CN106685979B - Security terminal mark and authentication method and system based on STiP model - Google Patents


Info

Publication number: CN106685979B
Authority: CN (China)
Prior art keywords: binding, security host, host identifier, source, local
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201710013800.0A
Other languages: Chinese (zh)
Other versions: CN106685979A
Inventors: 蒋文保, 朱国库
Current Assignee: Beijing Information Science and Technology University (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Information Science and Technology University
Events: application filed by Beijing Information Science and Technology University; priority to CN201710013800.0A; publication of CN106685979A; application granted; publication of CN106685979B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/12 Detection or prevention of fraud

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a security terminal identification and authentication method and system based on the STiP model. In the method, the local terminal host signs the packet original text, which contains the source and destination security host identifiers, to obtain the packet to be sent, and sends it to the access authentication server. If the access authentication server does not find, in its local mapping cache table, the binding information bound to the source security host identifier, it sends a query request to the local map resolver; the binding information comprises at least the source security host identifier, the public key bound to it, and the routing locator of the local access router. If the local map resolver does not find the binding information either, it iteratively queries the root, top-level and authoritative map resolvers in turn. The access authentication server verifies the packet to be sent, applies a hash algorithm to the source and destination security host identifiers to obtain source and destination security host identification tags, replaces the identifiers in the packet original text with these tags, and then forwards the packet to the local access router.

Description

Security terminal mark and authentication method and system based on STiP model
Technical field
The present invention relates to the field of communications, and in particular to a communication method and system based on the STiP (Secure and Trusted internet Protocol) model.
Background technique
As users' demand for terminal mobility grows, mobile devices such as laptops, smartphones and tablet computers are used more and more widely. At the same time, wireless networks are becoming increasingly popular as a way around the limitations of wired connections. With the ever wider use of mobile devices come the security risks that their mobility brings; moreover, because the existing TCP/IP protocol suite has no inherent security mechanism such as address authenticity verification, attack sources and attacker identities are difficult to trace.
Summary of the invention
The present invention aims to overcome at least one of the above drawbacks by providing a security terminal identification and authentication method and system based on the STiP model, so as to guarantee the security of local terminal host access.
To achieve the above objective, the technical solution of the present invention is specifically realized as follows:
One aspect of the present invention provides a security terminal identification and authentication method based on the STiP model, comprising the following. The local terminal host signs, with its private key, a packet original text containing a source security host identifier and a destination security host identifier to obtain a packet to be sent, and sends the packet to be sent to the access authentication server; the packet to be sent comprises the packet original text and the signature, the source security host identifier is the unique identifier of the local terminal host, and the destination security host identifier is the unique identifier of the remote terminal host. The access authentication server receives the packet to be sent and, if it does not find the binding information bound to the source security host identifier in its local mapping cache table, sends to the local map resolver a request to query that binding information; the binding information bound to the source security host identifier comprises at least the source security host identifier, the public key bound to it, and the routing locator of the local access router to which the local terminal host is attached. The local map resolver parses the request and searches locally for the binding information bound to the source security host identifier; if it does not find it, it iteratively queries the root map resolver, the top-level map resolver and the authoritative map resolver in turn, obtains the binding information from the authoritative map resolver, and sends it to the access authentication server. The access authentication server receives the binding information and verifies the authenticity of the packet to be sent with the public key bound to the source security host identifier; if verification passes, it sends a packet to be forwarded, which comprises at least the packet original text, to the local access router. The local access router receives the packet to be forwarded and, if it does not find the binding information bound to the destination security host identifier in its local mapping cache table, sends to the local map resolver a request to query that binding information; the binding information bound to the destination security host identifier comprises at least the destination security host identifier, the public key bound to it, and the routing locator of the remote access router to which the remote terminal host is attached. The local map resolver parses the request and searches locally; if it does not find the binding information, it iteratively queries the root, top-level and authoritative map resolvers in turn, obtains the binding information bound to the destination security host identifier from the authoritative map resolver, and sends it to the local access router. The local access router encapsulates the source routing locator and the destination routing locator into the packet to be forwarded and sends the encapsulated packet to the remote access router, where the source routing locator is that of the local access router and the destination routing locator is that of the remote access router. The remote access router receives the encapsulated packet, decapsulates it to obtain the packet to be forwarded, and sends the packet to be forwarded to the remote terminal host.
Additionally, after the access authentication server receives the binding information bound to the source security host identifier, the method further comprises: the access authentication server stores that binding information in its local mapping cache table.
Additionally, the local mapping cache table also stores a cache time length for the binding information bound to the source security host identifier, and the method further comprises: after the cache time length expires, the access authentication server deletes the binding information bound to the source security host identifier.
Additionally, the source security host identifier and the destination security host identifier are named according to a preset structure.
Additionally, the root map resolver, the top-level map resolver and the authoritative map resolver form a tree-shaped topology.
Additionally, the root map resolver, the top-level map resolver and the authoritative map resolver form a decentralized topology.
Additionally, after the access authentication server receives the packet to be sent and before it sends the packet to be forwarded to the local access router, the method further comprises: the access authentication server applies a hash algorithm to the source security host identifier and the destination security host identifier to obtain a source security host identification tag and a destination security host identification tag, and replaces the source and destination security host identifiers in the packet original text with these tags.
Another aspect of the present invention provides a security terminal identification and authentication system based on the STiP model, comprising: a local terminal host, configured to sign, with its private key, a packet original text containing a source security host identifier and a destination security host identifier to obtain a packet to be sent, and to send the packet to be sent to the access authentication server, where the packet to be sent comprises the packet original text and the signature, the source security host identifier is the unique identifier of the local terminal host, and the destination security host identifier is the unique identifier of the remote terminal host; an access authentication server, configured to receive the packet to be sent and, if it does not find the binding information bound to the source security host identifier in its local mapping cache table, to send to the local map resolver a request to query that binding information, where the binding information bound to the source security host identifier comprises at least the source security host identifier, the public key bound to it, and the routing locator of the local access router to which the local terminal host is attached; a local map resolver, configured to parse the request, search locally for the binding information bound to the source security host identifier and, if it does not find it, iteratively query the root map resolver, the top-level map resolver and the authoritative map resolver in turn, obtain the binding information from the authoritative map resolver, and send it to the access authentication server. The access authentication server is further configured to receive the binding information, verify the authenticity of the packet to be sent with the public key bound to the source security host identifier and, if verification passes, send a packet to be forwarded, which comprises at least the packet original text, to the local access router. The system further comprises a local access router, configured to receive the packet to be forwarded and, if it does not find the binding information bound to the destination security host identifier in its local mapping cache table, to send to the local map resolver a request to query that binding information, where the binding information bound to the destination security host identifier comprises at least the destination security host identifier, the public key bound to it, and the routing locator of the remote access router to which the remote terminal host is attached. The local map resolver is further configured to parse that request, search locally and, if it does not find the binding information, iteratively query the root, top-level and authoritative map resolvers in turn, obtain the binding information bound to the destination security host identifier from the authoritative map resolver, and send it to the local access router. The local access router is further configured to encapsulate the source routing locator and the destination routing locator into the packet to be forwarded and to send the encapsulated packet to the remote access router, where the source routing locator is that of the local access router and the destination routing locator is that of the remote access router. The system further comprises a remote access router, configured to receive the encapsulated packet, decapsulate it to obtain the packet to be forwarded, and send the packet to be forwarded to the remote terminal host.
Additionally, the access authentication server is further configured to store the binding information bound to the source security host identifier in its local mapping cache table after receiving it.
Additionally, the local mapping cache table also stores a cache time length for the binding information bound to the source security host identifier, and the access authentication server is further configured to delete the binding information bound to the source security host identifier after the cache time length expires.
Additionally, the source security host identifier and the destination security host identifier are named according to a preset structure.
Additionally, the root map resolver, the top-level map resolver and the authoritative map resolver form a tree-shaped topology.
Additionally, the root map resolver, the top-level map resolver and the authoritative map resolver form a decentralized topology.
Additionally, the access authentication server is further configured, after receiving the packet to be sent and before sending the packet to be forwarded to the local access router, to apply a hash algorithm to the source security host identifier and the destination security host identifier to obtain a source security host identification tag and a destination security host identification tag, and to replace the source and destination security host identifiers in the packet original text with these tags.
As can be seen from the above technical solution, the security terminal identification and authentication method and system based on the STiP model provided by the embodiments of the present invention can solve network security problems such as source address spoofing and identity security at their source, which is conducive to building an autonomous, controllable, secure and trustworthy internet environment.
Brief description of the drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural schematic diagram of the security terminal identification and authentication system based on the STiP model provided in an embodiment of the present invention;
Fig. 2 is a flow chart of the security terminal identification and authentication method based on the STiP model provided in an embodiment of the present invention.
Detailed description of the embodiments
Embodiments of the present invention are described in detail below with reference to the drawings.
Fig. 1 shows a structural schematic diagram of a security terminal identification and authentication system based on the STiP model provided in an embodiment of the present invention. Referring to Fig. 1, the system comprises an access network 10 and a backbone network 20 whose IP address spaces are independent of each other. The access network 10 comprises multiple terminal hosts (including at least a local terminal host 101 and a remote terminal host 103) and at least one access authentication server (including at least the local access authentication server 102 connected to the local terminal host 101). As an optional embodiment, the at least one access authentication server may also include a remote access authentication server (not shown) connected to the remote terminal host 103. The backbone network 20 comprises multiple access routers (including at least a local access router 201 and a remote access router 202), a local map resolver 203, a root map resolver 204, a top-level map resolver 205 and an authoritative map resolver 206. The local access router 201 connects to the local access authentication server 102, the remote access router 202 connects to the remote terminal host 103 (where a remote access authentication server is present, the remote access router 202 connects to it instead), and the local map resolver 203, root map resolver 204, top-level map resolver 205 and authoritative map resolver 206 are connected in sequence. Those skilled in the art will appreciate that the above connections may be wired or wireless; the present invention is not particularly limited in this respect. The security terminal identification and authentication system based on the STiP model provided in the embodiment is described in detail below:
The local terminal host 101 is configured to sign, with its private key, a packet original text containing a source security host identifier and a destination security host identifier to obtain a packet to be sent, and to send the packet to be sent to the access authentication server 102, where the packet to be sent comprises the packet original text and the signature, the source security host identifier is the unique identifier of the local terminal host 101, and the destination security host identifier is the unique identifier of the remote terminal host 103.
The access authentication server 102 is configured to receive the packet to be sent and, if it does not find the binding information bound to the source security host identifier in its local mapping cache table, to send to the local map resolver 203 a request to query that binding information, where the binding information bound to the source security host identifier comprises at least the source security host identifier, the public key bound to it, and the routing locator of the local access router 201 to which the local terminal host is attached.
The local map resolver 203 is configured to parse the request to query the binding information bound to the source security host identifier and to search locally for it; if the local map resolver does not find the binding information, it iteratively queries the root map resolver 204, the top-level map resolver 205 and the authoritative map resolver 206 in turn, obtains the binding information bound to the source security host identifier from the authoritative map resolver 206, and sends it to the access authentication server 102.
The access authentication server 102 is further configured to receive the binding information bound to the source security host identifier and to verify the authenticity of the packet to be sent with the public key bound to that identifier; if verification passes, it sends a packet to be forwarded, which comprises at least the packet original text, to the local access router 201.
The local access router 201 is configured to receive the packet to be forwarded and, if it does not find the binding information bound to the destination security host identifier in its local mapping cache table, to send to the local map resolver 203 a request to query that binding information, where the binding information bound to the destination security host identifier comprises at least the destination security host identifier, the public key bound to it, and the routing locator of the remote access router to which the remote terminal host is attached.
The local map resolver 203 is further configured to parse the request to query the binding information bound to the destination security host identifier and to search locally for it; if the local map resolver does not find the binding information, it iteratively queries the root map resolver 204, the top-level map resolver 205 and the authoritative map resolver 206 in turn, obtains the binding information bound to the destination security host identifier from the authoritative map resolver, and sends it to the local access router 201.
The local access router 201 is further configured to encapsulate the source routing locator and the destination routing locator into the packet to be forwarded and to send the encapsulated packet to the remote access router 202, where the source routing locator is that of the local access router 201 and the destination routing locator is that of the remote access router 202.
The remote access router 202 is configured to receive the encapsulated packet, decapsulate it to obtain the packet to be forwarded, and send the packet to be forwarded to the remote terminal host 103.
It can be seen that the security terminal identification and authentication system based on the STiP model provided by the embodiment of the present invention can solve network security problems such as source address spoofing and identity security at their source, which is conducive to building an autonomous, controllable, secure and trustworthy internet environment.
Specifically, the access network 10 handles the attachment of terminal hosts. On the basis of the STiP model provided in the embodiment, every terminal host attached to the network is identified by a globally unique SHI (Secure Host Identifier), and this security host identifier does not participate in global routing. The backbone network 20 implements data routing. The local map resolver 203, root map resolver 204, top-level map resolver 205 and authoritative map resolver 206 may each be configured as a single server, such as a mapping server, or as a server cluster; the present invention imposes no restriction on this.
Meanwhile, the access network 10 and the backbone network 20 use independent address spaces: the access network 10 forwards data using security terminal identifiers, while the backbone network 20 routes and forwards packets using IP addresses. Since terminal hosts cannot directly reach the access routers, attacks by terminal hosts on the access routers are effectively prevented. The separation of the access network 10 and the backbone network 20 in the STiP model provided in the embodiment also ensures that future terminal access technologies and the backbone network architecture can evolve independently of each other.
In the access network 10, the authenticity of a terminal host is verified by the access authentication server. Specifically, before use, each terminal host is allocated a public/private key pair by, for example, a mapping server, and the key pair is bound to the terminal host identifier, i.e. the public and private keys are bound to the SHI. At the same time, the SHI is bound to the RLOC (Routing Locator) of the access router, so that the mapping server records a binding triple for each terminal host consisting of the SHI, the public key bound to the SHI, and the RLOC of the access router the SHI is attached to. The source terminal host signs the packet with its private key; the access authentication server obtains the public key bound to the source SHI by querying, for example, the mapping server, and thereby authenticates the packet from the source terminal host. A specific implementation is presented below, although the present invention is not limited to it. In the STiP model, when a terminal host at one site sends data to a terminal host at another site, i.e. when the local terminal host 101 sends data to the remote terminal host 103, and the data reaches the access authentication server 102, the following happens. If no SHI-to-RLOC mapping entry (i.e. the mapping between the SHI of the local terminal host and the RLOC of the local access router) is found in the local mapping cache table of the local access authentication server, it sends a message to the LMR (Local Map Resolver) requesting the SHI-to-RLOC mapping. On receiving the request from the access authentication server 102, the LMR parses the request message and first searches locally for the binding information bound to the SHI of the local terminal host; if no record for that SHI exists, the LMR initiates an iterative query to the RMR (Root Map Resolver), and after three iterative queries through the root map resolver, the TMR (Top-level Map Resolver) and the AMR (Authoritative Map Resolver), the local map resolver obtains from the authoritative map resolver the binding information for the SHI queried by the access authentication server 102, i.e. SHI-Public Key-RLOC (the public key bound to the SHI together with its RLOC). After the access authentication server 102 sends the packet to the local access router 201, the local access router 201 obtains the RLOC address bound to the SHI of the remote terminal host 103, and then encapsulates the message using its own RLOC as the source address and the RLOC of the remote access router 202 as the destination address. The remote access router 202 decapsulates the message after receiving the packet and sends the message to the remote terminal host 103.
In access network 10, access authentication server 102 verifies that an attaching end host is neither forged nor impersonated. This can be implemented as follows. Local end host 101 applies a digest operation to message X to obtain a short message digest H1, and then applies operation D (signing) to H1 with its own private key, giving the digital signature D(H1). The signature D(H1) is appended to message X and the whole is sent. On receiving the message, access authentication server 102 first separates the signature D(H1) from message X, applies operation E (verification) to D(H1) with the public key of local end host 101 to recover message digest H1, and then applies the digest operation to message X itself to obtain message digest H2. If H1 equals H2, access authentication server 102 concludes that the received message is authentic; otherwise it is not.
As an optional embodiment, after receiving the binding information bound to the source security host identifier, access authentication server 102 also stores that binding information in its local mapping cache table. Specifically, each time a query request from access authentication server 102 is answered, the binding information carried in the response message can be stored in the local mapping cache table, so that later use does not require another query, which improves processing efficiency.
As an optional embodiment, the local mapping cache table also stores a cache lifetime for the binding information bound to the source security host identifier, and the access authentication server deletes that binding information once the cache lifetime has expired. Specifically, a TTL (Time-To-Live) value, that is, the length of time the binding information is cached, can be set in each cache record stored in the local mapping cache table. This improves efficiency within the lifetime while requiring the binding information to be fetched again once the lifetime is exceeded, which improves security: a binding whose public key or RLOC has since changed is not trusted indefinitely.
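The signing and verification exchange described above, together with the local mapping cache and its TTL, as an added example in Go; this is not code from the patent. It assumes Ed25519 as the signature scheme and SHA-256 as the digest, so verification is a pass/fail check rather than the page's E operation recovering H1 for comparison. The length-prefixed packet layout, the host names, the RLOC addresses and the `resolve` callback standing in for the query to the local map resolver are all assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Binding is the triple recorded per end host: SHI, bound public key, access router RLOC.
type Binding struct {
	SHI    string
	PubKey ed25519.PublicKey
	RLOC   string
}

// Packet is the packet to be sent: the original text fields plus the host's signature.
type Packet struct {
	SrcSHI, DstSHI     string
	Payload, Signature []byte
}

// GenerateHostKey issues the key pair that is bound to a host's SHI.
func GenerateHostKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	return pub, priv
}

// originalText is message X. The length-prefixed layout is an assumption of this
// example; it stops bytes being shifted between fields without changing the digest.
func originalText(src, dst string, payload []byte) []byte {
	var b bytes.Buffer
	for _, f := range [][]byte{[]byte(src), []byte(dst), payload} {
		fmt.Fprintf(&b, "%d:%s", len(f), f)
	}
	return b.Bytes()
}

// Sign is the host side: H1 = hash(X), then D(H1) with the host's private key.
func Sign(priv ed25519.PrivateKey, src, dst string, payload []byte) Packet {
	h := sha256.Sum256(originalText(src, dst, payload))
	return Packet{src, dst, payload, ed25519.Sign(priv, h[:])}
}

type cacheEntry struct{ b Binding; expiry int64 } // expiry: unix seconds, store time plus TTL

// AccessAuthServer holds the local mapping cache table; resolve stands in
// for the query sent to the local map resolver on a miss.
type AccessAuthServer struct {
	cache   map[string]cacheEntry
	ttlSec  int64
	resolve func(shi string) (Binding, bool)
	nowUnix func() int64
	Lookups int // resolver queries issued, so cache behaviour is observable
}

func NewAccessAuthServer(ttlSec int64, resolve func(string) (Binding, bool)) *AccessAuthServer {
	return &AccessAuthServer{cache: map[string]cacheEntry{}, ttlSec: ttlSec,
		resolve: resolve, nowUnix: func() int64 { return time.Now().Unix() }}
}

// binding serves from cache while the TTL holds; an expired or missing entry
// forces a fresh query, so a changed key or RLOC is not trusted indefinitely.
func (s *AccessAuthServer) binding(shi string) (Binding, error) {
	now := s.nowUnix()
	if e, ok := s.cache[shi]; ok && now < e.expiry {
		return e.b, nil
	}
	s.Lookups++
	b, ok := s.resolve(shi)
	if !ok {
		return Binding{}, errors.New("no binding for " + shi)
	}
	s.cache[shi] = cacheEntry{b, now + s.ttlSec}
	return b, nil
}

// Verify is the server side: H2 = hash(X), checked against the signature
// under the public key bound to the claimed source SHI.
func (s *AccessAuthServer) Verify(p Packet) error {
	b, err := s.binding(p.SrcSHI)
	if err != nil {
		return err
	}
	h := sha256.Sum256(originalText(p.SrcSHI, p.DstSHI, p.Payload))
	if !ed25519.Verify(b.PubKey, h[:], p.Signature) {
		return errors.New("signature does not verify under the key bound to " + p.SrcSHI)
	}
	return nil
}

func main() {
	pub, priv := GenerateHostKey()
	table := map[string]Binding{"host1.site-a.example": {"host1.site-a.example", pub, "203.0.113.1"}}
	srv := NewAccessAuthServer(60, func(shi string) (Binding, bool) { b, ok := table[shi]; return b, ok })
	fmt.Println("verify:", srv.Verify(Sign(priv, "host1.site-a.example", "host2.site-b.example", []byte("hello"))))
}
```

A genuine packet verifies; a packet signed under a key that is not bound to the claimed source SHI fails, as does a packet with a single altered byte; repeated packets from the same host are checked against the cached binding until the TTL lapses, after which the binding is fetched again.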
As an optional embodiment, the source security host identifier and the destination security host identifier are named according to a preset structure. Specifically, the security host identifiers provided in embodiments of the invention can be named with a hierarchical host-naming scheme, which ensures the global uniqueness and aggregability of SHIs.
As an optional embodiment, root map resolver 204, top-level map resolver 205 and authoritative map resolver 206 form a tree topology. This guarantees that every top-down iterative query resolves a mapping along the shortest search path, which both ensures the global uniqueness and aggregability of SHIs and keeps the size of the mapping table at each layer of map resolvers under control.
As an optional embodiment, root map resolver 204, top-level map resolver 205 and authoritative map resolver 206 form a decentralised topology. Because the update frequency of mapping relations is determined mainly by end-host mobility and reachability, the hierarchical tree of map resolvers established by the invention can respond quickly to registration, update, query and deletion requests for mapping relations; neither the update frequency of mapping relations nor the traffic of update messages becomes a performance bottleneck at any layer of map resolvers, because maintaining the mapping relations is state-convergent and both the map-lookup delay and the size of the mapping state are controllable.
Specifically, an example SHI naming topology is facility.scheme.bistu.edu.cn. The iterative query that resolves the mapping relation for facility.scheme.bistu.edu.cn proceeds as follows:
A. The local map resolver analyses the full name, determines the location of the map resolver authoritative for cn, sends it a request and obtains a response;
B. It queries the cn map resolver and obtains referral information for the edu.cn server;
C. It queries the edu.cn map resolver and obtains referral information for the bistu.edu.cn server;
D. It queries the bistu.edu.cn map resolver and obtains referral information for the scheme.bistu.edu.cn server;
E. It queries the scheme.bistu.edu.cn map resolver and obtains the binding-information response for facility.scheme.bistu.edu.cn.
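The iterative walk of steps A to E, as an added example in Go; this is not the patent's own code. Each Resolver node is authoritative for one zone and either answers with the SHI-Public Key-RLOC binding or refers the querier to the child responsible for the next label; IterativeResolve plays the local map resolver, following referrals from the root. The tree is built from the hierarchical names themselves, so it generalises beyond the page's fixed root, top-level and authoritative layers to names of any depth. The public key and RLOC values are placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Binding is the SHI-Public Key-RLOC triple an authoritative resolver returns.
type Binding struct {
	SHI    string
	PubKey string // placeholder for the bound public key; opaque here
	RLOC   string
}

// Resolver is one node of the tree: it answers for SHIs it is authoritative
// for, or refers the querier to the child resolver for the next label.
type Resolver struct {
	Zone     string               // "" for the root, then "cn", "edu.cn", ...
	Children map[string]*Resolver // keyed by the next label towards the host
	Records  map[string]Binding   // bindings this node is authoritative for
}

func NewResolver(zone string) *Resolver {
	return &Resolver{Zone: zone, Children: map[string]*Resolver{}, Records: map[string]Binding{}}
}

// Register builds the path root -> cn -> edu.cn -> ... and stores the binding
// at the node authoritative for the host's parent zone.
func (root *Resolver) Register(b Binding) {
	labels := strings.Split(b.SHI, ".")
	node := root
	for i := len(labels) - 1; i >= 1; i-- { // rightmost label first, stop before the host label
		child, ok := node.Children[labels[i]]
		if !ok {
			child = NewResolver(strings.Join(labels[i:], "."))
			node.Children[labels[i]] = child
		}
		node = child
	}
	node.Records[b.SHI] = b
}

// Answer is what one query returns: either the binding or a referral.
type Answer struct {
	Binding  *Binding
	Referral *Resolver
}

// Query is a single step as seen from the queried node.
func (r *Resolver) Query(shi string) (Answer, error) {
	if b, ok := r.Records[shi]; ok {
		return Answer{Binding: &b}, nil
	}
	rest := shi
	if r.Zone != "" {
		if !strings.HasSuffix(shi, "."+r.Zone) {
			return Answer{}, fmt.Errorf("%q is outside zone %q", shi, r.Zone)
		}
		rest = strings.TrimSuffix(shi, "."+r.Zone)
	}
	labels := strings.Split(rest, ".")
	next := labels[len(labels)-1]
	child, ok := r.Children[next]
	if !ok {
		return Answer{}, fmt.Errorf("no resolver for %q below zone %q", next, r.Zone)
	}
	return Answer{Referral: child}, nil
}

// IterativeResolve is the local map resolver's loop: follow referrals from the
// root until a binding is returned, recording the zones queried on the way.
func IterativeResolve(root *Resolver, shi string) (Binding, []string, error) {
	node := root
	var path []string
	for hops := 0; hops < 32; hops++ { // bound protects against a malformed tree
		path = append(path, node.Zone)
		ans, err := node.Query(shi)
		if err != nil {
			return Binding{}, path, err
		}
		if ans.Binding != nil {
			return *ans.Binding, path, nil
		}
		node = ans.Referral
	}
	return Binding{}, path, errors.New("referral loop")
}

func main() {
	root := NewResolver("")
	root.Register(Binding{"facility.scheme.bistu.edu.cn", "pk-facility", "198.51.100.7"})
	b, path, err := IterativeResolve(root, "facility.scheme.bistu.edu.cn")
	fmt.Println(path, b.RLOC, err)
}
```

For the page's example name the query visits the root, cn, edu.cn, bistu.edu.cn and scheme.bistu.edu.cn in that order and receives the binding from the last; a name under a zone that has no resolver, or a host the authoritative node has no record for, fails at the node that cannot refer further.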
As an optional embodiment, after receiving the packet to be sent and before sending the packet to be forwarded to local access router 201, access authentication server 102 also applies a hash algorithm to the source security host identifier and the destination security host identifier, obtaining a source security host identifier tag and a destination security host identifier tag, and replaces the source security host identifier and destination security host identifier in the packet original text with those tags. Because a security host identifier SHI is globally unique, to increase the privacy of the source host identifier in the data packets transmitted across backbone network 20, a specific implementation can have access authentication server 102 apply a hash algorithm to the variable-length security host identifier to generate a fixed-length SHIT (Secure Host Identifier Tag), and then replace the source host identifier in the original data packet with that hash value.
Fig. 2 shows a flowchart of a security terminal identification and authentication method based on the STiP model according to an embodiment of the invention. The method is applied to the system described above; only a brief description is given below, and for anything not covered here refer to the description of the system. Referring to Fig. 2, the method includes:
S201. The local end host signs, using its private key, the packet original text that includes the source security host identifier and the destination security host identifier, obtains the packet to be sent, and sends it to the access authentication server. The packet to be sent includes the packet original text and the signature; the source security host identifier is the unique identifier of the local end host and the destination security host identifier is the unique identifier of the remote end host.
S202. The access authentication server receives the packet to be sent and, if its local mapping cache table contains no binding information bound to the source security host identifier, sends the local map resolver a request to query the binding information bound to the source security host identifier. That binding information includes at least the source security host identifier, the public key bound to it, and the routing locator of the local access router through which the local end host attaches.
S203. The local map resolver parses the request and searches locally for the binding information bound to the source security host identifier. If it is not found in the local map resolver, the resolver queries iteratively, in turn, the root map resolver, the top-level map resolver and the authoritative map resolver, obtains the binding information bound to the source security host identifier from the authoritative map resolver, and sends it to the access authentication server.
S204. The access authentication server receives the binding information bound to the source security host identifier and verifies the authenticity of the packet to be sent with the public key bound to the source security host identifier. If verification passes, it sends the packet to be forwarded to the local access router; the packet to be forwarded includes at least the packet original text.
S205. The local access router receives the packet to be forwarded and, if its local mapping cache table contains no binding information bound to the destination security host identifier, sends the local map resolver a request to query the binding information bound to the destination security host identifier. That binding information includes at least the destination security host identifier, the public key bound to it, and the routing locator of the peer access router through which the remote end host attaches.
S206. The local map resolver parses the request and searches locally for the binding information bound to the destination security host identifier. If it is not found in the local map resolver, the resolver queries iteratively, in turn, the root map resolver, the top-level map resolver and the authoritative map resolver, obtains the binding information bound to the destination security host identifier from the authoritative map resolver, and sends it to the local access router.
S207. The local access router encapsulates the packet to be forwarded with a source routing locator and a destination routing locator and sends the encapsulated packet to the peer access router. The source routing locator is the routing locator of the local access router and the destination routing locator is the routing locator of the peer access router.
S208. The peer access router receives the encapsulated packet, decapsulates it to obtain the packet to be forwarded, and sends the packet to be forwarded to the remote end host.
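Steps S205 to S208 together with the optional identifier-tag rewrite, as an added example in Go; this is not the patent's own code. It assumes the packet has already passed the access authentication server's signature check, so the tags are applied after that check (the signature covers the original identifiers and would not verify against the tagged text). The page does not say how the local access router obtains the destination SHI for its lookup once the identifiers have been replaced by tags; the example hands the destination SHI to the router alongside the tagged packet, which is an assumption, as are the 16-byte truncated SHA-256 tag, the host names, the RLOC addresses and the `resolve` callback standing in for the local map resolver. An unkeyed hash of a guessable identifier can be matched by anyone able to enumerate candidate SHIs; the example follows the page's unkeyed construction and does not address that.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// TagLen is the fixed tag length in bytes (an assumption; the page only says
// "fixed length"). The first TagLen bytes of SHA-256 are kept and hex-encoded.
const TagLen = 16

// SHITag derives the Secure Host Identifier Tag from a variable-length SHI.
func SHITag(shi string) string {
	sum := sha256.Sum256([]byte(shi))
	return hex.EncodeToString(sum[:TagLen])
}

// ForwardPacket is the packet to be forwarded: the original text with both
// SHIs replaced by their tags, as in the optional embodiment.
type ForwardPacket struct {
	SrcTag, DstTag string
	Payload        []byte
}

// TagHosts is the access authentication server's rewrite. It is only correct
// after the signature over the original text has been checked.
func TagHosts(srcSHI, dstSHI string, payload []byte) ForwardPacket {
	return ForwardPacket{SHITag(srcSHI), SHITag(dstSHI), payload}
}

// Binding is the destination-side triple; only the RLOC is used in this block.
type Binding struct {
	SHI    string
	PubKey []byte
	RLOC   string
}

// Encapsulated is the backbone packet: an outer RLOC header around the inner packet.
type Encapsulated struct {
	SrcRLOC, DstRLOC string
	Inner            ForwardPacket
}

// AccessRouter models both ends: the local router encapsulates, the peer decapsulates.
type AccessRouter struct {
	RLOC    string
	cache   map[string]Binding
	resolve func(shi string) (Binding, bool) // stands in for the LMR query
}

func NewAccessRouter(rloc string, resolve func(string) (Binding, bool)) *AccessRouter {
	return &AccessRouter{RLOC: rloc, cache: map[string]Binding{}, resolve: resolve}
}

// Encapsulate (S205 to S207): find the peer RLOC bound to the destination SHI,
// from the local mapping cache or the resolver, and wrap the packet in an
// outer header with this router's RLOC as source.
func (r *AccessRouter) Encapsulate(dstSHI string, p ForwardPacket) (Encapsulated, error) {
	b, ok := r.cache[dstSHI]
	if !ok {
		if b, ok = r.resolve(dstSHI); !ok {
			return Encapsulated{}, errors.New("no binding for destination " + dstSHI)
		}
		r.cache[dstSHI] = b
	}
	return Encapsulated{SrcRLOC: r.RLOC, DstRLOC: b.RLOC, Inner: p}, nil
}

// Decapsulate (S208): strip the outer header and hand the inner packet to the
// remote host. A packet whose outer destination is not this router is rejected
// rather than forwarded.
func (r *AccessRouter) Decapsulate(e Encapsulated) (ForwardPacket, error) {
	if e.DstRLOC != r.RLOC {
		return ForwardPacket{}, fmt.Errorf("outer destination %s is not this router (%s)", e.DstRLOC, r.RLOC)
	}
	return e.Inner, nil
}

func main() {
	table := map[string]Binding{"host2.site-b.example": {SHI: "host2.site-b.example", RLOC: "203.0.113.2"}}
	lookup := func(shi string) (Binding, bool) { b, ok := table[shi]; return b, ok }
	local := NewAccessRouter("203.0.113.1", lookup)
	peer := NewAccessRouter("203.0.113.2", lookup)
	fwd := TagHosts("host1.site-a.example", "host2.site-b.example", []byte("hello"))
	enc, err := local.Encapsulate("host2.site-b.example", fwd)
	if err != nil {
		panic(err)
	}
	inner, err := peer.Decapsulate(enc)
	fmt.Printf("outer %s -> %s, inner src tag %s, err=%v\n", enc.SrcRLOC, enc.DstRLOC, inner.SrcTag, err)
}
```

Tags have the same length whatever the length of the SHI, the outer header carries only RLOCs, and the peer router delivers the inner packet unchanged; a packet that arrives at a router other than its outer destination, or a destination SHI with no binding, is refused.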
It can be seen that the security terminal identification and authentication method based on the STiP model provided by embodiments of the invention addresses network security problems such as source address spoofing and identity security at their source, which helps build an autonomous, controllable, secure and trusted Internet environment.
As an optional embodiment, after the access authentication server receives the binding information bound to the source security host identifier, the method further includes: the access authentication server storing the binding information bound to the source security host identifier in its local mapping cache table. Specifically, each time a query request from the access authentication server is answered, the binding information carried in the response message can be stored in the local mapping cache table, so that later use does not require another query, which improves processing efficiency.
As an optional embodiment, the local mapping cache table also stores a cache lifetime for the binding information bound to the source security host identifier, and the method further includes: the access authentication server deleting that binding information once the cache lifetime has expired. Specifically, a TTL (Time-To-Live) value, that is, the length of time the binding information is cached, can be set in each cache record stored in the local mapping cache table. This improves efficiency within the lifetime while requiring the binding information to be fetched again once the lifetime is exceeded, which improves security.
As an optional embodiment, the source security host identifier and the destination security host identifier are named according to a preset structure. Specifically, the security host identifiers provided in embodiments of the invention can be named with a hierarchical host-naming scheme, which ensures the global uniqueness and aggregability of SHIs.
As an optional embodiment, the root map resolver, the top-level map resolver and the authoritative map resolver form a tree topology. This guarantees that every top-down iterative query resolves a mapping along the shortest search path, which both ensures the global uniqueness and aggregability of SHIs and keeps the size of the mapping table at each layer of map resolvers under control.
As an optional embodiment, the root map resolver, the top-level map resolver and the authoritative map resolver form a decentralised topology. Because the update frequency of mapping relations is determined mainly by end-host mobility and reachability, the hierarchical tree of map resolvers established by the invention can respond quickly to registration, update, query and deletion requests for mapping relations; neither the update frequency of mapping relations nor the traffic of update messages becomes a performance bottleneck at any layer of map resolvers, because maintaining the mapping relations is state-convergent and both the map-lookup delay and the size of the mapping state are controllable.
As an optional embodiment, after the access authentication server receives the packet to be sent and before the packet to be forwarded is sent to the local access router, the method further includes: the access authentication server applying a hash algorithm to the source security host identifier and the destination security host identifier, obtaining a source security host identifier tag and a destination security host identifier tag, and replacing the source security host identifier and destination security host identifier in the packet original text with those tags. Because a security host identifier SHI is globally unique, to increase the privacy of the source host identifier in the data packets transmitted across backbone network 20, a specific implementation can have access authentication server 102 apply a hash algorithm to the variable-length security host identifier to generate a fixed-length SHIT (Secure Host Identifier Tag), and then replace the source host identifier in the original data packet with that hash value.
Any process or method description in the flowchart or otherwise described herein may be understood as representing a module, segment or portion of executable instruction code comprising one or more steps for implementing a specific logical function or process, and the scope of the preferred embodiments of the invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in the reverse order depending on the functionality involved, as would be understood by those skilled in the art to which the embodiments of the invention belong.
Those skilled in the art will understand that all or part of the steps of the method of the above embodiments can be completed by a program instructing related hardware; the program may be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiment or a combination thereof.
In the description of this specification, reference to terms such as "one embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic expressions of these terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The above embodiments only describe preferred embodiments of the invention and do not limit its scope; without departing from the spirit of the design of the invention, any changes and improvements made by ordinary engineers and technicians in the field to the technical solution of the invention shall fall within the scope of protection determined by the claims of the invention.

Claims (14)

1. A security terminal identification and authentication method based on a STiP model, comprising:
a local end host signing, using a private key of the local end host, a packet original text that includes a source security host identifier and a destination security host identifier, obtaining a packet to be sent, and sending the packet to be sent to an access authentication server, wherein the packet to be sent includes the packet original text and the signature, the source security host identifier is a unique identifier of the local end host, and the destination security host identifier is a unique identifier of a remote end host;
the access authentication server receiving the packet to be sent and, when no binding information bound to the source security host identifier is found in a local mapping cache table, sending a local map resolver a request to query the binding information bound to the source security host identifier, wherein the binding information bound to the source security host identifier includes at least the source security host identifier, a public key bound to the source security host identifier, and a routing locator of a local access router through which the local end host attaches;
the local map resolver parsing the request to query the binding information bound to the source security host identifier, searching locally for the binding information bound to the source security host identifier and, when the binding information bound to the source security host identifier is not found in the local map resolver, querying iteratively, in turn, a root map resolver, a top-level map resolver and an authoritative map resolver, obtaining the binding information bound to the source security host identifier from the authoritative map resolver, and sending the binding information bound to the source security host identifier to the access authentication server;
the access authentication server receiving the binding information bound to the source security host identifier, verifying the authenticity of the packet to be sent using the public key bound to the source security host identifier and, when verification passes, sending a packet to be forwarded to the local access router, wherein the packet to be forwarded includes at least the packet original text;
the local access router receiving the packet to be forwarded and, when no binding information bound to the destination security host identifier is found in a local mapping cache table, sending the local map resolver a request to query the binding information bound to the destination security host identifier, wherein the binding information bound to the destination security host identifier includes at least the destination security host identifier, a public key bound to the destination security host identifier, and a routing locator of a peer access router through which the remote end host attaches;
the local map resolver parsing the request to query the binding information bound to the destination security host identifier, searching locally for the binding information bound to the destination security host identifier and, when the binding information bound to the destination security host identifier is not found in the local map resolver, querying iteratively, in turn, the root map resolver, the top-level map resolver and the authoritative map resolver, obtaining the binding information bound to the destination security host identifier from the authoritative map resolver, and sending the binding information bound to the destination security host identifier to the local access router;
the local access router encapsulating the packet to be forwarded with a source routing locator and a destination routing locator and sending the encapsulated packet to be forwarded to the peer access router, wherein the source routing locator is the routing locator of the local access router and the destination routing locator is the routing locator of the peer access router; and
the peer access router receiving the encapsulated packet to be forwarded, decapsulating it to obtain the packet to be forwarded, and sending the packet to be forwarded to the remote end host.
2. The method according to claim 1, wherein after the access authentication server receives the binding information bound to the source security host identifier, the method further comprises: the access authentication server storing the binding information bound to the source security host identifier in the local mapping cache table.
3. The method according to claim 2, wherein the local mapping cache table further stores a cache lifetime of the binding information bound to the source security host identifier, and the method further comprises:
the access authentication server deleting the binding information bound to the source security host identifier after the cache lifetime has expired.
4. The method according to claim 1, wherein the source security host identifier and the destination security host identifier are named according to a preset structure.
5. The method according to any one of claims 1 to 4, wherein the root map resolver, the top-level map resolver and the authoritative map resolver form a tree topology.
6. The method according to claim 5, wherein the root map resolver, the top-level map resolver and the authoritative map resolver form a decentralised topology.
7. The method according to claim 1, wherein after the access authentication server receives the packet to be sent and before the packet to be forwarded is sent to the local access router, the method further comprises:
the access authentication server applying a hash algorithm to the source security host identifier and the destination security host identifier to obtain a source security host identifier tag and a destination security host identifier tag, and replacing the source security host identifier and the destination security host identifier in the packet original text with the source security host identifier tag and the destination security host identifier tag.
8. A security terminal identification and authentication system based on a STiP model, comprising:
a local end host, configured to sign, using a private key of the local end host, a packet original text that includes a source security host identifier and a destination security host identifier, obtain a packet to be sent, and send the packet to be sent to an access authentication server, wherein the packet to be sent includes the packet original text and the signature, the source security host identifier is a unique identifier of the local end host, and the destination security host identifier is a unique identifier of a remote end host;
the access authentication server, configured to receive the packet to be sent and, when no binding information bound to the source security host identifier is found in a local mapping cache table, send a local map resolver a request to query the binding information bound to the source security host identifier, wherein the binding information bound to the source security host identifier includes at least the source security host identifier, a public key bound to the source security host identifier, and a routing locator of a local access router through which the local end host attaches;
the local map resolver, configured to parse the request to query the binding information bound to the source security host identifier, search locally for the binding information bound to the source security host identifier and, when the binding information bound to the source security host identifier is not found in the local map resolver, query iteratively, in turn, a root map resolver, a top-level map resolver and an authoritative map resolver, obtain the binding information bound to the source security host identifier from the authoritative map resolver, and send the binding information bound to the source security host identifier to the access authentication server;
the access authentication server being further configured to receive the binding information bound to the source security host identifier, verify the authenticity of the packet to be sent using the public key bound to the source security host identifier and, when verification passes, send a packet to be forwarded to the local access router, wherein the packet to be forwarded includes at least the packet original text;
the local access router, configured to receive the packet to be forwarded and, when no binding information bound to the destination security host identifier is found in a local mapping cache table, send the local map resolver a request to query the binding information bound to the destination security host identifier, wherein the binding information bound to the destination security host identifier includes at least the destination security host identifier, a public key bound to the destination security host identifier, and a routing locator of a peer access router through which the remote end host attaches;
the local map resolver being further configured to parse the request to query the binding information bound to the destination security host identifier, search locally for the binding information bound to the destination security host identifier and, when the binding information bound to the destination security host identifier is not found in the local map resolver, query iteratively, in turn, the root map resolver, the top-level map resolver and the authoritative map resolver, obtain the binding information bound to the destination security host identifier from the authoritative map resolver, and send the binding information bound to the destination security host identifier to the local access router;
the local access router being further configured to encapsulate the packet to be forwarded with a source routing locator and a destination routing locator and send the encapsulated packet to be forwarded to the peer access router, wherein the source routing locator is the routing locator of the local access router and the destination routing locator is the routing locator of the peer access router; and
the peer access router, configured to receive the encapsulated packet to be forwarded, decapsulate it to obtain the packet to be forwarded, and send the packet to be forwarded to the remote end host.
9. The system according to claim 8, wherein the access authentication server is further configured, after receiving the binding information bound to the source security host identifier, to store the binding information bound to the source security host identifier in the local mapping cache table.
10. The system according to claim 9, wherein the local mapping cache table further stores a cache lifetime of the binding information bound to the source security host identifier, and the access authentication server is further configured to delete the binding information bound to the source security host identifier after the cache lifetime has expired.
11. The system according to claim 8, wherein the source security host identifier and the destination security host identifier are named according to a preset structure.
12. The system according to any one of claims 8 to 11, wherein the root map resolver, the top-level map resolver and the authoritative map resolver form a tree topology.
13. The system according to claim 12, wherein the root map resolver, the top-level map resolver and the authoritative map resolver form a decentralised topology.
14. The system according to claim 8, wherein the access authentication server is further configured, after receiving the packet to be sent and before the packet to be forwarded is sent to the local access router, to apply a hash algorithm to the source security host identifier and the destination security host identifier to obtain a source security host identifier tag and a destination security host identifier tag, and to replace the source security host identifier and the destination security host identifier in the packet original text with the source security host identifier tag and the destination security host identifier tag.
CN201710013800.0A 2017-01-09 2017-01-09 Security terminal mark and authentication method and system based on STiP model Active CN106685979B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710013800.0A CN106685979B (en) 2017-01-09 2017-01-09 Security terminal mark and authentication method and system based on STiP model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710013800.0A CN106685979B (en) 2017-01-09 2017-01-09 Security terminal mark and authentication method and system based on STiP model

Publications (2)

Publication Number Publication Date
CN106685979A CN106685979A (en) 2017-05-17
CN106685979B true CN106685979B (en) 2019-05-28

Family ID: 58849294

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710013800.0A Active CN106685979B (en) 2017-01-09 2017-01-09 Security terminal mark and authentication method and system based on STiP model

Country Status (1)

Country Link
CN (1) CN106685979B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108243190A (en) * 2018-01-09 2018-07-03 Beijing Information Science and Technology University Trusted management method and system for a network identity
CN111817854B (en) * 2020-06-04 2022-03-18 The 30th Research Institute of China Electronics Technology Group Corporation Security authentication method and system based on centerless identification mapping synchronous management
CN113114616A (en) * 2021-01-18 2021-07-13 Beijing Information Science and Technology University Method and device for constructing and analyzing terminal protocol stack and terminal

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9344438B2 (en) * 2008-12-22 2016-05-17 Qualcomm Incorporated Secure node identifier assignment in a distributed hash table for peer-to-peer networks
EP4092590A1 (en) * 2009-07-10 2022-11-23 BlackBerry Limited System and method for performing serialization of devices
KR20120005364A (en) * 2010-07-08 2012-01-16 National IT Industry Promotion Agency Electronic address, and eletronic document distribution system
WO2013111192A1 (en) * 2012-01-26 2013-08-01 National Institute Of Information And Communications Technology Method for securing name registries, network access and data communication in id/locator split-base networks
US9313638B2 (en) * 2012-08-15 2016-04-12 Telecommunication Systems, Inc. Device independent caller data access for emergency calls
US9391777B2 (en) * 2014-08-15 2016-07-12 Palo Alto Research Center Incorporated System and method for performing key resolution over a content centric network

Also Published As

Publication number Publication date
CN106685979A (en) 2017-05-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant