CN106685979A - Security terminal identifier based on STiP model and authentication method and system - Google Patents
- Publication number: CN106685979A
- Application number: CN201710013800.0A
- Authority: CN (China)
- Prior art keywords: binding, security host, host identifier, source, local
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04W12/06—Authentication
- H04W12/12—Detection or prevention of fraud
Abstract
The invention provides a security terminal identifier based on the STiP model, together with an authentication method and system. In the authentication method, a local end host signs a packet original text containing the source and destination security host identifiers to obtain a packet to be sent, and sends that packet to an access authentication server. When the access authentication server does not find binding information bound to the source security host identifier in its local mapping cache table, it sends a query request to a local mapping resolver; the binding information includes at least the source security host identifier, the public key bound to the source security host identifier, and the routing locator of the local access router. When the local mapping resolver does not find the binding information, it queries the root, top-level and authoritative mapping resolvers iteratively in sequence. The access authentication server verifies the packet to be sent and, if verification passes, forwards the packet to the local access router. A hash algorithm is further applied to the source and destination security host identifiers to obtain source and destination security host identifier labels, which replace the source and destination security host identifiers in the packet original text.
Description
Technical field
The present invention relates to the field of communications, and more particularly to a communication method and system based on the STiP (Secure and Trusted internet Protocol) model.
Background
As demand for terminal mobility grows, mobile devices such as notebook computers, smartphones and tablet computers are used more and more widely. At the same time, wireless networks are becoming increasingly popular because they avoid the limitations of wired connections. The wider use of mobile devices brings security risks that stem from their mobility, and because the existing TCP/IP protocol has no inherent security mechanism such as verification of address authenticity, attack sources and attacker identities are difficult to trace.
Summary of the invention
The present invention aims to overcome at least one of the above drawbacks by providing a security terminal identification and authentication method and system based on the STiP model, so as to secure the access of the local end host.
To achieve the above purpose, the technical solution of the invention is implemented as follows:
One aspect of the present invention provides a security terminal identification and authentication method based on the STiP model, including:
The local end host uses its private key to sign a packet original text containing the source security host identifier and the destination security host identifier, obtains a packet to be sent, and sends the packet to be sent to the access authentication server, where the packet to be sent includes the packet original text and the signature, the source security host identifier is the unique identifier of the local end host, and the destination security host identifier is the unique identifier of the peer end host;
The access authentication server receives the packet to be sent and, when it does not find binding information bound to the source security host identifier in its local mapping cache table, sends the local mapping resolver a request to query the binding information bound to the source security host identifier, where that binding information includes at least the source security host identifier, the public key bound to the source security host identifier, and the routing locator of the local access router through which the local end host accesses the network;
The local mapping resolver parses the request to query the binding information bound to the source security host identifier and looks up that binding information locally; when the local mapping resolver does not find it, it queries the root mapping resolver, the top-level mapping resolver and the authoritative mapping resolver iteratively in sequence, obtains the binding information bound to the source security host identifier from the authoritative mapping resolver, and sends it to the access authentication server;
The access authentication server receives the binding information bound to the source security host identifier, uses the public key bound to the source security host identifier to verify the authenticity of the packet to be sent and, if verification passes, sends a packet to be forwarded to the local access router, where the packet to be forwarded includes at least the packet original text;
The local access router receives the packet to be forwarded and, when it does not find binding information bound to the destination security host identifier in its local mapping cache table, sends the local mapping resolver a request to query the binding information bound to the destination security host identifier, where that binding information includes at least the destination security host identifier, the public key bound to the destination security host identifier, and the routing locator of the peer access router through which the peer end host accesses the network;
The local mapping resolver parses the request to query the binding information bound to the destination security host identifier and looks up that binding information locally; when the local mapping resolver does not find it, it queries the root mapping resolver, the top-level mapping resolver and the authoritative mapping resolver iteratively in sequence, obtains the binding information bound to the destination security host identifier from the authoritative mapping resolver, and sends it to the local access router;
The local access router encapsulates the source routing locator and the destination routing locator into the packet to be forwarded and sends the encapsulated packet to the peer access router, where the source routing locator is the routing locator of the local access router and the destination routing locator is the routing locator of the peer access router;
The peer access router receives the encapsulated packet, decapsulates it to obtain the packet to be forwarded, and sends the packet to be forwarded to the peer end host.
In addition, after the access authentication server receives the binding information bound to the source security host identifier, the method further includes: the access authentication server stores the binding information bound to the source security host identifier in the local mapping cache table.
In addition, the local mapping cache table also stores a cache time length for the binding information bound to the source security host identifier; the method further includes: after the cache time length expires, the access authentication server deletes the binding information bound to the source security host identifier.
In addition, the source security host identifier and the destination security host identifier are named according to a preset structure.
In addition, the root mapping resolver, the top-level mapping resolver and the authoritative mapping resolver form a tree topology.
In addition, the root mapping resolver, the top-level mapping resolver and the authoritative mapping resolver form a decentralized topology.
In addition, after the access authentication server receives the packet to be sent and before it sends the packet to be forwarded to the local access router, the method further includes: the access authentication server applies a hash algorithm to the source security host identifier and the destination security host identifier to obtain a source security host identifier label and a destination security host identifier label, and replaces the source security host identifier and the destination security host identifier in the packet original text with the source security host identifier label and the destination security host identifier label.
Another aspect of the present invention provides a security terminal identification and authentication system based on the STiP model, including:
A local end host, configured to use the private key of the local end host to sign a packet original text containing the source security host identifier and the destination security host identifier, obtain a packet to be sent, and send the packet to be sent to the access authentication server, where the packet to be sent includes the packet original text and the signature, the source security host identifier is the unique identifier of the local end host, and the destination security host identifier is the unique identifier of the peer end host;
An access authentication server, configured to receive the packet to be sent and, when it does not find binding information bound to the source security host identifier in its local mapping cache table, send the local mapping resolver a request to query the binding information bound to the source security host identifier, where that binding information includes at least the source security host identifier, the public key bound to the source security host identifier, and the routing locator of the local access router through which the local end host accesses the network;
A local mapping resolver, configured to parse the request to query the binding information bound to the source security host identifier and look up that binding information locally; when the local mapping resolver does not find it, to query the root mapping resolver, the top-level mapping resolver and the authoritative mapping resolver iteratively in sequence, obtain the binding information bound to the source security host identifier from the authoritative mapping resolver, and send it to the access authentication server;
The access authentication server is further configured to receive the binding information bound to the source security host identifier, use the public key bound to the source security host identifier to verify the authenticity of the packet to be sent and, if verification passes, send a packet to be forwarded to the local access router, where the packet to be forwarded includes at least the packet original text;
A local access router, configured to receive the packet to be forwarded and, when it does not find binding information bound to the destination security host identifier in its local mapping cache table, send the local mapping resolver a request to query the binding information bound to the destination security host identifier, where that binding information includes at least the destination security host identifier, the public key bound to the destination security host identifier, and the routing locator of the peer access router through which the peer end host accesses the network;
The local mapping resolver is further configured to parse the request to query the binding information bound to the destination security host identifier and look up that binding information locally; when the local mapping resolver does not find it, to query the root mapping resolver, the top-level mapping resolver and the authoritative mapping resolver iteratively in sequence, obtain the binding information bound to the destination security host identifier from the authoritative mapping resolver, and send it to the local access router;
The local access router is further configured to encapsulate the source routing locator and the destination routing locator into the packet to be forwarded and send the encapsulated packet to the peer access router, where the source routing locator is the routing locator of the local access router and the destination routing locator is the routing locator of the peer access router;
A peer access router, configured to receive the encapsulated packet, decapsulate it to obtain the packet to be forwarded, and send the packet to be forwarded to the peer end host.
In addition, the access authentication server is further configured to store the binding information bound to the source security host identifier in the local mapping cache table after receiving it.
In addition, the local mapping cache table also stores a cache time length for the binding information bound to the source security host identifier; the access authentication server is further configured to delete the binding information bound to the source security host identifier after the cache time length expires.
In addition, the source security host identifier and the destination security host identifier are named according to a preset structure.
In addition, the root mapping resolver, the top-level mapping resolver and the authoritative mapping resolver form a tree topology.
In addition, the root mapping resolver, the top-level mapping resolver and the authoritative mapping resolver form a decentralized topology.
In addition, the access authentication server is further configured, after receiving the packet to be sent and before sending the packet to be forwarded to the local access router, to apply a hash algorithm to the source security host identifier and the destination security host identifier to obtain a source security host identifier label and a destination security host identifier label, and to replace the source security host identifier and the destination security host identifier in the packet original text with the source security host identifier label and the destination security host identifier label.
As can be seen from the technical solution provided above, the security terminal identification and authentication method and system based on the STiP model provided by the embodiments of the present invention can solve network security problems such as source address spoofing and identity security at the source, which helps build an autonomous, controllable, secure and trustworthy Internet environment.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural diagram of the security terminal identification and authentication system based on the STiP model provided by an embodiment of the present invention;
Fig. 2 is a flowchart of the security terminal identification and authentication method based on the STiP model provided by an embodiment of the present invention.
Detailed description
Embodiments of the present invention are described in detail below with reference to the drawings.
Fig. 1 shows the structure of a security terminal identification and authentication system based on the STiP model provided by an embodiment of the present invention. Referring to Fig. 1, the system includes an access network 10 and a backbone network 20 whose IP addresses are independent of each other. Access network 10 includes multiple end hosts (including at least local end host 101 and peer end host 103) and at least one access authentication server (including at least local access authentication server 102, which is connected to local end host 101). As an optional implementation of the present invention, the at least one access authentication server may also include a peer access authentication server (not shown) connected to peer end host 103. Backbone network 20 includes multiple access routers (including at least local access router 201 and peer access router 202), local mapping resolver 203, root mapping resolver 204, top-level mapping resolver 205 and authoritative mapping resolver 206. Local access router 201 is connected to local access authentication server 102; peer access router 202 is connected to peer end host 103 (where a peer access authentication server is present, peer access router 202 is connected to the peer access authentication server); and local mapping resolver 203, root mapping resolver 204, top-level mapping resolver 205 and authoritative mapping resolver 206 are connected in sequence. A person skilled in the art will understand that these connections may be wired or wireless; the present invention places no particular limitation on this. The security terminal identification and authentication system based on the STiP model provided by the embodiment of the present invention is described in detail below:
Local end host 101 is configured to use the private key of the local end host to sign a packet original text containing the source security host identifier and the destination security host identifier, obtain a packet to be sent, and send the packet to be sent to access authentication server 102, where the packet to be sent includes the packet original text and the signature, the source security host identifier is the unique identifier of local end host 101, and the destination security host identifier is the unique identifier of peer end host 103;
Access authentication server 102 is configured to receive the packet to be sent and, when it does not find binding information bound to the source security host identifier in its local mapping cache table, send local mapping resolver 203 a request to query the binding information bound to the source security host identifier, where that binding information includes at least the source security host identifier, the public key bound to the source security host identifier, and the routing locator of local access router 201 through which the local end host accesses the network;
Local mapping resolver 203 is configured to parse the request to query the binding information bound to the source security host identifier and look up that binding information locally; when the local mapping resolver does not find it, to query root mapping resolver 204, top-level mapping resolver 205 and authoritative mapping resolver 206 iteratively in sequence, obtain the binding information bound to the source security host identifier from authoritative mapping resolver 206, and send it to access authentication server 102;
Access authentication server 102 is further configured to receive the binding information bound to the source security host identifier, use the public key bound to the source security host identifier to verify the authenticity of the packet to be sent and, if verification passes, send a packet to be forwarded to local access router 201, where the packet to be forwarded includes at least the packet original text;
Local access router 201 is configured to receive the packet to be forwarded and, when it does not find binding information bound to the destination security host identifier in its local mapping cache table, send local mapping resolver 203 a request to query the binding information bound to the destination security host identifier, where that binding information includes at least the destination security host identifier, the public key bound to the destination security host identifier, and the routing locator of the peer access router through which the peer end host accesses the network;
Local mapping resolver 203 is further configured to parse the request to query the binding information bound to the destination security host identifier and look up that binding information locally; when the local mapping resolver does not find it, to query root mapping resolver 204, top-level mapping resolver 205 and authoritative mapping resolver 206 iteratively in sequence, obtain the binding information bound to the destination security host identifier from the authoritative mapping resolver, and send it to local access router 201;
Local access router 201 is further configured to encapsulate the source routing locator and the destination routing locator into the packet to be forwarded and send the encapsulated packet to peer access router 202, where the source routing locator is the routing locator of local access router 201 and the destination routing locator is the routing locator of peer access router 202;
Peer access router 202 is configured to receive the encapsulated packet, decapsulate it to obtain the packet to be forwarded, and send the packet to be forwarded to peer end host 103.
It can be seen that the security terminal identification and authentication system based on the STiP model provided by the embodiment of the present invention can solve network security problems such as source address spoofing and identity security at the source, which helps build an autonomous, controllable, secure and trustworthy Internet environment.
Specifically, access network 10 handles the access of end hosts. On the basis of the STiP model provided by the embodiment of the present invention, a globally unique SHI (security host identifier, Secure Host Identifier) identifies every end host that accesses the network, and the security host identifier does not take part in global routing. Backbone network 20 handles data routing. Local mapping resolver 203, root mapping resolver 204, top-level mapping resolver 205 and authoritative mapping resolver 206 may be configured as a single server, for example one mapping server, or as a server cluster; the present invention places no limitation on this.
Access network 10 and backbone network 20 use independent address spaces: access network 10 forwards data using security terminal identifiers, and backbone network 20 routes and forwards packets using IP addresses. Because an end host cannot directly access an access router, attacks by end hosts on access routers are effectively prevented. The separation of access network 10 from backbone network 20 in the STiP model provided by the embodiment of the present invention also lets future terminal access technology and the backbone network architecture evolve independently of each other.
In access network 10, the authenticity of an end host is verified by the access authentication server. Specifically, before use, each end host can be allocated a public/private key pair by, for example, the mapping server, and the key pair is bound to the end host identifier, i.e. the key pair is bound to the SHI. The SHI is also bound to the RLOC (routing locator, Routing Locator) of the access router; that is, the mapping server can record a triple for each end host binding, consisting of the SHI, the public key bound to the SHI, and the RLOC of the access router through which the SHI accesses the network. The source end host signs packets with its private key, and the access authentication server can obtain the public key bound to the source SHI by querying, for example, the mapping server, and use it to authenticate packets from the source end host. A specific implementation is given below, although the present invention is not limited to it. In the STiP model, when the end host at one site sends data to the end host at another site, i.e. when local end host 101 sends data to peer end host 103, and the data has reached access authentication server 102, if no SHI-to-RLOC mapping entry (the mapping between the security host identifier of the local end host and the routing locator of the local access router) is found in the local mapping cache table of the local access authentication server, the server can send a message to the LMR (local mapping resolver, Local Map Resolver) requesting the SHI-to-RLOC mapping. After receiving the request from access authentication server 102, the LMR begins parsing the request message and first looks up locally the binding information bound to the SHI of the local end host. If no record for the SHI exists, the LMR initiates an iterative query to the RMR (root mapping resolver, Root Map Resolver). After three iterative queries, to the root mapping resolver, the TMR (top-level mapping resolver, Top-level Map Resolver) and the AMR (authoritative mapping resolver, Authoritative Map Resolver), the local mapping resolver obtains from the authoritative mapping resolver the binding information for the SHI queried by access authentication server 102, i.e. SHI-Public Key-RLOC (Public Key being the public key bound to the SHI). After access authentication server 102 sends the packet to local access router 201, local access router 201 obtains the RLOC address bound to the SHI of peer end host 103, and then encapsulates the message with its own RLOC as the source address and the RLOC of peer access router 202 as the destination address. Peer access router 202 decapsulates the message after receiving the packet and then sends the message to peer end host 103.
In the access network, access authentication server 102 can verify that an accessing end host is not forged or impersonated in the following way. Local end host 101 applies a digest operation to message X to obtain a very short message digest H1, and then performs the D operation on H1 with its own private key, i.e. a digital signature. The resulting signature D(H1) is appended to message X and sent. On receipt, access authentication server 102 first separates signature D(H1) from message X, then performs the E operation on D(H1) with the public key of local end host 101 to recover message digest H1, and then applies the digest operation to message X to obtain message digest H2. If H1 equals H2, access authentication server 102 can conclude that the received message is genuine; otherwise it is not.
As an optional implementation of the embodiment of the present invention, access authentication server 102 is further configured to store the binding information bound to the source security host identifier in the local mapping cache table after receiving it. Specifically, each time a query request from access authentication server 102 is answered, the binding information carried in the response message can be stored in the local mapping cache table, so that later uses do not need to query again, which improves processing efficiency.
As an optional implementation of the embodiment of the present invention, the local mapping cache table also stores the cache time length of the binding information bound to the source security host identifier; the access authentication server is further configured to delete the binding information bound to the source security host identifier after the cache time length expires. Specifically, a TTL (Time-To-Live) value, i.e. the length of time for which a piece of binding information is cached, can be set in each cache record stored in the local mapping cache table, so that efficiency is improved for a certain period while the binding information has to be re-obtained once that period is over, which improves security.
As an optional implementation of the embodiment of the present invention, the source security host identifier and the destination security host identifier are named according to a preset structure. Specifically, the security host identifier provided by the embodiment of the present invention can adopt a hierarchical host-identifier naming scheme, which ensures the global uniqueness and aggregability of SHI names.
As an optional implementation of the embodiment of the present invention, root map resolver 204, top-level map resolver 205 and authoritative map resolver 206 form a tree topology. A top-down iterative query therefore ensures that every mapping resolution follows the shortest lookup path, which both guarantees the global uniqueness and aggregability of SHIs and keeps the mapping-table size of each layer of map resolvers under control.
As an optional implementation of the embodiment of the present invention, root map resolver 204, top-level map resolver 205 and authoritative map resolver 206 form a decentralized topology. Because the update frequency of mapping relations is mainly affected by the movement of end hosts and by their reachability state, the hierarchical tree-shaped mapping resolution system established by the present invention can respond quickly to registration, update, query and deletion requests for mapping relations. The update frequency of mapping relations and the traffic of update messages will not become a performance bottleneck for any layer of map resolvers, because the maintenance of mapping relations converges in state and the mapping query delay and mapping state size are controllable.
Specifically, an example of the SHI naming topology is facility.scheme.bistu.edu.cn. The iterative query steps for resolving the mapping relation of facility.scheme.bistu.edu.cn are as follows:
A. The local map resolver analyzes the full name, determines that it needs the location of the server with authoritative control over the cn map resolver, sends the request and obtains a response;
B. It queries the cn map resolver and obtains the referral information for the edu.cn server;
C. It queries the edu.cn map resolver and obtains the referral information for the bistu.edu.cn server;
D. It queries the bistu.edu.cn map resolver and obtains the referral information for the scheme.bistu.edu.cn server;
E. It queries the scheme.bistu.edu.cn map resolver and obtains the binding information response for facility.scheme.bistu.edu.cn.
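The iterative query in steps A to E, combined with the TTL-limited local mapping cache table described earlier, can be sketched as follows. This is an added example, not code from the patent: the class and function names, the 300-second TTL, the RLOC value and the key placeholder are all assumptions constructed for illustration.

```python
import time


class MapResolver:
    """One resolver in the tree: answers with a binding, a referral, or nothing."""

    def __init__(self, zone):
        self.zone = zone        # "" stands for the root map resolver
        self.children = {}      # child zone -> MapResolver (referral targets)
        self.bindings = {}      # SHI -> binding record held authoritatively

    def delegate(self, zone):
        child = MapResolver(zone)
        self.children[zone] = child
        return child

    def query(self, shi):
        if shi in self.bindings:
            return "binding", self.bindings[shi]
        for zone, child in self.children.items():
            if shi.endswith("." + zone):
                return "referral", child
        return "not_found", None


def resolve_iteratively(root, shi, max_steps=16):
    """Local map resolver logic: follow referrals from the root downwards.

    Returns (binding or None, list of zones queried in order)."""
    server, path = root, []
    for _ in range(max_steps):  # bounded so a referral loop cannot hang the caller
        path.append(server.zone or "root")
        kind, value = server.query(shi)
        if kind == "binding":
            return value, path
        if kind != "referral":
            break
        server = value
    return None, path


class MappingCache:
    """Local mapping cache table; a record is deleted once its TTL has expired."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl, self.clock, self.table = ttl_seconds, clock, {}

    def get(self, shi):
        record = self.table.get(shi)
        if record is None:
            return None
        binding, expires_at = record
        if self.clock() >= expires_at:
            del self.table[shi]  # stale binding must be fetched again
            return None
        return binding

    def put(self, shi, binding):
        self.table[shi] = (binding, self.clock() + self.ttl)


def lookup(cache, root, shi):
    """Cache first, then iterative query; only successful answers are cached."""
    binding = cache.get(shi)
    if binding is not None:
        return binding, []
    binding, path = resolve_iteratively(root, shi)
    if binding is not None:
        cache.put(shi, binding)
    return binding, path


def build_demo_tree():
    """Constructed resolver tree for the SHI name used in the text."""
    root = MapResolver("")
    scheme = (root.delegate("cn").delegate("edu.cn")
                  .delegate("bistu.edu.cn").delegate("scheme.bistu.edu.cn"))
    scheme.bindings["facility.scheme.bistu.edu.cn"] = {
        "public_key": "<constructed key placeholder>",
        "rloc": "192.0.2.10",  # constructed RLOC (documentation address range)
    }
    return root


if __name__ == "__main__":
    cache = MappingCache(ttl_seconds=300)
    tree = build_demo_tree()
    print(lookup(cache, tree, "facility.scheme.bistu.edu.cn"))  # five queries
    print(lookup(cache, tree, "facility.scheme.bistu.edu.cn"))  # served from cache
```
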
As an optional implementation of the embodiment of the present invention, access authentication server 102 is further configured to, after receiving the packet to be sent and before sending the packet to be forwarded to local access router 201, apply a hash algorithm to the source security host identifier and the destination security host identifier to obtain a source security host identifier tag and a destination security host identifier tag, and to replace the source security host identifier and the destination security host identifier in the original packet text with these tags. Because the security host identifier SHI is globally unique, in order to increase the privacy of the source host identifier in packets transmitted in backbone network 20, a specific implementation may have access authentication server 102 use a hash algorithm to generate a fixed-length SHIT (security host identifier tag, Secure Host Identifier Tag) from the variable-length security host identifier, and then replace the source host identifier in the original data packet with this hash value.
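The H1/H2 signature check described earlier and the tag replacement just described can be put together as below. This is an added example, not code from the patent: it uses unpadded textbook RSA only to mirror the D and E operations in the text (a deployment would use a standard padded signature scheme), and the demo keys, SHA-256, the JSON packet layout, the peer SHI and the RLOC are constructed assumptions.

```python
import hashlib
import json

E = 65537


def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (E, n), (d, n)


# Constructed demo keys built from Mersenne primes so the example runs offline
# without key generation. Such moduli are NOT secure; illustration only.
HOST_PUB, HOST_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**127 - 1, 2**1279 - 1)


def digest(message: bytes) -> int:
    """Digest operation: message X -> short digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private) -> int:
    """D operation on H1 with the sender's private key."""
    d, n = private
    return pow(digest(message), d, n)


def verify(message: bytes, signature, public) -> bool:
    """E operation on D(H1) recovers H1; accept only if it equals H2."""
    e, n = public
    if not isinstance(signature, int) or not 0 < signature < n:
        return False
    h1 = pow(signature, e, n)
    h2 = digest(message)
    return h1 == h2


def build_packet(src_shi, dst_shi, payload, private):
    """Local end host: sign the original packet text that carries both SHIs."""
    original = json.dumps({"src": src_shi, "dst": dst_shi, "payload": payload},
                          sort_keys=True).encode()
    return {"original": original, "signature": sign(original, private)}


def identifier_tag(shi: str) -> str:
    """Fixed-length tag (SHIT) from a variable-length SHI; SHA-256 is assumed."""
    return hashlib.sha256(shi.encode()).hexdigest()


def authenticate_and_forward(packet, bindings):
    """Access authentication server: return the packet to forward, or None to drop."""
    try:
        fields = json.loads(packet["original"])
        src, dst = fields["src"], fields["dst"]
    except (ValueError, KeyError, TypeError):
        return None
    binding = bindings.get(src)  # key is selected by the CLAIMED source SHI
    if binding is None:
        return None
    if not verify(packet["original"], packet["signature"], binding["public_key"]):
        return None
    fields["src"], fields["dst"] = identifier_tag(src), identifier_tag(dst)
    return fields


SRC = "facility.scheme.bistu.edu.cn"  # SHI name used in the text
DST = "peer.scheme.bistu.edu.cn"      # constructed peer SHI
BINDINGS = {SRC: {"public_key": HOST_PUB, "rloc": "192.0.2.10"}}  # constructed

if __name__ == "__main__":
    print(authenticate_and_forward(build_packet(SRC, DST, "hello", HOST_PRIV), BINDINGS))
```

A packet that claims the source SHI but is signed with any other key is dropped, because the verifying key comes from the binding record of the claimed identifier rather than from the packet itself.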
Fig. 2 shows a flowchart of a security terminal identification and authentication method based on the STiP model provided by an embodiment of the present invention. The method is applied to the system described above, so it is only briefly described below; for matters not covered here, refer to the description of the system above. Referring to Fig. 2, the security terminal identification and authentication method based on the STiP model provided by the embodiment of the present invention includes:
S201, the local end host uses its own private key to sign the original packet text containing the source security host identifier and the destination security host identifier, obtains the packet to be sent, and sends the packet to be sent to the access authentication server, wherein the packet to be sent includes the original packet text and the signature, the source security host identifier is the unique identifier of the local end host, and the destination security host identifier is the unique identifier of the peer end host;
S202, the access authentication server receives the packet to be sent and, if it does not find the binding information bound to the source security host identifier in the local mapping cache table, sends to the local map resolver a request to query the binding information bound to the source security host identifier, wherein the binding information bound to the source security host identifier includes at least the source security host identifier, the public key bound to the source security host identifier, and the routing locator of the local access router to which the local end host is attached;
S203, the local map resolver parses the request to query the binding information bound to the source security host identifier and looks up that binding information locally; if the local map resolver does not find the binding information bound to the source security host identifier, it iteratively queries the root map resolver, the top-level map resolver and the authoritative map resolver in turn, obtains the binding information bound to the source security host identifier from the authoritative map resolver, and sends it to the access authentication server;
S204, the access authentication server receives the binding information bound to the source security host identifier, verifies the authenticity of the packet to be sent with the public key bound to the source security host identifier and, if the verification passes, sends the packet to be forwarded to the local access router, wherein the packet to be forwarded includes at least the original packet text;
S205, the local access router receives the packet to be forwarded and, if it does not find the binding information bound to the destination security host identifier in the local mapping cache table, sends to the local map resolver a request to query the binding information bound to the destination security host identifier, wherein the binding information bound to the destination security host identifier includes at least the destination security host identifier, the public key bound to the destination security host identifier, and the routing locator of the peer access router to which the peer end host is attached;
S206, the local map resolver parses the request to query the binding information bound to the destination security host identifier and looks up that binding information locally; if the local map resolver does not find the binding information bound to the destination security host identifier, it iteratively queries the root map resolver, the top-level map resolver and the authoritative map resolver in turn, obtains the binding information bound to the destination security host identifier from the authoritative map resolver, and sends it to the local access router;
S207, the local access router encapsulates the source routing locator and the destination routing locator onto the packet to be forwarded and sends the encapsulated packet to the peer access router, wherein the source routing locator is the routing locator of the local access router and the destination routing locator is the routing locator of the peer access router;
S208, the peer access router receives the encapsulated packet, decapsulates it to obtain the packet to be forwarded, and sends the packet to be forwarded to the peer end host.
It can be seen that the security terminal identification and authentication method based on the STiP model provided by the embodiment of the present invention can solve network security problems such as source address spoofing and identity security at the source, which helps build an autonomous, controllable, secure and trustworthy Internet environment.
As an optional implementation of the embodiment of the present invention, after the access authentication server receives the binding information bound to the source security host identifier, the method further includes: the access authentication server stores the binding information bound to the source security host identifier in the local mapping cache table. Specifically, each time a query request from the access authentication server is answered, the binding information carried in the response message can be stored in the local mapping cache table, so that later uses do not need to query again, which improves processing efficiency.
As an optional implementation of the embodiment of the present invention, the local mapping cache table also stores the cache time length of the binding information bound to the source security host identifier; the method further includes: the access authentication server deletes the binding information bound to the source security host identifier after the cache time length expires. Specifically, a TTL (Time-To-Live) value, i.e. the length of time for which a piece of binding information is cached, can be set in each cache record stored in the local mapping cache table, so that efficiency is improved for a certain period while the binding information has to be re-obtained once that period is over, which improves security.
As an optional implementation of the embodiment of the present invention, the source security host identifier and the destination security host identifier are named according to a preset structure. Specifically, the security host identifier provided by the embodiment of the present invention can adopt a hierarchical host-identifier naming scheme, which ensures the global uniqueness and aggregability of SHI names.
As an optional implementation of the embodiment of the present invention, the root map resolver, the top-level map resolver and the authoritative map resolver form a tree topology. A top-down iterative query therefore ensures that every mapping resolution follows the shortest lookup path, which both guarantees the global uniqueness and aggregability of SHIs and keeps the mapping-table size of each layer of map resolvers under control.
As an optional implementation of the embodiment of the present invention, the root map resolver, the top-level map resolver and the authoritative map resolver form a decentralized topology. Because the update frequency of mapping relations is mainly affected by the movement of end hosts and by their reachability state, the hierarchical tree-shaped mapping resolution system established by the present invention can respond quickly to registration, update, query and deletion requests for mapping relations. The update frequency of mapping relations and the traffic of update messages will not become a performance bottleneck for any layer of map resolvers, because the maintenance of mapping relations converges in state and the mapping query delay and mapping state size are controllable.
As an optional implementation of the embodiment of the present invention, after the access authentication server receives the packet to be sent and before it sends the packet to be forwarded to the local access router, the method further includes: the access authentication server applies a hash algorithm to the source security host identifier and the destination security host identifier to obtain a source security host identifier tag and a destination security host identifier tag, and replaces the source security host identifier and the destination security host identifier in the original packet text with these tags. Because the security host identifier SHI is globally unique, in order to increase the privacy of the source host identifier in packets transmitted in backbone network 20, a specific implementation may have access authentication server 102 use a hash algorithm to generate a fixed-length SHIT (security host identifier tag, Secure Host Identifier Tag) from the variable-length security host identifier, and then replace the source host identifier in the original data packet with this hash value.
Any process or method description in the flowchart, or otherwise described herein, may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing specific logical functions or steps of the process. The scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially simultaneously or in the reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
Those of ordinary skill in the art will appreciate that all or part of the steps carried by the methods of the above embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiment or a combination thereof.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
The embodiments above only describe preferred implementations of the present invention and do not limit its scope. Without departing from the design spirit of the present invention, all modifications and improvements made to the technical solution of the present invention by those of ordinary skill in the art shall fall within the scope of protection determined by the claims of the present invention.
Claims (14)
1. A security terminal identification and authentication method based on the STiP model, characterized by comprising:
a local end host signs, with the private key of the local end host, the original packet text containing a source security host identifier and a destination security host identifier to obtain a packet to be sent, and sends the packet to be sent to an access authentication server, wherein the packet to be sent includes the original packet text and the signature, the source security host identifier is the unique identifier of the local end host, and the destination security host identifier is the unique identifier of a peer end host;
the access authentication server receives the packet to be sent and, if it does not find binding information bound to the source security host identifier in a local mapping cache table, sends to a local map resolver a request to query the binding information bound to the source security host identifier, wherein the binding information bound to the source security host identifier includes at least the source security host identifier, the public key bound to the source security host identifier, and the routing locator of the local access router to which the local end host is attached;
the local map resolver parses the request to query the binding information bound to the source security host identifier and looks up that binding information locally; if the local map resolver does not find the binding information bound to the source security host identifier, it iteratively queries a root map resolver, a top-level map resolver and an authoritative map resolver in turn, obtains the binding information bound to the source security host identifier from the authoritative map resolver, and sends the binding information bound to the source security host identifier to the access authentication server;
the access authentication server receives the binding information bound to the source security host identifier, verifies the authenticity of the packet to be sent with the public key bound to the source security host identifier and, if the verification passes, sends a packet to be forwarded to the local access router, wherein the packet to be forwarded includes at least the original packet text;
the local access router receives the packet to be forwarded and, if it does not find binding information bound to the destination security host identifier in the local mapping cache table, sends to the local map resolver a request to query the binding information bound to the destination security host identifier, wherein the binding information bound to the destination security host identifier includes at least the destination security host identifier, the public key bound to the destination security host identifier, and the routing locator of the peer access router to which the peer end host is attached;
the local map resolver parses the request to query the binding information bound to the destination security host identifier and looks up that binding information locally; if the local map resolver does not find the binding information bound to the destination security host identifier, it iteratively queries the root map resolver, the top-level map resolver and the authoritative map resolver in turn, obtains the binding information bound to the destination security host identifier from the authoritative map resolver, and sends the binding information bound to the destination security host identifier to the local access router;
the local access router encapsulates a source routing locator and a destination routing locator onto the packet to be forwarded and sends the encapsulated packet to be forwarded to the peer access router, wherein the source routing locator is the routing locator of the local access router and the destination routing locator is the routing locator of the peer access router;
the peer access router receives the encapsulated packet to be forwarded, decapsulates it to obtain the packet to be forwarded, and sends the packet to be forwarded to the peer end host.
2. The method according to claim 1, characterized in that, after the access authentication server receives the binding information bound to the source security host identifier, the method further comprises: the access authentication server stores the binding information bound to the source security host identifier in the local mapping cache table.
3. The method according to claim 2, characterized in that the local mapping cache table also stores the cache time length of the binding information bound to the source security host identifier; the method further comprises:
the access authentication server deletes the binding information bound to the source security host identifier after the cache time length expires.
4. The method according to claim 1, characterized in that the source security host identifier and the destination security host identifier are named according to a preset structure.
5. The method according to any one of claims 1 to 4, characterized in that the root map resolver, the top-level map resolver and the authoritative map resolver form a tree topology.
6. The method according to claim 5, characterized in that the root map resolver, the top-level map resolver and the authoritative map resolver form a decentralized topology.
7. The method according to claim 1, characterized in that, after the access authentication server receives the packet to be sent and before it sends the packet to be forwarded to the local access router, the method further comprises:
the access authentication server applies a hash algorithm to the source security host identifier and the destination security host identifier to obtain a source security host identifier tag and a destination security host identifier tag, and replaces the source security host identifier and the destination security host identifier in the original packet text with the source security host identifier tag and the destination security host identifier tag.
8. A security terminal identification and authentication system based on the STiP model, characterized by comprising:
a local end host, configured to sign, with the private key of the local end host, the original packet text containing a source security host identifier and a destination security host identifier to obtain a packet to be sent, and to send the packet to be sent to an access authentication server, wherein the packet to be sent includes the original packet text and the signature, the source security host identifier is the unique identifier of the local end host, and the destination security host identifier is the unique identifier of a peer end host;
the access authentication server, configured to receive the packet to be sent and, if it does not find binding information bound to the source security host identifier in a local mapping cache table, to send to a local map resolver a request to query the binding information bound to the source security host identifier, wherein the binding information bound to the source security host identifier includes at least the source security host identifier, the public key bound to the source security host identifier, and the routing locator of the local access router to which the local end host is attached;
the local map resolver, configured to parse the request to query the binding information bound to the source security host identifier and to look up that binding information locally; if the local map resolver does not find the binding information bound to the source security host identifier, to iteratively query a root map resolver, a top-level map resolver and an authoritative map resolver in turn, to obtain the binding information bound to the source security host identifier from the authoritative map resolver, and to send the binding information bound to the source security host identifier to the access authentication server;
the access authentication server, further configured to receive the binding information bound to the source security host identifier, to verify the authenticity of the packet to be sent with the public key bound to the source security host identifier and, if the verification passes, to send a packet to be forwarded to the local access router, wherein the packet to be forwarded includes at least the original packet text;
the local access router, configured to receive the packet to be forwarded and, if it does not find binding information bound to the destination security host identifier in the local mapping cache table, to send to the local map resolver a request to query the binding information bound to the destination security host identifier, wherein the binding information bound to the destination security host identifier includes at least the destination security host identifier, the public key bound to the destination security host identifier, and the routing locator of the peer access router to which the peer end host is attached;
the local map resolver, further configured to parse the request to query the binding information bound to the destination security host identifier and to look up that binding information locally; if the local map resolver does not find the binding information bound to the destination security host identifier, to iteratively query the root map resolver, the top-level map resolver and the authoritative map resolver in turn, to obtain the binding information bound to the destination security host identifier from the authoritative map resolver, and to send the binding information bound to the destination security host identifier to the local access router;
the local access router, further configured to encapsulate a source routing locator and a destination routing locator onto the packet to be forwarded and to send the encapsulated packet to be forwarded to the peer access router, wherein the source routing locator is the routing locator of the local access router and the destination routing locator is the routing locator of the peer access router;
the peer access router, configured to receive the encapsulated packet to be forwarded, to decapsulate it to obtain the packet to be forwarded, and to send the packet to be forwarded to the peer end host.
9. The system according to claim 8, characterized in that the access authentication server is further configured to store the binding information bound to the source security host identifier in the local mapping cache table after receiving the binding information bound to the source security host identifier.
10. The system according to claim 9, characterized in that the local mapping cache table also stores the cache time length of the binding information bound to the source security host identifier; the access authentication server is further configured to delete the binding information bound to the source security host identifier after the cache time length expires.
11. The system according to claim 8, characterized in that the source security host identifier and the destination security host identifier are named according to a preset structure.
12. The system according to any one of claims 8 to 11, characterized in that the root map resolver, the top-level map resolver and the authoritative map resolver form a tree topology.
13. The system according to claim 12, characterized in that the root map resolver, the top-level map resolver and the authoritative map resolver form a decentralized topology.
14. The system according to claim 8, characterized in that the access authentication server is further configured to, after receiving the packet to be sent and before sending the packet to be forwarded to the local access router, apply a hash algorithm to the source security host identifier and the destination security host identifier to obtain a source security host identifier tag and a destination security host identifier tag, and to replace the source security host identifier and the destination security host identifier in the original packet text with the source security host identifier tag and the destination security host identifier tag.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710013800.0A CN106685979B (en) | 2017-01-09 | 2017-01-09 | Security terminal mark and authentication method and system based on STiP model |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710013800.0A CN106685979B (en) | 2017-01-09 | 2017-01-09 | Security terminal mark and authentication method and system based on STiP model |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106685979A true CN106685979A (en) | 2017-05-17 |
CN106685979B CN106685979B (en) | 2019-05-28 |
Family
ID=58849294
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710013800.0A Active CN106685979B (en) | 2017-01-09 | 2017-01-09 | Security terminal mark and authentication method and system based on STiP model |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106685979B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108243190A (en) * | 2018-01-09 | 2018-07-03 | 北京信息科技大学 | The credible management method and system of a kind of network identity |
CN111817854A (en) * | 2020-06-04 | 2020-10-23 | 中国电子科技集团公司第三十研究所 | Security authentication method and system based on centerless identification mapping synchronous management |
CN111817854B (en) * | 2020-06-04 | 2022-03-18 | 中国电子科技集团公司第三十研究所 | Security authentication method and system based on centerless identification mapping synchronous management |
CN113114616A (en) * | 2021-01-18 | 2021-07-13 | 北京信息科技大学 | Method and device for constructing and analyzing terminal protocol stack and terminal |
Also Published As
Publication number | Publication date |
---|---|
CN106685979B (en) | 2019-05-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||