CN106685987A - Safety certificate method and device of cascade network - Google Patents

Safety certificate method and device of cascade network

Info

Publication number
CN106685987A
Authority
CN
China
Prior art keywords
network
certified
network equipment
trustable
equipment
Legal status
Granted
Application number
CN201710051060.XA
Other languages
Chinese (zh)
Other versions
CN106685987B (en)
Inventor
胡志文
Current Assignee
Beijing Dongtu Jinyue Technology Co Ltd
Original Assignee
Beijing Dongtu Jinyue Technology Co Ltd
Application filed by Beijing Dongtu Jinyue Technology Co Ltd
Priority to CN201710051060.XA
Publication of CN106685987A
Application granted
Publication of CN106685987B
Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

An embodiment of the invention discloses a security authentication method and apparatus for a cascade network. The method is applied to a trusted root network device that is located in the first-level network of the cascade network and is connected through a cascade port to a trusted network device in the second-level network. The method comprises the following steps: receiving a connection request sent by a trusted network device to be authenticated in the cascade network; acquiring the device identifier of the trusted network device to be authenticated; judging, according to the device identifier, whether the trusted network device to be authenticated meets a preset security condition; and, if it does, enabling the data transmission function of the cascade port requested by the trusted network device to be authenticated, so that the device transmits data through that cascade port. Because the trusted network devices in every level of the cascade network must be authenticated by the trusted root network device of the first-level network before they can transmit data, the security of the cascade network is greatly improved.

Description

Security authentication method and apparatus for a cascade network
Technical field
The present invention relates to the technical field of network security, and in particular to a security authentication method and apparatus for a cascade network.
Background technology
In recent years, network technology has developed by leaps and bounds; from entertainment and shopping to work and study, people's lives can hardly be separated from the network. The popularization of networks has also given wrongdoers an opportunity: incidents of stealing money or confidential information through the network occur from time to time, and network security problems have become increasingly prominent.
An existing network is usually formed by cascading multiple levels of networks. As shown in Fig. 1, the first-level network has the highest rank, the second-level network the next, and the rank of each network decreases level by level. The first-level network includes one server and one switch, while each network of the other levels includes multiple servers and multiple switches, with a one-to-one correspondence between switches and servers. The cascade port of a switch in the second-level network is connected to the cascade port of the switch in the first-level network in order to transmit data. If the second-level network includes multiple switches, each may be connected directly to the switch in the first-level network, or the switches may be connected in series and then connected to the switch in the first-level network. The switches in the third-level network are connected to the switches in the second-level network in the same way: a switch in the third-level network transmits data to a switch in the second-level network through the cascade port connecting them, and that switch in turn sends the data on to the switch in the first-level network.
The security authentication of existing cascade networks is based mainly on the IEEE 802.1X protocol. First, the local TCM (Trusted Cryptography Module) of a server performs security authentication on the local server: after the TCM starts, it performs BIOS (Basic Input Output System) measurement authentication, application whitelist authentication, data integrity authentication, configuration legitimacy authentication and the like on the local server. After the TCM has authenticated the local server, it feeds the authentication result back to the local server, which then starts and begins to read and authenticate the relevant information of the switch (including BIOS measurement, application whitelist, data integrity and configuration legitimacy). After that authentication passes, the switch starts, and it can then perform security authentication on the terminals that access it. A terminal sends its authentication information to the authenticated switch, the switch forwards the authentication information to the local server, the local server authenticates it and, after authentication passes, feeds the authentication result back to the terminal and allows the terminal to access the network.
The security authentication of existing cascade networks described above can only perform local security authentication, that is, it can only authenticate the network within the coverage of the local server. No security authentication is performed between the different levels of the cascade, so the security of the connected external networks cannot be guaranteed and the security of the whole cascade network is low.
Summary of the invention
Embodiments of the invention disclose a security authentication method and apparatus for a cascade network, in order to improve the security of the cascade network. The technical solution is as follows:
In a first aspect, an embodiment of the invention provides a security authentication method for a cascade network, applied to a trusted root network device in the cascade network, the trusted root network device being located in the first-level network and connected through a cascade port to a trusted network device in the second-level network. The method includes:
receiving a connection request sent by a trusted network device to be authenticated in the cascade network;
acquiring the device identifier of the trusted network device to be authenticated;
judging, according to the device identifier, whether the trusted network device to be authenticated meets a preset security condition;
if it does, enabling the data transmission function of the cascade port requested by the trusted network device to be authenticated, so that the trusted network device to be authenticated transmits data through that cascade port.
Optionally, the step of enabling the data transmission function of the cascade port requested by the trusted network device to be authenticated includes:
judging whether the connection request carries a forwarding flag;
if it does, sending an authentication success instruction to the forwarding trusted network device, so that the forwarding trusted network device enables the data transmission function of the cascade port connecting the trusted network device to be authenticated and forwards the authentication success instruction to the trusted network device to be authenticated, where the forwarding trusted network device is the trusted network device that received the connection request, added the forwarding flag to it and forwarded it to the trusted root network device;
if it does not, enabling the data transmission function of the cascade port connecting the trusted network device to be authenticated, and sending the authentication success instruction to the trusted network device to be authenticated.
Optionally, the connection request includes the device identifier of the trusted network device to be authenticated;
and the step of acquiring the device identifier of the trusted network device to be authenticated includes: reading the device identifier of the trusted network device to be authenticated from the connection request;
or,
sending an authentication request to the trusted network device to be authenticated through the cascade port on which the connection request was received, so that the trusted network device to be authenticated feeds its device identifier back to the trusted root network device.
Optionally, the trusted root network device includes a trusted root server and a trusted root switch;
and before the step of receiving the connection request sent by the trusted network device to be authenticated in the cascade network, the method further includes:
the trusted root switch and the trusted root server connected to it perform local security authentication;
after the local security authentication passes, performing the step of receiving the connection request sent by the trusted network device to be authenticated in the cascade network.
In a second aspect, an embodiment of the invention provides a security authentication method for a cascade network, applied to a forwarding trusted network device in the cascade network, the forwarding trusted network device being the trusted network device to which the trusted network device to be authenticated is directly connected through a cascade port. The method includes:
receiving a connection request sent by a trusted network device to be authenticated that is located in the same level of the cascade network as the forwarding trusted network device or in the next level below it, and adding a forwarding flag to the connection request;
sending the connection request with the added forwarding flag to the trusted root network device of the first-level network in the cascade network, so that the trusted root network device acquires the device identifier of the trusted network device to be authenticated, judges according to that device identifier whether the trusted network device to be authenticated meets the preset security condition and, if it does, sends an authentication success instruction to the forwarding trusted network device;
receiving the authentication success instruction and enabling the data transmission function of the cascade port connecting the trusted network device to be authenticated;
sending the authentication success instruction to the trusted network device to be authenticated, so that the trusted network device to be authenticated transmits data to the forwarding trusted network device through that cascade port.
Optionally, the forwarding trusted network device includes a forwarding trusted server and a forwarding trusted switch;
and before the step of receiving the connection request sent by the trusted network device to be authenticated located in the same level as the forwarding trusted network device or in the next level below it, the method further includes:
the forwarding trusted switch and the forwarding trusted server connected to it perform local security authentication;
after the local security authentication passes, performing the step of receiving the connection request sent by the trusted network device to be authenticated located in the same level as the forwarding trusted network device or in the next level below it.
In a third aspect, an embodiment of the invention further provides a security authentication apparatus for a cascade network, applied to a trusted root network device in the cascade network, the trusted root network device being located in the first-level network and connected through a cascade port to a trusted network device in the second-level network. The apparatus includes:
a connection request receiving module, for receiving a connection request sent by a trusted network device to be authenticated in the cascade network;
a device identifier acquiring module, for acquiring the device identifier of the trusted network device to be authenticated;
a security condition judging module, for judging, according to the device identifier, whether the trusted network device to be authenticated meets a preset security condition;
a data transmission function enabling module, for enabling, when the trusted network device to be authenticated meets the preset security condition, the data transmission function of the cascade port requested by the trusted network device to be authenticated, so that the trusted network device to be authenticated transmits data through that cascade port.
Optionally, the data transmission function enabling module includes:
a forwarding flag judging unit, for judging whether the connection request carries a forwarding flag;
a first data transmission function enabling unit, for sending, when the connection request carries the forwarding flag, an authentication success instruction to the forwarding trusted network device, so that the forwarding trusted network device enables the data transmission function of the cascade port connecting the trusted network device to be authenticated and forwards the authentication success instruction to the trusted network device to be authenticated, where the forwarding trusted network device is the trusted network device that received the connection request, added the forwarding flag to it and forwarded it to the trusted root network device;
a second data transmission function enabling unit, for enabling, when the connection request does not carry the forwarding flag, the data transmission function of the cascade port connecting the trusted network device to be authenticated, and sending the authentication success instruction to the trusted network device to be authenticated.
Optionally, the device identifier acquiring module is used for:
when the connection request includes the device identifier of the trusted network device to be authenticated, reading the device identifier of the trusted network device to be authenticated from the connection request;
or,
sending an authentication request to the trusted network device to be authenticated through the cascade port on which the connection request was received, so that the trusted network device to be authenticated feeds its device identifier back to the trusted root network device.
In a fourth aspect, an embodiment of the invention provides a security authentication apparatus for a cascade network, applied to a forwarding trusted network device in the cascade network, the forwarding trusted network device being the trusted network device to which the trusted network device to be authenticated is directly connected through a cascade port. The apparatus includes:
a forwarding flag adding module, for receiving a connection request sent by a trusted network device to be authenticated located in the same level of the cascade network as the forwarding trusted network device or in the next level below it, and adding a forwarding flag to the connection request;
a request forwarding module, for sending the connection request with the added forwarding flag to the trusted root network device of the first-level network in the cascade network, so that the trusted root network device acquires the device identifier of the trusted network device to be authenticated, judges according to that device identifier whether the trusted network device to be authenticated meets the preset security condition and, if it does, sends an authentication success instruction to the forwarding trusted network device;
an instruction receiving module, for receiving the authentication success instruction and enabling the data transmission function of the cascade port connecting the trusted network device to be authenticated;
an instruction forwarding module, for sending the authentication success instruction to the trusted network device to be authenticated, so that the trusted network device to be authenticated transmits data to the forwarding trusted network device through that cascade port.
In this solution, the trusted root network device of the first-level network in the cascade network first receives a connection request sent by a trusted network device to be authenticated in the cascade network, acquires the device identifier of that device, and then judges according to the device identifier whether the trusted network device to be authenticated meets the preset security condition; if it does, the trusted root network device enables the data transmission function of the cascade port requested by the trusted network device to be authenticated, so that the device transmits data through that cascade port. Because the trusted network devices in every level of the cascade network must be authenticated by the trusted root network device of the first-level network before they transmit data, the security of the cascade network is greatly improved.
Description of the drawings
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a cascade network;
Fig. 2 is a flow chart of the first security authentication method for a cascade network provided by an embodiment of the invention;
Fig. 3 is a schematic diagram of the security authentication method for a cascade network provided by an embodiment of the invention;
Fig. 4 is a detailed flow chart of step 203 in the embodiment shown in Fig. 2;
Fig. 5 is another schematic structural diagram of a cascade network;
Fig. 6 is a flow chart of the second security authentication method for a cascade network provided by an embodiment of the invention;
Fig. 7 is a flow chart of the security authentication process in which a trusted network device to be authenticated sends a connection request;
Fig. 8 is a schematic structural diagram of the first security authentication apparatus for a cascade network provided by an embodiment of the invention;
Fig. 9 is a schematic structural diagram of the second security authentication apparatus for a cascade network provided by an embodiment of the invention.
Specific embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
In order to improve the security of a cascade network, embodiments of the invention provide a security authentication method and apparatus for a cascade network.
The first security authentication method for a cascade network provided by an embodiment of the invention is introduced first.
As shown in Fig. 2, a security authentication method for a cascade network, applied to the trusted root network device in the cascade network, comprises the following steps:
S201: receiving a connection request sent by a trusted network device to be authenticated in the cascade network;
It can be understood that the first-level network of the cascade network is the highest-ranking network; in order to ensure the security of the whole network, the trusted root network device of the first-level network can perform security authentication on all trusted network devices. Here, the trusted root network device is the trusted network device that is located in the first-level network and is connected through a cascade port to a trusted network device in the second-level network.
The trusted network device to be authenticated may be located in any level of the cascade network, and may be connected to the trusted root network device either directly or indirectly. When the trusted network device to be authenticated needs to connect to the network, it sends a connection request towards the trusted root network device, which then receives it. It should be noted that "trusted network device to be authenticated" is used only to refer to the trusted network device that sends the connection request, and carries no other limiting meaning.
The connection request of the trusted network device to be authenticated asks the trusted network device to which it is directly connected through a cascade port to enable the data transmission function of the cascade port, on that device, that connects the trusted network device to be authenticated. If the trusted network device to which the trusted network device to be authenticated is directly connected is not the trusted root network device, that device must forward the connection request to the trusted root network device; depending on the actual situation, the request may pass through one or several forwarding trusted network devices. Where the trusted network device to which the trusted network device to be authenticated is directly connected through a cascade port is not the trusted root network device, that directly connected trusted network device is referred to below as the forwarding trusted network device.
For example, as shown in Fig. 3, because the trusted network device 21 in the second-level network is connected through its own cascade port 2 to the cascade port 1 of the trusted root network device 11 in the first-level network, trusted network device 21 sends a connection request to trusted root network device 11, requesting it to enable the data transmission function of cascade port 1 on trusted root network device 11 so that trusted network device 21 can access the network. At this point, trusted network device 21 is the trusted network device to be authenticated. Trusted root network device 11 thus receives the connection request sent by trusted network device 21 and proceeds to the next step.
Also as shown in Fig. 3, trusted network device 22, as a trusted network device to be authenticated, sends a connection request asking trusted network device 21 to enable the data transmission function of cascade port 3 on trusted network device 21, which connects trusted network device 22; trusted network device 21 is the trusted network device to which trusted network device 22 is directly connected through cascade port 3. Trusted network device 31, as a trusted network device to be authenticated, sends a connection request asking trusted network device 21 to enable the data transmission function of cascade port 5 on trusted network device 21, which connects trusted network device 31; trusted network device 21 is the trusted network device to which trusted network device 31 is directly connected through cascade port 5. Trusted network device 33, as a trusted network device to be authenticated, sends a connection request asking trusted network device 22 to enable the data transmission function of cascade port 6 on trusted network device 22, which connects trusted network device 33; trusted network device 22 is the trusted network device to which trusted network device 33 is directly connected through cascade port 6.
S202, obtains the device identification of the trustable network equipment to be certified;
In one embodiment, when above-mentioned trustable network equipment to be certified sends above-mentioned connection request, will can wait to recognize The device identification of card trustable network equipment includes in a connection request, sending to trusted root network equipment, then, credible the root network Equipment is received after the connection request that above-mentioned trustable network equipment to be certified sends, and just can be read from the connection request and be waited to recognize The device identification of card trustable network equipment.
In another embodiment, trusted root network equipment receive connection that trustable network to be certified equipment sends please After asking, certification request can be sent, so as to treat to trustable network to be certified equipment according to the cascade port for receiving the connection request Certification trustable network equipment feedback device is identified to trusted root network equipment.That is, trusted root network equipment can pass through The cascade port for connecting machine request is received, to trustable network to be certified equipment certification request, trustable network dress to be certified are sent It is standby to receive after the certification request, just the device identification of itself can be sent to trusted root network equipment.
It is understood that due between each trustable network equipment, connection cascade port used be it is fixed, and one Cascade port is only used for connection one trustable network equipment, that is to say, that cascade port and trustable network equipment are one a pair Answer, be not in that a cascade port connects the situation that multiple trustable networks are equipped.So, trusted root network equipment with wait to recognize The connected cascade port of card trustable network equipment is fixed, so trusted root network equipment receives trustable network dress to be certified After the connection request that preparation is sent, just can know which cascade port the cascade port for receiving the connection request is, and then, just Certification request can be sent to trustable network to be certified equipment by the cascade port.
S203, judging, according to the device identification, whether the trustable network device to be authenticated satisfies a preset safety condition; if it does, executing step S204;
After obtaining the device identification of the trustable network device to be authenticated, the trusted root network device can judge according to that identification whether the device satisfies the preset safety condition, so as to determine whether the device may access the network and transmit data.
For example, the preset safety condition may be a preset correspondence between device identifications and safety, in which case the trusted root network device can judge the safety of the trustable network device to be authenticated from its device identification. Of course, other manners may also be used to judge whether the device satisfies the preset safety condition. For clarity of layout and of the scheme, a specific implementation of judging from the device identification whether the trustable network device to be authenticated satisfies the preset safety condition is described by example later.
S204, opening the data transmission function of the cascade port requested by the trustable network device to be authenticated, so that the trustable network device to be authenticated transmits data through the cascade port.
When it is judged that the trustable network device to be authenticated satisfies the preset safety condition, the device can safely access the network, and the trusted root network device can now open the data transmission function of the cascade port requested by the device, so that the device transmits data through that cascade port.
As one implementation of the embodiment of the present invention, opening the data transmission function of the cascade port requested by the trustable network device to be authenticated may include:
judging whether the connection request carries a forwarding mark; if it does, sending an authentication success instruction to the forwarding trustable network device, so that the forwarding trustable network device opens the data transmission function of the cascade port used to connect the trustable network device to be authenticated and forwards the authentication success instruction to the trustable network device to be authenticated; if it does not, opening the data transmission function of the cascade port used to connect the trustable network device to be authenticated, and sending an authentication success instruction to the trustable network device to be authenticated.
Here the forwarding trustable network device is the trustable network device that received the connection request, added the forwarding mark, and forwarded the request to the trusted root network device. In the embodiment of the present invention the forwarding trustable network device is the trustable network device directly connected to the trustable network device to be authenticated; it may be in the same level network as the device to be authenticated or in a different level network.
Because the connection request may have been sent by the trustable network device to be authenticated and forwarded to the trusted root network device through a forwarding trustable network device (the device to be authenticated may be in the same level network as the forwarding trustable network device or in the next level network), the trusted root network device can, after receiving the connection request, judge whether the request carries a forwarding mark. If it does, the request was forwarded to the trusted root network device after a forwarding trustable network device added the forwarding mark, rather than being sent by the forwarding trustable network device on its own behalf. The trusted root network device then sends an authentication success instruction to the forwarding trustable network device; after receiving it, the forwarding trustable network device opens the data transmission function of the cascade port used to connect the trustable network device to be authenticated and forwards the authentication success instruction to that device, so that the trustable network device to be authenticated transmits data to the forwarding trustable network device.
If the trusted root network device judges that the connection request does not carry a forwarding mark, the request was sent directly by a trustable network device to be authenticated in the second level network. The trusted root network device then opens the data transmission function of the cascade port used to connect that device and sends an authentication success instruction to it, and the trustable network device to be authenticated can send data to the trusted root network device.
It should be noted that before safety authentication the data transmission function of the cascade port of every trustable network device is closed; that is, the cascade port only lets non-service data such as protocol messages and authentication requests pass, and does not let service data pass, so as to ensure the safety of the whole network. Closing and opening the data transmission function of a cascade port can be realized in any existing manner, for example using registers, and is not specifically limited here.
For example, as shown in Figure 3, if trusted root network device 11 judges that the connection request sent by trustable network device 21 carries a forwarding mark, the connection request was forwarded by trustable network device 21, that is, trustable network device 21 is a forwarding trustable network device. Trusted root network device 11 then sends an authentication success instruction to trustable network device 21 but does not open the data transmission function of cascade port 1. After trustable network device 21 receives the authentication success instruction, if the connection request came from trustable network device 22, trustable network device 21 opens cascade port 3, which connects trustable network device 22; if the connection request came from trustable network device 32, trustable network device 21 opens cascade port 4, which connects trustable network device 32.
If trusted root network device 11 judges that the connection request received from trustable network device 21 does not carry a forwarding mark, the connection request was sent by trustable network device 21 itself, that is, trustable network device 21 is a trustable network device to be authenticated. Trusted root network device 11 then sends an authentication success instruction to trustable network device 21 and opens the data transmission function of cascade port 1.
It can be seen that in the scheme provided by the embodiment of the present invention, the trusted root network device of the first level network in the cascade network first receives the connection request sent by a trustable network device to be authenticated in the cascade network and obtains its device identification, then judges from the device identification whether the device satisfies the preset safety condition, and if it does, opens the data transmission function of the cascade port requested by the device, so that the device transmits data through the cascade port. Because the trustable network devices of every level of the cascade network must pass safety authentication by the trusted root network device of the first level network before transmitting data, the safety of the cascade network is greatly improved.
As one implementation of the embodiment of the present invention, as shown in Figure 4, judging from the device identification whether the trustable network device to be authenticated satisfies the preset safety condition may include the following steps:
S401, searching a pre-stored information table for the password information corresponding to the device identification;
The trusted root network device may locally store an information table recording a one-to-one correspondence between device identifications and password information. The device identification may be identification information such as a device ID or a MAC address and is not specifically limited here, as long as it uniquely identifies the trustable network device. The password information may be information such as the access password of the trustable network device corresponding to the device identification.
Thus, after the trusted root network device obtains the device identification of the trustable network device to be authenticated, it can find the password information corresponding to that device identification in the information table.
S402, generating an encryption word, and encrypting the password information using the encryption word to obtain first encrypted information;
To ensure that the trustable network device to be authenticated accesses the network safely, the trusted root network device may randomly generate an encryption word and encrypt the password information it found using that encryption word, obtaining the first encrypted information. It will be understood that the encryption word is usually a string of characters used for the encryption operation.
S403, sending the encryption word to the trustable network device to be authenticated, so that the trustable network device to be authenticated encrypts the password information corresponding to its device identification using the encryption word, obtains second encrypted information, and sends the second encrypted information to the trusted root network device;
After generating the encryption word, the trusted root network device sends it to the trustable network device to be authenticated. After receiving the encryption word, the trustable network device to be authenticated encrypts the password information corresponding to its own device identification using the encryption word, obtains the second encrypted information, and sends the second encrypted information to the trusted root network device.
S404, receiving the second encrypted information and judging whether the second encrypted information is identical to the first encrypted information; if it is, executing step S405, otherwise executing step S406;
After receiving the second encrypted information, the trusted root network device can judge whether the first encrypted information it generated itself is identical to the second encrypted information, in order to determine whether the trustable network device to be authenticated satisfies the safety condition.
S405, determining that the trustable network device to be authenticated satisfies the preset safety condition;
If the trusted root network device judges that the first encrypted information is identical to the second encrypted information, the trustable network device to be authenticated satisfies the preset safety condition and may safely access the network and transmit data.
S406, determining that the trustable network device to be authenticated does not satisfy the preset safety condition.
If the trusted root network device judges that the first encrypted information differs from the second encrypted information, the trustable network device to be authenticated does not satisfy the preset safety condition and cannot safely access the network.
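As an added illustration (not code from the patent), the following Python models steps S401 to S406 on both sides of the exchange. The patent does not name the encryption operation applied with the encryption word; HMAC-SHA256 keyed by the random encryption word is assumed here, as are the sample table entries, the constant-time comparison in S404 and the stale-answer check.

```python
"""Steps S401-S406 modelled in Python: the trusted root network device looks up
the password information for a device identification, generates a random
encryption word, and compares its own first encrypted information with the
second encrypted information returned by the device to be authenticated.

Added illustration; the encryption operation (HMAC-SHA256 keyed by the
encryption word) and the table entries are assumptions, not the patent's."""
import hashlib
import hmac
import secrets

# Constructed sample information table (S401): device identification -> password
# information. MAC addresses serve as identifications and access passwords as
# password information, both of which the text allows.
INFO_TABLE = {
    "00:11:22:33:44:21": b"access-password-21",
    "00:11:22:33:44:22": b"access-password-22",
}


def encrypt_with_word(encryption_word: bytes, password_info: bytes) -> bytes:
    """Encrypt password information with the encryption word.

    Assumption: a keyed hash (HMAC-SHA256) stands in for the unspecified
    encryption; both sides must use the same operation for S404 to match."""
    return hmac.new(encryption_word, password_info, hashlib.sha256).digest()


def generate_encryption_word(length: int = 16) -> bytes:
    """S402: a fresh random encryption word for every authentication attempt."""
    return secrets.token_bytes(length)


class DeviceToBeAuthenticated:
    """The trustable network device to be authenticated; it holds only its own
    device identification and password information."""

    def __init__(self, device_id: str, password_info: bytes):
        self.device_id = device_id
        self.password_info = password_info

    def second_encrypted_information(self, encryption_word: bytes) -> bytes:
        """S403, device side: encrypt own password information with the word."""
        return encrypt_with_word(encryption_word, self.password_info)


class TrustedRootNetworkDevice:
    def __init__(self, info_table: dict, word_generator=generate_encryption_word):
        self.info_table = info_table
        self.word_generator = word_generator   # injectable so a test can pin the word

    def meets_safety_condition(self, device_id: str,
                               device: DeviceToBeAuthenticated) -> bool:
        """Return True for S405 (condition met) and False for S406."""
        # S401: look up the password information for the claimed identification.
        password_info = self.info_table.get(device_id)
        if password_info is None:
            return False                       # unknown identification: S406
        # S402: random encryption word and the first encrypted information.
        encryption_word = self.word_generator()
        first = encrypt_with_word(encryption_word, password_info)
        # S403: send the word, receive the second encrypted information
        # (the password information itself never crosses the cascade port).
        second = device.second_encrypted_information(encryption_word)
        # S404: constant-time comparison, so the decision leaks no timing
        # information about how many leading bytes matched.
        return hmac.compare_digest(first, second)


def stale_answer_is_rejected(device_id: str, device: DeviceToBeAuthenticated) -> bool:
    """Why S402 draws a new word each time: second encrypted information produced
    under an earlier word does not satisfy a root that uses a fresh word."""
    root = TrustedRootNetworkDevice(INFO_TABLE)
    stale = device.second_encrypted_information(generate_encryption_word())

    class StaleAnswerer(DeviceToBeAuthenticated):
        def second_encrypted_information(self, encryption_word: bytes) -> bytes:
            return stale                       # ignores the new word (constructed case)

    return not root.meets_safety_condition(device_id, StaleAnswerer(device_id, b""))
```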
As one implementation of the embodiment of the present invention, as shown in Figure 5, the trusted root network device may include a trusted root server 111 and a trusted root switch 112;
Before the step of receiving the connection request sent by the trustable network device to be authenticated in the cascade network, the method may further include:
the trusted root switch 112 performing local safety authentication with the trusted root server 111 connected to it; and, after the local safety authentication passes, performing the step of receiving the connection request sent by the trustable network device to be authenticated in the cascade network.
To ensure the overall safety of the network, local safety authentication may be performed first, before the trusted root network device receives the connection request sent by the trustable network device to be authenticated, so that the connection request is received only once the safety of the local network is ensured. That is, the trusted root switch 112 can perform local safety authentication with the trusted root server 111 connected to it, and only after the local safety authentication passes is the step of receiving the connection request sent by the trustable network device to be authenticated in the cascade network performed. For example, the trusted root switch 112 in Figure 5 can perform local safety authentication with the trusted root server 111 connected to it.
It should be noted that the trusted root server may be a server that completes safety authentication through a TCM, which further improves the safety of the whole network. It should further be noted that the manner in which the trusted root switch performs local safety authentication with the trusted root server connected to it, and the manner in which the trusted root server completes safety authentication through the TCM, may both follow existing manners; those skilled in the art can determine them according to factors such as the actual network protocol, and they are not specifically limited or explained here.
It will be understood that every trustable network device in the cascade network may include a trusted server and a trusted switch. To ensure the safety of the whole cascade network, every trustable network device may perform local safety authentication before sending or receiving a connection request.
It should be noted that the first level network of the cascade network may include one or more trustable network devices (such as trustable network device 12 shown in Figure 3), one of which is the trusted root network device; the other trustable network devices may be connected to the trusted root network device through cascade ports. When these trustable network devices need to access the network, they also need to pass the safety authentication of the trusted root network device; the specific authentication is the same as the authentication described above and is not repeated here.
As one implementation of the embodiment of the present invention, to avoid the problem that safety authentication cannot be performed when the trusted root network device fails, a standby trusted root network device may be arranged in the first level network of the cascade network; when the trusted root network device fails and cannot run, the standby trusted root network device is started to continue safety authentication. It will be understood that the configuration of the standby trusted root network device is identical to that of the trusted root network device. Generally, to ensure that the standby trusted root network device can be started quickly and safely when the trusted root network device fails, the standby trusted root network device may perform local safety authentication in advance.
The embodiment of the present invention further provides another safety authentication method of a cascade network. The second safety authentication method of a cascade network provided by the embodiment of the present invention is introduced below.
As shown in Figure 6, a safety authentication method of a cascade network is applied to a forwarding trustable network device in the cascade network, where the forwarding trustable network device is the trustable network device directly accessed by the trustable network device to be authenticated; the trusted root network device does not count as a forwarding trustable network device. As shown in Figure 3, trustable network device 22 directly accesses cascade port 3 of trustable network device 21, so trustable network device 21 is the trustable network device directly accessed by trustable network device 22; trustable network device 31 directly accesses cascade port 5 of trustable network device 21, so trustable network device 21 is the trustable network device directly accessed by trustable network device 31; trustable network device 33 directly accesses cascade port 6 of trustable network device 22, so trustable network device 22 is the trustable network device directly accessed by trustable network device 33. Trustable network device 21 directly accesses cascade port 1 of trusted root network device 11, so trusted root network device 11 is the trustable network device directly accessed by trustable network device 21, but the trusted root network device does not count as a forwarding trustable network device. The method includes the following steps:
S601, receiving the connection request sent by a trustable network device to be authenticated in the cascade network that is located in the same level network as the forwarding trustable network device or in the next level network, and adding a forwarding mark to the connection request;
It will be understood that the forwarding trustable network device now acts as a forwarding trustable network device that forwards the connection request sent by the trustable network device to be authenticated. The trustable network device to be authenticated may be a trustable network device in the same level network as the forwarding trustable network device or in the next level network. For example, as shown in Figure 3, trustable network device 21 may receive the connection request sent by trustable network device 22, which is in the same level network, or by a trustable network device in its next level network, such as trustable network devices 31 and 32.
After the forwarding trustable network device receives the connection request sent by the trustable network device to be authenticated, since the request was not sent by the forwarding trustable network device itself, the forwarding trustable network device can add a forwarding mark to the connection request, so that the trusted root network device can determine, after receiving the request, whether it was sent directly by the forwarding trustable network device. Apart from the forwarding trustable network device, which is the trustable network device that the trustable network device to be authenticated directly accesses through a cascade port, the other trustable network devices that receive the connection request only perform simple forwarding and need not add a forwarding mark.
The forwarding mark may be existing forwarding identification information, as long as it identifies the connection request as forwarded, and is not specifically limited here.
S602, sending the connection request with the forwarding mark added to the trusted root network device, so that the trusted root network device obtains the device identification of the trustable network device to be authenticated and judges from the device identification of the trustable network device to be authenticated whether that device satisfies the preset safety condition, and if it does, sends an authentication success instruction to the forwarding trustable network device;
After adding the forwarding mark to the connection request, the forwarding trustable network device can send the marked connection request to the trusted root network device. The trusted root network device can then obtain the device identification of the trustable network device to be authenticated, judge from that identification whether the device satisfies the preset safety condition, and if it does, send an authentication success instruction to the forwarding trustable network device.
The manner in which the trusted root network device obtains the device identification of the trustable network device to be authenticated, the manner of judging from that identification whether the device satisfies the preset safety condition, and the manner of opening the data transmission function of the cascade port requested by the device are described in the first safety authentication method of a cascade network above; for the related parts, refer to the explanation of the corresponding parts of that method, which is not repeated here.
It should be noted that when the connection request does not include the device identification of the trustable network device to be authenticated, the trusted root network device, after receiving the connection request sent by the forwarding trustable network device, can send an authentication request to the forwarding trustable network device through the cascade port on which the connection request was received. The forwarding trustable network device can then forward the authentication request to the trustable network device to be authenticated through the cascade port on which it received the connection request; the trustable network device to be authenticated sends its device identification to the forwarding trustable network device, which forwards it to the trusted root network device.
S603, receiving the authentication success instruction, and opening the data transmission function of the cascade port used to connect the trustable network device to be authenticated;
After the forwarding trustable network device receives the authentication success instruction, the trustable network device to be authenticated has passed safety authentication, and the forwarding trustable network device can now open the data transmission function of the cascade port used to connect the trustable network device to be authenticated.
As shown in Figure 3, if the connection request was sent by trustable network device 22, trustable network device 21, as the forwarding trustable network device, can open the data transmission function of cascade port 3. If the connection request was sent by trustable network device 31, trustable network device 21, as the forwarding trustable network device, can open the data transmission function of cascade port 5, which connects trustable network device 31. Similarly, if the connection request was sent by trustable network device 33, trustable network device 22, as the forwarding trustable network device, can open the data transmission function of cascade port 6, which connects trustable network device 33.
It will be understood that when the forwarding trustable network device connected to the trustable network device to be authenticated is not directly connected to the trusted root network device, the manner in which it opens the cascade port is the same as when it is directly connected to the trusted root network device, and is not repeated here.
It will be understood that if the trustable network device to be authenticated is located in the fourth level network or an even lower level network, two or more trustable network devices are needed to forward the connection request it sends; the specific forwarding manner is the same as the forwarding manner described above and is not repeated here.
As shown in Figure 6, step S604, sending the authentication success instruction to the trustable network device to be authenticated, so that the trustable network device to be authenticated transmits data to the forwarding trustable network device through the cascade port.
After receiving the authentication success instruction, the forwarding trustable network device can forward it to the trustable network device to be authenticated, which can then transmit data to the forwarding trustable network device through the cascade port whose data transmission function has been opened.
It can be seen that in the scheme provided by the embodiment of the present invention, the forwarding trustable network device in the cascade network receives the connection request sent by a trustable network device to be authenticated located in the same level network as the forwarding trustable network device or in the next level network, adds a forwarding mark to the connection request, and sends the marked connection request to the trusted root network device, so that the trusted root network device judges from the device identification of the trustable network device to be authenticated whether that device satisfies the preset safety condition and, if it does, sends an authentication success instruction to the forwarding trustable network device. The forwarding trustable network device receives the authentication success instruction, opens the data transmission function of the cascade port used to connect the trustable network device to be authenticated, and sends the authentication success instruction to the trustable network device to be authenticated, so that the device transmits data to the forwarding trustable network device through the cascade port. Because a trustable network device to be authenticated must perform safety authentication with the trusted root network device when accessing the network, and can transmit data through the cascade port only after the authentication passes, the safety of the whole cascade network is greatly improved.
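As an added illustration (not code from the patent), the following Python models the cascade port gating of the first method (S204, with and without a forwarding mark) together with steps S601 to S604, on the Figure 3 topology as the text describes it: trusted root network device 11 with cascade port 1 to device 21; device 21 with ports 3, 4 and 5 to devices 22, 32 and 31; device 22 with port 6 to device 33. The message format, the per-hop route bookkeeping used to relay the authentication success instruction, the stand-in for the identification check, and the root's check that an unmarked request really comes from the device wired to that port are assumptions of this example.

```python
"""Cascade port gating with the forwarding mark, modelled on the Figure 3
topology. Added illustration, not the patent's code: the message format, the
route bookkeeping and the identification-check stand-in are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionRequest:
    sender: str               # device identification of the device to be authenticated
    forwarded: bool = False   # the forwarding mark


class TrustableNetworkDevice:
    """A trustable network device whose cascade ports map one-to-one to directly
    connected devices; every port's data transmission function stays closed
    until an authentication success instruction opens it."""

    def __init__(self, name: str):
        self.name = name
        self.peer_on_port = {}   # cascade port -> directly connected downstream device
        self.port_of_peer = {}   # downstream device name -> cascade port
        self.data_open = set()   # ports whose data transmission function is open
        self.uplink = None       # device one hop closer to the trusted root
        self.route = {}          # pending request sender -> port it arrived on (assumed)
        self.authenticated = False

    def connect(self, port: int, peer: "TrustableNetworkDevice") -> None:
        """Attach peer to this device's cascade port; exactly one device per port."""
        if port in self.peer_on_port:
            raise ValueError(f"cascade port {port} of {self.name} already in use")
        self.peer_on_port[port] = peer
        self.port_of_peer[peer.name] = port
        peer.uplink = self

    def send_connection_request(self) -> bool:
        """The device to be authenticated asks through its directly accessed device."""
        return self.uplink.receive_request(ConnectionRequest(self.name),
                                           self.uplink.port_of_peer[self.name])

    def receive_request(self, req: ConnectionRequest, port: int) -> bool:
        # S601: only the device the sender directly accesses adds the forwarding
        # mark; devices further up relay the request unchanged.
        if not req.forwarded and self.peer_on_port[port].name == req.sender:
            req = ConnectionRequest(req.sender, forwarded=True)
        self.route[req.sender] = port
        # S602: pass the request one hop towards the trusted root network device.
        return self.uplink.receive_request(req, self.uplink.port_of_peer[self.name])

    def receive_auth_success(self, target: str) -> None:
        if target == self.name:
            self.authenticated = True        # the device to be authenticated itself
            return
        port = self.route.pop(target)
        if self.peer_on_port[port].name == target:
            # S603: as the forwarding device, open the port used to connect the
            # authenticated device; ports of mere relays stay closed.
            self.data_open.add(port)
        # S604 (or plain relay further down the cascade).
        self.peer_on_port[port].receive_auth_success(target)


class TrustedRootNetworkDevice(TrustableNetworkDevice):
    def __init__(self, name: str, passes_check):
        super().__init__(name)
        self.passes_check = passes_check     # stand-in for the S401-S406 identification check

    def receive_request(self, req: ConnectionRequest, port: int) -> bool:
        if not self.passes_check(req.sender):
            return False                     # S406: nothing opened, no instruction sent
        if req.forwarded:
            # S204, marked request: instruct the forwarding device; the root's own
            # port is not opened (only when the device on that port authenticates).
            self.peer_on_port[port].receive_auth_success(req.sender)
            return True
        # Unmarked request: it must come from the device wired to this port
        # (assumed check, justified by the one-to-one port mapping).
        if self.peer_on_port[port].name != req.sender:
            return False
        self.data_open.add(port)
        self.peer_on_port[port].receive_auth_success(req.sender)
        return True


def build_figure3(known=("21", "22", "31", "32", "33")) -> dict:
    """Wire the Figure 3 devices; `known` is the constructed set of device
    identifications that pass the identification check."""
    devs = {n: TrustableNetworkDevice(n) for n in ("21", "22", "31", "32", "33")}
    root = TrustedRootNetworkDevice("11", passes_check=lambda d: d in known)
    root.connect(1, devs["21"])
    devs["21"].connect(3, devs["22"])
    devs["21"].connect(4, devs["32"])
    devs["21"].connect(5, devs["31"])
    devs["22"].connect(6, devs["33"])
    devs["11"] = root
    return devs
```

Running `build_figure3()["33"].send_connection_request()` walks the two-hop case of the text: device 22 marks the request, device 21 only relays it, and after the root's instruction travels back down only cascade port 6 of device 22 opens.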
As one implementation of the embodiment of the present invention, as shown in Figure 5, the forwarding trustable network device may include a forwarding trusted server and a forwarding trusted switch;
Before receiving the connection request sent by the trustable network device to be authenticated in the cascade network located in the same level network as the forwarding trustable network device or in the next level network, the method may further include:
the forwarding trusted switch performing local safety authentication with the forwarding trusted server connected to it; and, after the local safety authentication passes, performing the step of receiving the connection request sent by the trustable network device to be authenticated in the cascade network located in the same level network as the forwarding trustable network device or in the next level network.
To ensure the overall safety of the network, local safety authentication may be performed first, before the forwarding trustable network device receives the connection request sent by a trustable network device to be authenticated located in the same level network as the forwarding trustable network device or in the next level network, so that the connection request is received only once the safety of the local network is ensured. That is, the forwarding trusted switch can perform local safety authentication with the forwarding trusted server connected to it, and only after the local safety authentication passes is the connection request sent by the trustable network device to be authenticated in the same level network or the next level network received. For example, the trusted switch 212 in Figure 5 can perform local safety authentication with the trusted server 211 connected to it.
The term forwarding trusted server above refers only to the trusted server in the forwarding trustable network device, and forwarding trusted switch only to the trusted switch in the forwarding trustable network device; the terms carry no other limiting meaning.
It should be noted that the forwarding trusted server may be a server that completes safety authentication through a TCM, which further improves the safety of the whole network. It should further be noted that the manner in which the forwarding trusted switch performs local safety authentication with the forwarding trusted server connected to it, and the manner in which the forwarding trusted server completes safety authentication through the TCM, may both follow existing manners; those skilled in the art can determine them according to factors such as the actual network protocol, and they are not specifically limited or explained here.
It should further be noted that, for both safety authentication methods of a cascade network above, when a client accesses a trusted switch, the trusted switch may also perform safety authentication on the client; the specific implementation may be any existing manner and is not specifically limited here. During network operation, the TCM can monitor in real time whether the local trusted server operates safely, that is, whether the local trusted server is running unsafe programs and the like; if it is, the TCM can shut down the local trusted server to ensure the safety of the whole network. Likewise, the trusted server can monitor in real time whether the local trusted switch operates safely, and the trusted switch can monitor in real time whether the client operates safely; when a security threat is found, the corresponding trusted switch or client is shut down.
When the trustable network device to be authenticated is directly connected to the trusted root network device of the first level network in the cascade network, as shown in Figure 7, the safety authentication method performed by the trustable network device to be authenticated may include the following steps:
S701, sending a connection request to the trusted root network device located in the first level network of the cascade network, so that the trusted root network device obtains the device identification of the trustable network device to be authenticated, judges from that device identification whether the trustable network device to be authenticated satisfies a preset safety condition, and if it does, opens the data transmission function of the cascade port requested by the trustable network device to be authenticated;
When a trustable network device to be authenticated in the cascade network needs to access the network to transmit data, it can send a connection request to the trusted root network device located in the first level network of the cascade network. As shown in Figure 3, when trustable network device 21 in the second level network accesses the network, it can send a connection request to trusted root network device 11 of the first level network.
When the trusted root network device receives the connection request, it can obtain the device identification of the trustable network device to be authenticated, judge from that identification whether the device satisfies the preset safety condition, and if it does, open the data transmission function of the cascade port requested by the trustable network device to be authenticated.
The manner in which the trusted root network device obtains the device identification of the trustable network device to be authenticated, the manner of judging from that identification whether the device satisfies the preset safety condition, and the manner of opening the data transmission function of the cascade port requested by the device are described in the first safety authentication method of a cascade network above; for the related parts, refer to the explanation of the corresponding parts of that method, which is not repeated here.
S702, by the cascade port transmission data.
When trusted root network equipment opens the data-transformation facility that trustable network to be certified equips asked cascade port Afterwards, trustable network equipment to be certified just can pass through the cascade port transmission data.
Corresponding to the first method embodiment above, an embodiment of the present invention further provides a security authentication apparatus for a cascade network. The first security authentication apparatus for a cascade network provided by the embodiment of the present invention is introduced below.
As shown in Fig. 8, a security authentication apparatus for a cascade network is applied to a trusted root network device in the cascade network, the trusted root network device being located in a first-level network and connected through a cascade port to a trusted network device in a second-level network; the apparatus includes:
a connection request receiving module 810, configured to receive a connection request sent by a trusted network device to be authenticated in the cascade network;
a device identifier obtaining module 820, configured to obtain the device identifier of the trusted network device to be authenticated;
a security condition judging module 830, configured to judge, according to the device identifier, whether the trusted network device to be authenticated meets a preset security condition;
a data transmission function opening module 840, configured to open, when the trusted network device to be authenticated meets the preset security condition, the data transmission function of the cascade port requested by the trusted network device to be authenticated, so that the trusted network device to be authenticated transmits data through that cascade port.
It can be seen that, in the solution provided by the embodiment of the present invention, the trusted root network device of the first-level network in the cascade network first receives the connection request sent by the trusted network device to be authenticated, obtains the device identifier of the trusted network device to be authenticated, then judges according to the device identifier whether the trusted network device to be authenticated meets the preset security condition and, if it does, opens the data transmission function of the cascade port requested by the trusted network device to be authenticated, so that the trusted network device to be authenticated transmits data through the cascade port. Because the trusted network devices of the networks at every level of the cascade network must be authenticated by the trusted root network device of the first-level network before they transmit data, the security of the cascade network is greatly improved.
As one implementation of the embodiment of the present invention, the data transmission function opening module 840 may include:
a forwarding mark judging unit (not shown in Fig. 8), configured to judge whether the connection request carries a forwarding mark;
a first data transmission function opening unit (not shown in Fig. 8), configured to send, when the connection request carries the forwarding mark, an authentication-success instruction to a forwarding trusted network device, so that the forwarding trusted network device opens the data transmission function of the cascade port connecting the trusted network device to be authenticated and forwards the authentication-success instruction to the trusted network device to be authenticated, wherein the forwarding trusted network device is the trusted network device that received the connection request, added the forwarding mark, and forwarded the request to the trusted root network device;
a second data transmission function opening unit (not shown in Fig. 8), configured to open, when the connection request does not carry the forwarding mark, the data transmission function of the cascade port connecting the trusted network device to be authenticated, and to send an authentication-success instruction to the trusted network device to be authenticated.
As one implementation of the embodiment of the present invention, the device identifier obtaining module 820 may be configured to:
when the connection request includes the device identifier of the trusted network device to be authenticated, read the device identifier of the trusted network device to be authenticated from the connection request;
or,
according to the cascade port on which the connection request was received, send an authentication request to the trusted network device to be authenticated, so that the trusted network device to be authenticated feeds its device identifier back to the trusted root network device.
Corresponding to the second method embodiment above, an embodiment of the present invention further provides another security authentication apparatus for a cascade network. The second security authentication apparatus for a cascade network provided by the embodiment of the present invention is introduced below.
As shown in Fig. 9, a security authentication apparatus for a cascade network is applied to a forwarding trusted network device in the cascade network, the forwarding trusted network device being the trusted network device that the trusted network device to be authenticated accesses directly through a cascade port; the apparatus includes:
a forwarding mark adding module 910, configured to receive a connection request sent by a trusted network device to be authenticated that is located in the same-level network or the next-level network as the forwarding trusted network device, and to add a forwarding mark to the connection request;
a request forwarding module 920, configured to send the connection request carrying the added forwarding mark to the trusted root network device of the first-level network in the cascade network, so that the trusted root network device obtains the device identifier of the trusted network device to be authenticated and judges, according to that device identifier, whether the trusted network device to be authenticated meets the preset security condition and, if it does, sends an authentication-success instruction to the forwarding trusted network device;
an instruction receiving module 930, configured to receive the authentication-success instruction and open the data transmission function of the cascade port connecting the trusted network device to be authenticated;
an instruction forwarding module 940, configured to send the authentication-success instruction to the trusted network device to be authenticated, so that the trusted network device to be authenticated transmits data through the cascade port to the forwarding trusted network device.
It can be seen that, in the solution provided by the embodiment of the present invention, the forwarding trusted network device in the cascade network receives the connection request sent by a trusted network device to be authenticated located in the same-level network or the next-level network as the forwarding trusted network device, adds a forwarding mark to the connection request, and sends the marked connection request to the trusted root network device, so that the trusted root network device judges from the device identifier of the trusted network device to be authenticated whether that device meets the preset security condition and, if it does, sends an authentication-success instruction to the forwarding trusted network device; the forwarding trusted network device receives the authentication-success instruction, opens the data transmission function of the cascade port connecting the trusted network device to be authenticated, and sends the authentication-success instruction to the trusted network device to be authenticated, so that the trusted network device to be authenticated transmits data through the cascade port to the forwarding trusted network device. Because a trusted network device to be authenticated must complete security authentication with the trusted root network device when it accesses the network, and can transmit data through the cascade port only after that authentication passes, the security of the whole cascade network is greatly improved.
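The two apparatus embodiments above (the trusted root network device with modules 810 to 840, and the forwarding trusted network device with modules 910 to 940) describe one protocol from its two ends. The following Python simulation is an added example, not code from the patent or its assignee; it plays through the direct-connection flow of Fig. 7, the forwarded flow of Fig. 9, and a request that fails the security condition. The message layout, the allow-list standing in for the "preset security condition", the port-to-device map the root uses when it must ask for an identifier, and all class, function and port names are assumptions made for illustration.

```python
# Added example, not code from the patent or its assignee: a simulation of the
# cascade-network authentication flow. Message layout, the allow-list used as the
# "preset security condition", the port-to-device map and all names are assumed.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ConnectionRequest:
    port: str                         # cascade port the request arrived on
    device_id: Optional[str] = None   # identifier is optionally carried (claim 3)
    forwarding_mark: bool = False     # set by a forwarding trusted device (module 910)


@dataclass
class DeviceToAuthenticate:
    """Trusted network device to be authenticated (e.g. device 21 in Fig. 3)."""
    device_id: str
    authenticated: bool = False

    def answer_authentication_request(self) -> str:
        # feeds the identifier back when the root asks for it (module 820, second mode)
        return self.device_id

    def receive_success_instruction(self) -> None:
        self.authenticated = True


@dataclass
class TrustedRootDevice:
    """Trusted root network device of the first-level network (modules 810-840)."""
    allowed_ids: set                  # assumed: the preset security condition is an allow-list
    open_ports: set = field(default_factory=set)
    # assumed: cascade port -> directly attached device; used to ask for an
    # identifier and to deliver the success instruction on a direct connection
    port_to_device: dict = field(default_factory=dict)

    def obtain_device_id(self, req: ConnectionRequest) -> str:        # module 820
        if req.device_id is not None:
            return req.device_id                                     # first mode: read it
        return self.port_to_device[req.port].answer_authentication_request()

    def meets_security_condition(self, device_id: str) -> bool:      # module 830
        return device_id in self.allowed_ids

    def handle_connection_request(self, req: ConnectionRequest,
                                  forwarder: Optional[ForwardingTrustedDevice] = None) -> str:
        device_id = self.obtain_device_id(req)                       # modules 810/820
        if not self.meets_security_condition(device_id):
            return "rejected"                                        # no port is opened
        if req.forwarding_mark:                                      # module 840, first unit
            forwarder.receive_success_instruction(device_id)
            return "success-forwarded"
        self.open_ports.add(req.port)                                # module 840, second unit
        device = self.port_to_device.get(req.port)
        if device is not None:
            device.receive_success_instruction()
        return "success-direct"


@dataclass
class ForwardingTrustedDevice:
    """Trusted device the device to be authenticated is attached to (modules 910-940)."""
    root: TrustedRootDevice
    uplink_port: str                  # root-side cascade port this device is reached on
    open_ports: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # device_id -> (local port, device)

    def handle_connection_request(self, req: ConnectionRequest,
                                  device: DeviceToAuthenticate) -> str:
        self.pending[device.device_id] = (req.port, device)
        marked = ConnectionRequest(port=self.uplink_port, device_id=device.device_id,
                                   forwarding_mark=True)             # module 910
        return self.root.handle_connection_request(marked, forwarder=self)  # module 920

    def receive_success_instruction(self, device_id: str) -> None:
        port, device = self.pending.pop(device_id)
        self.open_ports.add(port)                                    # module 930
        device.receive_success_instruction()                         # module 940


def run_direct_scenario():
    """Fig. 7: device attached straight to the root; request carries no identifier."""
    root = TrustedRootDevice(allowed_ids={"DEV-21", "DEV-31"})       # constructed allow-list
    dev = DeviceToAuthenticate("DEV-21")
    root.port_to_device["root-p1"] = dev
    result = root.handle_connection_request(ConnectionRequest(port="root-p1"))
    return result, sorted(root.open_ports), dev.authenticated


def run_forwarded_scenario():
    """Fig. 9: device attached to a forwarding trusted device one level down."""
    root = TrustedRootDevice(allowed_ids={"DEV-21", "DEV-31"})
    fwd = ForwardingTrustedDevice(root=root, uplink_port="root-p2")
    dev = DeviceToAuthenticate("DEV-31")
    result = fwd.handle_connection_request(ConnectionRequest(port="fwd-p1", device_id="DEV-31"), dev)
    return result, sorted(root.open_ports), sorted(fwd.open_ports), dev.authenticated


def run_rejected_scenario():
    """Unknown identifier: the root answers without opening any cascade port."""
    root = TrustedRootDevice(allowed_ids={"DEV-21"})
    fwd = ForwardingTrustedDevice(root=root, uplink_port="root-p2")
    dev = DeviceToAuthenticate("DEV-99")
    result = fwd.handle_connection_request(ConnectionRequest(port="fwd-p1", device_id="DEV-99"), dev)
    return result, sorted(fwd.open_ports), dev.authenticated
```

In the forwarded case the root opens nothing itself; only the forwarding device's local cascade port is opened, and only after the root's success instruction arrives, which is the ordering the summary paragraphs rely on. A deployment would replace the allow-list with whatever the first method embodiment defines as the preset security condition.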
It should be noted that, herein, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "including", "comprising" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The embodiments in this specification are described in a related manner; for the same or similar parts between the embodiments, reference may be made to one another, and each embodiment focuses on its differences from the others. In particular, since the apparatus embodiments are substantially similar to the method embodiments, their description is relatively brief; for the related parts, refer to the explanation in the method embodiments.
The foregoing is merely the preferred embodiments of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention falls within the scope of protection of the present invention.

Claims (10)

1. A security authentication method for a cascade network, characterized in that the method is applied to a trusted root network device in the cascade network, the trusted root network device being located in a first-level network and connected through a cascade port to a trusted network device in a second-level network, the method comprising:
receiving a connection request sent by a trusted network device to be authenticated in the cascade network;
obtaining a device identifier of the trusted network device to be authenticated;
judging, according to the device identifier, whether the trusted network device to be authenticated meets a preset security condition;
if it does, opening a data transmission function of the cascade port requested by the trusted network device to be authenticated, so that the trusted network device to be authenticated transmits data through the cascade port.
2. the method for claim 1, it is characterised in that the opening trustable network equipment to be certified is asked The step of data-transformation facility of cascade port, including:
Judge whether the connection request carries forwarding labelling;
If it is, send certification successfully instruct to forwarding trustable network equipment, so that the forwarding trustable network equipment is opened and used In the data-transformation facility of the cascade port for connecting the trustable network to be certified equipment, and forward the certification successfully instruct to The trustable network equipment to be certified, wherein, the forwarding trustable network is equipped for:Receive the connection request and added The trustable network equipment of the trusted root network equipment is forwarded to after forwarding labelling;
If not, opening for connecting the data-transformation facility of the cascade port of the trustable network equipment to be certified, and send Certification is successfully instructed to the trustable network to be certified and equipped.
3. the method for claim 1, it is characterised in that the connection request includes the trustable network dress to be certified Standby device identification;
It is described obtain the trustable network to be certified equipment device identification the step of, including:Read from the connection request The device identification of the trustable network equipment to be certified;
Or,
According to the cascade port for receiving the connection request, certification request is sent to the trustable network equipment to be certified, so that The trustable network equipment feedback device to be certified is identified to the trusted root network equipment.
4. the method for claim 1, it is characterised in that the trusted root network equipment includes:Credible root server and Credible root switch;
Receive in the cascade network described, the step of the connection request that trustable network equipment to be certified sends before, it is described Method also includes:
The coupled credible root server of the credible root switch carries out local security certification;
After the local security certification passes through, in performing the reception cascade network, trustable network equipment to be certified sends Connection request the step of.
5. A security authentication method for a cascade network, characterized in that the method is applied to a forwarding trusted network device in the cascade network, the forwarding trusted network device being the trusted network device that a trusted network device to be authenticated accesses directly through a cascade port, the method comprising:
receiving a connection request sent by a trusted network device to be authenticated that is located in the same-level network or the next-level network as the forwarding trusted network device, and adding a forwarding mark to the connection request;
sending the connection request carrying the added forwarding mark to the trusted root network device of the first-level network in the cascade network, so that the trusted root network device obtains the device identifier of the trusted network device to be authenticated and judges, according to the device identifier of the trusted network device to be authenticated, whether the trusted network device to be authenticated meets a preset security condition and, if it does, sends an authentication-success instruction to the forwarding trusted network device;
receiving the authentication-success instruction, and opening the data transmission function of the cascade port connecting the trusted network device to be authenticated;
sending the authentication-success instruction to the trusted network device to be authenticated, so that the trusted network device to be authenticated transmits data through the cascade port to the forwarding trusted network device.
6. The method according to claim 5, characterized in that the forwarding trusted network device comprises a forwarding trusted server and a forwarding trusted switch;
before the step of receiving the connection request sent by the trusted network device to be authenticated located in the same-level network or the next-level network as the forwarding trusted network device, the method further comprises:
the forwarding trusted switch performing local security authentication with the forwarding trusted server connected to it;
after the local security authentication passes, performing the step of receiving the connection request sent by the trusted network device to be authenticated located in the same-level network or the next-level network as the forwarding trusted network device.
7. A security authentication apparatus for a cascade network, characterized in that the apparatus is applied to a trusted root network device in the cascade network, the trusted root network device being located in a first-level network and connected through a cascade port to a trusted network device in a second-level network, the apparatus comprising:
a connection request receiving module, configured to receive a connection request sent by a trusted network device to be authenticated in the cascade network;
a device identifier obtaining module, configured to obtain a device identifier of the trusted network device to be authenticated;
a security condition judging module, configured to judge, according to the device identifier, whether the trusted network device to be authenticated meets a preset security condition;
a data transmission function opening module, configured to open, when the trusted network device to be authenticated meets the preset security condition, a data transmission function of the cascade port requested by the trusted network device to be authenticated, so that the trusted network device to be authenticated transmits data through the cascade port.
8. The apparatus according to claim 7, characterized in that the data transmission function opening module comprises:
a forwarding mark judging unit, configured to judge whether the connection request carries a forwarding mark;
a first data transmission function opening unit, configured to send, when the connection request carries the forwarding mark, an authentication-success instruction to a forwarding trusted network device, so that the forwarding trusted network device opens the data transmission function of the cascade port connecting the trusted network device to be authenticated and forwards the authentication-success instruction to the trusted network device to be authenticated, wherein the forwarding trusted network device is the trusted network device that received the connection request, added the forwarding mark, and forwarded the request to the trusted root network device;
a second data transmission function opening unit, configured to open, when the connection request does not carry the forwarding mark, the data transmission function of the cascade port connecting the trusted network device to be authenticated, and to send an authentication-success instruction to the trusted network device to be authenticated.
9. The apparatus according to claim 7, characterized in that the device identifier obtaining module is configured to:
when the connection request includes the device identifier of the trusted network device to be authenticated, read the device identifier of the trusted network device to be authenticated from the connection request;
or,
according to the cascade port on which the connection request was received, send an authentication request to the trusted network device to be authenticated, so that the trusted network device to be authenticated feeds its device identifier back to the trusted root network device.
10. A security authentication apparatus for a cascade network, characterized in that the apparatus is applied to a forwarding trusted network device in the cascade network, the forwarding trusted network device being the trusted network device that a trusted network device to be authenticated accesses directly through a cascade port, the apparatus comprising:
a forwarding mark adding module, configured to receive a connection request sent by a trusted network device to be authenticated that is located in the same-level network or the next-level network as the forwarding trusted network device, and to add a forwarding mark to the connection request;
a request forwarding module, configured to send the connection request carrying the added forwarding mark to the trusted root network device of the first-level network in the cascade network, so that the trusted root network device obtains the device identifier of the trusted network device to be authenticated and judges, according to the device identifier of the trusted network device to be authenticated, whether the trusted network device to be authenticated meets a preset security condition and, if it does, sends an authentication-success instruction to the forwarding trusted network device;
an instruction receiving module, configured to receive the authentication-success instruction and open the data transmission function of the cascade port connecting the trusted network device to be authenticated;
an instruction forwarding module, configured to send the authentication-success instruction to the trusted network device to be authenticated, so that the trusted network device to be authenticated transmits data through the cascade port to the forwarding trusted network device.
CN201710051060.XA 2017-01-23 2017-01-23 Security authentication method and device for cascade network Active CN106685987B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710051060.XA CN106685987B (en) 2017-01-23 2017-01-23 Security authentication method and device for cascade network

Publications (2)

Publication Number Publication Date
CN106685987A true CN106685987A (en) 2017-05-17
CN106685987B CN106685987B (en) 2020-06-05

Family

ID=58859913

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710051060.XA Active CN106685987B (en) 2017-01-23 2017-01-23 Security authentication method and device for cascade network

Country Status (1)

Country Link
CN (1) CN106685987B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101145915A (en) * 2007-10-10 2008-03-19 中国科学院计算技术研究所 An authentication system and method of trustable router
CN101150406A (en) * 2006-09-18 2008-03-26 华为技术有限公司 Network device authentication method and system and relay forward device based on 802.1x protocol
CN201491035U (en) * 2009-09-07 2010-05-26 北京鼎普科技股份有限公司 Trustworthy terminal system

Also Published As

Publication number Publication date
CN106685987B (en) 2020-06-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant