CN105141612A - DNS (Domain Name System) data packet privacy protection method - Google Patents

DNS (Domain Name System) data packet privacy protection method

Info

Publication number: CN105141612A
Application number: CN201510552889.9A
Authority: CN (China)
Language: Chinese (zh)
Inventors: 延志伟, 耿光刚, 李晓东
Assignee (original and current): China Internet Network Information Center
Priority and filing date: 2015-09-01
Publication date: 2015-12-09
Legal status: Pending
Prior art keywords: server, dns, public key, client, dns request

Classifications

    • H04L63/0442 — Network security: confidential data exchange over packet networks in which the payload is protected by asymmetric encryption (different keys for encryption and decryption)
    • H04L61/4511 — Network directories; name-to-address mapping using standardised directory access protocols, namely the domain name system [DNS]


Abstract

The invention relates to a DNS (Domain Name System) packet privacy protection method comprising the following steps: (1) the client, the recursive server and the authoritative server each generate and maintain their own asymmetric key pair; (2) when the client or the recursive server initiates a DNS request, it includes its own public key information in the DNS request packet; (3) the DNS request initiator encrypts the DNS request packet with the public key of the opposite-end server and sends the encrypted packet to that server; (4) the opposite-end server decrypts the received request packet, which contains the initiator's public key information, with its own private key, encrypts the response packet with the public key contained in the request packet, and sends the encrypted response to the initiator; (5) the initiator decrypts the received response packet with its own private key and obtains the final query result. The method guarantees the privacy of DNS data in transit.

Description

DNS packet privacy protection method
Technical field
The invention belongs to the fields of network technology and information security, and specifically relates to a DNS packet privacy protection method.
Background
With the Internet flourishing today, the number of Internet users is growing rapidly and new upper-layer applications appear constantly. DNS (Domain Name System), the infrastructure service that resolves Internet resource names to Internet resource addresses, is becoming ever more important, and the root service system, as the entry point of DNS resolution, must be secure and stable for the whole domain-name resolution business to operate normally and efficiently.
DNS is a distributed Internet service system that maps domain names to resource records of predefined types (such as IP addresses). As the resource-addressing service of the Internet application layer, the domain name service underlies the other Internet application services: common services (Web, e-mail, FTP, etc.) all locate and address resources on the basis of domain names.
The original DNS protocol is lightweight and offers no security guarantee for the service data: DNS data are transmitted over the Internet in clear text and are easy to hijack or tamper with in transit. Because the DNS protocol itself provides no integrity protection for the data content, a recipient cannot tell whether a received message has been tampered with or whether its source is correct; moreover, DNS is usually implemented over UDP, which lacks reliability guarantees and further increases the chance that messages are tampered with or forged. These security defects of the DNS protocol drove the emergence and development of DNSSEC.
DNSSEC is a security extension of the DNS protocol. By adding digital signatures based on asymmetric cryptography to DNS response messages, it guarantees that data are untampered and come from the correct source; and by having each zone submit its public key to its parent zone, level by level from the bottom up, it achieves step-by-step authentication of the whole domain name system. Specifically, DNSSEC gives DNS data three kinds of security assurance: (1) source verification: a DNS response message is guaranteed to come from an authorized authoritative server; (2) integrity verification: a DNS response message is guaranteed not to have been tampered with in transit; (3) authenticated denial of existence: when a user queries a non-existent domain name, the DNS server returns a digitally signed negative response, so that the negative answer is reliable.
In essence, DNSSEC builds a signature/verification system based on cryptographic means on top of the tree-shaped delegation structure of the domain name system, namely a chain of trust; by step-by-step verification along the chain of trust it guarantees that DNS query results are authentic and reliable (data integrity and non-repudiation).
Applications communicating over the Internet also face the threats of eavesdropping, tampering and forgery. To counter them, Internet data transmission today generally uses the Transport Layer Security (TLS) protocol to encrypt the channel and guarantee the integrity and confidentiality of data. TLS uses data encryption and signature technology, and its level of security depends on the keys it uses: if a private key leaks or a public key is forged, the security of the transmitted data is seriously undermined or lost entirely.
TLS uses key algorithms to provide endpoint authentication and communication security on the Internet. Its foundation is the digital certification authority (CA), which binds a public key to related information (the owner's name, the CA's name, the validity period of the public key, the CA's digital signature, etc.) in a digital certificate. The CA keeps its private key safe, issues digital certificates to TLS servers and supplies its public key to TLS clients. TLS clients treat the CA's public key as a "trust anchor" and use it to verify the validity of the TLS server's certificate; once verification succeeds, the TLS server and client can communicate securely.
Although the public CA model above is widely used, it still has shortcomings that endanger the secure transmission of information. Because the CA model allows any CA to issue a digital certificate for any TLS server, the system is fragile: once a CA breaches its security commitments, whether for subjective reasons or objective ones (such as a private-key leak), all digital certificates issued by that CA lose their security function.
On the basis of DNSSEC, the IETF DANE working group designed a new DNS resource record, TLSA (the name is only a resource record label and carries no other meaning), which uses the DNSSEC infrastructure to store the digital certificates or public keys used in TLS. The core of DANE is to use the DNSSEC infrastructure to restrict the range of CAs a TLS server may use, so that the zone operator can declare which digital signatures a TLS client should accept. Suppose the client is Charlie: when it accesses example.cn it receives the TLSA resource record described above and uses its content to verify the TLS digital certificate it receives from example.cn. If that certificate was issued by Bob, it is valid; otherwise it is invalid.
DANE uses the DNSSEC infrastructure to store the digital certificates or public keys used in TLS, so DANE inherits the advantages of DNSSEC. Although the principle resembles the CA model, it improves on the traditional CA model in three respects:
(1) keys are bound to domain names in DNS rather than to arbitrary identifiers, which makes them convenient for all kinds of Internet protocols to use;
(2) signed public keys can be obtained through the DNS system: a client only has to send an ordinary DNS request to look up the public key it needs, so key distribution is very simple;
(3) the key of a zone can only be signed by the key of its parent zone; for example, the key of the zone "example.com" can only be signed by the zone ".com", and the key of ".com" can only be signed by the root key.
So DNSSEC verifies the integrity and origin of DNS data, and DANE provides a DNSSEC-based mechanism for managing and authenticating the certificates of named Internet entities. But DNS remains a clear-text protocol: the packets transmitted between client and recursive server, and between recursive server and authoritative server, are not encrypted, and so the privacy of DNS data is not protected as far as it could be.
Summary of the invention
Aiming at the problems above, the present invention proposes a DNS packet privacy protection method that guarantees the privacy of DNS data in transit.
The DNS packet privacy protection method of the present invention comprises the following steps:
1) the client, the recursive server and the authoritative server each generate and maintain their own asymmetric key pair;
2) when the client initiates a DNS request, it includes its public key information in the DNS request packet; likewise, when the recursive server initiates a DNS request, it includes its public key information in the DNS request packet;
3) the DNS request initiator encrypts the DNS request packet with the public key of the opposite-end server and sends it to that server;
4) the opposite-end server decrypts the received DNS request packet, which contains the initiator's public key information, with its own private key, encrypts the response packet with the public key contained in the request packet, and sends it to the DNS request initiator;
5) the DNS request initiator decrypts the received response packet with its own private key and obtains the final query result.
Further, the recursive server maintains a TLSA resource record containing its public key information in the reverse zone, and the authoritative server maintains a TLSA resource record containing its public key information in the forward zone.
Further, in step 2) the header format of the DNS request packet is extended so that the request packet carries the initiator's public key information. The extension has two parts:
A) a flag bit PP is added in the reserved field to indicate that the requester wants the responder to encrypt the packet and that the requester's public key information is carried in the Additional section;
B) ARCOUNT is set to 1 to indicate that the request packet contains one Additional record, which stores the requester's public key information.
Further, the requester's public key information is carried in EDNS0 format in the Additional section of the request message, and the Additional record comprises:
OPTION-CODE: the EDNS0 option number under which the client public key information is stored;
OPTION-LENGTH: the length of the option;
TYPE: the key algorithm;
KEY-DATA: the public key data.
Building on the mature, standardized DNS protocol, the present invention proposes a DNS extension protocol for encrypting the DNS packets exchanged between client and recursive server and between recursive server and authoritative server, which guarantees the privacy of DNS data in transit.
Brief description of the drawings
Fig. 1 is a schematic diagram of the extended DNS packet header in the embodiment.
Fig. 2 is a schematic diagram of the RDATA format in the Additional section that carries the request message.
Fig. 3 is the flowchart of packet encryption between client and recursive server.
Fig. 4 is the flowchart of packet encryption between recursive server and authoritative server.
Detailed description of the embodiments
To make the objects, features and advantages of the present invention clearer, the invention is further described below through specific embodiments and the drawings.
The DNS packet privacy protection method proposed by the present invention encrypts the DNS packets exchanged between client and recursive server and between recursive server and authoritative server. The specific improvements are: 1. the public key information of DNS servers (recursive and authoritative) is maintained on the basis of the DANE protocol; 2. the client generates and maintains its own asymmetric key pair and, when it initiates a DNS request, includes its public key information in the request packet; likewise, when the recursive server initiates a DNS request, it includes its public key information in the request packet; the DNS signaling message is extended so that it contains the public key information of the packet initiator; 3. the DNS request packet is encrypted with the public key of the opposite-end server; 4. after receiving a DNS request packet containing public key information, the server first decrypts it with its own private key, then encrypts the response packet with the public key contained in the request packet.
1) Maintaining DNS server public key information
A recursive server generally has only an IP address, whereas an authoritative server generally has an NS resource record that gives the server's name. The DNS server public key information used in the present invention is therefore maintained in one of two places: in a forward zone (such as .cn or .com) or in a reverse zone (such as ip6.arpa or in-addr.arpa). If the server has a name, a TLSA resource record containing its public key information is maintained in the forward zone; if the server has only an IP address, a TLSA resource record containing its public key information is maintained in the reverse zone.
Examples:
A) Maintaining recursive server public key information
Suppose the IP address of a recursive server is 1.2.4.8. After the server has generated its public key information, the following resource record is maintained in the in-addr.arpa zone:
_53._udp.8.4.2.1.in-addr.arpa Lifetime IN TLSA Pub_key-Server
The fields have the following meanings:
● _53._udp.8.4.2.1.in-addr.arpa is the owner name of this recursive server's TLSA record; it states that the server at address 1.2.4.8 provides DNS resolution over UDP on port 53;
● Lifetime is the validity period of this TLSA record; the server should refresh the resource record before it expires. The present invention does not fix the length of Lifetime, nor the way in which the server rolls its keys;
● IN identifies the record as belonging to the Internet class;
● TLSA identifies the resource record type as TLSA;
● Pub_key-Server is the public key information this server uses.
The corresponding private key (Pte_key-Server) is kept securely by the recursive server.
B) Maintaining authoritative server public key information
Suppose the NS of the authoritative server for .cn is ns1.cn. After the server has generated its public key information, the following resource record is maintained in the .cn zone:
_53._udp.ns1.cn Lifetime IN TLSA Pub_key-Server
The fields have the following meanings:
● _53._udp.ns1.cn is the owner name of this authoritative server's TLSA record; it states that the server named ns1.cn provides DNS resolution over UDP on port 53;
● Lifetime is the validity period of this TLSA record; the server should refresh the resource record before it expires. The present invention does not fix the length of Lifetime, nor the way in which the server rolls its keys;
● IN identifies the record as belonging to the Internet class;
● TLSA identifies the resource record type as TLSA;
● Pub_key-Server is the public key information this server uses.
The corresponding private key (Pte_key-Server) is kept securely by the authoritative server.
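The owner-name construction above, as an added example in Go that is not part of the patent: it builds the `_<port>._<proto>.` owner name for a server known by NS name or by IPv4 address exactly as the description does, and extends it to IPv6 addresses under ip6.arpa, which the description does not show. The patent leaves the TLSA RDATA fields (certificate usage, selector, matching type) unspecified; the record line here uses `3 1 0` (DANE-EE, SubjectPublicKeyInfo, full data) so that the association data is the server's DER-encoded public key itself. That choice, the function names, the TTL standing in for Lifetime and the two-byte stand-in key bytes used when calling it are assumptions of this example, not values from the page.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net"
	"strings"
)

// TLSAOwnerName returns the name under which a DNS server publishes the TLSA record holding its
// public key, following the description: "_<port>._<proto>." in front of the server's NS name
// (forward zone) or of its reverse-mapping name under in-addr.arpa / ip6.arpa (reverse zone).
func TLSAOwnerName(server string, port int, proto string) string {
	prefix := fmt.Sprintf("_%d._%s.", port, strings.ToLower(proto))
	ip := net.ParseIP(server)
	if ip == nil { // not an address, so a host name in a forward zone
		return prefix + strings.TrimSuffix(server, ".") + "."
	}
	if v4 := ip.To4(); v4 != nil {
		return fmt.Sprintf("%s%d.%d.%d.%d.in-addr.arpa.", prefix, v4[3], v4[2], v4[1], v4[0])
	}
	// IPv6: 32 nibbles, least significant first, under ip6.arpa (RFC 3596); not shown in the patent.
	nibbles := make([]string, 0, 32)
	for i := len(ip) - 1; i >= 0; i-- {
		nibbles = append(nibbles, fmt.Sprintf("%x.%x", ip[i]&0x0f, ip[i]>>4))
	}
	return prefix + strings.Join(nibbles, ".") + ".ip6.arpa."
}

// TLSARecord renders the presentation-format record the server adds to its zone. The patent leaves
// the TLSA RDATA fields open; assumed here: certificate usage 3 (DANE-EE), selector 1
// (SubjectPublicKeyInfo) and matching type 0 (full data), so the association data is the server's
// DER-encoded public key in hex rather than a certificate or a hash of one.
func TLSARecord(server string, port int, proto string, ttl int, spkiDER []byte) string {
	return fmt.Sprintf("%s %d IN TLSA 3 1 0 %s", TLSAOwnerName(server, port, proto), ttl, hex.EncodeToString(spkiDER))
}
```

`TLSARecord("1.2.4.8", 53, "udp", 3600, spki)` yields the in-addr.arpa line of example A with a 3600-second TTL in place of Lifetime, and `TLSARecord("ns1.cn", 53, "udp", 3600, spki)` the .cn line of example B. Because the zone is DNSSEC-signed, the client that later looks this record up must also validate the RRSIG over it; an unsigned TLSA record gives an attacker on the path a trivial way to substitute their own key.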
2) client key generates
Client can generate unsymmetrical key pair based on any algorithm (RSA, Elgamal and knapsack algorithm etc.), and wherein private key is Pte_key-Client, and PKI is Pub_key-Client.
3) DNS request packet extension
To transmit public key information, the party that initiates a DNS request must carry the initiator's public key information in the DNS request packet; the DNS packet header format is therefore extended as shown in Fig. 1.
The header extension of the present invention has two main parts:
A) a flag bit PP (Privacy Protection) is added in the reserved field, indicating that the requester wants the responder to encrypt the packet and that the requester's public key information is carried in the Additional section;
B) ARCOUNT is set to 1, indicating that the request packet contains one Additional record, which stores the requester's public key information.
The requester's public key information is carried in EDNS0 format in the Additional section of the request message (OPT record, type 41). The format of the RDATA in the Additional section is shown in Fig. 2. The present invention calls this option Client-Pub_key; its parts have the following meanings:
OPTION-CODE: the EDNS0 option number under which the client public key information is stored;
OPTION-LENGTH: the length of the option;
TYPE: the key algorithm;
KEY-DATA: the public key data.
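The header and option layout just described, as an added example in Go; this is not code from the patent. It builds the extended request of Fig. 1 and Fig. 2 and performs the responder's check. Values the patent does not fix are assumptions here: PP is taken to be the single reserved (Z) bit still free in the header flags word (mask 0x0040, between RA and AD), the OPTION-CODE is 65001 from the experimental range of RFC 6891, and TYPE is one byte. KEY-DATA is whatever bytes the chosen key algorithm produces; the parser rejects a message without PP, with QDCOUNT or ARCOUNT other than 1, or whose OPT RR does not carry exactly this one option.

```go
package main

import (
	"encoding/binary"
	"errors"
	"strings"
)

// Values the patent leaves open; both are assumptions of this example: PP is the one reserved (Z)
// bit still free in the header flags word, and the OPTION-CODE is taken from the RFC 6891
// experimental range (65001-65534).
const ppFlag, optClientPK = 0x0040, 65001

var be = binary.BigEndian

// u16 appends big-endian 16-bit fields to b.
func u16(b []byte, vs ...uint16) []byte {
	for _, v := range vs { b = append(b, byte(v>>8), byte(v)) }
	return b
}

// encodeName writes name in DNS wire format (length-prefixed labels, no compression).
func encodeName(name string) []byte {
	var b []byte
	if name = strings.TrimSuffix(name, "."); name != "" {
		for _, l := range strings.Split(name, ".") { b = append(append(b, byte(len(l))), l...) }
	}
	return append(b, 0)
}

// BuildPPQuery builds the extended request of Fig. 1: PP=1, ARCOUNT=1, and one OPT RR whose single
// option is OPTION-CODE, OPTION-LENGTH, TYPE, KEY-DATA (keyType and keyData describe the requester's key).
func BuildPPQuery(id uint16, name string, qtype uint16, keyType byte, keyData []byte) []byte {
	opt := append(u16(nil, optClientPK, uint16(1+len(keyData))), keyType)
	opt = append(opt, keyData...)
	msg := u16(nil, id, 0x0100|ppFlag, 1, 0, 0, 1)              // header: RD=1, PP=1, QDCOUNT=1, ARCOUNT=1
	msg = u16(append(msg, encodeName(name)...), qtype, 1)       // question, class IN
	msg = u16(append(msg, 0), 41, 4096, 0, 0, uint16(len(opt))) // OPT RR: root owner, TYPE 41, UDP size, TTL 0, RDLENGTH
	return append(msg, opt...)
}

// ParsePPQuery is the responder's side: it returns the queried name, the key TYPE and KEY-DATA, and
// rejects anything that is not a well-formed PP request carrying exactly that one option.
func ParsePPQuery(msg []byte) (name string, keyType byte, keyData []byte, err error) {
	if len(msg) < 17 { return "", 0, nil, errors.New("message too short") }
	if be.Uint16(msg[2:])&ppFlag == 0 { return "", 0, nil, errors.New("PP flag not set") }
	if be.Uint16(msg[4:]) != 1 || be.Uint16(msg[10:]) != 1 { return "", 0, nil, errors.New("QDCOUNT and ARCOUNT must be 1") }
	var labels []string
	p := 12
	for p < len(msg) && msg[p] != 0 {
		l := int(msg[p])
		if l > 63 || p+1+l > len(msg) { return "", 0, nil, errors.New("bad question name") }
		labels = append(labels, string(msg[p+1:p+1+l]))
		p += 1 + l
	}
	qend := p + 5 // null label, QTYPE, QCLASS
	if len(msg) < qend+16 || msg[qend] != 0 || be.Uint16(msg[qend+1:]) != 41 {
		return "", 0, nil, errors.New("additional section is not an OPT RR")
	}
	rd := msg[qend+11:] // ARCOUNT=1, so the OPT RDATA runs to the end of the message
	if int(be.Uint16(msg[qend+9:])) != len(rd) || be.Uint16(rd) != optClientPK || int(be.Uint16(rd[2:])) != len(rd)-4 {
		return "", 0, nil, errors.New("OPT RR does not carry exactly one Client-Pub_key option")
	}
	return strings.Join(labels, ".") + ".", rd[4], rd[5:], nil
}
```

A responder must treat the PP bit and the option together: a request with PP set but no usable key cannot be answered in encrypted form, and answering it in clear text would silently defeat the protection the requester asked for, so the parser fails closed. The UDP payload size of 4096 in the OPT CLASS field is what lets the reply carry an encrypted response larger than the classic 512-byte limit.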
4) DNS data privacy protection flow
On the basis of the extended protocol and data above, the present invention proposes the complete DNS packet privacy protection flow.
A) The data encryption flow between client and recursive server is shown in Fig. 3.
● The client first looks up, via DANE, the public key information (Pub_key-Server-R) of its configured recursive server;
● When the client requests a domain name, it sets PP to 1 in the DNS query message to ask the recursive server to encrypt the response packet; in addition, the client carries the Client-Pub_key option in the request message via EDNS0, which contains the client's public key information Pub_key-Client. The client encrypts this extended DNS request packet with the recursive server's public key Pub_key-Server-R and sends it to the recursive server;
● The recursive server decrypts the packet with the private key corresponding to Pub_key-Server-R, obtains the domain name requested by the client and the client's public key information (Pub_key-Client), and encrypts the response packet with that public key;
● Only the client, holding the private key corresponding to Pub_key-Client, can decrypt the response packet and obtain the final query result.
With this flow both the DNS request packet and the DNS response packet are encrypted, which guarantees the privacy of the DNS signaling messages.
B) The data encryption flow between recursive server and authoritative server is shown in Fig. 4.
● The recursive server first looks up, via DANE, the public key information (Pub_key-Server-A) of the authoritative server it is about to query;
● When the recursive server queries this authoritative server, it sets PP to 1 in the DNS query message to ask the authoritative server to encrypt the response packet; in addition, the recursive server carries the Client-Pub_key option in the request message via EDNS0, which contains the recursive server's public key information Pub_key-Server-R. The recursive server encrypts this extended DNS request packet with the authoritative server's public key Pub_key-Server-A and sends it to the authoritative server;
● The authoritative server decrypts the packet with the private key corresponding to Pub_key-Server-A, obtains the domain name requested by the recursive server and the recursive server's public key information (Pub_key-Server-R), and encrypts the response packet with that public key;
● Only the recursive server, holding the private key corresponding to Pub_key-Server-R, can decrypt the response packet and obtain the final query result.
With this flow both the DNS request packet and the DNS response packet are encrypted, which guarantees the privacy of the DNS signaling messages.
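The two encryption legs of Fig. 3 and Fig. 4, as an added example in Go that is not the patent's own code. The patent does not fix the cipher; RSA-OAEP with a 2048-bit key can encrypt at most 190 bytes with SHA-256, which is less than a request that itself carries an RSA public key, so the example wraps a fresh AES-256-GCM key under RSA-OAEP and encrypts the message with that key (hybrid encryption), the standard way to apply public-key encryption to a message of arbitrary length. Further assumptions: the keys are RSA (the patent also allows knapsack algorithms, which are broken and should not be used); the request is a simplified stand-in consisting of a length-prefixed PKIX public key followed by the queried name rather than the full EDNS0 message; the peer public keys handed to each initiator stand for the Pub_key-Server-R and Pub_key-Server-A values a DANE TLSA lookup would return; the zone table is constructed; and the recursive server answers by itself querying the authoritative server, so that both legs run.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
)

// seal encrypts msg to pub. RSA-OAEP (2048-bit key, SHA-256) holds at most 190 bytes, less than a
// request carrying an RSA key, so a fresh AES-256-GCM key is wrapped with OAEP and sent ahead of
// nonce||ciphertext||tag (hybrid encryption; the patent fixes no cipher, this choice is the example's).
func seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	kn := make([]byte, 44) // 32-byte AES key followed by a 12-byte GCM nonce
	if _, err := rand.Read(kn); err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kn[:32], nil)
	if err != nil { return nil, err }
	block, _ := aes.NewCipher(kn[:32])
	gcm, _ := cipher.NewGCM(block)
	return gcm.Seal(append(wrapped, kn[32:]...), kn[32:], msg, nil), nil
}

// open reverses seal with the matching private key; a modified blob fails the GCM tag check.
func open(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	k := priv.Size()
	if len(blob) < k+12 { return nil, errors.New("ciphertext too short") }
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[:k], nil)
	if err != nil { return nil, err }
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, blob[k:k+12], blob[k+12:], nil)
}

// node is a client, recursive server or authoritative server holding its own key pair (step 1).
type node struct{ priv *rsa.PrivateKey }

func newNode() *node {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &node{priv}
}

// request stands in for the extended DNS request of Fig. 1: a 2-byte length, the initiator's
// PKIX-encoded public key (what the Client-Pub_key option carries), then the queried name.
func (n *node) request(name string) []byte {
	der, _ := x509.MarshalPKIXPublicKey(&n.priv.PublicKey)
	return append(append([]byte{byte(len(der) >> 8), byte(len(der))}, der...), name...)
}

func parseRequest(msg []byte) (*rsa.PublicKey, string, error) {
	if len(msg) < 2 { return nil, "", errors.New("truncated request") }
	l := 2 + int(binary.BigEndian.Uint16(msg))
	if l > len(msg) { return nil, "", errors.New("truncated request") }
	k, err := x509.ParsePKIXPublicKey(msg[2:l])
	if err != nil { return nil, "", err }
	pub, ok := k.(*rsa.PublicKey)
	if !ok { return nil, "", errors.New("initiator key is not RSA") }
	return pub, string(msg[l:]), nil
}

// serve is step (4) on the responding server: decrypt with its own private key, resolve the name
// through lookup, and encrypt the answer with the public key carried in the request.
func (n *node) serve(encReq []byte, lookup func(string) (string, error)) ([]byte, error) {
	req, err := open(n.priv, encReq)
	if err != nil { return nil, err }
	initiatorPub, name, err := parseRequest(req)
	if err != nil { return nil, err }
	answer, err := lookup(name)
	if err != nil { return nil, err }
	return seal(initiatorPub, []byte(answer))
}

// query is steps (2), (3) and (5) on the initiator: put its own public key in the request, encrypt
// the request to the peer's public key, send it, and decrypt the reply with its own private key.
func (n *node) query(peerPub *rsa.PublicKey, peer func([]byte) ([]byte, error), name string) (string, error) {
	encReq, err := seal(peerPub, n.request(name))
	if err != nil { return "", err }
	encAnswer, err := peer(encReq)
	if err != nil { return "", err }
	answer, err := open(n.priv, encAnswer)
	return string(answer), err
}

// Resolve runs both legs of Figs. 3 and 4 (client -> recursive server -> authoritative server).
// The peer public keys handed to query stand for the values a DANE TLSA lookup would return.
func Resolve(name string) (string, error) {
	client, recursive, auth := newNode(), newNode(), newNode()
	zone := map[string]string{"example.cn.": "192.0.2.1"} // constructed zone data
	authServe := func(encReq []byte) ([]byte, error) {
		return auth.serve(encReq, func(q string) (string, error) { return zone[q], nil })
	}
	recursiveServe := func(encReq []byte) ([]byte, error) {
		return recursive.serve(encReq, func(q string) (string, error) {
			return recursive.query(&auth.priv.PublicKey, authServe, q) // Pub_key-Server-A
		})
	}
	return client.query(&recursive.priv.PublicKey, recursiveServe, name) // Pub_key-Server-R
}
```

`Resolve("example.cn.")` returns "192.0.2.1" after two encrypted round trips; a reply decrypted with any other private key, or with a single byte altered, fails in `open` because the GCM tag no longer verifies. Two points the patent leaves to the implementer follow directly from the code: the request is encrypted to whatever key the DANE lookup returned, so confidentiality is only as good as the DNSSEC validation of that TLSA record, and nothing in the flow authenticates the initiator, so a server that receives a valid PP request learns only that someone holds the private key matching the key in the option.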
The embodiments above only illustrate the technical solution of the present invention and do not limit it; a person of ordinary skill in the art may modify the technical solution or substitute equivalents without departing from the spirit and scope of the present invention, and the scope of protection is defined by the claims.

Claims (6)

1. A DNS packet privacy protection method, characterized in that it comprises the following steps:
1) the client, the recursive server and the authoritative server each generate and maintain their own asymmetric key pair;
2) when the client initiates a DNS request, it includes its public key information in the DNS request packet; likewise, when the recursive server initiates a DNS request, it includes its public key information in the DNS request packet;
3) the DNS request initiator encrypts the DNS request packet with the public key of the opposite-end server and sends it to that server;
4) the opposite-end server decrypts the received DNS request packet, which contains the initiator's public key information, with its own private key, encrypts the response packet with the public key contained in the request packet, and sends it to the DNS request initiator;
5) the DNS request initiator decrypts the received response packet with its own private key and obtains the final query result.
2. The method of claim 1, characterized in that: the recursive server maintains a TLSA resource record containing its public key information in the reverse zone, and the authoritative server maintains a TLSA resource record containing its public key information in the forward zone.
3. The method of claim 1, characterized in that: in step 2) the header format of the DNS request packet is extended so that the DNS request packet carries the public key information of the DNS request initiator, the extension comprising two parts:
A) a flag bit PP is added in the reserved field to indicate that the requester wants the responder to encrypt the packet and that the requester's public key information is carried in the Additional section;
B) ARCOUNT is set to 1 to indicate that the request packet contains one Additional record, which stores the requester's public key information.
4. The method of claim 3, characterized in that: the requester's public key information is carried in EDNS0 format in the Additional section of the request message, the Additional record comprising:
OPTION-CODE: the EDNS0 option number under which the client public key information is stored;
OPTION-LENGTH: the length of the option;
TYPE: the key algorithm;
KEY-DATA: the public key data.
5. The method of claim 3 or 4, characterized in that the data encryption flow between client and recursive server comprises:
A) the client looks up, via DANE, the public key information Pub_key-Server-R of its configured recursive server;
B) when the client requests a domain name, it sets PP to 1 in the DNS query message to ask the recursive server to encrypt the response packet, and carries its public key information Pub_key-Client in the request message via EDNS0; the client encrypts this extended DNS request packet with the recursive server's public key Pub_key-Server-R and sends it to the recursive server;
C) the recursive server decrypts the packet with the private key corresponding to Pub_key-Server-R, obtains the domain name requested by the client and the client's public key information Pub_key-Client, and encrypts the response packet with that public key;
D) the client decrypts the response packet with the private key corresponding to Pub_key-Client and obtains the final query result.
6. The method of claim 3 or 4, characterized in that the data encryption flow between recursive server and authoritative server comprises:
A) the recursive server looks up, via DANE, the public key information Pub_key-Server-A of the authoritative server it is about to query;
B) when the recursive server queries this authoritative server, it sets PP to 1 in the DNS query message to ask the authoritative server to encrypt the response packet, and carries its public key information Pub_key-Server-R in the request message via EDNS0; the recursive server encrypts this extended DNS request packet with the authoritative server's public key Pub_key-Server-A and sends it to the authoritative server;
C) the authoritative server decrypts the packet with the private key corresponding to Pub_key-Server-A, obtains the domain name requested by the recursive server and the recursive server's public key information Pub_key-Server-R, and encrypts the response packet with that public key;
D) the recursive server decrypts the response packet with the private key corresponding to Pub_key-Server-R and obtains the final query result.
Application CN201510552889.9A (priority and filing date 2015-09-01), filed by China Internet Network Information Center, was published as CN105141612A on 2015-12-09; legal status: pending. Family ID: 54726820. Country: CN.

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108400953A (en) * 2017-02-06 2018-08-14 中兴通讯股份有限公司 Method for controlling terminal Internet access, method for terminal Internet access, router device and terminal
CN108476246A (en) * 2015-09-25 2018-08-31 微软技术许可有限责任公司 Secure domain name resolution in computer networks
CN109413076A (en) * 2018-11-06 2019-03-01 北京奇虎科技有限公司 Domain name resolution method and device
CN110113364A (en) * 2019-05-29 2019-08-09 深圳市网心科技有限公司 Domain name hijacking defense method and device, computer device and storage medium
CN111615820A (en) * 2018-10-15 2020-09-01 华为技术有限公司 Method and device for performing domain name resolution by sending a key value to a GRS server
CN111953678A (en) * 2020-08-11 2020-11-17 福州职业技术学院 Method and system for verifying DNS request security
CN113014561A (en) * 2021-02-18 2021-06-22 支付宝(杭州)信息技术有限公司 Privacy protection method and device for DNS request messages
CN113347144A (en) * 2021-04-14 2021-09-03 西安慧博文定信息技术有限公司 Method, system, device and storage medium for reciprocal data encryption

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101242426A (en) * 2007-02-06 2008-08-13 华为技术有限公司 Method, system and device for establishing a secure connection at the transport layer
CN101841521A (en) * 2010-01-22 2010-09-22 中国科学院计算机网络信息中心 Method, server and system for authenticating identity information in DNS messages
CN103929435A (en) * 2014-05-05 2014-07-16 中国科学院计算机网络信息中心 Credibility verification method based on the DNSSEC and DANE protocols
CN104702714A (en) * 2015-03-31 2015-06-10 北京奇虎科技有限公司 DNS (Domain Name Server) secure query method and device


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
M. DEMPSKY: "DNSCurve: Link-Level Security for the Domain Name System draft-dempsky-dnscurve-01", 《IETF》 *
Xu Haitao et al.: "DNS Data Security Solution", Computer Systems & Applications *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108476246A (en) * 2015-09-25 2018-08-31 微软技术许可有限责任公司 Secure domain name parsing in computer network
CN108400953A (en) * 2017-02-06 2018-08-14 中兴通讯股份有限公司 Method for controlling terminal Internet access, method for terminal Internet access, router device and terminal
CN111615820B (en) * 2018-10-15 2022-04-05 华为技术有限公司 Method and equipment for performing domain name resolution by sending key value to GRS server
CN111615820A (en) * 2018-10-15 2020-09-01 华为技术有限公司 Method and equipment for performing domain name resolution by sending key value to GRS server
CN109413076A (en) * 2018-11-06 2019-03-01 北京奇虎科技有限公司 Domain name resolution method and device
CN109413076B (en) * 2018-11-06 2022-11-29 北京奇虎科技有限公司 Domain name resolution method and device
CN110113364A (en) * 2019-05-29 2019-08-09 深圳市网心科技有限公司 Domain name hijacking defense method and device, computer device and storage medium
CN110113364B (en) * 2019-05-29 2022-02-25 深圳市网心科技有限公司 Domain name hijacking defense method and device, computer device and storage medium
CN111953678B (en) * 2020-08-11 2022-04-12 福州职业技术学院 Method and system for verifying DNS request security
CN111953678A (en) * 2020-08-11 2020-11-17 福州职业技术学院 Method and system for verifying DNS request security
CN113014561A (en) * 2021-02-18 2021-06-22 支付宝(杭州)信息技术有限公司 Privacy protection method and device for DNS request message
CN113014561B (en) * 2021-02-18 2022-09-06 支付宝(杭州)信息技术有限公司 Privacy protection method and device for DNS request message
CN113347144A (en) * 2021-04-14 2021-09-03 西安慧博文定信息技术有限公司 Method, system, equipment and storage medium for reciprocal data encryption

Similar Documents

Publication Publication Date Title
CN105141612A (en) DNS (Domain Name System) data packet privacy protection method
Seth et al. Practical security for disconnected nodes
Tan et al. A secure and authenticated key management protocol (SA-KMP) for vehicular networks
CN105577383A (en) Management of cryptographic keys
CN102355663B (en) Credible inter-domain rapid authentication method on basis of separation mechanism network
CN112351019B (en) Identity authentication system and method
KR20050037244A (en) Device authentication method using certificate and digital content processing device using the method
CN111865988B (en) Certificate-free key management method, system and terminal based on block chain
CN104486325A (en) Safe login certification method based on RESTful
CN111080299B (en) Anti-repudiation method for transaction information, client and server
CN107493165A (en) Internet of Vehicles authentication and key agreement method with strong anonymity
CN101808142A (en) Method and device for realizing trusted network connection through router or switch
CN104468859A (en) DANE extended query method and system supporting the carrying of service address information
CN103428692A (en) Wireless access network authentication method and wireless access network authentication system capable of holding accountability and protecting privacy
CN118540164A (en) Quantum security enhancement method for Internet key exchange protocol
CN115189903A (en) Distributed access control method supporting privacy protection in Internet of vehicles
CN104410635A (en) NDN security authentication method based on DANE
CN102340487B (en) Integrity report transferring method and system among multiple trust domains
KR100984275B1 (en) Method for generating secure key using certificateless public key in insecure communication channel
KR100970552B1 (en) Method for generating secure key using certificateless public key
Nepal et al. Secure Data Provenance for Internet of Vehicles with Verifiable Credentials
CN108696539B (en) Information service agent method for safety, fairness and privacy protection
Cheng et al. Research on vehicle-to-cloud communication based on lightweight authentication and extended quantum key distribution
CN114866244A (en) Controllable anonymous authentication method, system and device based on ciphertext block chaining encryption
KR101042834B1 (en) A Self-Certified Signcryption Method for Mobile Communications

Legal Events

Code  Title                                                        Description
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
RJ01  Rejection of invention patent application after publication  Application publication date: 20151209