CN105791218A - Anti-replay method and device - Google Patents

Anti-replay method and device

Publication number: CN105791218A (granted as CN105791218B)
Application number: CN201410803108.4A
Authority: CN (China)
Original language: Chinese (zh)
Prior art keywords: message, sliding window, playback, playback sliding, serial number
Legal status: Granted (active)
Inventors: 江博, 管兴华
Original and current assignee: Huawei Digital Technologies Suzhou Co Ltd

Classification (landscapes)

  • Data Exchanges In Wide-Area Networks (AREA)
  • Communication Control (AREA)

Abstract

An embodiment of the invention provides an anti-replay method and device. The method comprises: receiving an IPSec packet that carries a sequence number K; obtaining the upper-bound overflow flag of the anti-replay sliding window; and, if that flag is set, when K is not within the interval of the anti-replay sliding window and K lies between M1 and M2, sliding the window to the right so that its upper bound becomes K. Here M1 is the minimum packet sequence number, M3 is the maximum packet sequence number, M1 is an integer greater than or equal to 0, the size of the anti-replay sliding window is fixed at N, N is an integer greater than or equal to 1, and M2 = M1 + N. This avoids legitimate packets being wrongly discarded by the anti-replay check.

Description

Anti-replay method and device
Technical field
Embodiments of the present invention relate to computer technology, and in particular to an anti-replay method and device.
Background
Internet Protocol Security (IPSec) can be used to secure Internet Protocol (IP) communication end to end at the IP layer.
IPSec provides secure communication between two endpoints, referred to here as the IPSec sender and the IPSec receiver. An IPSec security association (SA) is an agreement between sender and receiver on a set of parameters, for instance which protocol to use, which encapsulation mode to use, which encryption algorithm to use, and so on. An IPSec SA has a lifetime; the end of the lifetime is called SA aging (expiry). In the prior art the lifetime of an IPSec SA is either time-based or traffic-based: with a time-based lifetime the SA ages when the time elapsed since the SA was established reaches the configured value; with a traffic-based lifetime the SA ages when the traffic processed by the SA reaches the configured volume.
IPSec detects replayed packets with an anti-replay sliding window. Before the IPSec SA ages, the sequence numbers of the packets sent by the sender increase monotonically. When the sequence number of a received packet falls inside the window interval, the packet is kept and the window is unchanged; when it falls to the right of the window interval, the packet is kept and the window slides right so that its upper bound becomes that sequence number; when it falls to the left of the window interval, the packet is discarded. After SA aging is triggered, the sender restarts sequence numbers from the minimum value and the window interval becomes [0, N-1], where N is the size of the window. With the prior-art method, however, when the sender's sequence number reaches the maximum value it wraps around to the minimum while the time-based or traffic-based lifetime may not yet have triggered SA aging. The window interval is then [MAX-N, MAX], where MAX is the maximum sequence number, so when the receiver gets the wrapped sequence numbers they lie to the left of the window and the packets are discarded: the anti-replay check wrongly drops legitimate packets.
Summary of the invention
Embodiments of the present invention provide an anti-replay method and device to solve the problem of packets being wrongly discarded by the anti-replay check.
In a first aspect, an anti-replay method is provided, comprising:
receiving an Internet Protocol Security (IPSec) packet, the packet carrying a sequence number K;
obtaining the upper-bound overflow flag of the anti-replay sliding window, where the flag is set when the upper bound of the window reaches M3, or when the upper bound of the window is a value greater than or equal to M1 and less than M2; M1 is the minimum packet sequence number, M3 is the maximum packet sequence number, M1 is an integer greater than or equal to 0, the size of the anti-replay sliding window is fixed at N, N is an integer greater than or equal to 1, and M2 is the sum of M1 and N;
if the upper-bound overflow flag is set, then when the sequence number K of the packet is not in the interval of the window and K lies between M1 and M2, sliding the window to the right so that its upper bound becomes K.
With reference to the first aspect, in a first possible implementation of the first aspect, the method further comprises:
if the upper-bound overflow flag of the window is set, the sequence number K of the packet is not in the window interval, and K does not lie between M1 and M2, discarding the packet.
With reference to the first aspect or its first possible implementation, in a second possible implementation of the first aspect, before obtaining the upper-bound overflow flag of the window, the method further comprises:
if the upper bound of the anti-replay sliding window reaches M3, setting the upper-bound overflow flag of the window.
With reference to the first aspect or its first or second possible implementation, in a third possible implementation of the first aspect, after sliding the window to the right so that its upper bound becomes K, the method further comprises:
if the upper bound of the window is M2, clearing the upper-bound overflow flag of the window.
In a second aspect, an anti-replay device is provided, comprising:
a receiver module for receiving an Internet Protocol Security (IPSec) packet, the packet carrying a sequence number K;
an acquisition module for obtaining the upper-bound overflow flag of the anti-replay sliding window, where the flag is set when the upper bound of the window reaches M3, or when the upper bound of the window is a value greater than or equal to M1 and less than M2; M1 is the minimum packet sequence number, M3 is the maximum packet sequence number, M1 is an integer greater than or equal to 0, the size of the anti-replay sliding window is fixed at N, N is an integer greater than or equal to 1, and M2 is the sum of M1 and N;
a processing module for, if the upper-bound overflow flag is set, sliding the window to the right so that its upper bound becomes K when the sequence number K of the packet is not in the interval of the window and K lies between M1 and M2.
With reference to the second aspect, in a first possible implementation of the second aspect, the processing module is further configured to discard the packet if the upper-bound overflow flag of the window is set, the sequence number K of the packet is not in the window interval, and K does not lie between M1 and M2.
With reference to the second aspect or its first possible implementation, in a second possible implementation of the second aspect, the processing module is further configured to set the upper-bound overflow flag of the window if the upper bound of the window reaches M3, before the flag is obtained.
With reference to the second aspect or its first or second possible implementation, in a third possible implementation of the second aspect, the processing module is further configured, after sliding the window to the right so that its upper bound becomes K, to clear the upper-bound overflow flag if the upper bound of the window is M2.
The anti-replay method and device provided by the embodiments of the present invention receive an IPSec packet carrying a sequence number K and obtain the upper-bound overflow flag of the anti-replay sliding window; if the flag is set, then when K is not in the interval of the window and K lies between M1 and M2, the window slides to the right so that its upper bound becomes K. Here M1 is the minimum packet sequence number, M3 is the maximum packet sequence number, M1 is an integer greater than or equal to 0, the size of the window is fixed at N, N is an integer greater than or equal to 1, and M2 is the sum of M1 and N. This solves the problem of packets being wrongly discarded by the anti-replay check.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required for the embodiments or for the description of the prior art are briefly introduced below. Evidently, the drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of an anti-replay method according to an embodiment of the present invention;
Fig. 2 is anti-replay sliding window schematic one according to an embodiment of the present invention;
Fig. 3 is anti-replay sliding window schematic two according to an embodiment of the present invention;
Fig. 4 is anti-replay sliding window schematic three according to an embodiment of the present invention;
Fig. 5 is anti-replay sliding window schematic four according to an embodiment of the present invention;
Fig. 6 is anti-replay sliding window schematic five according to an embodiment of the present invention;
Fig. 7 is anti-replay sliding window schematic six according to an embodiment of the present invention;
Fig. 8 is a schematic flowchart of another anti-replay method according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of an anti-replay device according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of another anti-replay device according to an embodiment of the present invention.
Detailed description of embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The present invention mainly addresses the following problem: before a time-based or traffic-based IPSec SA lifetime ends, the packet sequence number reaches the maximum sequence number and wraps around, and the wrapped sequence numbers can never fall inside the interval of the anti-replay sliding window or to its right, so received packets are wrongly discarded by the anti-replay check. The present invention receives an IPSec packet carrying a sequence number K and obtains the upper-bound overflow flag of the anti-replay sliding window; if the flag is set, then when K is not in the interval of the window and K lies between M1 and M2, the window slides to the right so that its upper bound becomes K. Here M1 is the minimum packet sequence number, M3 is the maximum packet sequence number, M1 is an integer greater than or equal to 0, the size of the window is fixed at N, N is an integer greater than or equal to 1, and M2 = M1 + N. This solves the problem of packets being wrongly discarded by the anti-replay check.
The technical solution is described in detail below with specific embodiments. These embodiments may be combined with each other, and the same or similar concepts or processes may not be repeated in every embodiment.
Fig. 1 is a schematic flowchart of an anti-replay method according to an embodiment of the present invention. As shown in Fig. 1, the method of this embodiment is as follows:
S101: the receiver receives an IPSec packet carrying a sequence number K.
The range of IPSec packet sequence numbers depends on the number of bits used to represent them; for 32-bit sequence numbers the minimum packet sequence number is 0 and the maximum is 0xFFFFFFFF. The sequence number K of a packet lies between the minimum and the maximum packet sequence number, both inclusive.
S102: the receiver obtains the upper-bound overflow flag of the anti-replay sliding window.
The size of the anti-replay sliding window stays fixed while it slides. As shown in Fig. 2 (anti-replay sliding window schematic one according to an embodiment of the present invention), the window has size N, where N is an integer greater than or equal to 1. In the embodiments of the present invention the value (R-N) of the left endpoint of the window is called the lower bound of the window, the value (R) of the right endpoint is called the upper bound of the window, and the difference between the upper and lower bounds is the size of the window.
The upper-bound overflow flag is set when the upper bound of the window reaches M3, or when the upper bound of the window is a value greater than or equal to M1 and less than M2. When the upper bound of the window is M2, the upper-bound overflow flag is cleared.
When the upper bound of the window reaches M3, the upper-bound overflow flag is set. For 32-bit sequence numbers, with minimum 0 and maximum 0xFFFFFFFF, setting the flag is equivalent to adding a 33rd bit on top of the original 32-bit sliding window.
There are many ways to represent the flag being set: for instance, one way sets the flag to "1" to mean set, another sets it to "0" to mean set; this depends on how the flag is defined, and the present invention does not limit it.
S103: if the upper-bound overflow flag is set, then when the sequence number K of the packet is not in the interval of the window and K lies between M1 and M2, the window slides to the right so that its upper bound becomes K.
For example: the receiver receives a packet whose sequence number K is the maximum sequence number M3, and suppose the window interval at this moment is [M3-N-1, M3-1], as shown in Fig. 3 (anti-replay sliding window schematic two according to an embodiment of the present invention). The sequence number lies to the right of the window, so the packet is kept and the window slides right so that its upper bound becomes K (M3); the window interval is now [M3-N, M3], as shown in Fig. 4 (schematic three). The upper bound of the window has now reached the maximum sequence number, so the upper-bound overflow flag of the window is set. The sender then restarts sequence numbers from 0. When the receiver receives sequence number 0, the window interval is [M3-N, M3] as in Fig. 4 and the upper-bound overflow flag is set; K is not in the window interval. Suppose the minimum sequence number is 0 and N = 4, so that M1 = 0 and M2 = 4; K lies between M1 and M2, that is, in [0, 4], so the window slides right so that its upper bound becomes 0, and the window interval is now [M3-3, M3] together with 0, as shown in Fig. 5 (schematic four). If sequence number 3 is received next, with the window as in Fig. 5, K is not in the window interval and lies between M1 and M2, that is, in [0, 4], so the window slides right so that its upper bound becomes 3; the window interval is now M3 together with [0, 3], as shown in Fig. 6 (schematic five). If sequence number 4 is received next, with the window as in Fig. 6, again K is not in the window interval and lies in [0, 4], so the window slides right so that its upper bound becomes 4 and the window interval is [0, 4], as shown in Fig. 7 (schematic six). The upper bound of the window is now 4 (M2), so the upper-bound overflow flag is cleared. Once the flag is cleared, a received sequence number inside the window interval means the packet is kept and the window is unchanged; a sequence number to the right of the window interval means the packet is kept and the window slides right so that its upper bound becomes that sequence number; a sequence number to the left of the window interval means the packet is discarded. This avoids the problem that, after the sequence number reaches the maximum and wraps around, the wrapped sequence numbers can never fall inside the valid interval of the window and received packets are wrongly discarded by the anti-replay check.
If the upper-bound overflow flag is set, the sequence number of the packet is not in the interval of the window, and the sequence number does not lie between M1 and M2, the received packet is discarded.
In this embodiment, an IPSec packet carrying a sequence number K is received and the upper-bound overflow flag of the anti-replay sliding window is obtained; if the flag is set, then when K is not in the interval of the window and K lies between M1 and M2, the window slides to the right so that its upper bound becomes K. Here M1 is the minimum packet sequence number, M3 is the maximum packet sequence number, M1 is an integer greater than or equal to 0, the size of the window is fixed at N, N is an integer greater than or equal to 1, and M2 = M1 + N. This solves the problem of packets being wrongly discarded by the anti-replay check.
Fig. 8 is a schematic flowchart of a second embodiment of the anti-replay method of the present invention. As shown in Fig. 8, the receiver processes a received packet as follows:
S801: check whether the upper-bound overflow flag of the anti-replay sliding window is set. If set, go to S805; if not, go to S802.
S802: check whether the upper bound of the window has reached the maximum packet sequence number. If not, go to S804; if so, go to S803.
S803: set the upper-bound overflow flag of the window.
S804: process by the original flow.
Processing by the original flow means: when the sequence number of the received packet falls inside the window interval, the packet is kept and the window is unchanged; when it falls to the right of the window interval, the packet is kept and the window slides right so that its upper bound becomes that sequence number; when it falls to the left of the window interval, the packet is discarded.
S805: check whether the sequence number of the packet is in the window interval. If so, go to S806; if not, go to S807.
S806: keep the packet; the window is unchanged.
S807: check whether the sequence number of the packet lies between M1 and M2. If not, go to S808; if so, go to S809.
S808: discard the packet.
S809: keep the packet and slide the window right so that its upper bound becomes the sequence number of the packet.
S810: check whether the upper bound of the window is M2. If so, go to S811; if not, go to S812.
S811: clear the upper-bound overflow flag of the window.
S812: continue with other processing.
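The receiver-side procedure of Figs. 1 and 8, written out as an added Python example (this is not code from the patent or from Huawei). It drives the Fig. 3 to Fig. 7 walkthrough (N = 4, M1 = 0, M3 = 0xFFFFFFFF) through the window and also shows the background-section failure, where sequence number 0 arriving after M3 is dropped. Assumptions beyond the page, all marked in comments: 32-bit sequence numbers; a set of already-accepted sequence numbers standing in for the per-window replay bitmap that the patent text does not spell out; an `overflow_fix=False` switch that reproduces the prior-art behaviour for comparison; and the flag being set as soon as a slide brings the upper bound to M3 (the S802/S803 check at the start of each packet is kept as well).

```python
# Added example, not the patent's own code. Assumptions are marked below.

M1 = 0             # minimum packet sequence number (assumption: 32-bit counter)
M3 = 0xFFFFFFFF    # maximum packet sequence number
MASK = 0xFFFFFFFF  # wrap-around arithmetic for the window's lower bound


class AntiReplayWindow:
    """Fixed-size anti-replay sliding window: the upper bound R is the highest
    sequence number accepted so far and the interval is [R-N, R] (Fig. 2)."""

    def __init__(self, n, overflow_fix=True):
        self.N = n
        self.M2 = M1 + n
        self.upper = M1 + n - 1        # initial interval [0, N-1] (background section)
        self.overflow = False          # the upper-bound overflow flag
        self.overflow_fix = overflow_fix  # False: prior-art behaviour (assumption)
        self.seen = set()              # accepted numbers still in the window (assumption)

    def interval(self):
        """Current window as (lo, hi) ranges; two ranges once it has wrapped."""
        if self.overflow:
            lower = (self.upper - self.N) & MASK
            if lower <= self.upper:
                return [(lower, self.upper)]
            return [(lower, M3), (M1, self.upper)]
        return [(max(M1, self.upper - self.N), self.upper)]

    def in_window(self, k):
        return any(lo <= k <= hi for lo, hi in self.interval())

    def _accept(self, k):
        if k in self.seen:
            return "replay"            # already accepted once: a genuine replay
        self.seen.add(k)
        return "accept"

    def _slide_to(self, k):
        """Slide right so that the upper bound becomes k; set the flag at M3."""
        self.upper = k
        if self.overflow_fix and self.upper == M3:
            self.overflow = True
        self.seen = {s for s in self.seen if self.in_window(s)}

    def receive(self, k):
        """Process one packet with sequence number k and return the verdict."""
        if not (M1 <= k <= M3):
            raise ValueError("sequence number out of range")
        # S802/S803: before reading the flag, set it if the upper bound is at M3
        if self.overflow_fix and not self.overflow and self.upper == M3:
            self.overflow = True
        if not self.overflow:
            # S804: original processing
            if self.in_window(k):
                return self._accept(k)
            if k > self.upper:         # right of the window: keep and slide
                self._slide_to(k)
                return self._accept(k)
            return "drop"              # left of the window
        # flag set: S805 to S811
        if self.in_window(k):
            return self._accept(k)     # S806: window unchanged
        if M1 <= k <= self.M2:         # S809: wrapped sequence number
            self._slide_to(k)
            verdict = self._accept(k)
            if self.upper == self.M2:  # S810/S811: clear the flag at M2
                self.overflow = False
            return verdict
        return "drop"                  # S808


def run_patent_walkthrough(n=4):
    """Feeds the Fig. 3 to Fig. 7 sequence M3-1, M3, 0, 3, 4 and logs each step."""
    w = AntiReplayWindow(n)
    return [(k, w.receive(k), w.interval(), w.overflow) for k in (M3 - 1, M3, 0, 3, 4)]


def prior_art_drop(n=4):
    """Background-section failure: without the flag, seq 0 after M3 is dropped."""
    w = AntiReplayWindow(n, overflow_fix=False)
    w.receive(M3)
    return w.receive(0)


if __name__ == "__main__":
    for k, verdict, interval, flag in run_patent_walkthrough():
        print(f"seq={k:#x} {verdict:6} window={interval} overflow={flag}")
    print("prior art, seq 0 after M3:", prior_art_drop())
```

The `interval()` output reproduces the figures: after M3 the window is [M3-4, M3] with the flag set; after 0 it is [M3-3, M3] plus 0; after 3 it is M3 plus [0, 3]; after 4 it is [0, 4] and the flag is cleared. A second delivery of an already-accepted number inside the window is reported as a replay, and a number that is neither in the window nor in [M1, M2] while the flag is set is dropped (S808).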
Correspondingly, the sender of IPSec packets performs the following steps:
check whether the sequence number of the IPSec packet has reached the maximum packet sequence number; if so, perform step A, if not, perform step B.
Step A: restart the sequence number of the next IPSec packet from the minimum value.
Step B: increase the sequence number of the next IPSec packet by 1.
In the embodiments of the present invention the sender of IPSec packets needs no change: as long as, before the IPSec SA ages, it sends IPSec packets in increasing sequence-number order, restarts the sequence number of the next packet from the minimum value when the sequence number reaches the maximum, and otherwise increases the sequence number of the next packet by 1, the receiver implementing the anti-replay method provided by the present invention can solve the problem of packets being wrongly discarded by the anti-replay check.
Fig. 9 is a schematic structural diagram of an anti-replay device according to an embodiment of the present invention. As shown in Fig. 9, the device of this embodiment comprises a receiver module 901, an acquisition module 902 and a processing module 903. The receiver module 901 receives an Internet Protocol Security (IPSec) packet carrying a sequence number K. The acquisition module 902 obtains the upper-bound overflow flag of the anti-replay sliding window, where the flag is set when the upper bound of the window reaches M3, or when the upper bound of the window is a value greater than or equal to M1 and less than M2; M1 is the minimum packet sequence number, M3 is the maximum packet sequence number, M1 is an integer greater than or equal to 0, the size of the window is fixed at N, N is an integer greater than or equal to 1, and M2 is the sum of M1 and N. The processing module 903, if the upper-bound overflow flag is set, slides the window to the right so that its upper bound becomes K when the sequence number K of the packet is not in the interval of the window and K lies between M1 and M2.
In the above embodiment, the processing module 903 is further configured to discard the packet if the upper-bound overflow flag of the window is set, the sequence number K of the packet is not in the window interval, and K does not lie between M1 and M2.
In the above embodiment, the processing module 903 is further configured to set the upper-bound overflow flag of the window if the upper bound of the window reaches M3, before the flag is obtained.
In the above embodiment, the processing module 903 is further configured, after sliding the window to the right so that its upper bound becomes K, to clear the upper-bound overflow flag if the upper bound of the window is M2.
In the device of the above embodiment, the receiver module receives an IPSec packet carrying a sequence number K, the acquisition module obtains the upper-bound overflow flag of the anti-replay sliding window, and the processing module, if the flag is set, slides the window to the right so that its upper bound becomes K when K is not in the interval of the window and K lies between M1 and M2. Here M1 is the minimum packet sequence number, M3 is the maximum packet sequence number, M1 is an integer greater than or equal to 0, the size of the window is fixed at N, N is an integer greater than or equal to 1, and M2 is the sum of M1 and N. This solves the problem of packets being wrongly discarded by the anti-replay check.
The structural representation of the anti-replay device of another kind that Figure 10 provides for the embodiment of the present invention, described anti-replay device is deployed in receiving terminal, as shown in Figure 10, described anti-replay device 1000 includes communication interface 1001, memorizer 1003 and processor 1002, wherein, communication interface 1001, processor 1002, memorizer 1003, be connected with each other by bus 1004;Bus 1004 can be Peripheral Component Interconnect standard (peripheralcomponentinterconnect, it is called for short PCI) bus or EISA (extendedindustrystandardarchitecture is called for short EISA) bus etc..Described bus can be divided into address bus, data/address bus, control bus etc..For ease of representing, Figure 10 only represents with a thick line, it is not intended that only have a bus or a type of bus.
Described communication interface 1001 is used for and transmitting terminal communication.Memorizer 1003, is used for depositing program.Specifically, program can include program code, and described program code includes computer-managed instruction.Memorizer 1003 is likely to comprise random access memory (randomaccessmemory is called for short RAM), it is also possible to also include nonvolatile memory (non-volatilememory), for instance at least one disk memory.
The processor 1002 executes the program stored in the memory 1003 to implement the anti-replay method shown in Fig. 1 or Fig. 8 of the present invention, including:
receiving an Internet Protocol Security (IPSec) message, the message including a sequence number K;
obtaining the upper-limit overflow flag of an anti-replay sliding window, where the upper-limit overflow flag is valid when the upper limit of the anti-replay sliding window reaches M3, or when the upper limit of the anti-replay sliding window is a value greater than or equal to M1 and less than M2; M1 is the minimum message sequence number, M3 is the maximum message sequence number, M1 is an integer greater than or equal to 0, the size of the anti-replay sliding window is fixed at N, N is an integer greater than or equal to 1, and M2 is the sum of M1 and N;
if the upper-limit overflow flag is valid, then when the sequence number K of the message is not in the interval of the anti-replay sliding window and K lies between M1 and M2, moving the anti-replay sliding window to the right so that the upper limit of the anti-replay sliding window becomes the sequence number K of the message.
The method may further include:
if the upper-limit overflow flag of the anti-replay sliding window is valid, the sequence number K of the message is not in the interval of the anti-replay sliding window, and K does not lie between M1 and M2, discarding the message.
The method may further include:
if the upper limit of the anti-replay sliding window reaches M3, setting the upper-limit overflow flag of the anti-replay sliding window to valid.
The method may further include:
if the upper limit of the anti-replay sliding window is M2, setting the upper-limit overflow flag of the anti-replay sliding window to invalid.
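As an added worked example (not part of the patent text and not the applicant's code), the following Python class implements the method steps above: a fixed-size window of N over sequence numbers M1..M3 whose upper-limit overflow flag lets the window wrap from M3 back to M1 instead of discarding the first messages after the sender's sequence number wraps. The class name, the use of a Python set instead of a bitmap for the "seen" state, the inclusive reading of "between M1 and M2", the initial window position, and the small constructed parameters (N=4, M3=15) are assumptions made for this illustration; a `wrap_aware=False` mode is included only to show the wrong discard that a plain window produces at the wrap point.

```python
# Added example, not the patent's own code.  Names, the set-based "seen"
# state, the inclusive reading of "between M1 and M2" and the initial
# window position are assumptions for this illustration.

ACCEPT = "accept"
DROP_REPLAY = "drop: replay (already seen inside the window)"
DROP_OUTSIDE = "drop: outside the window and not in the wrap region"


class AntiReplayWindow:
    """Sliding window of fixed size N over sequence numbers M1..M3.

    The window is the interval [upper - N + 1, upper].  When the upper limit
    reaches M3 the overflow flag is set; while it is set, the window is read
    modulo the sequence-number space so that it may straddle the M3 -> M1
    wrap point, and an out-of-window sequence number in [M1, M2] (M2 = M1 + N)
    is treated as a new message ahead of the window rather than a stale one.
    """

    def __init__(self, n, m1=0, m3=2**32 - 1, wrap_aware=True):
        if n < 1 or m1 < 0 or m3 < m1 + n:
            raise ValueError("need N >= 1, M1 >= 0 and M3 >= M1 + N")
        self.N, self.M1, self.M3 = n, m1, m3
        self.M2 = m1 + n
        self.span = m3 - m1 + 1        # size of the sequence-number space
        self.upper = m1 + n - 1        # assumed initial upper limit
        self.overflow = False          # the upper-limit overflow flag
        self.seen = set()              # sequence numbers received inside the window
        self.wrap_aware = wrap_aware   # False = plain window, for comparison only

    def _in_window(self, k):
        if self.overflow:
            # Distance back from the upper limit, modulo the sequence space,
            # so the window may cover both the top of the space and M1..upper.
            return (self.upper - k) % self.span < self.N
        return self.upper - self.N < k <= self.upper

    def _move_upper_to(self, k):
        self.upper = k
        # Forget sequence numbers that have fallen out of the new window.
        self.seen = {s for s in self.seen if self._in_window(s)}

    def receive(self, k):
        """Return the verdict for a message carrying sequence number k."""
        if not self.M1 <= k <= self.M3:
            raise ValueError("sequence number outside [M1, M3]")
        if self._in_window(k):
            if k in self.seen:
                return DROP_REPLAY
            self.seen.add(k)
            return ACCEPT
        if self.overflow:
            if self.M1 <= k <= self.M2:
                # Ahead of the window across the wrap point: move the window
                # right so that its upper limit becomes K.
                self._move_upper_to(k)
                self.seen.add(k)
                if self.upper == self.M2:
                    self.overflow = False  # window has fully passed the wrap
                return ACCEPT
            return DROP_OUTSIDE
        if k > self.upper:
            # Ordinary advance without wrap.
            self._move_upper_to(k)
            self.seen.add(k)
            if self.wrap_aware and self.upper == self.M3:
                self.overflow = True       # sender is about to wrap to M1
            return ACCEPT
        return DROP_OUTSIDE                # older than the window


if __name__ == "__main__":
    # Constructed trace with a tiny sequence space (M1=0, M3=15) and N=4.
    w = AntiReplayWindow(n=4, m1=0, m3=15)
    for k in (1, 1, 7, 2, 15, 13, 1, 14, 15, 9, 4, 0, 6):
        print(f"K={k:2d} flag={int(w.overflow)} -> {w.receive(k)}")
```

In the trace, the message with K=1 that arrives after the window's upper limit has reached M3=15 is accepted and moves the window so that its upper limit is 1; the same message is discarded by a plain window with `wrap_aware=False`, which is the wrong discard the method is meant to avoid. The flag is cleared once the upper limit reaches M2=4, after which the window advances linearly again.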
The processor 1002 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), or the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In this embodiment of the present invention, the processor receives an IPSec message carrying a sequence number K and obtains the upper-limit overflow flag of the anti-replay sliding window; if the upper-limit overflow flag of the anti-replay sliding window is valid, then when the sequence number K of the message is not in the interval of the anti-replay sliding window and K lies between M1 and M2, the processor moves the anti-replay sliding window to the right so that its upper limit becomes the sequence number K of the message. Here M1 is the minimum message sequence number, M3 is the maximum message sequence number, M1 is an integer greater than or equal to 0, the size of the anti-replay sliding window is fixed at N, N is an integer greater than or equal to 1, and M2=M1+N. This solves the problem of messages being wrongly discarded by the anti-replay check.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be completed by hardware driven by program instructions. The program may be stored in a computer-readable storage medium; when executed, it performs the steps of the above method embodiments. The storage medium includes any medium capable of storing program code, such as a ROM, a RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. An anti-replay method, characterized in that it includes:
receiving an Internet Protocol Security (IPSec) message, the message including a sequence number K;
obtaining the upper-limit overflow flag of an anti-replay sliding window, where the upper-limit overflow flag is valid when the upper limit of the anti-replay sliding window reaches M3, or when the upper limit of the anti-replay sliding window is a value greater than or equal to M1 and less than M2; M1 is the minimum message sequence number, M3 is the maximum message sequence number, M1 is an integer greater than or equal to 0, the size of the anti-replay sliding window is fixed at N, N is an integer greater than or equal to 1, and M2 is the sum of M1 and N;
if the upper-limit overflow flag is valid, then when the sequence number K of the message is not in the interval of the anti-replay sliding window and K lies between M1 and M2, moving the anti-replay sliding window to the right so that the upper limit of the anti-replay sliding window becomes the sequence number K of the message.
2. The method according to claim 1, characterized in that it further includes:
if the upper-limit overflow flag of the anti-replay sliding window is valid, the sequence number K of the message is not in the interval of the anti-replay sliding window, and K does not lie between M1 and M2, discarding the message.
3. The method according to claim 1 or 2, characterized in that, before obtaining the upper-limit overflow flag of the anti-replay sliding window, it further includes:
if the upper limit of the anti-replay sliding window reaches M3, setting the upper-limit overflow flag of the anti-replay sliding window to valid.
4. The method according to any one of claims 1 to 3, characterized in that, after moving the anti-replay sliding window to the right so that its upper limit becomes the sequence number K of the message, it further includes:
if the upper limit of the anti-replay sliding window is M2, setting the upper-limit overflow flag of the anti-replay sliding window to invalid.
5. An anti-replay device, characterized in that it includes:
a receiving module, configured to receive an Internet Protocol Security (IPSec) message, the message including a sequence number K;
an acquisition module, configured to obtain the upper-limit overflow flag of an anti-replay sliding window, where the upper-limit overflow flag is valid when the upper limit of the anti-replay sliding window reaches M3, or when the upper limit of the anti-replay sliding window is a value greater than or equal to M1 and less than M2; M1 is the minimum message sequence number, M3 is the maximum message sequence number, M1 is an integer greater than or equal to 0, the size of the anti-replay sliding window is fixed at N, N is an integer greater than or equal to 1, and M2 is the sum of M1 and N;
a processing module, configured to, if the upper-limit overflow flag is valid, move the anti-replay sliding window to the right so that its upper limit becomes the sequence number K of the message when the sequence number K of the message is not in the interval of the anti-replay sliding window and K lies between M1 and M2.
6. The device according to claim 5, characterized in that the processing module is further configured to discard the message if the upper-limit overflow flag of the anti-replay sliding window is valid, the sequence number K of the message is not in the interval of the anti-replay sliding window, and K does not lie between M1 and M2.
7. The device according to claim 5 or 6, characterized in that the processing module is further configured to, before the upper-limit overflow flag of the anti-replay sliding window is obtained, set the upper-limit overflow flag of the anti-replay sliding window to valid if the upper limit of the anti-replay sliding window reaches M3.
8. The device according to any one of claims 5 to 7, characterized in that the processing module is further configured to, after moving the anti-replay sliding window to the right so that its upper limit becomes the sequence number K of the message, set the upper-limit overflow flag of the anti-replay sliding window to invalid if the upper limit of the anti-replay sliding window is M2.
CN201410803108.4A 2014-12-22 2014-12-22 Anti- playback method and device Active CN105791218B (en)

Publications (2)

Publication Number Publication Date
CN105791218A true CN105791218A (en) 2016-07-20
CN105791218B CN105791218B (en) 2019-06-21

Family

ID=56385957


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106899606A (en) * 2017-03-16 2017-06-27 新华三技术有限公司 A kind of message processing method and device
WO2023087590A1 (en) * 2021-11-18 2023-05-25 深圳市中兴微电子技术有限公司 Network anti-replay method and apparatus, electronic device, and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101471784A (en) * 2007-12-29 2009-07-01 北京天融信网络安全技术有限公司 Method for implementing IPSEC resistance of replay aggression
CN101577725A (en) * 2009-06-26 2009-11-11 杭州华三通信技术有限公司 Message synchronization method of anti-replay mechanism, device and system thereof
CN102769572A (en) * 2012-07-30 2012-11-07 福建星网锐捷网络有限公司 Message anti-replay method, message anti-replay device and network device

Legal Events

Code Title
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant