CN107733929A - Authentication method and authentication system - Google Patents

Authentication method and authentication system

Info

Publication number: CN107733929A
Application number: CN201711234947.9A
Authority: CN (China)
Original language: Chinese (zh)
Other versions: CN107733929B (granted publication)
Legal status: Granted, active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Inventors: 侯乐, 徐雷
Original and current assignee: China United Network Communications Group Co Ltd (as listed by Google Patents; not the result of a legal analysis)
Prior art keywords: authentication information, SDN, information, switch, authentication

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication

Abstract

The invention discloses an authentication method and an authentication system. The method includes: an SDN controller decrypts first encrypted authentication information to obtain switch authentication information; an SDN switch decrypts second encrypted authentication information to obtain controller authentication information; the SDN controller compares the switch authentication information obtained by decryption with switch authentication information obtained in advance, and the SDN switch compares the controller authentication information obtained by decryption with controller authentication information obtained in advance; if the SDN controller finds that the switch authentication information obtained by decryption is identical to the switch authentication information obtained in advance, and the SDN switch finds that the controller authentication information obtained by decryption is identical to the controller authentication information obtained in advance, the SDN controller returns a verification-success message to the SDN switch and the SDN switch returns a verification-success message to the SDN controller. The invention effectively ensures the security of data transmitted over the southbound channel.

Description

Authentication method and Verification System
Technical field
The present invention relates to the field of communication technology, and in particular to an authentication method and an authentication system.
Background art
At present, software-defined networking (SDN) uses OpenFlow as its mainstream southbound communication protocol, which is responsible for communication between the controller and the switch. A switch establishes its connection to the controller in one of two ways: a connection based on TLS, or a connection over plain TCP.
To secure the southbound interface, the prior art implements the security authentication function using the TLS connection mode. This scheme depends on certificate files issued by a security authentication center (a certificate authority). When the switch and the controller establish a connection, they exchange the certificate files distributed by the authentication center; after obtaining the certificate file, each party decrypts it with the authentication center's key and then checks the decrypted information to determine whether the identity of the switch currently accessing the network is valid. For the TLS connection mode currently used by OpenFlow, the channel can be secured only if a certificate authorized by a third-party authentication center is available. First, in some application scenarios, such as a group private network, the user does not want the switches that access the network to have certificates issued by an authentication center and copied onto each switch or controller. Second, the current version of the OpenFlow protocol treats the TLS connection mode merely as an option, so an attacker can still specify the plain TCP connection mode and perform a false (unauthorized) access.
In the plain TCP connection mode, the switch and the controller speaking the OpenFlow protocol establish their channel over a TCP connection. Although this mode is efficient and relatively reliable, there are no effective measures to ensure the security of data transmitted over the southbound channel.
Summary of the invention
The present invention provides an authentication method and an authentication system for ensuring the security of data transmitted over the southbound channel.
To achieve the above object, the invention provides an authentication method, including:
an SDN controller decrypts first encrypted authentication information to obtain switch authentication information;
an SDN switch decrypts second encrypted authentication information to obtain controller authentication information;
the SDN controller compares the switch authentication information obtained by decryption with switch authentication information obtained in advance, and the SDN switch compares the controller authentication information obtained by decryption with controller authentication information obtained in advance;
if the SDN controller finds that the switch authentication information obtained by decryption is identical to the switch authentication information obtained in advance, and the SDN switch finds that the controller authentication information obtained by decryption is identical to the controller authentication information obtained in advance, the SDN controller returns a verification-success message to the SDN switch and the SDN switch returns a verification-success message to the SDN controller.
Optionally, the method further includes:
if the SDN controller finds that the switch authentication information obtained by decryption differs from the switch authentication information obtained in advance, and/or the SDN switch finds that the controller authentication information obtained by decryption differs from the controller authentication information obtained in advance, the SDN controller returns a verification-failure message to the SDN switch and/or the SDN switch returns a verification-failure message to the SDN controller, and the SDN controller disconnects the TCP connection with the SDN switch.
Optionally, after the SDN controller returns the verification-success message to the SDN switch and the SDN switch returns the verification-success message to the SDN controller, the method further includes:
the SDN controller sends a parameter acquisition request to the SDN switch;
the SDN switch sends a reply to the SDN controller, the reply including the identification information of the SDN switch;
the SDN controller sends the identification information of the SDN switch to an authentication database;
the authentication database queries whether the identification information of the SDN switch is already stored locally;
if the authentication database finds that the identification information of the SDN switch is already stored locally, it returns an error message to the SDN controller;
if the authentication database finds that the identification information of the SDN switch is not stored locally, it stores the identification information of the SDN switch and returns a success message to the SDN controller.
Optionally, before the SDN controller decrypts the first encrypted authentication information to obtain the switch authentication information, the method includes:
the SDN switch encrypts the switch authentication information with a first public key to generate the first encrypted authentication information;
the SDN switch sends the first encrypted authentication information to the SDN controller;
and before the SDN switch decrypts the second encrypted authentication information to obtain the controller authentication information, the method includes:
the SDN controller encrypts the controller authentication information with a second public key to generate the second encrypted authentication information;
the SDN controller sends the second encrypted authentication information to the SDN switch.
Optionally, before the SDN switch encrypts the switch authentication information with the first public key to generate the first encrypted authentication information, the method includes:
the SDN controller sends the first public key, which is the public key of the SDN controller, to the SDN switch;
and before the SDN controller encrypts the controller authentication information with the second public key to generate the second encrypted authentication information, the method includes:
the SDN switch sends the second public key, which is the public key of the SDN switch, to the SDN controller.
Optionally, the SDN controller decrypting the first encrypted authentication information to obtain the switch authentication information includes:
the SDN controller decrypts the first encrypted authentication information with a first private key to obtain the switch authentication information;
and the SDN switch decrypting the second encrypted authentication information to obtain the controller authentication information includes:
the SDN switch decrypts the second encrypted authentication information with a second private key to obtain the controller authentication information.
Optionally, before the SDN controller decrypts the first encrypted authentication information to obtain the switch authentication information, the method includes:
establishing a TCP connection between the SDN controller and the SDN switch.
To achieve the above object, the invention also provides an authentication system, including an SDN controller and an SDN switch, wherein:
the SDN controller is configured to decrypt first encrypted authentication information to obtain switch authentication information; to compare the switch authentication information obtained by decryption with switch authentication information obtained in advance; and, if the switch authentication information obtained by decryption is identical to the switch authentication information obtained in advance and the SDN switch finds that the controller authentication information obtained by decryption is identical to the controller authentication information obtained in advance, to return a verification-success message to the SDN switch;
the SDN switch is configured to decrypt second encrypted authentication information to obtain controller authentication information; to compare the controller authentication information obtained by decryption with controller authentication information obtained in advance; and, if the controller authentication information obtained by decryption is identical to the controller authentication information obtained in advance and the SDN controller finds that the switch authentication information obtained by decryption is identical to the switch authentication information obtained in advance, to return a verification-success message to the SDN controller.
Optionally, the SDN controller is further configured, if the switch authentication information obtained by decryption differs from the switch authentication information obtained in advance, and/or the SDN switch is further configured, if the controller authentication information obtained by decryption differs from the controller authentication information obtained in advance, so that the SDN controller returns a verification-failure message to the SDN switch and/or the SDN switch returns a verification-failure message to the SDN controller, and the SDN controller disconnects the TCP connection with the SDN switch.
Optionally, the system further includes an authentication database, wherein:
the SDN controller is further configured to send a parameter acquisition request to the SDN switch and to send the identification information of the SDN switch to the authentication database;
the SDN switch is further configured to send a reply to the SDN controller, the reply including the identification information of the SDN switch;
the authentication database is configured to query whether the identification information of the SDN switch is already stored locally; if it finds that the identification information of the SDN switch is already stored locally, to return an error message to the SDN controller; and if it finds that the identification information of the SDN switch is not stored locally, to store the identification information of the SDN switch and return a success message to the SDN controller.
The invention has the following advantages:
In the technical scheme of the authentication method and authentication system provided by the invention, the SDN controller compares the switch authentication information obtained by decryption with the switch authentication information obtained in advance, and the SDN switch compares the controller authentication information obtained by decryption with the controller authentication information obtained in advance; if the SDN controller finds the switch authentication information identical and the SDN switch finds the controller authentication information identical, the SDN controller returns a verification-success message to the SDN switch and the SDN switch returns a verification-success message to the SDN controller. This realizes mutual verification of identity legitimacy between the SDN controller and the SDN switch, thereby effectively ensuring the security of data transmitted over the southbound channel.
Brief description of the drawings
Fig. 1 is a flowchart of an authentication method provided by embodiment one of the present invention;
Fig. 2 is a flowchart of an authentication method provided by embodiment two of the present invention;
Fig. 3 is a schematic structural diagram of an authentication system provided by embodiment three of the present invention.
Detailed description of the embodiments
To help those skilled in the art better understand the technical scheme of the present invention, the authentication method and authentication system provided by the present invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a flowchart of an authentication method provided by embodiment one of the present invention. As shown in Fig. 1, the method includes:
Step 101: the SDN controller decrypts first encrypted authentication information to obtain switch authentication information.
Step 102: the SDN switch decrypts second encrypted authentication information to obtain controller authentication information.
Step 103: the SDN controller compares the switch authentication information obtained by decryption with switch authentication information obtained in advance, and the SDN switch compares the controller authentication information obtained by decryption with controller authentication information obtained in advance. If the SDN controller finds that the switch authentication information obtained by decryption is identical to the switch authentication information obtained in advance, and the SDN switch finds that the controller authentication information obtained by decryption is identical to the controller authentication information obtained in advance, step 104 is performed; if the switch authentication information obtained by decryption differs from the switch authentication information obtained in advance and/or the controller authentication information obtained by decryption differs from the controller authentication information obtained in advance, step 105 is performed.
Step 104: the SDN controller returns a verification-success message to the SDN switch and the SDN switch returns a verification-success message to the SDN controller; the flow ends.
Step 105: the SDN controller returns a verification-failure message to the SDN switch and/or the SDN switch returns a verification-failure message to the SDN controller.
The execution order of the steps in this embodiment can be changed as required; for example, step 102 may be performed before step 101.
In the technical scheme of the authentication method provided by this embodiment, the SDN controller compares the switch authentication information obtained by decryption with the switch authentication information obtained in advance, and the SDN switch compares the controller authentication information obtained by decryption with the controller authentication information obtained in advance; if the SDN controller finds the switch authentication information identical and the SDN switch finds the controller authentication information identical, the SDN controller returns a verification-success message to the SDN switch and the SDN switch returns a verification-success message to the SDN controller. This realizes mutual verification of identity legitimacy between the SDN controller and the SDN switch, thereby effectively ensuring the security of data transmitted over the southbound channel.
Fig. 2 is a flowchart of an authentication method provided by embodiment two of the present invention. As shown in Fig. 2, the method includes:
Step 201: a TCP connection is established between the SDN controller and the SDN switch, and the SDN controller and the SDN switch exchange Hello messages.
Step 202: the SDN controller generates a first private key.
In this embodiment, the first private key is the SDN controller's own private key, and it is an RSA key.
Step 203: the SDN switch generates a second private key.
In this embodiment, the second private key is the SDN switch's own private key, and it is an RSA key.
Step 204: the SDN controller sends the first public key of the SDN controller to the SDN switch.
In this embodiment, the first public key (Publickey_c) is the public key of the SDN controller, and it is an RSA public key.
Step 205: the SDN switch sends the second public key of the SDN switch to the SDN controller.
In this embodiment, the second public key (Publickey_s) is the public key of the SDN switch, and it is an RSA public key.
Step 206: the SDN switch encrypts the switch authentication information with the first public key to generate the first encrypted authentication information.
In this embodiment, the SDN switch can encrypt the switch authentication information with the first public key using the RSA encryption algorithm to generate the first encrypted authentication information (cert_c).
Step 207: the SDN controller encrypts the controller authentication information with the second public key to generate the second encrypted authentication information.
In this embodiment, the SDN controller encrypts the controller authentication information with the second public key using the RSA encryption algorithm to generate the second encrypted authentication information (cert_s).
Step 208: the SDN switch sends the first encrypted authentication information to the SDN controller.
Step 209: the SDN controller sends the second encrypted authentication information to the SDN switch.
Step 210: the SDN controller decrypts the first encrypted authentication information with the first private key to obtain the switch authentication information.
In this embodiment, the SDN controller decrypts the first encrypted authentication information with the first private key using the RSA algorithm to obtain the switch authentication information.
Step 211: the SDN switch decrypts the second encrypted authentication information with the second private key to obtain the controller authentication information.
In this embodiment, the SDN switch decrypts the second encrypted authentication information with the second private key using the RSA algorithm to obtain the controller authentication information.
Step 212: the SDN controller compares the switch authentication information obtained by decryption with the switch authentication information obtained in advance, and the SDN switch compares the controller authentication information obtained by decryption with the controller authentication information obtained in advance. If the switch authentication information obtained by decryption is identical to the switch authentication information obtained in advance and the controller authentication information obtained by decryption is identical to the controller authentication information obtained in advance, step 214 is performed; if the switch authentication information obtained by decryption differs from the switch authentication information obtained in advance and/or the controller authentication information obtained by decryption differs from the controller authentication information obtained in advance, step 213 is performed.
In this embodiment, the administrator can pre-configure the switch authentication information on the SDN controller, so that the SDN controller obtains the switch authentication information in advance, and can pre-configure the controller authentication information on the SDN switch, so that the SDN switch obtains the controller authentication information in advance.
Step 213: the SDN controller returns a verification-failure message to the SDN switch and/or the SDN switch returns a verification-failure message to the SDN controller, and the SDN controller disconnects the TCP connection with the SDN switch; the flow ends.
In this embodiment, if the SDN controller finds that the switch authentication information obtained by decryption differs from the switch authentication information obtained in advance, it returns a verification-failure message to the SDN switch; if the SDN switch finds that the controller authentication information obtained by decryption differs from the controller authentication information obtained in advance, it returns a verification-failure message to the SDN controller.
In this embodiment, if the SDN controller finds that the switch authentication information obtained by decryption differs from the switch authentication information obtained in advance, it returns a verification-failure message to the SDN switch; if the SDN switch finds that the controller authentication information obtained by decryption is identical to the controller authentication information obtained in advance, it returns a verification-success message to the SDN controller.
In this embodiment, if the SDN controller finds that the switch authentication information obtained by decryption is identical to the switch authentication information obtained in advance, it returns a verification-success message to the SDN switch; if the SDN switch finds that the controller authentication information obtained by decryption differs from the controller authentication information obtained in advance, it returns a verification-failure message to the SDN controller.
In this embodiment, if the SDN controller finds that the switch authentication information obtained by decryption differs from the switch authentication information obtained in advance, it disconnects the TCP connection with the SDN switch, so that the TCP connection between the SDN controller and the SDN switch is torn down.
In this embodiment, if the SDN switch finds that the controller authentication information obtained by decryption differs from the controller authentication information obtained in advance, it disconnects the TCP connection with the SDN controller, so that the TCP connection between the SDN controller and the SDN switch is torn down.
Step 214: the SDN controller returns a verification-success message to the SDN switch and the SDN switch returns a verification-success message to the SDN controller.
In this embodiment, if the SDN controller finds that the switch authentication information obtained by decryption is identical to the switch authentication information obtained in advance, it returns a verification-success message to the SDN switch.
In this embodiment, if the SDN switch finds that the controller authentication information obtained by decryption is identical to the controller authentication information obtained in advance, it returns a verification-success message to the SDN controller.
Step 215: the SDN controller sends a parameter acquisition request to the SDN switch.
Step 216: the SDN switch sends a reply to the SDN controller, the reply including the identification information of the SDN switch.
In this embodiment, the identification information of the SDN switch can be a unique identifier of the SDN switch, which is used to identify the SDN switch.
Step 217: the SDN controller sends the identification information of the SDN switch to the authentication database.
Step 218: the authentication database queries whether the identification information of the SDN switch is already stored locally; if so, step 219 is performed, otherwise step 220 is performed.
Step 219: the authentication database returns an error message to the SDN controller; the flow ends.
Step 220: the authentication database stores the identification information of the SDN switch and returns a success message to the SDN controller.
In this embodiment, the technical scheme of steps 215 to 220 uses the authentication database to prevent a replay attack by an unauthorized SDN switch, so that an attacker cannot perform a false access by replaying authentication information, which further ensures the security of data transmitted over the southbound channel.
The execution order of the steps in this embodiment can be changed as required, and the order shown in this embodiment should not be taken as limiting the scope of the invention.
In the technical scheme of the authentication method provided by this embodiment, the SDN controller compares the switch authentication information obtained by decryption with the switch authentication information obtained in advance, and the SDN switch compares the controller authentication information obtained by decryption with the controller authentication information obtained in advance; if the SDN controller finds the switch authentication information identical and the SDN switch finds the controller authentication information identical, the SDN controller returns a verification-success message to the SDN switch and the SDN switch returns a verification-success message to the SDN controller. This realizes mutual verification of identity legitimacy between the SDN controller and the SDN switch, thereby effectively ensuring the security of data transmitted over the southbound channel. This embodiment uses the RSA asymmetric encryption algorithm, thereby ensuring the security of the ciphertext.
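The flow of steps 201 to 220 (and the optional steps listed in the summary above), as an added example that is not part of the patent and not the applicant's code. It simulates both endpoints of the southbound channel in one Python process: the names Party, AuthDatabase and southbound_handshake, the credential strings and the switch identifier are constructed for the example, and the RSA implementation is a pure-Python toy with 512-bit keys and a simple randomised padding so that the block runs offline (a deployment would use a vetted library, 2048-bit or larger keys and OAEP). The comments map each call to the step numbers of Fig. 2 and to the names Publickey_c, Publickey_s, cert_c and cert_s used above.

```python
# Added example, not the patent's code: the Fig. 2 flow (steps 201-220) simulated in one process.
# Assumed, not in the page: the authentication information is an opaque byte string provisioned on
# both sides by the administrator; the switch identifier is an opaque string; RSA is a pure-Python
# toy (512-bit keys, simple randomised padding) so that the block runs offline.
import hmac
import secrets
from dataclasses import dataclass, field


def _is_probable_prime(n: int, rounds: int = 20) -> bool:  # Miller-Rabin; n is a large odd candidate
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_generate(bits: int = 512):
    """Steps 202/203: return ((n, e), (n, d)). Toy size; use >= 2048 bits in practice."""
    e, primes = 65537, []
    while len(primes) < 2:
        cand = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # top and low bit set
        if _is_probable_prime(cand) and cand not in primes and (cand - 1) % e != 0:
            primes.append(cand)  # (cand - 1) % e != 0 keeps gcd(e, phi) == 1
    p, q = primes
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))


def rsa_encrypt(pub, plaintext: bytes) -> bytes:
    """Pad as [>=8 random non-zero bytes][0x00][plaintext] (k-1 bytes, hence < n), then m^e mod n."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    pad_len = k - 2 - len(plaintext)
    if pad_len < 8:
        raise ValueError("plaintext too long for this key")
    pad = bytes(secrets.randbelow(255) + 1 for _ in range(pad_len))
    m = int.from_bytes(pad + b"\x00" + plaintext, "big")
    return pow(m, e, n).to_bytes(k, "big")


def rsa_decrypt(priv, ciphertext: bytes) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    padded = pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(k, "big")
    sep = padded.find(b"\x00", 1)  # padded[0] is the zero byte from widening to k bytes
    if padded[0] != 0 or padded[1] == 0 or sep < 9:
        raise ValueError("bad padding")  # wrong key or tampered ciphertext
    return padded[sep + 1:]


@dataclass
class AuthDatabase:  # steps 218-220: remembers every switch identifier already admitted
    known_switch_ids: set = field(default_factory=set)

    def admit(self, switch_id: str) -> bool:
        if switch_id in self.known_switch_ids:
            return False  # step 219: identifier already stored -> error message
        self.known_switch_ids.add(switch_id)
        return True  # step 220: store it -> success message


class Party:  # one endpoint of the southbound channel: the controller or the switch
    def __init__(self, own_auth_info: bytes, expected_peer_auth_info: bytes):
        self.own_auth_info = own_auth_info  # what this side proves it holds
        self.expected_peer_auth_info = expected_peer_auth_info  # provisioned by the administrator
        self.public_key, self._private_key = rsa_generate()
        self.peer_public_key, self.tcp_connected = None, True  # step 201

    def encrypted_auth_info(self) -> bytes:  # steps 206/207: encrypt with the peer's public key
        return rsa_encrypt(self.peer_public_key, self.own_auth_info)

    def verify(self, ciphertext: bytes) -> bool:  # steps 210-213
        try:
            recovered = rsa_decrypt(self._private_key, ciphertext)
        except ValueError:
            recovered = b""
        ok = hmac.compare_digest(recovered, self.expected_peer_auth_info)  # constant-time compare
        self.tcp_connected = self.tcp_connected and ok  # step 213: a failure drops the TCP connection
        return ok


def southbound_handshake(controller: Party, switch: Party, switch_id: str, db: AuthDatabase) -> dict:
    """Run Fig. 2 end to end; the returned dict records what each side concluded."""
    switch.peer_public_key = controller.public_key  # step 204: Publickey_c, sent in the clear
    controller.peer_public_key = switch.public_key  # step 205: Publickey_s
    cert_c = switch.encrypted_auth_info()  # steps 206/208: first encrypted authentication information
    cert_s = controller.encrypted_auth_info()  # steps 207/209: second encrypted authentication information
    ok_c, ok_s = controller.verify(cert_c), switch.verify(cert_s)  # steps 210-212
    admitted = db.admit(switch_id) if ok_c and ok_s else None  # step 214, then steps 215-220
    return {"controller_verified_switch": ok_c, "switch_verified_controller": ok_s,
            "tcp_connected": controller.tcp_connected and switch.tcp_connected, "switch_admitted": admitted}


if __name__ == "__main__":  # constructed sample credentials and datapath identifier
    db = AuthDatabase()
    ctrl = Party(b"controller-auth-info", expected_peer_auth_info=b"switch-auth-info")
    sw = Party(b"switch-auth-info", expected_peer_auth_info=b"controller-auth-info")
    print(southbound_handshake(ctrl, sw, "00:00:00:00:00:00:00:01", db))
```

As in the flow described above, the two public keys travel in the clear over the freshly established TCP connection, so what the handshake proves rests on the pre-provisioned authentication information staying secret on both sides; the comparison in verify uses hmac.compare_digest so that a mismatch does not leak through timing, and a side whose comparison fails drops the connection before the parameter request of step 215. The randomised padding means that encrypting the same authentication information twice yields different ciphertexts, and the AuthDatabase.admit check refuses a switch identifier it has already admitted, which is the check steps 215 to 220 describe.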
Fig. 3 is a kind of structural representation for Verification System that the embodiment of the present invention three provides, as shown in figure 3, the system bag Include:SDN controllers 1 and SDN switch 2.
SDN controllers 1 are used to the first encrypted authentication information be decrypted, and draw interchanger authentication information;Compare decryption Whether the interchanger authentication information drawn and the interchanger authentication information obtained in advance are identical;If compare the exchange that decryption is drawn Machine authentication information is identical with the interchanger authentication information obtained in advance and if SDN switch 2 compares the controller that decryption is drawn When authentication information is identical with the controller authentication information obtained in advance, is returned to SDN switch 2 and be proved to be successful information;
SDN switch 2 is used to the second encrypted authentication information be decrypted, and draws controller authentication information;Compare decryption Whether the controller authentication information drawn and the controller authentication information obtained in advance are identical;If compare the control that decryption is drawn When device authentication information is identical with the controller authentication information obtained in advance and SDN controllers 1 compare the interchanger that decryption is drawn When authentication information is identical with the interchanger authentication information obtained in advance, is returned to SDN controllers 1 and be proved to be successful information.
Further, if the SDN controller 1 finds the decrypted switch authentication information different from the switch authentication information obtained in advance, and/or the SDN switch 2 finds the decrypted controller authentication information different from the controller authentication information obtained in advance, the SDN controller 1 returns verification-failure information to the SDN switch 2 and/or the SDN switch 2 returns verification-failure information to the SDN controller 1, and the SDN controller 1 and the SDN switch 2 disconnect the TCP connection.
Further, the system also includes an authentication database 3.
The SDN controller 1 is further configured to send a parameter acquisition request to the SDN switch 2, and to send the identification information of the SDN switch 2 to the authentication database 3.
The SDN switch 2 is further configured to send return information to the SDN controller 1, the return information including the identification information of the SDN switch 2.
The authentication database 3 is configured to query whether the identification information of the SDN switch 2 is already stored locally; if the identification information of the SDN switch 2 is found to be stored locally, to return error information to the SDN controller 1; and if the identification information of the SDN switch 2 is found not to be stored locally, to store the identification information of the SDN switch 2 and return correct information to the SDN controller 1.
In the authentication system provided by this embodiment, the SDN controller compares the switch authentication information obtained by decryption with the switch authentication information obtained in advance, and the SDN switch compares the controller authentication information obtained by decryption with the controller authentication information obtained in advance. Only when both comparisons find the information identical does the SDN controller return verification-success information to the SDN switch and the SDN switch return verification-success information to the SDN controller. Mutual verification of identity legitimacy between the SDN controller and the SDN switch is thereby achieved, which effectively protects the security of the data transmitted over the southbound channel.
It should be understood that the above embodiments are merely exemplary embodiments adopted to illustrate the principles of the present invention, and the invention is not limited thereto. Those skilled in the art may make various changes and modifications without departing from the spirit and essence of the present invention, and such changes and modifications are also deemed to fall within the scope of protection of the present invention.

Claims (10)

  1. An authentication method, characterized by comprising:
    an SDN controller decrypting first encrypted authentication information to obtain switch authentication information;
    an SDN switch decrypting second encrypted authentication information to obtain controller authentication information;
    the SDN controller comparing whether the decrypted switch authentication information is identical to switch authentication information obtained in advance, and the SDN switch comparing whether the decrypted controller authentication information is identical to controller authentication information obtained in advance;
    if the SDN controller finds the decrypted switch authentication information identical to the switch authentication information obtained in advance, and if the SDN switch finds the decrypted controller authentication information identical to the controller authentication information obtained in advance, the SDN controller returning verification-success information to the SDN switch and the SDN switch returning verification-success information to the SDN controller.
  2. The authentication method according to claim 1, characterized by further comprising:
    if the SDN controller finds the decrypted switch authentication information different from the switch authentication information obtained in advance, and/or the SDN switch finds the decrypted controller authentication information different from the controller authentication information obtained in advance, the SDN controller returning verification-failure information to the SDN switch and/or the SDN switch returning verification-failure information to the SDN controller, and the SDN controller and the SDN switch disconnecting the TCP connection.
  3. The authentication method according to claim 1, characterized in that, after the SDN controller returns verification-success information to the SDN switch and the SDN switch returns verification-success information to the SDN controller, the method further comprises:
    the SDN controller sending a parameter acquisition request to the SDN switch;
    the SDN switch sending return information to the SDN controller, the return information including identification information of the SDN switch;
    the SDN controller sending the identification information of the SDN switch to an authentication database;
    the authentication database querying whether the identification information of the SDN switch is already stored locally;
    if the authentication database finds that the identification information of the SDN switch is already stored locally, returning error information to the SDN controller;
    if the authentication database finds that the identification information of the SDN switch is not stored locally, storing the identification information of the SDN switch and returning correct information to the SDN controller.
  4. The authentication method according to claim 1, characterized in that, before the SDN controller decrypts the first encrypted authentication information to obtain the switch authentication information, the method comprises:
    the SDN switch encrypting the switch authentication information with a first public key to generate the first encrypted authentication information;
    the SDN switch sending the first encrypted authentication information to the SDN controller;
    and before the SDN switch decrypts the second encrypted authentication information to obtain the controller authentication information, the method comprises:
    the SDN controller encrypting the controller authentication information with a second public key to generate the second encrypted authentication information;
    the SDN controller sending the second encrypted authentication information to the SDN switch.
  5. The authentication method according to claim 4, characterized in that, before the SDN switch encrypts the switch authentication information with the first public key to generate the first encrypted authentication information, the method comprises:
    the SDN controller sending the first public key, being the public key of the SDN controller, to the SDN switch;
    and before the SDN controller encrypts the controller authentication information with the second public key to generate the second encrypted authentication information, the method comprises:
    the SDN switch sending the second public key, being the public key of the SDN switch, to the SDN controller.
  6. The authentication method according to claim 4, characterized in that the SDN controller decrypting the first encrypted authentication information to obtain the switch authentication information comprises:
    the SDN controller decrypting the first encrypted authentication information with a first private key to obtain the switch authentication information;
    and the SDN switch decrypting the second encrypted authentication information to obtain the controller authentication information comprises:
    the SDN switch decrypting the second encrypted authentication information with a second private key to obtain the controller authentication information.
  7. The authentication method according to claim 1, characterized in that, before the SDN controller decrypts the first encrypted authentication information to obtain the switch authentication information, the method comprises:
    establishing a TCP connection between the SDN controller and the SDN switch.
  8. An authentication system, characterized by comprising an SDN controller and an SDN switch;
    the SDN controller being configured to decrypt first encrypted authentication information to obtain switch authentication information; to compare whether the decrypted switch authentication information is identical to switch authentication information obtained in advance; and, if the decrypted switch authentication information is identical to the switch authentication information obtained in advance and if the SDN switch finds the decrypted controller authentication information identical to controller authentication information obtained in advance, to return verification-success information to the SDN switch;
    the SDN switch being configured to decrypt second encrypted authentication information to obtain controller authentication information; to compare whether the decrypted controller authentication information is identical to the controller authentication information obtained in advance; and, if the decrypted controller authentication information is identical to the controller authentication information obtained in advance and the SDN controller finds the decrypted switch authentication information identical to the switch authentication information obtained in advance, to return verification-success information to the SDN controller.
  9. The authentication system according to claim 8, characterized in that, if the SDN controller finds the decrypted switch authentication information different from the switch authentication information obtained in advance, and/or the SDN switch finds the decrypted controller authentication information different from the controller authentication information obtained in advance, the SDN controller is further configured to return verification-failure information to the SDN switch and/or the SDN switch is further configured to return verification-failure information to the SDN controller, and the SDN controller and the SDN switch disconnect the TCP connection.
  10. The authentication system according to claim 8, characterized by further comprising an authentication database;
    the SDN controller being further configured to send a parameter acquisition request to the SDN switch, and to send identification information of the SDN switch to the authentication database;
    the SDN switch being further configured to send return information to the SDN controller, the return information including the identification information of the SDN switch;
    the authentication database being configured to query whether the identification information of the SDN switch is already stored locally; if the identification information of the SDN switch is found to be stored locally, to return error information to the SDN controller; and if the identification information of the SDN switch is found not to be stored locally, to store the identification information of the SDN switch and return correct information to the SDN controller.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711234947.9A CN107733929B (en) 2017-11-30 2017-11-30 Authentication method and authentication system


Publications (2)

Publication Number Publication Date
CN107733929A true CN107733929A (en) 2018-02-23
CN107733929B CN107733929B (en) 2020-04-10

Family

ID=61220707


Country Status (1)

Country Link
CN (1) CN107733929B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108768932A (en) * 2018-04-09 2018-11-06 中国电信股份有限公司上海分公司 A kind of secure connection method of lightweight SDN switch and controller
CN110719301A (en) * 2019-11-19 2020-01-21 武汉思普崚技术有限公司 Attack defense method and system for flow adaptive scheduling

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104185972A (en) * 2012-03-05 2014-12-03 日本电气株式会社 Network system, switch, and network building method
CN104702607A (en) * 2015-03-12 2015-06-10 杭州华三通信技术有限公司 Access authentication method, device and system of SDN (Software Defined Network)
CN104780069A (en) * 2015-04-16 2015-07-15 中国科学院计算技术研究所 SDN-oriented self-configuration method and system for communication channel between control layer and data layer
US9210615B2 (en) * 2012-09-17 2015-12-08 Brocade Communications Systems, Inc. Method and system for elastic and resilient 3G/4G mobile packet networking for subscriber data flow using virtualized switching and forwarding
CN105471845A (en) * 2015-11-16 2016-04-06 数据通信科学技术研究所 Communication method and communication system for preventing man-in-the-middle attack
CN105933125A (en) * 2016-07-07 2016-09-07 北京邮电大学 Method and device for southing security authentication in software-defined networking


Also Published As

Publication number Publication date
CN107733929B (en) 2020-04-10


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant