The data encryption flow between the recursive server and the authoritative server is shown in Fig. 4.
● The recursive server first queries, via DANE, the public key information (Pub_key-Server-A) of the authoritative server it is about to query;
● When the recursive server queries this authoritative server, it sets PP to 1 in the DNS query message, indicating that it asks the authoritative server to encrypt the response packet. In addition, the recursive server carries the Client-Pub_key option in the request message via EDNS0, containing the recursive server's public key information Pub_key-Server-R. The recursive server encrypts this extended DNS request packet with the authoritative server's public key Pub_key-Server-A and sends it to the authoritative server;
● The authoritative server decrypts the packet with the private key corresponding to Pub_key-Server-A, obtaining the domain name requested by the recursive server and the recursive server's public key information (Pub_key-Server-R); the authoritative server encrypts the response packet with this public key;
● Only the recursive server, using the private key corresponding to Pub_key-Server-R, can decrypt the response packet and obtain the final query result.
With this flow, both the DNS request packet and the DNS response packet are encrypted, ensuring the privacy of DNS signaling messages.
The above embodiments only illustrate the technical solution of the invention and do not limit it. A person of ordinary skill in the art may modify the technical solution or replace it with equivalents without departing from the spirit and scope of the invention; the scope of protection of the invention is defined by the claims.
Claims (6)
1. A DNS data packet privacy protection method, characterized by comprising the following steps:
1) The client, the recursive server and the authoritative server each generate and maintain their own asymmetric key pair;
2) When the client initiates a DNS request, it includes its public key information in the DNS request packet; likewise, when the recursive server initiates a DNS request, it includes its public key information in the DNS request packet;
3) The DNS request initiator encrypts the DNS request packet with the public key of the peer server and then sends it to the peer server;
4) The peer server uses its own private key to decrypt the received DNS request packet, which contains the initiator's public key information, encrypts the response packet with the public key contained in the DNS request packet, and then sends it to the DNS request initiator;
5) The DNS request initiator decrypts the received response packet with its own private key and obtains the final query result.
2. The method of claim 1, characterized in that: the recursive server maintains, in a reverse zone, a TLSA resource record containing its public key information, and the authoritative server maintains, in a forward zone, a TLSA resource record containing its public key information.
3. The method of claim 1, characterized in that: step 2) extends the header format of the DNS request packet so that the packet can carry the public key information of the DNS request initiator, the extension comprising two parts:
A) In the reserved field, a one-byte flag bit PP is added, indicating that the DNS requester wants the responder to encrypt the packet and that the requester's public key information is carried in the Additional field;
B) ARCOUNT is set to 1, indicating that the request packet contains one Additional field, used to store the requester's public key information.
4. The method of claim 3, characterized in that: the requester's public key information is carried, in EDNS0 format, in the Additional field of the request message, the Additional field comprising:
OPTION-CODE: the EDNS0 option number used to store the client public key information;
OPTION-LENGTH: option length;
TYPE: key algorithm;
KEY-DATA: public key data.
5. The method of claim 3 or 4, characterized in that the data encryption flow between the client and the recursive server comprises:
A) The client queries, via DANE, the public key information Pub_key-Server-R of its configured recursive server;
B) The client requests a domain name and sets PP to 1 in the DNS query message, indicating that it asks the recursive server to encrypt the response packet, and the client carries its public key information Pub_key-Client in the request message via EDNS0; the client encrypts this extended DNS request packet with the recursive server's public key Pub_key-Server-R and sends it to the recursive server;
C) The recursive server decrypts the packet with the private key corresponding to Pub_key-Server-R, obtaining the domain name requested by the client and the client's public key information Pub_key-Client; the recursive server encrypts the response packet with this public key;
D) The client decrypts the response packet with the private key corresponding to Pub_key-Client and obtains the final query result.
6. The method of claim 3 or 4, characterized in that the data encryption flow between the recursive server and the authoritative server comprises:
A) The recursive server queries, via DANE, the public key information Pub_key-Server-A of the authoritative server it is about to query;
B) When the recursive server queries this authoritative server, it sets PP to 1 in the DNS query message, indicating that it asks the authoritative server to encrypt the response packet, and the recursive server carries its public key information Pub_key-Server-R in the request message via EDNS0; the recursive server encrypts this extended DNS request packet with the authoritative server's public key Pub_key-Server-A and sends it to the authoritative server;
C) The authoritative server decrypts the packet with the private key corresponding to Pub_key-Server-A, obtaining the domain name requested by the recursive server and the recursive server's public key information Pub_key-Server-R; the authoritative server encrypts the response packet with this public key;
D) The recursive server decrypts the response packet with the private key corresponding to Pub_key-Server-R and obtains the final query result.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510552889.9A CN105141612A (en) | 2015-09-01 | 2015-09-01 | DNS (Domain Name System) data packet privacy protection method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105141612A true CN105141612A (en) | 2015-12-09 |
Family
ID=54726820
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510552889.9A Pending CN105141612A (en) | 2015-09-01 | 2015-09-01 | DNS (Domain Name System) data packet privacy protection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105141612A (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108400953A (en) * | 2017-02-06 | 2018-08-14 | 中兴通讯股份有限公司 | Control terminal is surfed the Internet and the method for terminal online, router device and terminal |
CN108476246A (en) * | 2015-09-25 | 2018-08-31 | 微软技术许可有限责任公司 | Secure domain name parsing in computer network |
CN109413076A (en) * | 2018-11-06 | 2019-03-01 | 北京奇虎科技有限公司 | Domain name analytic method and device |
CN110113364A (en) * | 2019-05-29 | 2019-08-09 | 深圳市网心科技有限公司 | Domain Hijacking defence method and device, computer installation and storage medium |
CN111615820A (en) * | 2018-10-15 | 2020-09-01 | 华为技术有限公司 | Method and equipment for performing domain name resolution by sending key value to GRS server |
CN111953678A (en) * | 2020-08-11 | 2020-11-17 | 福州职业技术学院 | Method and system for verifying DNS request security |
CN113014561A (en) * | 2021-02-18 | 2021-06-22 | 支付宝(杭州)信息技术有限公司 | Privacy protection method and device for DNS request message |
CN113347144A (en) * | 2021-04-14 | 2021-09-03 | 西安慧博文定信息技术有限公司 | Method, system, equipment and storage medium for reciprocal data encryption |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101242426A (en) * | 2007-02-06 | 2008-08-13 | 华为技术有限公司 | Method, system and device for establishing secure connection at transmission layer |
CN101841521A (en) * | 2010-01-22 | 2010-09-22 | 中国科学院计算机网络信息中心 | Method, server and system for authenticating identify information in DNS message |
CN103929435A (en) * | 2014-05-05 | 2014-07-16 | 中国科学院计算机网络信息中心 | Credibility verification method based on DNSSEC and DANE protocols |
CN104702714A (en) * | 2015-03-31 | 2015-06-10 | 北京奇虎科技有限公司 | DNS (Domain Name Server) safety querying method and device |
-
2015
- 2015-09-01 CN CN201510552889.9A patent/CN105141612A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101242426A (en) * | 2007-02-06 | 2008-08-13 | 华为技术有限公司 | Method, system and device for establishing secure connection at transmission layer |
CN101841521A (en) * | 2010-01-22 | 2010-09-22 | 中国科学院计算机网络信息中心 | Method, server and system for authenticating identify information in DNS message |
CN103929435A (en) * | 2014-05-05 | 2014-07-16 | 中国科学院计算机网络信息中心 | Credibility verification method based on DNSSEC and DANE protocols |
CN104702714A (en) * | 2015-03-31 | 2015-06-10 | 北京奇虎科技有限公司 | DNS (Domain Name Server) safety querying method and device |
Non-Patent Citations (2)
Title |
---|
M. DEMPSKY: "DNSCurve: Link-Level Security for the Domain Name System draft-dempsky-dnscurve-01", 《IETF》 * |
许海涛等: "DNS 数据安全解决方案", 《计 算 机 系 统 应 用》 * |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108476246A (en) * | 2015-09-25 | 2018-08-31 | 微软技术许可有限责任公司 | Secure domain name parsing in computer network |
CN108400953A (en) * | 2017-02-06 | 2018-08-14 | 中兴通讯股份有限公司 | Control terminal is surfed the Internet and the method for terminal online, router device and terminal |
CN111615820B (en) * | 2018-10-15 | 2022-04-05 | 华为技术有限公司 | Method and equipment for performing domain name resolution by sending key value to GRS server |
CN111615820A (en) * | 2018-10-15 | 2020-09-01 | 华为技术有限公司 | Method and equipment for performing domain name resolution by sending key value to GRS server |
CN109413076A (en) * | 2018-11-06 | 2019-03-01 | 北京奇虎科技有限公司 | Domain name analytic method and device |
CN109413076B (en) * | 2018-11-06 | 2022-11-29 | 北京奇虎科技有限公司 | Domain name resolution method and device |
CN110113364A (en) * | 2019-05-29 | 2019-08-09 | 深圳市网心科技有限公司 | Domain Hijacking defence method and device, computer installation and storage medium |
CN110113364B (en) * | 2019-05-29 | 2022-02-25 | 深圳市网心科技有限公司 | Domain name hijacking defense method and device, computer device and storage medium |
CN111953678B (en) * | 2020-08-11 | 2022-04-12 | 福州职业技术学院 | Method and system for verifying DNS request security |
CN111953678A (en) * | 2020-08-11 | 2020-11-17 | 福州职业技术学院 | Method and system for verifying DNS request security |
CN113014561A (en) * | 2021-02-18 | 2021-06-22 | 支付宝(杭州)信息技术有限公司 | Privacy protection method and device for DNS request message |
CN113014561B (en) * | 2021-02-18 | 2022-09-06 | 支付宝(杭州)信息技术有限公司 | Privacy protection method and device for DNS request message |
CN113347144A (en) * | 2021-04-14 | 2021-09-03 | 西安慧博文定信息技术有限公司 | Method, system, equipment and storage medium for reciprocal data encryption |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105141612A (en) | | DNS (Domain Name System) data packet privacy protection method |
Seth et al. | | Practical security for disconnected nodes |
Tan et al. | | A secure and authenticated key management protocol (SA-KMP) for vehicular networks |
CN105577383A (en) | | Management of cryptographic keys |
CN102355663B (en) | | Credible inter-domain rapid authentication method on basis of separation mechanism network |
CN112351019B (en) | | Identity authentication system and method |
KR20050037244A (en) | | Device authentication method using certificate and digital content processing device using the method |
CN111865988B (en) | | Certificate-free key management method, system and terminal based on block chain |
CN104486325A (en) | | Safe login certification method based on RESTful |
CN111080299B (en) | | Anti-repudiation method for transaction information, client and server |
CN107493165A (en) | | A kind of car networking certification and cryptographic key negotiation method with strong anonymity |
CN101808142A (en) | | Method and device for realizing trusted network connection through router or switch |
CN104468859A (en) | | DANE expanding query method supporting carrying service address information and system |
CN103428692A (en) | | Wireless access network authentication method and wireless access network authentication system capable of holding accountability and protecting privacy |
CN118540164A (en) | | Quantum security enhancement method for Internet key exchange protocol |
CN115189903A (en) | | Distributed access control method supporting privacy protection in Internet of vehicles |
CN104410635A (en) | | NDN security authentication method based on DANE |
CN102340487B (en) | | Integrity report transferring method and system among multiple trust domains |
KR100984275B1 (en) | | Method for generating secure key using certificateless public key in insecure communication channel |
KR100970552B1 (en) | | Method for generating secure key using certificateless public key |
Nepal et al. | | Secure Data Provenance for Internet of Vehicles with Verifiable Credentials |
CN108696539B (en) | | Information service agent method for safety, fairness and privacy protection |
Cheng et al. | | Research on vehicle-to-cloud communication based on lightweight authentication and extended quantum key distribution |
CN114866244A (en) | | Controllable anonymous authentication method, system and device based on ciphertext block chaining encryption |
KR101042834B1 (en) | | A Self-Certified Signcryption Method for Mobile Communications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C10 | Entry into substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20151209 |