CN107733929A - Authentication method and Verification System - Google Patents
Publication number: CN107733929A (application CN201711234947.9A)
Authority: CN (China)
Prior art keywords: authentication information, SDN, information, switch, authentication
Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
Abstract
The invention discloses an authentication method and an authentication system. The method includes: an SDN controller decrypts first encrypted authentication information to obtain switch authentication information; an SDN switch decrypts second encrypted authentication information to obtain controller authentication information; the SDN controller compares whether the switch authentication information obtained by decryption is identical to switch authentication information obtained in advance, and the SDN switch compares whether the controller authentication information obtained by decryption is identical to controller authentication information obtained in advance; if the SDN controller finds that the decrypted switch authentication information is identical to the switch authentication information obtained in advance and the SDN switch finds that the decrypted controller authentication information is identical to the controller authentication information obtained in advance, the SDN controller returns verification-success information to the SDN switch and the SDN switch returns verification-success information to the SDN controller. The invention effectively ensures the security of data transmitted over the southbound channel.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to an authentication method and an authentication system.
Background technology
At present, software-defined networking (SDN) uses OpenFlow as its mainstream southbound communication protocol, which is responsible for communication between the controller and the switch. A switch establishes a connection with the controller in one of two ways: over TLS, or over plain TCP.
To secure the southbound interface, the prior art implements a security authentication function using the TLS connection mode. This scheme depends on certificate files issued by a security authentication center. When a switch and a controller establish a connection, they exchange the certificate files distributed by the authentication center; after obtaining the certificate file, each side decrypts it with the authentication center's key and then judges, from the decrypted and verified information, whether the identity of the switch currently requesting access is valid. With the TLS connection mode currently used by OpenFlow, channel security can only be ensured with an authorization certificate from a third-party authentication center. First, in some application scenarios, such as a private group network, a user who connects a switch to the network may not want an authentication center to issue a certificate for it and to copy that certificate onto the switch or controller; secondly, the current version of the OpenFlow protocol treats the TLS connection mode only as an option, so an attacker can still specify the ordinary TCP connection mode and gain false access.
In the ordinary TCP connection mode, the channel between an OpenFlow switch and controller is established by a TCP connection. Although this mode is efficient and relatively reliable, there are no effective measures to ensure the security of data transmitted over the southbound channel.
The content of the invention
The present invention provides an authentication method and an authentication system for ensuring the security of data transmitted over the southbound channel.
To achieve the above object, the invention provides an authentication method, including:
an SDN controller decrypts first encrypted authentication information to obtain switch authentication information;
an SDN switch decrypts second encrypted authentication information to obtain controller authentication information;
the SDN controller compares whether the switch authentication information obtained by decryption is identical to switch authentication information obtained in advance, and the SDN switch compares whether the controller authentication information obtained by decryption is identical to controller authentication information obtained in advance;
if the SDN controller finds that the decrypted switch authentication information is identical to the switch authentication information obtained in advance and the SDN switch finds that the decrypted controller authentication information is identical to the controller authentication information obtained in advance, the SDN controller returns verification-success information to the SDN switch and the SDN switch returns verification-success information to the SDN controller.
Optionally, the method further includes:
if the SDN controller finds that the decrypted switch authentication information differs from the switch authentication information obtained in advance and/or the SDN switch finds that the decrypted controller authentication information differs from the controller authentication information obtained in advance, the SDN controller returns verification-failure information to the SDN switch and/or the SDN switch returns verification-failure information to the SDN controller, and the SDN controller and the SDN switch disconnect the TCP connection.
Optionally, after the SDN controller returns verification-success information to the SDN switch and the SDN switch returns verification-success information to the SDN controller, the method further includes:
the SDN controller sends a parameter acquisition request to the SDN switch;
the SDN switch sends return information to the SDN controller, the return information including identification information of the SDN switch;
the SDN controller sends the identification information of the SDN switch to an authentication database;
the authentication database queries whether the identification information of the SDN switch is stored locally;
if the authentication database finds that the identification information of the SDN switch is stored locally, it returns error information to the SDN controller;
if the authentication database finds that the identification information of the SDN switch is not stored locally, it stores the identification information of the SDN switch and returns correct information to the SDN controller.
Optionally, before the SDN controller decrypts the first encrypted authentication information to obtain the switch authentication information, the method includes:
the SDN switch encrypts the switch authentication information using a first public key to generate the first encrypted authentication information;
the SDN switch sends the first encrypted authentication information to the SDN controller;
and before the SDN switch decrypts the second encrypted authentication information to obtain the controller authentication information, the method includes:
the SDN controller encrypts the controller authentication information using a second public key to generate the second encrypted authentication information;
the SDN controller sends the second encrypted authentication information to the SDN switch.
Optionally, before the SDN switch encrypts the switch authentication information using the first public key to generate the first encrypted authentication information, the method includes:
the SDN controller sends the first public key of the SDN controller to the SDN switch;
and before the SDN controller encrypts the controller authentication information using the second public key to generate the second encrypted authentication information, the method includes:
the SDN switch sends the second public key of the SDN switch to the SDN controller.
Optionally, the SDN controller decrypting the first encrypted authentication information to obtain the switch authentication information includes:
the SDN controller decrypts the first encrypted authentication information using a first private key to obtain the switch authentication information;
and the SDN switch decrypting the second encrypted authentication information to obtain the controller authentication information includes:
the SDN switch decrypts the second encrypted authentication information using a second private key to obtain the controller authentication information.
Optionally, before the SDN controller decrypts the first encrypted authentication information to obtain the switch authentication information, the method includes:
establishing a TCP connection between the SDN controller and the SDN switch.
To achieve the above object, the invention further provides an authentication system, including an SDN controller and an SDN switch;
the SDN controller is configured to decrypt first encrypted authentication information to obtain switch authentication information; to compare whether the switch authentication information obtained by decryption is identical to switch authentication information obtained in advance; and, if the decrypted switch authentication information is identical to the switch authentication information obtained in advance and the SDN switch finds that the decrypted controller authentication information is identical to the controller authentication information obtained in advance, to return verification-success information to the SDN switch;
the SDN switch is configured to decrypt second encrypted authentication information to obtain controller authentication information; to compare whether the controller authentication information obtained by decryption is identical to controller authentication information obtained in advance; and, if the decrypted controller authentication information is identical to the controller authentication information obtained in advance and the SDN controller finds that the decrypted switch authentication information is identical to the switch authentication information obtained in advance, to return verification-success information to the SDN controller.
Optionally, the SDN controller is further configured, if the decrypted switch authentication information differs from the switch authentication information obtained in advance, to return verification-failure information to the SDN switch, and/or the SDN switch is further configured, if the decrypted controller authentication information differs from the controller authentication information obtained in advance, to return verification-failure information to the SDN controller; and the SDN controller and the SDN switch disconnect the TCP connection.
Optionally, the system further includes an authentication database;
the SDN controller is further configured to send a parameter acquisition request to the SDN switch, and to send the identification information of the SDN switch to the authentication database;
the SDN switch is further configured to send return information to the SDN controller, the return information including the identification information of the SDN switch;
the authentication database is configured to query whether the identification information of the SDN switch is stored locally; if the identification information of the SDN switch is found to be stored locally, to return error information to the SDN controller; and if the identification information of the SDN switch is found not to be stored locally, to store the identification information of the SDN switch and return correct information to the SDN controller.
The invention has the following advantages:
in the technical scheme of the authentication method and authentication system provided by the invention, the SDN controller compares whether the switch authentication information obtained by decryption is identical to the switch authentication information obtained in advance, and the SDN switch compares whether the controller authentication information obtained by decryption is identical to the controller authentication information obtained in advance; if the SDN controller finds that the decrypted switch authentication information is identical to the switch authentication information obtained in advance and the SDN switch finds that the decrypted controller authentication information is identical to the controller authentication information obtained in advance, the SDN controller returns verification-success information to the SDN switch and the SDN switch returns verification-success information to the SDN controller. Mutual verification of identity legitimacy between the SDN controller and the SDN switch is thereby realized, which effectively ensures the security of data transmitted over the southbound channel.
Brief description of the drawings
Fig. 1 is a flow chart of an authentication method provided by Embodiment 1 of the present invention;
Fig. 2 is a flow chart of an authentication method provided by Embodiment 2 of the present invention;
Fig. 3 is a schematic structural diagram of an authentication system provided by Embodiment 3 of the present invention.
Embodiment
To enable those skilled in the art to better understand the technical scheme of the present invention, the authentication method and authentication system provided by the present invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a flow chart of an authentication method provided by Embodiment 1 of the present invention. As shown in Fig. 1, the method includes:
Step 101: the SDN controller decrypts first encrypted authentication information to obtain switch authentication information.
Step 102: the SDN switch decrypts second encrypted authentication information to obtain controller authentication information.
Step 103: the SDN controller compares whether the switch authentication information obtained by decryption is identical to the switch authentication information obtained in advance, and the SDN switch compares whether the controller authentication information obtained by decryption is identical to the controller authentication information obtained in advance; if the SDN controller finds that the decrypted switch authentication information is identical to the switch authentication information obtained in advance and the SDN switch finds that the decrypted controller authentication information is identical to the controller authentication information obtained in advance, step 104 is performed; if the decrypted switch authentication information differs from the switch authentication information obtained in advance and/or the decrypted controller authentication information differs from the controller authentication information obtained in advance, step 105 is performed.
Step 104: the SDN controller returns verification-success information to the SDN switch and the SDN switch returns verification-success information to the SDN controller; the flow ends.
Step 105: the SDN controller returns verification-failure information to the SDN switch and/or the SDN switch returns verification-failure information to the SDN controller.
In this embodiment, the order of execution of the steps can be changed as needed; for example, step 102 may be performed before step 101.
In the technical scheme of the authentication method provided by this embodiment, the SDN controller compares whether the switch authentication information obtained by decryption is identical to the switch authentication information obtained in advance, and the SDN switch compares whether the controller authentication information obtained by decryption is identical to the controller authentication information obtained in advance; if the SDN controller finds that the decrypted switch authentication information is identical to the switch authentication information obtained in advance and the SDN switch finds that the decrypted controller authentication information is identical to the controller authentication information obtained in advance, the SDN controller returns verification-success information to the SDN switch and the SDN switch returns verification-success information to the SDN controller. Mutual verification of identity legitimacy between the SDN controller and the SDN switch is thereby realized, which effectively ensures the security of data transmitted over the southbound channel.
Fig. 2 is a flow chart of an authentication method provided by Embodiment 2 of the present invention. As shown in Fig. 2, the method includes:
Step 201: a TCP connection is established between the SDN controller and the SDN switch, and the SDN controller and the SDN switch exchange Hello messages.
Step 202: the SDN controller generates a first private key.
In this embodiment, the first private key is the SDN controller's own private key, and the first private key is an RSA key.
Step 203: the SDN switch generates a second private key.
In this embodiment, the second private key is the SDN switch's own private key, and the second private key is an RSA key.
Step 204: the SDN controller sends the first public key of the SDN controller to the SDN switch.
In this embodiment, the first public key (Publickey_c) is the public key of the SDN controller, and the first public key is an RSA public key.
Step 205: the SDN switch sends the second public key of the SDN switch to the SDN controller.
In this embodiment, the second public key (Publickey_s) is the public key of the SDN switch, and the second public key is an RSA public key.
Step 206: the SDN switch encrypts the switch authentication information using the first public key to generate the first encrypted authentication information.
In this embodiment, the SDN switch can encrypt the switch authentication information with the first public key by the RSA encryption algorithm to generate the first encrypted authentication information (cert_c).
Step 207: the SDN controller encrypts the controller authentication information using the second public key to generate the second encrypted authentication information.
In this embodiment, the SDN controller encrypts the controller authentication information with the second public key by the RSA encryption algorithm to generate the second encrypted authentication information (cert_s).
Step 208: the SDN switch sends the first encrypted authentication information to the SDN controller.
Step 209: the SDN controller sends the second encrypted authentication information to the SDN switch.
Step 210: the SDN controller decrypts the first encrypted authentication information using the first private key to obtain the switch authentication information.
In this embodiment, the SDN controller decrypts the first encrypted authentication information with the first private key by the RSA algorithm to obtain the switch authentication information.
Step 211: the SDN switch decrypts the second encrypted authentication information using the second private key to obtain the controller authentication information.
In this embodiment, the SDN switch decrypts the second encrypted authentication information with the second private key by the RSA algorithm to obtain the controller authentication information.
Step 212: the SDN controller compares whether the switch authentication information obtained by decryption is identical to the switch authentication information obtained in advance, and the SDN switch compares whether the controller authentication information obtained by decryption is identical to the controller authentication information obtained in advance; if the decrypted switch authentication information is identical to the switch authentication information obtained in advance and the decrypted controller authentication information is identical to the controller authentication information obtained in advance, step 214 is performed; if the decrypted switch authentication information differs from the switch authentication information obtained in advance and/or the decrypted controller authentication information differs from the controller authentication information obtained in advance, step 213 is performed.
In this embodiment, an administrator can pre-set the switch authentication information in the SDN controller so that the SDN controller obtains the switch authentication information in advance, and can pre-set the controller authentication information in the SDN switch so that the SDN switch obtains the controller authentication information in advance.
Step 213: the SDN controller returns verification-failure information to the SDN switch and/or the SDN switch returns verification-failure information to the SDN controller, and the SDN controller and the SDN switch disconnect the TCP connection; the flow ends.
In this embodiment, if the SDN controller finds that the decrypted switch authentication information differs from the switch authentication information obtained in advance, it returns verification-failure information to the SDN switch; if the SDN switch finds that the decrypted controller authentication information differs from the controller authentication information obtained in advance, it returns verification-failure information to the SDN controller.
In this embodiment, if the SDN controller finds that the decrypted switch authentication information differs from the switch authentication information obtained in advance, it returns verification-failure information to the SDN switch; if the SDN switch finds that the decrypted controller authentication information is identical to the controller authentication information obtained in advance, it returns verification-success information to the SDN controller.
In this embodiment, if the SDN controller finds that the decrypted switch authentication information is identical to the switch authentication information obtained in advance, it returns verification-success information to the SDN switch; if the SDN switch finds that the decrypted controller authentication information differs from the controller authentication information obtained in advance, it returns verification-failure information to the SDN controller.
In this embodiment, if the SDN controller finds that the decrypted switch authentication information differs from the switch authentication information obtained in advance, it disconnects the TCP connection to the SDN switch, thereby disconnecting the TCP connection between the SDN controller and the SDN switch.
In this embodiment, if the SDN switch finds that the decrypted controller authentication information differs from the controller authentication information obtained in advance, it disconnects the TCP connection to the SDN controller, thereby disconnecting the TCP connection between the SDN controller and the SDN switch.
Step 214: the SDN controller returns verification-success information to the SDN switch and the SDN switch returns verification-success information to the SDN controller.
In this embodiment, if the SDN controller finds that the decrypted switch authentication information is identical to the switch authentication information obtained in advance, it returns verification-success information to the SDN switch.
In this embodiment, if the SDN switch finds that the decrypted controller authentication information is identical to the controller authentication information obtained in advance, it returns verification-success information to the SDN controller.
Step 215: the SDN controller sends a parameter acquisition request to the SDN switch.
Step 216: the SDN switch sends return information to the SDN controller, the return information including the identification information of the SDN switch.
In this embodiment, the identification information of the SDN switch can be a unique identifier of the SDN switch, and the identification information is used to identify the SDN switch.
Step 217: the SDN controller sends the identification information of the SDN switch to the authentication database.
Step 218: the authentication database queries whether the identification information of the SDN switch is stored locally; if so, step 219 is performed; if not, step 220 is performed.
Step 219: the authentication database returns error information to the SDN controller; the flow ends.
Step 220: the authentication database stores the identification information of the SDN switch and returns correct information to the SDN controller.
In this embodiment, the technical scheme of steps 215 to 220 uses the authentication database to prevent replay attacks by unauthorized SDN switches, so that an attacker cannot gain false access by replaying authentication information, which further ensures the security of data transmitted over the southbound channel.
In this embodiment, the order of execution of the steps can be changed as needed, and the order of the steps shown in this embodiment should not limit the scope of the invention.
In the technical scheme of the authentication method provided by this embodiment, the SDN controller compares whether the switch authentication information obtained by decryption is identical to the switch authentication information obtained in advance, and the SDN switch compares whether the controller authentication information obtained by decryption is identical to the controller authentication information obtained in advance; if the SDN controller finds that the decrypted switch authentication information is identical to the switch authentication information obtained in advance and the SDN switch finds that the decrypted controller authentication information is identical to the controller authentication information obtained in advance, the SDN controller returns verification-success information to the SDN switch and the SDN switch returns verification-success information to the SDN controller. Mutual verification of identity legitimacy between the SDN controller and the SDN switch is thereby realized, which effectively ensures the security of data transmitted over the southbound channel. This embodiment uses the RSA asymmetric encryption algorithm, which ensures the security of the ciphertext.
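As an added illustration that is not part of the patent, the following Python model walks through steps 201 to 220 of Embodiment 2: RSA key pairs for both sides (textbook RSA over constructed small primes, encrypted byte by byte, for demonstration only), encryption of the administrator-provisioned authentication information under the peer's public key, the comparison of step 212, the disconnect of step 213, and the authentication-database check of steps 217 to 220. The names `Peer`, `AuthenticationDatabase`, `run_session` and all secret and prime values are constructed here and do not come from the patent.

```python
"""Toy walk-through of the mutual authentication flow of CN107733929A (Embodiment 2)."""
from __future__ import annotations

from dataclasses import dataclass, field
from math import gcd


@dataclass(frozen=True)
class RsaKeyPair:
    """Textbook RSA over constructed small primes: demonstration only, not a real key size."""
    n: int
    e: int
    d: int

    @classmethod
    def from_primes(cls, p: int, q: int, e: int) -> RsaKeyPair:
        phi = (p - 1) * (q - 1)
        if gcd(e, phi) != 1:
            raise ValueError("e must be coprime with phi(n)")
        return cls(n=p * q, e=e, d=pow(e, -1, phi))

    def public(self) -> tuple[int, int]:
        """The (n, e) pair sent to the peer in step 204 / 205."""
        return (self.n, self.e)


def rsa_encrypt(public: tuple[int, int], message: bytes) -> list[int]:
    """Encrypt byte by byte; every byte is < 256 <= n for the keys used here."""
    n, e = public
    return [pow(b, e, n) for b in message]


def rsa_decrypt(key: RsaKeyPair, ciphertext: list[int]) -> bytes:
    """Inverse of rsa_encrypt; raises ValueError if a block does not decrypt to a byte."""
    return bytes(pow(c, key.d, key.n) for c in ciphertext)


@dataclass
class Peer:
    """An SDN controller or SDN switch (constructed model).

    own_auth_info is the authentication information this side proves; expected_peer_info
    is the value the administrator pre-set for the other side (the "obtained in advance"
    value compared in step 212).
    """
    name: str
    keys: RsaKeyPair
    own_auth_info: bytes
    expected_peer_info: bytes

    def make_cert(self, peer_public: tuple[int, int]) -> list[int]:
        """Steps 206 / 207: encrypt own authentication information under the peer's public key."""
        return rsa_encrypt(peer_public, self.own_auth_info)

    def verify_cert(self, cert: list[int]) -> bool:
        """Steps 210-212: decrypt with own private key and compare with the pre-set value."""
        try:
            return rsa_decrypt(self.keys, cert) == self.expected_peer_info
        except ValueError:          # ciphertext was not produced under this side's public key
            return False


def mutual_authenticate(controller: Peer, switch: Peer) -> tuple[bool, bool]:
    """Steps 204-212: returns (controller verified switch, switch verified controller)."""
    publickey_c = controller.keys.public()      # step 204: first public key
    publickey_s = switch.keys.public()          # step 205: second public key
    cert_c = switch.make_cert(publickey_c)      # step 206: first encrypted authentication information
    cert_s = controller.make_cert(publickey_s)  # step 207: second encrypted authentication information
    # steps 208 / 209 carry cert_c and cert_s over the TCP connection; steps 210-212 check them
    return controller.verify_cert(cert_c), switch.verify_cert(cert_s)


@dataclass
class AuthenticationDatabase:
    """Steps 217-220: a switch identifier is accepted once; a repeat is reported as an error."""
    seen: set[str] = field(default_factory=set)

    def register(self, switch_id: str) -> bool:
        if switch_id in self.seen:
            return False            # step 219: error information
        self.seen.add(switch_id)
        return True                 # step 220: store and return correct information


def run_session(controller: Peer, switch: Peer, switch_id: str, db: AuthenticationDatabase) -> str:
    """One authentication session; the string models the information returned over the channel."""
    controller_ok, switch_ok = mutual_authenticate(controller, switch)
    if not (controller_ok and switch_ok):
        return "verification failed, TCP connection disconnected"   # step 213
    if not db.register(switch_id):                                  # steps 215-219
        return "error: switch identification already registered"
    return "verification succeeded"                                 # steps 214 / 220


def build_demo() -> tuple[Peer, Peer, AuthenticationDatabase]:
    """Constructed sample deployment: secrets and primes are illustrative values only."""
    controller_secret = b"controller-secret-01"
    switch_secret = b"switch-secret-01"
    controller = Peer("controller", RsaKeyPair.from_primes(61, 53, 17),
                      own_auth_info=controller_secret, expected_peer_info=switch_secret)
    switch = Peer("switch", RsaKeyPair.from_primes(101, 103, 7),
                  own_auth_info=switch_secret, expected_peer_info=controller_secret)
    return controller, switch, AuthenticationDatabase()


if __name__ == "__main__":
    ctrl, sw, database = build_demo()
    print(run_session(ctrl, sw, "sw-0001", database))   # first access of this identifier
    print(run_session(ctrl, sw, "sw-0001", database))   # same identifier again: rejected
```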
Fig. 3 is a kind of structural representation for Verification System that the embodiment of the present invention three provides, as shown in figure 3, the system bag
Include:SDN controllers 1 and SDN switch 2.
SDN controllers 1 are used to the first encrypted authentication information be decrypted, and draw interchanger authentication information;Compare decryption
Whether the interchanger authentication information drawn and the interchanger authentication information obtained in advance are identical;If compare the exchange that decryption is drawn
Machine authentication information is identical with the interchanger authentication information obtained in advance and if SDN switch 2 compares the controller that decryption is drawn
When authentication information is identical with the controller authentication information obtained in advance, is returned to SDN switch 2 and be proved to be successful information;
SDN switch 2 is used to the second encrypted authentication information be decrypted, and draws controller authentication information;Compare decryption
Whether the controller authentication information drawn and the controller authentication information obtained in advance are identical;If compare the control that decryption is drawn
When device authentication information is identical with the controller authentication information obtained in advance and SDN controllers 1 compare the interchanger that decryption is drawn
When authentication information is identical with the interchanger authentication information obtained in advance, is returned to SDN controllers 1 and be proved to be successful information.
Further, if SDN controllers 1 are additionally operable to what is compared the decryption interchanger authentication information drawn and obtain in advance
Interchanger authentication information is different and/or SDN switch 2 is additionally operable to compare and decrypts the controller authentication information drawn and obtain in advance
The controller authentication information taken is different, and SDN controllers 1 return to authentication failed information and/or SDN switch 2 to SDN switch 2
Authentication failed information is returned to SDN controllers 1, and SDN controllers 1 connect with the separated TCP of SDN switch 2.
Further, the system also includes an authentication database 3.
SDN controller 1 is further configured to send a parameter acquisition request to SDN switch 2, and to send the identification information of the SDN switch to authentication database 3.
SDN switch 2 is further configured to send return information to SDN controller 1, the return information including the identification information of the SDN switch.
Authentication database 3 is configured to query whether the identification information of the SDN switch is already stored locally; if the query finds that the identification information of the SDN switch is already stored locally, to return error information to SDN controller 1; and if the query finds that the identification information of SDN switch 2 is not stored locally, to store the identification information of the SDN switch and return correct information to SDN controller 1.
In the technical scheme of the authentication system provided by this embodiment, the SDN controller compares whether the switch authentication information obtained by decryption is identical to the switch authentication information obtained in advance, and the SDN switch compares whether the controller authentication information obtained by decryption is identical to the controller authentication information obtained in advance. If the SDN controller finds the switch authentication information obtained by decryption identical to the switch authentication information obtained in advance, and the SDN switch finds the controller authentication information obtained by decryption identical to the controller authentication information obtained in advance, the SDN controller returns verification-success information to the SDN switch and the SDN switch returns verification-success information to the SDN controller. This realizes mutual verification of identity legitimacy between the SDN controller and the SDN switch, and so effectively ensures the security of the data transmitted over the southbound channel.
It is to be understood that the above embodiments are merely exemplary embodiments adopted to illustrate the principle of the present invention, and the invention is not limited thereto. Those skilled in the art can make various changes and modifications without departing from the spirit and essence of the present invention, and such changes and modifications are also regarded as falling within the protection scope of the present invention.
Claims (10)
- 1. An authentication method, characterized by comprising: an SDN controller decrypts first encrypted authentication information to obtain switch authentication information; an SDN switch decrypts second encrypted authentication information to obtain controller authentication information; the SDN controller compares whether the switch authentication information obtained by decryption is identical to switch authentication information obtained in advance, and the SDN switch compares whether the controller authentication information obtained by decryption is identical to controller authentication information obtained in advance; and if the SDN controller finds the switch authentication information obtained by decryption identical to the switch authentication information obtained in advance and the SDN switch finds the controller authentication information obtained by decryption identical to the controller authentication information obtained in advance, the SDN controller returns verification-success information to the SDN switch and the SDN switch returns verification-success information to the SDN controller.
- 2. The authentication method according to claim 1, characterized by further comprising: if the SDN controller finds the switch authentication information obtained by decryption different from the switch authentication information obtained in advance and/or the SDN switch finds the controller authentication information obtained by decryption different from the controller authentication information obtained in advance, the SDN controller returns verification-failure information to the SDN switch and/or the SDN switch returns verification-failure information to the SDN controller, and the SDN controller disconnects the TCP connection with the SDN switch.
- 3. The authentication method according to claim 1, characterized in that, after the SDN controller returns verification-success information to the SDN switch and the SDN switch returns verification-success information to the SDN controller, the method further comprises: the SDN controller sends a parameter acquisition request to the SDN switch; the SDN switch sends return information to the SDN controller, the return information including identification information of the SDN switch; the SDN controller sends the identification information of the SDN switch to an authentication database; the authentication database queries whether the identification information of the SDN switch is already stored locally; if the authentication database finds that the identification information of the SDN switch is already stored locally, it returns error information to the SDN controller; and if the authentication database finds that the identification information of the SDN switch is not stored locally, it stores the identification information of the SDN switch and returns correct information to the SDN controller.
- 4. The authentication method according to claim 1, characterized in that, before the SDN controller decrypts the first encrypted authentication information to obtain the switch authentication information, the method comprises: the SDN switch encrypts the switch authentication information using a first public key to generate the first encrypted authentication information; and the SDN switch sends the first encrypted authentication information to the SDN controller; and before the SDN switch decrypts the second encrypted authentication information to obtain the controller authentication information, the method comprises: the SDN controller encrypts the controller authentication information using a second public key to generate the second encrypted authentication information; and the SDN controller sends the second encrypted authentication information to the SDN switch.
- 5. The authentication method according to claim 4, characterized in that, before the SDN switch encrypts the switch authentication information using the first public key to generate the first encrypted authentication information, the method comprises: the SDN controller sends the first public key of the SDN controller to the SDN switch; and before the SDN controller encrypts the controller authentication information using the second public key to generate the second encrypted authentication information, the method comprises: the SDN switch sends the second public key of the SDN switch to the SDN controller.
- 6. The authentication method according to claim 4, characterized in that the SDN controller decrypting the first encrypted authentication information to obtain the switch authentication information comprises: the SDN controller decrypts the first encrypted authentication information using a first private key to obtain the switch authentication information; and the SDN switch decrypting the second encrypted authentication information to obtain the controller authentication information comprises: the SDN switch decrypts the second encrypted authentication information using a second private key to obtain the controller authentication information.
- 7. The authentication method according to claim 1, characterized in that, before the SDN controller decrypts the first encrypted authentication information to obtain the switch authentication information, the method comprises: establishing a TCP connection between the SDN controller and the SDN switch.
- 8. An authentication system, characterized by comprising an SDN controller and an SDN switch; the SDN controller is configured to decrypt first encrypted authentication information to obtain switch authentication information; to compare whether the switch authentication information obtained by decryption is identical to switch authentication information obtained in advance; and, if the switch authentication information obtained by decryption is identical to the switch authentication information obtained in advance and the SDN switch finds the controller authentication information obtained by decryption identical to the controller authentication information obtained in advance, to return verification-success information to the SDN switch; the SDN switch is configured to decrypt second encrypted authentication information to obtain controller authentication information; to compare whether the controller authentication information obtained by decryption is identical to controller authentication information obtained in advance; and, if the controller authentication information obtained by decryption is identical to the controller authentication information obtained in advance and the SDN controller finds the switch authentication information obtained by decryption identical to the switch authentication information obtained in advance, to return verification-success information to the SDN controller.
- 9. The authentication system according to claim 8, characterized in that, if the SDN controller finds the switch authentication information obtained by decryption different from the switch authentication information obtained in advance and/or the SDN switch finds the controller authentication information obtained by decryption different from the controller authentication information obtained in advance, the SDN controller is further configured to return verification-failure information to the SDN switch and/or the SDN switch is further configured to return verification-failure information to the SDN controller, and the SDN controller disconnects the TCP connection with the SDN switch.
- 10. The authentication system according to claim 8, characterized by further comprising an authentication database; the SDN controller is further configured to send a parameter acquisition request to the SDN switch, and to send the identification information of the SDN switch to the authentication database; the SDN switch is further configured to send return information to the SDN controller, the return information including the identification information of the SDN switch; and the authentication database is configured to query whether the identification information of the SDN switch is already stored locally; if the query finds that the identification information of the SDN switch is already stored locally, to return error information to the SDN controller; and if the query finds that the identification information of the SDN switch is not stored locally, to store the identification information of the SDN switch and return correct information to the SDN controller.
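As an added illustration of the exchange described in the system embodiment above and in claims 1 to 7 (example code, not the patent's own implementation): the two sides exchange public keys, each encrypts its authentication information under the peer's public key, the peer decrypts with its private key and compares the result with the value obtained in advance, any mismatch releases the TCP connection, and the authentication database step of claims 3 and 10 follows a successful verification. The patent names no cipher, so textbook RSA on small primes, the 4-byte tokens and the switch identifiers are constructed stand-ins.

```python
import hmac


def toy_rsa_keypair(p, q, e=65537):
    """Textbook RSA on small primes: a constructed stand-in for the unnamed cipher."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


class Peer:
    """SDN controller or switch: key pair, own authentication information, and
    the peer's authentication information obtained in advance."""

    def __init__(self, p, q, own_auth_info, expected_peer_auth_info):
        self.pub, self.priv = toy_rsa_keypair(p, q)
        self.own_auth_info = own_auth_info
        self.expected = expected_peer_auth_info
        self.peer_pub = None  # set by the public key exchange (claim 5)

    def encrypted_auth_info(self):
        # own authentication information encrypted under the peer's public key (claim 4)
        e, n = self.peer_pub
        return pow(int.from_bytes(self.own_auth_info, "big"), e, n)

    def verify(self, ciphertext):
        # decrypt with own private key (claim 6), then constant-time compare
        # against the authentication information obtained in advance
        d, n = self.priv
        m = pow(ciphertext, d, n)
        got = m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")
        return hmac.compare_digest(got, self.expected)


class AuthDatabase:
    """Stores switch identification information; a repeat is an error (claims 3, 10)."""

    def __init__(self):
        self.identifiers = set()

    def register(self, switch_id):
        if switch_id in self.identifiers:
            return "error"
        self.identifiers.add(switch_id)
        return "correct"


def mutual_authenticate(controller, switch, db, switch_id, tamper=False):
    """Run the exchange over an established TCP connection (claim 7);
    returns (verified, tcp_connected, db_result)."""
    controller.peer_pub, switch.peer_pub = switch.pub, controller.pub  # claim 5
    c1 = switch.encrypted_auth_info()      # first encrypted authentication information
    c2 = controller.encrypted_auth_info()  # second encrypted authentication information
    if tamper:  # constructed on-path modification of the first message
        c1 = (c1 + 1) % controller.pub[1]
    ok_controller, ok_switch = controller.verify(c1), switch.verify(c2)
    if not (ok_controller and ok_switch):
        return False, False, None  # failure information returned, TCP released (claim 2)
    return True, True, db.register(switch_id)  # parameter acquisition step (claim 3)
```

A second registration of the same switch identifier returns "error", which is the authentication database's signal to the controller that the identifier was already stored.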
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711234947.9A CN107733929B (en) | 2017-11-30 | 2017-11-30 | Authentication method and authentication system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711234947.9A CN107733929B (en) | 2017-11-30 | 2017-11-30 | Authentication method and authentication system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107733929A true CN107733929A (en) | 2018-02-23 |
CN107733929B CN107733929B (en) | 2020-04-10 |
Family
ID=61220707
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711234947.9A Active CN107733929B (en) | 2017-11-30 | 2017-11-30 | Authentication method and authentication system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107733929B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108768932A (en) * | 2018-04-09 | 2018-11-06 | 中国电信股份有限公司上海分公司 | A kind of secure connection method of lightweight SDN switch and controller |
CN110719301A (en) * | 2019-11-19 | 2020-01-21 | 武汉思普崚技术有限公司 | Attack defense method and system for flow adaptive scheduling |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104185972A (en) * | 2012-03-05 | 2014-12-03 | 日本电气株式会社 | Network system, switch, and network building method |
CN104702607A (en) * | 2015-03-12 | 2015-06-10 | 杭州华三通信技术有限公司 | Access authentication method, device and system of SDN (Software Defined Network) |
CN104780069A (en) * | 2015-04-16 | 2015-07-15 | 中国科学院计算技术研究所 | SDN-oriented self-configuration method and system for communication channel between control layer and data layer |
US9210615B2 (en) * | 2012-09-17 | 2015-12-08 | Brocade Communications Systems, Inc. | Method and system for elastic and resilient 3G/4G mobile packet networking for subscriber data flow using virtualized switching and forwarding |
CN105471845A (en) * | 2015-11-16 | 2016-04-06 | 数据通信科学技术研究所 | Communication method and communication system for preventing man-in-the-middle attack |
CN105933125A (en) * | 2016-07-07 | 2016-09-07 | 北京邮电大学 | Method and device for southing security authentication in software-defined networking |
- 2017-11-30 CN CN201711234947.9A patent/CN107733929B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN107733929B (en) | 2020-04-10 |
Similar Documents
Publication | Title |
---|---|
CN111835752B (en) | Lightweight authentication method based on equipment identity and gateway |
CN110035433B (en) | Verification method and device adopting shared secret key, public key and private key |
US10015159B2 (en) | Terminal authentication system, server device, and terminal authentication method |
CN107800539B (en) | Authentication method, authentication device and authentication system |
CN111416807B (en) | Data acquisition method, device and storage medium |
CN108366063B (en) | Data communication method and device of intelligent equipment and equipment thereof |
US10581589B2 (en) | Method for the authentication of a first electronic entity by a second electronic entity, and electronic entity implementing such a method |
CN108683501B (en) | Multiple identity authentication system and method with timestamp as random number based on quantum communication network |
CN109155732B (en) | Method and apparatus for establishing secure communications between network devices |
CN105245341A (en) | Remote identity authentication method and system and remote account opening method and system |
CN108347404B (en) | Identity authentication method and device |
CN108650028B (en) | Multiple identity authentication system and method based on quantum communication network and true random number |
CN111181723B (en) | Method and device for offline security authentication between Internet of things devices |
JP2002344438A (en) | Key sharing system, key sharing device and program thereof |
CN112351037B (en) | Information processing method and device for secure communication |
CN101102186A (en) | Method for implementing general authentication framework service push |
CN110808991B (en) | Method, system, electronic device and storage medium for secure communication connection |
CN110690966B (en) | Method, system, equipment and storage medium for connecting terminal and service server |
WO2018127118A1 (en) | Identity authentication method and device |
CN110913390A (en) | Anti-quantum computing vehicle networking method and system based on identity secret sharing |
CN105142134A (en) | Parameter obtaining and transmission methods/devices |
CN110493177B (en) | Method and system for quantum communication service station AKA key negotiation based on asymmetric key pool pair and serial number |
CN107733929A (en) | Authentication method and Verification System |
CN108932425B (en) | Offline identity authentication method, authentication system and authentication equipment |
CN114760046A (en) | Identity authentication method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||