CN105553966B - Method and device for key exchange (Google Patents)

Publication number: CN105553966B (other version: CN105553966A)
Application number: CN201510919203.5A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 刘思聪, 周光涛, 文湘江
Assignee (original and current): China United Network Communications Group Co Ltd
Legal status: Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/061: Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection
    • H04L 63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses a key exchange method and device in the field of information technology. It allows the two communicating parties to identify an attacker and thereby avoid leakage of communication messages. The method includes: the communication end device first sends a key exchange message to a forwarding device; the forwarding device replicates the key exchange message according to a preset policy to obtain multiple key exchange messages, and forwards them to the correspondent node device over different links; the correspondent node device then determines the waiting time for receiving key exchange messages and judges whether a man-in-the-middle attack exists; if it judges that a man-in-the-middle attack exists, the correspondent node sends an alarm message to the network management system, which determines the attacker from the alarm message and sends the correct key to the correspondent node device. The invention is suitable for detecting whether a man-in-the-middle is present on the link between the two communicating parties.

Description

Method and device for key exchange
Technical field
The present invention relates to the field of information technology, and in particular to a key exchange method and device.
Background technology
With the year-on-year growth of the Internet and its user base, new network modes keep emerging and constantly change the way people live. However, owing to the openness and anonymity of the network, network security problems have become increasingly prominent. In existing networks the two communicating parties agree on a key in order to encrypt the transmitted information, so how the two parties carry out the key exchange has become a major issue.
Currently, in one key exchange method, the two parties exchange a public key using the Diffie-Hellman algorithm. Specifically, the sending end and the receiving end each determine their own first public key and each sends its first public key to the peer; the sending end and the receiving end then each determine a second public key from the key they received, and the second public keys determined by the two parties are identical.
However, when the two parties exchange a public key using the Diffie-Hellman algorithm, an attacker present in the communication channel between the sending end and the receiving end can listen to the key information of both parties, use the key information it overheard to determine a public key with the sending end and with the receiving end respectively, and use those public keys to obtain and decrypt the information exchanged between the sending end and the receiving end. Because of network delay, the sending end and the receiving end cannot learn whether an attacker is present, so the two parties cannot determine whether there is an attacker, and the communication messages are leaked.
Invention content
The present invention provides a key exchange method and device which allow the two communicating parties to determine the attacker and thereby avoid leakage of communication messages.
The technical solution adopted by the present invention is as follows:
In a first aspect, the present invention provides a key exchange method, including:
the communication end device sends a key exchange message to a forwarding device;
the forwarding device replicates the key exchange message according to a preset policy to obtain multiple key exchange messages;
the forwarding device forwards the multiple key exchange messages to the correspondent node device over different links;
the correspondent node device determines the waiting time for receiving key exchange messages and judges whether a man-in-the-middle attack exists, where the waiting time is the normal time from the communication end device sending the key exchange message until the correspondent node device receives the key exchange message;
if it judges that a man-in-the-middle attack exists, the correspondent node sends an alarm message to the network management system;
the network management system determines the attacker from the alarm message and sends the correct key to the correspondent node device.
In a second aspect, the present invention provides a key exchange device, including:
a first sending unit, located in the communication end device, for sending a key exchange message to a forwarding device;
a replication unit, located in the forwarding device, for replicating the key exchange message according to a preset policy to obtain multiple key exchange messages;
a forwarding unit, located in the forwarding device, for forwarding the multiple key exchange messages to the correspondent node device over different links;
a first determination unit, located in the correspondent node device, for determining the waiting time for receiving key exchange messages;
a judging unit, located in the correspondent node device, for judging whether a man-in-the-middle attack exists, where the waiting time is the normal time from the communication end device sending the key exchange message until the correspondent node device receives the key exchange message;
a second sending unit, located in the correspondent node device, for sending an alarm message to the network management system when a man-in-the-middle attack is judged to exist;
a second determination unit, located in the network management system, for determining the attacker from the alarm message;
a third sending unit, located in the network management system, for sending the correct key to the correspondent node device.
In the key exchange method and device provided by the present invention, the communication end device first sends a key exchange message to a forwarding device; the forwarding device replicates the key exchange message according to a preset policy to obtain multiple key exchange messages and forwards them to the correspondent node device over different links; the correspondent node device then determines the waiting time for receiving key exchange messages and judges whether a man-in-the-middle attack exists, the waiting time being the normal time from the communication end device sending the key exchange message until the correspondent node device receives it; and if a man-in-the-middle attack is judged to exist, the correspondent node sends an alarm message to the network management system, which determines the attacker from the alarm message and sends the correct key to the correspondent node device. Compared with the current practice in which the two parties exchange a public key through the Diffie-Hellman algorithm alone, the present invention has the forwarding device replicate the key exchange message and forward the copies over different signal paths. When an attacker is present on one of the links, the correspondent node can judge whether an attacker exists by checking whether all key exchange messages received within the waiting time carry only a single key; when an attacker exists it can send an alarm message to the network management system, so that the network management system determines the attacker and the correspondent node obtains a key exchange message carrying the correct key. The two parties can thus determine the attacker and avoid leakage of communication messages.
Description of the drawings
To explain the technical solutions of the present invention or of the prior art more clearly, the drawings needed for the description of the present invention or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art could obtain other drawings from these without creative effort.
Fig. 1 is a schematic diagram of a key exchange system in an embodiment of the present invention;
Fig. 2 is a flow chart of a key exchange method in an embodiment of the present invention;
Fig. 3 is a flow chart of another key exchange method in an embodiment of the present invention;
Fig. 4 is a flow chart of another key exchange method in an embodiment of the present invention;
Fig. 5 is a flow chart of another key exchange method in an embodiment of the present invention;
Fig. 6 is a flow chart of another key exchange method in an embodiment of the present invention;
Fig. 7 is a schematic diagram of a key exchange device in an embodiment of the present invention;
Fig. 8 is a schematic diagram of another key exchange device in an embodiment of the present invention.
Specific implementation mode
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention provides a key exchange method applied to a key exchange system. As shown in Fig. 1, the key exchange system includes a communication end, a correspondent node, at least one forwarding device and a network management system. The communication end device and the correspondent node device can exchange information with the forwarding device, and the network management system can exchange information with both the communication end device and the correspondent node device.
An embodiment of the present invention provides a key exchange method which allows the two communicating parties to determine the attacker and thereby avoid leakage of communication messages. As shown in Fig. 2, the method includes:
201. The communication end device sends a key exchange message to a forwarding device.
The key exchange message carries a key.
In this embodiment, the communication end device first agrees with the correspondent node device, according to the Diffie-Hellman algorithm, on an integer g and a large prime p, and generates a large integer a. From these three parameters the communication end device generates the public key X, where X = g^a mod p. The communication end device then sends a key exchange message containing the key X and the identity (ID) information of the communication end device to the correspondent node device through the forwarding device.
In this embodiment, the forwarding device may be a router.
202. The forwarding device replicates the key exchange message according to a preset policy to obtain multiple key exchange messages.
In this embodiment, the forwarding device can recognise the key exchange message and, from the information carried in it, determine how many forwarding devices the message has passed through since leaving the communication end device. The forwarding device then replicates the key exchange message and forwards the copies through multiple ports.
For example, after the first forwarding device receives the key exchange message, it extracts the information in the message and determines that it is the first forwarding device. According to parameters such as configuration rules or link state, the first forwarding device sets the number of copies of the key exchange message to 4 and forwards the 4 key exchange messages through two ports, separated by a random time t1 with 0 < t1 < T0. Each key exchange message carries the identity information of the communication end device and the public key X.
203. The forwarding device forwards the multiple key exchange messages to the correspondent node device over different links.
In this embodiment, the forwarding times of the replicated key exchange messages are separated by a random time t with 0 < t < T0. The forwarding device nearest to the communication end, on receiving a key exchange message containing the public key X, forwards it through multiple ports at intervals of t to the next forwarding device, and so on until it reaches the correspondent node device. The communication end device sets the value of T0 from data such as the network size and the link delay.
In this embodiment, the forwarding device sends the replicated key exchange messages to the correspondent node device over different signal paths. Therefore, when a man-in-the-middle attack occurs on one of the paths, the correspondent node device can determine whether a man-in-the-middle attack exists by judging whether all key exchange messages received within the waiting time carry only one kind of key.
204. The correspondent node device determines the waiting time for receiving key exchange messages.
The waiting time is the normal time from the communication end device sending the key exchange message until the correspondent node device receives the key exchange message.
205. The correspondent node device judges whether a man-in-the-middle attack exists.
In this embodiment, the correspondent node device judges whether all key exchange messages received within the waiting time carry only one kind of key. If only one kind of key is present in all key exchange messages received within the waiting time, the correspondent node device determines that no man-in-the-middle attack exists; if more than one kind of key is present in the key exchange messages received within the waiting time, the correspondent node device determines that a man-in-the-middle attack exists.
206. If a man-in-the-middle attack is judged to exist, the correspondent node sends an alarm message to the network management system.
The alarm message carries the identity (ID) information of the communication end device, the IP address information of the communication end device, the ID information of the correspondent node device, the IP address information of the correspondent node device, the several keys found in the key exchange messages received by the correspondent node, and the key generated by the correspondent node device itself.
In this embodiment, if the correspondent node device detects man-in-the-middle attack behaviour, it records the address information of the sending device of each key exchange message that carries a different key but the same identity information, and reports these addresses to the network management system in the alarm message.
In this embodiment, if the correspondent node device determines that no man-in-the-middle attack exists, it parses the key exchange message directly and obtains the key.
207. The network management system determines the attacker from the alarm message.
In this embodiment, if the key exchange messages received by the correspondent node device carry two kinds of key, X and Z, the correspondent node device sends to the network management system the source address information of the key exchange message carrying key Y, the source address information of the key exchange message carrying Z, its own user identity information, its own address information, the address information of the communication end device, and the correspondence between the keys X and Z and the key generated by the correspondent node device itself on the one hand and the device identity information on the other. The key generated by the correspondent node device itself is the public key it generates according to the Diffie-Hellman algorithm.
208. The network management system sends the correct key to the correspondent node device.
In this embodiment, when the network management system receives the above alarm message, it first analyses the correspondence between the identity information of the devices at both ends of the communication, the public keys, and the source and destination addresses of the messages; from this it can find the key published by the attacker and the attacker's address information. The network management system then filters out the attacker's traffic, for example by message interaction or by issuing ACL policies to the switch port to which the attacker is connected.
In the key exchange method provided by the embodiment of the present invention, the communication end device first sends a key exchange message to a forwarding device; the forwarding device replicates the key exchange message according to a preset policy to obtain multiple key exchange messages and forwards them to the correspondent node device over different links; the correspondent node device then determines the waiting time for receiving key exchange messages and judges whether a man-in-the-middle attack exists, the waiting time being the normal time from the communication end device sending the key exchange message until the correspondent node device receives it; and if a man-in-the-middle attack is judged to exist, the correspondent node sends an alarm message to the network management system, which determines the attacker from the alarm message and sends the correct key to the correspondent node device. Compared with the current practice in which the two parties exchange a public key through the Diffie-Hellman algorithm alone, the embodiment of the present invention has the forwarding device replicate the key exchange message and forward the copies over different signal paths. When an attacker is present on one of the links, the correspondent node can judge whether an attacker exists by checking whether all key exchange messages received within the waiting time carry only a single key; when an attacker exists it can send an alarm message to the network management system, so that the network management system determines the attacker and the correspondent node obtains a key exchange message carrying the correct key. The two parties can thus determine the attacker and avoid leakage of communication messages.
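The flow of steps 201 to 208 as a runnable simulation, added here and not part of the patent: a toy Diffie-Hellman key X, replication over two links, a man-in-the-middle substituting its key Z on one link, the correspondent's check within the waiting time, the alarm record, and the network management system's attribution of the attacker's address. The prime, generator, private values, addresses and the single forwarding device are constructed assumptions.

```python
import random
from dataclasses import dataclass

# Constructed toy Diffie-Hellman parameters; far too small to be secure.
P, G = 23, 5


def dh_public_key(private: int) -> int:
    """Step 201: X = g^a mod p."""
    return pow(G, private, P)


@dataclass(frozen=True)
class KeyExchangeMsg:
    sender_id: str  # identity (ID) information of the communication end device
    key: int        # public key carried in the message
    src_addr: str   # address of the device that last transmitted the message
    link: int       # link on which this copy travels


def replicate_and_forward(msg, copies, links, t0, rng):
    """Steps 202-203: `copies` copies spread over `links`, each sent after a random t with 0 < t < T0."""
    out = []
    for i in range(copies):
        copy = KeyExchangeMsg(msg.sender_id, msg.key, msg.src_addr, links[i % len(links)])
        out.append((rng.uniform(0.0, t0), copy))
    return out


def tamper(msg, attacker_key, attacker_addr):
    """Man-in-the-middle on one link: keeps the end device's identity but substitutes its own key Z."""
    return KeyExchangeMsg(msg.sender_id, attacker_key, attacker_addr, msg.link)


def wait_time(t0, n0, u):
    """Step 402: T = T0 * N0 + u."""
    return t0 * n0 + u


def has_mitm(received):
    """Steps 205/501-502: more than one distinct key among the messages received within T."""
    return len({m.key for m in received}) > 1


def build_alarm(received, end_id, end_addr, peer_id, peer_addr, peer_key):
    """Step 206: both identities and addresses, every received key with the address it came from, the peer's own key."""
    return {
        "end_id": end_id, "end_addr": end_addr,
        "peer_id": peer_id, "peer_addr": peer_addr,
        "peer_key": peer_key,
        "keys": sorted({(m.key, m.src_addr) for m in received}),
    }


def nms_find_attacker(alarm, key_sent_by_end):
    """Steps 207/601: the NMS learns from the end device which key it really sent;
    the source address of any other key is the attacker."""
    return sorted({addr for key, addr in alarm["keys"] if key != key_sent_by_end})


def run_scenario(attacked_link=None, seed=1):
    """Simulate one exchange; `attacked_link` is the link (1 or 2) the man-in-the-middle sits on, or None."""
    rng = random.Random(seed)
    t0, n0, u = 2.0, 3, 0.2            # forwarding interval, forwarding-device count, link delay (page's values)
    a, b = 6, 15                       # constructed private values of the end device and the peer
    x = dh_public_key(a)               # X sent by the communication end device
    y = dh_public_key(b)               # the correspondent node's own public key
    z = dh_public_key(13)              # Z constructed by the attacker
    original = KeyExchangeMsg("end-A", x, "10.0.0.1", link=0)
    t_wait = wait_time(t0, n0, u)
    received = []
    for delay, m in replicate_and_forward(original, copies=4, links=[1, 2], t0=t0, rng=rng):
        if m.link == attacked_link:
            m = tamper(m, z, "10.0.0.99")
        if delay + u <= t_wait:        # only copies arriving within the waiting time are considered
            received.append(m)
    if not has_mitm(received):
        # No attack: parse the key directly and derive the shared secret.
        return {"mitm": False, "attackers": [], "shared": pow(received[0].key, b, P)}
    alarm = build_alarm(received, "end-A", "10.0.0.1", "end-B", "10.0.0.2", y)
    attackers = nms_find_attacker(alarm, key_sent_by_end=x)
    # Steps 208/602: the NMS hands over the correct key X; the peer derives the shared secret from X and b.
    return {"mitm": True, "attackers": attackers, "shared": pow(x, b, P)}
```

With the attacker on link 2 the two tampered copies carry Z while the two on link 1 still carry X, so the distinct-key check fires and the shared secret is recovered from the key the NMS confirms.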
In another possible implementation of the embodiment of the present invention, on the basis of Fig. 2, step 201 (the communication end device sends a key exchange message to a forwarding device) is followed by steps 301-302 as shown in Fig. 3.
301. The forwarding device adds forwarding-device count information to the key exchange message.
The forwarding-device count information represents the number of forwarding devices the key exchange message has passed through.
In this embodiment, the key exchange message carries forwarding-device count information so that, after a forwarding device receives the key exchange message, it can determine from the carried count how many forwarding devices the message passed through before reaching it.
302. The forwarding device adds message copy count information to each of the multiple key exchange messages.
In this embodiment, each forwarding device must add the number of copies it made to the key exchange message, so that every forwarding device can determine from the copy count in the received message how many key exchange messages it needs to replicate, and the number of key exchange messages in the network does not grow too large.
In this embodiment, because the forwarding device adds the message copy count information to the key exchange message, other forwarding devices that receive the key exchange message can determine from that copy count how many copies of the message to make, which prevents forwarding devices from replicating too many key exchange messages and causing a message storm in the network.
In another possible implementation of the embodiment of the present invention, on the basis of Fig. 3, step 204 (the correspondent node device determines the waiting time for receiving key exchange messages) is preceded by step 401 as shown in Fig. 4, and step 204 specifically includes step 402 as shown in Fig. 4.
401. The correspondent node device obtains the forwarding time interval and obtains the forwarding-device count information from the received key exchange message.
The forwarding time interval is the maximum time interval at which a forwarding device forwards key exchange messages.
In this embodiment, the correspondent node device determines from the forwarding-device count information in the received key exchange message the number of forwarding devices the message has passed through, and from that number determines the link delay of the key exchange message.
402. The correspondent node device determines the waiting time for receiving key exchange messages according to the formula T = T0 * N0 + u.
Here T is the waiting time for receiving key exchange messages, T0 is the forwarding time interval, N0 is the forwarding-device count, and u is the link delay.
For example, if the forwarding time interval is 2 seconds, the number of forwarding devices is 3 and the link delay is 0.2 seconds, then T = T0 * N0 + u = 2 * 3 + 0.2 = 6.2 seconds.
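The hop-count and copy-count fields of steps 301-302 together with the waiting-time computation of steps 401-402, as an added example that is not the patent's own code: three forwarding devices with copy targets 4, 8 and 8 grow one message into the 8 copies of the page's later example, and the receiver computes T = T0 * N0 + u from the fields it reads. That the copy target is a network-wide total, and that T0 is carried in the message, are assumptions made here.

```python
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class KeyExchangeMsg:
    sender_id: str
    key: int
    hops: int      # forwarding-device count information (step 301)
    copies: int    # message copy count information: copies now in the network (step 302)
    t0: float      # forwarding time interval T0, assumed to be carried so the receiver can read it (step 401)


def forward(msg, copy_target, ports, rng):
    """One forwarding device: bump the hop count, replicate only up to its copy target,
    and schedule each copy on a port after a random delay t with 0 < t < T0."""
    factor = max(1, copy_target // msg.copies)   # assumption: copy_target is a total across the network
    total = msg.copies * factor
    out = []
    for i in range(factor):
        copy = replace(msg, hops=msg.hops + 1, copies=total)
        out.append((ports[i % len(ports)], rng.uniform(0.0, msg.t0), copy))
    return out


def forward_chain(msg, copy_targets, rng, ports=(1, 2)):
    """Push one message through len(copy_targets) forwarding devices, one target per device;
    returns (port, accumulated_delay, copy) for every copy leaving the last device."""
    pending = [(0, 0.0, msg)]
    for target in copy_targets:
        pending = [(p, elapsed + d, c)
                   for _, elapsed, m in pending
                   for p, d, c in forward(m, target, ports, rng)]
    return pending


def wait_time(t0, n0, u):
    """Step 402: T = T0 * N0 + u."""
    return t0 * n0 + u


def receive(copies, u):
    """Steps 401-402: read T0 and N0 from the first copy, compute T, keep the copies arriving within T."""
    first = copies[0][2]
    t = wait_time(first.t0, first.hops, u)
    received = [c for _, elapsed, c in copies if elapsed + u <= t]
    return t, received


def run_example(seed=7):
    """Three forwarding devices, T0 = 2 s, link delay 0.2 s: the page's numeric example."""
    rng = random.Random(seed)
    msg = KeyExchangeMsg("end-A", key=8, hops=0, copies=1, t0=2.0)   # key value is constructed
    at_last_hop = forward_chain(msg, copy_targets=[4, 8, 8], rng=rng)
    t, received = receive(at_last_hop, u=0.2)
    return {"T": t, "received": len(received), "hops": received[0].hops,
            "copies_field": received[0].copies, "in_network": len(at_last_hop)}
```

Because every per-hop delay is below T0 and the receiver waits T0 * N0 + u, all 8 copies arrive inside the window, and the third device sees copies = 8 already and makes no further copies.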
In another possible implementation of the embodiment of the present invention, on the basis of Fig. 4, step 205 (the correspondent node device judges whether a man-in-the-middle attack exists) specifically includes steps 501-502 as shown in Fig. 5.
501. The correspondent node device judges whether all key exchange messages received within the waiting time for receiving key exchange messages carry only one kind of key.
All key exchange messages here means the key exchange messages replicated by all forwarding devices.
In this embodiment, the waiting time represents the estimated time within which the correspondent node device can receive all key exchange messages.
In this embodiment, if all key exchange messages received by the correspondent node carry only one kind of key, no man-in-the-middle attack exists on any link; if the key exchange messages received by the correspondent node carry more than one kind of key, a man-in-the-middle attack exists on a link.
502. If the key exchange messages do not carry only one kind of key, the correspondent node device determines that a man-in-the-middle attack exists.
For example, suppose man-in-the-middle attack behaviour is present on the link between the second and third forwarding devices: the man-in-the-middle intercepts the key exchange message sent out by the second forwarding device, obtains the identity information of the communication end device, constructs a public key Z according to the Diffie-Hellman algorithm, and sends a key exchange message containing the identity information of the communication end device and the key Z to the correspondent node device. Of the 8 key exchange messages in the network, 6 then contain the key X and 2 contain the key Z.
In this embodiment, the correspondent node device receives all key exchange messages within the waiting time and judges whether the received messages carry only one kind of key in order to judge whether a man-in-the-middle attack exists. This ensures that all key exchange messages are received within the waiting time, so that the judgement is not made from the man-in-the-middle's key exchange message alone but from all key exchange messages received within the waiting time, which improves the accuracy of judging whether a man-in-the-middle attack exists.
In another possible implementation of the embodiment of the present invention, on the basis of Fig. 2, step 208 (the network management system sends the correct key to the correspondent node device) is preceded by step 601 as shown in Fig. 6 and followed by step 602 as shown in Fig. 6.
601. The network management system determines the key sent by the communication end device.
602. The correspondent node device generates the correct public key from the key sent by the communication end and the key it generated itself.
In this embodiment, the correspondent node device determines the correct public key from the key of the communication end device delivered by the network management system and the key it generated itself, and sends this public key to the communication end device.
Further, in the other key exchange method provided by the embodiment of the present invention, the forwarding device adds message copy count information to the key exchange message, so that other forwarding devices that receive the key exchange message can determine from that copy count how many copies to make, which prevents forwarding devices from replicating too many key exchange messages and causing a message storm in the network. The correspondent node device receives all key exchange messages within the waiting time and judges whether the received messages carry only one kind of key in order to judge whether a man-in-the-middle attack exists; this ensures that all key exchange messages are received within the waiting time, so that the judgement is made from all key exchange messages received within the waiting time rather than from the man-in-the-middle's key exchange message alone, which improves the accuracy of judging whether a man-in-the-middle attack exists.
As an implementation of the methods shown in Fig. 2, Fig. 3, Fig. 4, Fig. 5 and Fig. 6, the embodiment of the present invention further provides a key exchange device, which enables the two communicating parties to determine the attacker and thus prevent communication messages from being leaked. As shown in Fig. 7, the device includes: a first transmission unit 71, a copying unit 72, a retransmission unit 73, a first determination unit 74, a judging unit 75, a second transmission unit 76, a second determination unit 77 and a third transmission unit 78.
The first transmission unit 71 is located in the communication end-device and is used to send a key exchange message to the forwarding unit.
The copying unit 72 is located in the forwarding unit and is used to replicate the key exchange message according to a preset strategy, obtaining multiple key exchange messages.
The retransmission unit 73 is located in the forwarding unit and is used to forward the multiple key exchange messages to the correspondent node device over different links.
The first determination unit 74 is located in the correspondent node device and is used to determine the waiting time for receiving the key exchange message.
Here, the waiting time is the normal time from the communication end-device sending the key exchange message to the correspondent node device receiving it.
The judging unit 75 is located in the correspondent node device and is used to judge whether a man-in-the-middle attack exists.
The second transmission unit 76 is located in the correspondent node device and is used to send an alarm message to the network management system when a man-in-the-middle attack is judged to exist.
The second determination unit 77 is located in the network management system and is used to determine the attacker according to the alarm message.
The third transmission unit 78 is located in the network management system and is used to send the correct key to the correspondent node device.
Further, as shown in Fig. 8, the device also includes an adding unit 81.
The adding unit 81 is located in the forwarding unit and is used to add forwarding-unit count information to the key exchange message.
Here, the forwarding-unit count information indicates the number of forwarding units the key exchange message has already passed through.
The adding unit 81 is further used to add message copy-count information to each of the multiple key exchange messages.
Further, as shown in Fig. 8, the device also includes an acquiring unit 82.
The acquiring unit 82 is located in the correspondent node device and is used to obtain the forwarding time interval and to obtain the forwarding-unit count information from the received key exchange message.
Here, the forwarding time interval is the maximum time interval at which a forwarding unit forwards the key exchange message.
The first determination unit 74 is located in the correspondent node device and is specifically used to determine the waiting time for receiving the key exchange message according to the formula T = T0 * N0 + u.
Here, T is the waiting time for receiving the key exchange message, T0 is the forwarding time interval, N0 is the forwarding-unit count information, and u is the link delay.
The judging unit 75 is located in the correspondent node device and is specifically used to judge whether all key exchange messages received within the waiting time for receiving the key exchange message contain only one kind of key.
The judging unit 75 is further used to determine that a man-in-the-middle attack exists when the key exchange messages do not contain only one kind of key.
Here, the alarm message carries the identity (ID) information of the communication end-device, the IP address of the communication end-device, the ID information of the correspondent node device, the IP address of the correspondent node device, the several kinds of keys in the key exchange messages received by the correspondent node, and the key generated by the correspondent node device itself.
The second determination unit 77 is located in the network management system and is further used to determine the key sent by the communication end-device.
Further, as shown in Fig. 8, the device also includes a generation unit 83.
The generation unit 83 is located in the correspondent node device and is used to generate the correct public key from the key sent by the communication end and the key generated by the correspondent node device itself.
In the key exchange device provided by the embodiment of the present invention, the communication end-device first sends a key exchange message to the forwarding unit; the forwarding unit then replicates the key exchange message according to a preset strategy to obtain multiple key exchange messages and forwards them to the correspondent node device over different links; the correspondent node device then determines the waiting time for receiving the key exchange message and judges whether a man-in-the-middle attack exists, the waiting time being the normal time from the communication end-device sending the key exchange message to the correspondent node device receiving it; finally, if a man-in-the-middle attack is judged to exist, the correspondent node sends an alarm message to the network management system, so that the network management system determines the attacker according to the alarm message and sends the correct key to the correspondent node device. Compared with the current practice of two communicating parties exchanging public keys with the Diffie-Hellman algorithm, in the embodiment of the present invention the key exchange message is replicated by the forwarding unit and forwarded along different signal paths; therefore, when an attacker is present on one of the links, the correspondent node can judge whether an attacker exists from whether all key exchange messages received within the waiting time contain only one key, and when an attacker exists it can send an alarm message to the network management system so that the network management system determines the attacker and the correspondent node obtains a key exchange message carrying the correct key. The two communicating parties can thereby determine the attacker and prevent communication messages from being leaked.
Further, an embodiment of the present invention provides another key exchange device. The forwarding unit adds message copy-count information to the key exchange message, so that any other forwarding unit receiving the message can determine from this copy count how many copies of the key exchange message to make; this prevents forwarding units from replicating too many key exchange messages and causing a message storm in the network. The correspondent node device receives all key exchange messages arriving within the waiting time and judges whether the received key exchange messages contain only one kind of key, in order to determine whether a man-in-the-middle attack exists. This ensures that every key exchange message arriving within the waiting time is taken into account, and avoids judging the presence of a man-in-the-middle attack from a single key exchange message that may itself come from the attacker; the judgement is made only after all key exchange messages within the waiting time have been received, which improves the accuracy of detecting a man-in-the-middle attack.
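The following simulation, added here as an illustration and not code from the patent, walks through the method described above and in the device summary: a forwarding unit replicates the key exchange message once and stamps hop and copy counts (so downstream forwarders do not re-replicate), the correspondent node waits T = T0 * N0 + u, keeps every copy arriving within that window, raises a man-in-the-middle alarm when more than one distinct key was received, and finally derives its shared key from the key the network management system confirms. The toy Diffie-Hellman group, the link timings, the IP addresses, and the way the network management system learns the genuine key (the page does not specify it) are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, replace

# Toy Diffie-Hellman group; constructed values, far too small for real use.
P, G = 23, 5


@dataclass(frozen=True)
class KeyExchangeMessage:
    src_id: str      # identity (ID) of the communication end-device
    key: int         # DH public value carried in the key exchange message
    hops: int = 0    # N0: forwarding units already passed (forwarding-unit count, claim 2)
    copies: int = 1  # message copy count stamped by the replicating forwarding unit (claim 2)


def forwarding_unit(msg, n_links):
    """Replicate the message once per link and stamp the hop and copy counts.
    A unit that sees a copy count > 1 only forwards, so later hops do not
    re-replicate and the message storm the description warns about is avoided."""
    if msg.copies > 1:
        return [replace(msg, hops=msg.hops + 1)]
    return [replace(msg, hops=msg.hops + 1, copies=n_links) for _ in range(n_links)]


def wait_time(t0, n0, u):
    """T = T0 * N0 + u (claim 3): forwarding interval, hop count, link delay."""
    return t0 * n0 + u


def detect_mitm(arrivals, t0, u):
    """Correspondent node check (claim 4). arrivals: list of (time, message),
    time measured from the moment the end-device sent the message (a simulation
    simplification). Returns (attack_detected, {key: count}) over the window."""
    arrivals = sorted(arrivals, key=lambda a: a[0])
    t_wait = wait_time(t0, arrivals[0][1].hops, u)   # N0 read from the received message
    keys = Counter(m.key for t, m in arrivals if t <= t_wait)
    return len(keys) != 1, dict(keys)


def build_alarm(src_id, src_ip, dst_id, dst_ip, keys_seen, own_key):
    """Alarm message with the fields listed in claim 5 (addresses are constructed)."""
    return {"src_id": src_id, "src_ip": src_ip, "dst_id": dst_id, "dst_ip": dst_ip,
            "received_keys": sorted(keys_seen), "own_key": own_key}


def nms_correct_key(alarm, key_from_end_device):
    """Assumed network-management behaviour: the page does not say how the NMS
    learns the genuine key, so here it is handed A's key and selects it."""
    if key_from_end_device not in alarm["received_keys"]:
        raise ValueError("genuine key not among the received keys")
    return key_from_end_device


def run_scenario(tampered):
    """A -> forwarding unit -> second forwarding unit -> two links -> B.
    Returns (attack_detected, B's shared secret). Timings are constructed."""
    a_priv, b_priv, e_priv = 6, 15, 3                       # A, B and an attacker E
    a_pub, b_pub = pow(G, a_priv, P), pow(G, b_priv, P)     # 8 and 19
    copies = forwarding_unit(KeyExchangeMessage("A", a_pub), n_links=2)
    copies = [c for m in copies for c in forwarding_unit(m, 2)]  # 2nd hop: no re-replication
    # link 0 is clean (arrives at t=3); on link 1 (t=4) E may substitute its own key
    link1 = replace(copies[1], key=pow(G, e_priv, P)) if tampered else copies[1]
    arrivals = [(3, copies[0]), (4, link1), (9, copies[0])]  # the t=9 copy is outside T=5
    attacked, keys_seen = detect_mitm(arrivals, t0=2, u=1)
    if attacked:
        alarm = build_alarm("A", "10.0.0.1", "B", "10.0.0.2", keys_seen, b_pub)
        correct_key = nms_correct_key(alarm, a_pub)
    else:
        (correct_key,) = keys_seen
    return attacked, pow(correct_key, b_priv, P)            # B's DH shared secret
```

In both the clean and the tampered run B ends with the same shared secret, because the substituted key is only ever seen alongside the genuine copy on the other link and is discarded once the alarm is raised.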
Note that other descriptions of the units in the key exchange device provided by the embodiment of the present invention can be found in the corresponding descriptions of Fig. 2, Fig. 3, Fig. 4, Fig. 5 and Fig. 6, and are not repeated here.
The key exchange device provided by the embodiment of the present invention can implement the method embodiments provided above; for its specific functions, refer to the explanation in the method embodiments, which is not repeated here. The key exchange method and device provided by the embodiments of the present invention can be applied to detecting whether a man-in-the-middle attack exists on a link between two communicating parties, but are not limited to this.
One of ordinary skill in the art will appreciate that all or part of the flow of the above method embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, can include the flow of each of the above method embodiments. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM) or a random access memory (RAM), etc.
The above are merely specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto; any change or replacement that a person familiar with the art can readily conceive within the technical scope disclosed by the present invention shall be included within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.

Claims (10)

1. A key exchange method, characterized by comprising:
a communication end-device sending a key exchange message to a forwarding unit;
the forwarding unit replicating the key exchange message according to a preset strategy to obtain multiple key exchange messages;
the forwarding unit forwarding the multiple key exchange messages to a correspondent node device over different links;
the different links being different links formed with delay times by different ports of the same forwarding unit;
the correspondent node device determining a waiting time for receiving the key exchange message, and judging whether a man-in-the-middle attack exists by judging whether all key exchange messages received within the waiting time contain only one kind of key, the waiting time being the normal time from the communication end-device sending the key exchange message to the correspondent node device receiving the key exchange message;
if the man-in-the-middle attack is judged to exist, the correspondent node sending an alarm message to a network management system;
the network management system determining the attacker according to the alarm message and sending the correct key to the correspondent node device.
2. The key exchange method according to claim 1, characterized in that, after the step of the communication end-device sending the key exchange message to the forwarding unit, the method further comprises:
the forwarding unit adding forwarding-unit count information to the key exchange message, the forwarding-unit count information indicating the number of forwarding units the key exchange message has already passed through;
the forwarding unit adding message copy-count information to each of the multiple key exchange messages.
3. The key exchange method according to claim 2, characterized in that, before the step of the correspondent node device determining the waiting time for receiving the key exchange message, the method further comprises:
the correspondent node device obtaining a forwarding time interval and obtaining the forwarding-unit count information from the received key exchange message, the forwarding time interval being the maximum time interval at which the forwarding unit forwards the key exchange message;
the step of the correspondent node device determining the waiting time for receiving the key exchange message specifically comprising:
the correspondent node device determining the waiting time for receiving the key exchange message according to the formula T = T0 * N0 + u, where T is the waiting time for receiving the key exchange message, T0 is the forwarding time interval, N0 is the forwarding-unit count information, and u is the link delay.
4. The key exchange method according to claim 3, characterized in that the step of judging whether a man-in-the-middle attack exists specifically comprises:
the correspondent node device judging whether all key exchange messages received within the waiting time for receiving the key exchange message contain only one kind of key;
if the key exchange messages do not contain only one kind of key, the correspondent node device determining that a man-in-the-middle attack exists.
5. The key exchange method according to claim 1, characterized in that the alarm message carries the identity (ID) information of the communication end-device, the IP address of the communication end-device, the ID information of the correspondent node device, the IP address of the correspondent node device, the several kinds of keys in the key exchange messages received by the correspondent node, and the key generated by the correspondent node device itself;
before the step of sending the correct key to the correspondent node device, the method further comprises:
the network management system determining the key sent by the communication end-device;
after the step of sending the correct key to the correspondent node device, the method further comprises:
the correspondent node device generating the correct public key from the key sent by the communication end and the key it generated itself.
6. A key exchange device, characterized by comprising:
a first transmission unit, located in a communication end-device, for sending a key exchange message to a forwarding unit;
a copying unit, located in the forwarding unit, for replicating the key exchange message according to a preset strategy to obtain multiple key exchange messages;
a retransmission unit, located in the forwarding unit, for forwarding the multiple key exchange messages to a correspondent node device over different links, the different links being different links formed with delay times by different ports of the same forwarding unit;
a first determination unit, located in the correspondent node device, for determining a waiting time for receiving the key exchange message;
a judging unit, located in the correspondent node device, for judging whether a man-in-the-middle attack exists by judging whether all key exchange messages received within the waiting time contain only one kind of key, the waiting time being the normal time from the communication end-device sending the key exchange message to the correspondent node device receiving the key exchange message;
a second transmission unit, located in the correspondent node device, for sending an alarm message to a network management system when the man-in-the-middle attack is judged to exist;
a second determination unit, located in the network management system, for determining the attacker according to the alarm message;
a third transmission unit, located in the network management system, for sending the correct key to the correspondent node device.
7. The key exchange device according to claim 6, characterized in that the device further comprises an adding unit;
the adding unit, located in the forwarding unit, is for adding forwarding-unit count information to the key exchange message, the forwarding-unit count information indicating the number of forwarding units the key exchange message has already passed through;
the adding unit, located in the forwarding unit, is further for adding message copy-count information to each of the multiple key exchange messages.
8. The key exchange device according to claim 7, characterized in that the device further comprises an acquiring unit;
the acquiring unit, located in the correspondent node device, is for obtaining a forwarding time interval and obtaining the forwarding-unit count information from the received key exchange message, the forwarding time interval being the maximum time interval at which the forwarding unit forwards the key exchange message;
the first determination unit, located in the correspondent node device, is specifically for determining the waiting time for receiving the key exchange message according to the formula T = T0 * N0 + u, where T is the waiting time for receiving the key exchange message, T0 is the forwarding time interval, N0 is the forwarding-unit count information, and u is the link delay.
9. The key exchange device according to claim 8, characterized in that
the judging unit, located in the correspondent node device, is specifically for judging whether all key exchange messages received within the waiting time for receiving the key exchange message contain only one kind of key;
the judging unit, located in the correspondent node device, is further for determining that a man-in-the-middle attack exists when the key exchange messages do not contain only one kind of key.
10. The key exchange device according to claim 6, characterized in that the alarm message carries the identity (ID) information of the communication end-device, the IP address of the communication end-device, the ID information of the correspondent node device, the IP address of the correspondent node device, the several kinds of keys in the key exchange messages received by the correspondent node, and the key generated by the correspondent node device itself;
the second determination unit, located in the network management system, is further for determining the key sent by the communication end-device;
the device further comprises a generation unit;
the generation unit, located in the correspondent node device, is for generating the correct public key from the key sent by the communication end and the key the correspondent node device generated itself.
CN201510919203.5A 2015-12-10 2015-12-10 The method and device that key exchanges Active CN105553966B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510919203.5A CN105553966B (en) 2015-12-10 2015-12-10 The method and device that key exchanges

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510919203.5A CN105553966B (en) 2015-12-10 2015-12-10 The method and device that key exchanges

Publications (2)

Publication Number Publication Date
CN105553966A CN105553966A (en) 2016-05-04
CN105553966B true CN105553966B (en) 2018-11-09

Family

ID=55832902

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510919203.5A Active CN105553966B (en) 2015-12-10 2015-12-10 The method and device that key exchanges

Country Status (1)

Country Link
CN (1) CN105553966B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113923668B (en) * 2021-10-11 2023-07-25 中国联合网络通信集团有限公司 Method, device, chip and readable storage medium for identifying network attack behavior

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101459506B (en) * 2007-12-14 2011-09-14 华为技术有限公司 Cipher key negotiation method, system, customer terminal and server for cipher key negotiation
CN103401872B (en) * 2013-08-05 2016-12-28 北京工业大学 The method prevented and detect man-in-the-middle attack based on RDP improved protocol
CN103763094A (en) * 2014-01-03 2014-04-30 沈阳中科博微自动化技术有限公司 Intelligent electric meter system safety monitoring information processing method

Also Published As

Publication number Publication date
CN105553966A (en) 2016-05-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant