CN109428867A - Message encryption and decryption method, network equipment and system

Publication number: CN109428867A
Authority: CN (China)
Prior art keywords: network equipment, key, sub, field, sequence number
Legal status: Granted, Active
Application number: CN201710763841.1A
Other languages: Chinese (zh)
Other versions: CN109428867B (en)
Inventors: 吴华佳, 程志军, 赖朝辉
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd
Priority to: CN201710763841.1A
Publication of application: CN109428867A
Publication of grant: CN109428867B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Abstract

A message encryption and decryption method, network equipment and system. In the method, first network equipment and second network equipment negotiate a primary key in advance. The first network equipment uses the primary key to generate a sub-key set, determines one sub-key from the sub-key set, and uses that sub-key to encrypt the first field of the sequence number of a data message that it has generated, producing an encrypted field. The first network equipment replaces the first field of the sequence number with the encrypted field to obtain a modified data message, and sends the modified data message to the second network equipment. Because the sequence number in the data message is encrypted, an attacker who intercepts the data message cannot decrypt it to obtain the original sequence number, which effectively prevents replay attacks.

Description

Message encryption and decryption method, network equipment and system
Technical Field
This application relates to the field of information technology, and in particular to a message encryption and decryption method, network equipment and system.
Background
As network communication is used ever more widely by government departments and enterprises, shared information and online services keep increasing, and network attacks and criminal activity are rampant. How to prevent confidential information in the network from being leaked or tampered with, how to prevent and combat information crime, and how to safeguard network and information security pose serious challenges. Network communication faces a large number of attacks of many kinds every day, which can be divided into active attacks and passive attacks. An active attack selectively damages information in various ways, such as modification, deletion, forgery, insertion, replay, reordering and impersonation. A passive attack intercepts, captures, steals or deciphers information without interfering with the normal operation of the network system. Replay is an important means of attack.
In a replay attack, the attacker first intercepts, over the network, data packets exchanged in normal communication between the two peers, and then, after waiting for a period of time, sends the data packets, unchanged or modified, to their recipient, that is, "replays" them. The purpose of replay is to impersonate one legitimate party in communication with the other. Replay is used instead of directly sending forged data packets because some systems encrypt and authenticate part of the information, so a forged data packet may not gain the trust of the recipient, whereas replaying an originally legitimate data packet can achieve this goal.
To address replay attacks, the prior art includes a unique, monotonically increasing sequence number in each Internet Protocol Security (IPSec) header, and uses the sequence number of each data packet together with a "sliding" receive window to actively filter out replayed messages. However, because the sequence number increases monotonically, it is easy to guess, which can easily cause the anti-replay mechanism to fail.
Summary of the Invention
In view of this, this application provides a message encryption and decryption method, network equipment and system, in order to effectively prevent replay attacks.
In a first aspect, an embodiment of this application provides a message encryption method. First network equipment and second network equipment negotiate a primary key in advance. The first network equipment uses the primary key to generate a sub-key set, determines one sub-key from the sub-key set, and uses this sub-key to encrypt the first field of the sequence number of a generated data message, producing an encrypted field. The first network equipment replaces the first field of the sequence number of the data message with the encrypted field to obtain a modified data message, and sends the modified data message to the second network equipment.
Because the sequence number in the data message is encrypted, an attacker who intercepts the data message cannot decrypt it to obtain the original sequence number, so replay attacks can be effectively prevented.
The first network equipment and the second network equipment mainly use IKE negotiation to determine the primary key in advance. In the negotiation, the first network equipment sends an Internet Key Exchange (IKE) negotiation request message to the second network equipment, in which the value of a predetermined flag bit indicates that the first network equipment supports encrypted transmission of the sequence number. The second network equipment then sends an IKE negotiation response message to the first network equipment, in which the value of the predetermined flag bit indicates that the second network equipment supports encrypted transmission of the sequence number. A primary key is generated from the key seed produced in the negotiation.
The first network equipment then splits the primary key negotiated with the second network equipment into N fields, copies the N fields into M fields, and generates a sub-key set made up of the M fields. This is done to increase the randomness and complexity of the sub-keys, so that an attacker cannot guess them.
In one possible design, the first network equipment determines a sub-key from the sub-key set as follows: it takes the second field contained in the sequence number of the data message modulo M to obtain a modulus value, and then uses the modulus value as an index value to look up the corresponding sub-key in the sub-key set. The benefit is that different sequence numbers give different modulus values, so the sub-key that is determined also changes dynamically. An attacker therefore has difficulty cracking the sub-key, which improves the reliability of the encryption method.
There are many ways for the first network equipment to encrypt the data message. In one possible design, the first network equipment performs an XOR operation on the first field contained in the sequence number of the data message and the determined sub-key to obtain the encrypted field. Generally, to keep the length of the data message unchanged as far as possible, the number of bytes in the sub-key is the same as that of the first field: lengthening the data message increases overhead, and shortening it makes it easier for an attacker to crack. Note that XNOR may be used instead, that is, an XNOR operation is performed on the first field contained in the sequence number of the data message and the determined sub-key to obtain the encrypted field. In comparison, XOR encryption does not require a negation before decryption as XNOR does, so its decryption is somewhat simpler.
In addition, the first field may be the high-order byte part of the sequence number or the low-order byte part. Assuming the sequence number contains L bytes, the first field may be the high-order L/2 bytes of the sequence number, in which case the second field is the low-order L/2 bytes; or the first field may be the low-order L/2 bytes of the sequence number, in which case the second field is the high-order L/2 bytes.
In a second aspect, corresponding to the encryption method above, an embodiment of the present invention further provides a message decryption method. After receiving the data message sent by the first network equipment, the second network equipment determines a sub-key in the same way as the first network equipment, and then uses the sub-key to decrypt the sequence number in the received data message. The decryption method corresponds to the encryption method: the first field contained in the sequence number of the received data message is decrypted with the determined sub-key to obtain a decrypted field, and the decrypted field then replaces the first field in the sequence number of the data message, giving the decrypted message.
In this way, even though the sequence number in the data message is encrypted, the second network equipment can decrypt it correctly with the decryption method and obtain the original sequence number, while an attacker who intercepts the data message cannot decrypt it to obtain the original sequence number, so replay attacks can be effectively prevented.
Of course, the second network equipment performs the IKE negotiation with the first network equipment in advance; the negotiation is the same as described above and is not repeated here. The way the sub-key set is generated and the way a sub-key is determined from the sub-key set are also the same as above.
The way the second network equipment decrypts the message corresponds to the encryption method. In one possible design, if the encryption operation used by the first network equipment is XOR, the second network equipment performs an XOR operation on the first field contained in the sequence number of the received data message and the determined sub-key to obtain the decrypted field. In another possible design, if the encryption operation used by the first network equipment is XNOR, the second network equipment first negates the received sequence number, and then performs an XOR operation on the first field contained in the sequence number of the received data message and the determined sub-key to obtain the decrypted field. In comparison, XOR encryption does not require a negation before decryption as XNOR does, so its decryption is somewhat simpler.
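The encryption of the first aspect and the decryption of the second aspect, as an added example that is not code from the patent. It assumes a 4-byte sequence number (L = 4) whose high-order half is the first field, a constructed 16-byte primary key, M = 16, and cyclic repetition as the way the N fields are "copied into" M fields, which the text does not specify.

```python
import struct

SEQ_LEN = 4          # L: assumed 32-bit sequence number
HALF = SEQ_LEN // 2  # first field and second field are L/2 bytes each

# Constructed sample values, not taken from the patent.
PRIMARY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
M = 16


def build_subkey_set(primary_key, m):
    """Split the primary key into N fields of HALF bytes and expand them to M sub-keys.

    Assumption: the N fields are repeated cyclically to fill M entries.
    """
    if not primary_key or len(primary_key) % HALF:
        raise ValueError("primary key must be a non-empty multiple of the field size")
    if m < 1:
        raise ValueError("M must be positive")
    fields = [primary_key[i:i + HALF] for i in range(0, len(primary_key), HALF)]
    return [fields[i % len(fields)] for i in range(m)]


def split_fields(seq_bytes):
    """Return (first field, second field): high-order half, low-order half."""
    if len(seq_bytes) != SEQ_LEN:
        raise ValueError("sequence number must be %d bytes" % SEQ_LEN)
    return seq_bytes[:HALF], seq_bytes[HALF:]


def select_subkey(second_field, subkeys):
    """Index value = second field modulo M; the second field is sent unencrypted."""
    return subkeys[int.from_bytes(second_field, "big") % len(subkeys)]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def negate(data):
    return bytes(b ^ 0xFF for b in data)


def encrypt_seq(seq, subkeys, xnor=False):
    """Sender side: replace the first field with its encrypted form."""
    first, second = split_fields(struct.pack(">I", seq))
    encrypted = xor_bytes(first, select_subkey(second, subkeys))
    if xnor:
        encrypted = negate(encrypted)  # XNOR is the complement of XOR
    return encrypted + second


def decrypt_seq(wire, subkeys, xnor=False):
    """Receiver side: derive the same sub-key from the clear second field."""
    first, second = split_fields(wire)
    if xnor:
        # Negate first, then XOR. Only the first field was encrypted,
        # so this example negates only that field.
        first = negate(first)
    plain_first = xor_bytes(first, select_subkey(second, subkeys))
    return struct.unpack(">I", plain_first + second)[0]


SUBKEYS = build_subkey_set(PRIMARY_KEY, M)

if __name__ == "__main__":
    for seq in (1, 2, 0x0001FFFF):
        wire = encrypt_seq(seq, SUBKEYS)
        print("seq=%#010x wire=%s back=%#010x"
              % (seq, wire.hex(), decrypt_seq(wire, SUBKEYS)))
```

The receiver can recompute the index only because the second field travels unencrypted, so both sides must agree on which half of the sequence number is the first field, on M, and on XOR versus XNOR.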
In a third aspect, an embodiment of this application further provides network equipment that has the function of implementing the message encryption behavior in the method example of the first aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or the software includes one or more modules corresponding to the function.
In one possible design, the structure of the network equipment includes a determination unit, an encryption unit, a processing unit and a sending unit. These units can perform the corresponding functions in the method example above; see the detailed description in the method example, which is not repeated here.
In a fourth aspect, an embodiment of this application further provides first network equipment that has the function of implementing the message encryption behavior in the method example of the first aspect. The function may be implemented by hardware. The structure of the first network equipment includes a communication interface, a processor and a memory, where the processor calls instructions stored in the memory to perform the following processing:
Determine a sub-key from the sub-key set; encrypt the first field contained in the sequence number of a generated data message with the determined sub-key to obtain an encrypted field; replace the first field in the sequence number of the data message with the encrypted field to obtain a modified data message; and then send the data message containing the sequence number ciphertext to the second network equipment through the communication interface.
Because the sequence number in the data message is encrypted, an attacker who intercepts the data message cannot decrypt it to obtain the original sequence number, so replay attacks can be effectively prevented.
The first network equipment and the second network equipment mainly use IKE negotiation to determine the primary key in advance. In the negotiation, before determining the sub-key, the processor is further configured to: send, through the communication interface, an Internet Key Exchange (IKE) negotiation request message to the second network equipment, where the value of a predetermined flag bit in the IKE negotiation request message is a first value, and the first value indicates support for encrypted transmission of the sequence number; and receive, through the communication interface, the IKE negotiation response message sent by the second network equipment. If the predetermined flag bit in the IKE negotiation response message is also the first value, the processor determines that the second network equipment supports encrypted transmission of the sequence number. A primary key is generated from the key seed produced in the negotiation.
The processor then splits the primary key negotiated with the second network equipment into N fields, copies the N fields into M fields, and generates a sub-key set made up of the M fields. This is done to increase the randomness and complexity of the sub-keys, so that an attacker cannot guess them.
In one possible design, the processor takes the second field contained in the sequence number modulo M to obtain a modulus value, and then uses the modulus value as an index value to look up the corresponding sub-key in the sub-key set.
There are many ways to encrypt the message. In one possible design, the processor performs an XOR operation on the first field contained in the sequence number of the data message and the determined sub-key to obtain the encrypted field. Generally, to keep the length of the data message unchanged as far as possible, the number of bytes in the sub-key is the same as that of the first field.
In addition, the first field may be the high-order byte part of the sequence number or the low-order byte part. Assuming the sequence number contains L bytes, the first field may be the high-order L/2 bytes of the sequence number, in which case the second field is the low-order L/2 bytes; or the first field may be the low-order L/2 bytes of the sequence number, in which case the second field is the high-order L/2 bytes.
In a fifth aspect, an embodiment of this application further provides second network equipment that has the function of implementing the message decryption behavior in the method example of the second aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or the software includes one or more modules corresponding to the function.
In one possible design, the structure of the second network equipment includes a determination unit, a receiving unit, a decryption unit and a processing unit. These units can perform the corresponding functions in the method example above; see the detailed description in the method example, which is not repeated here.
In a sixth aspect, an embodiment of this application further provides another structure of the second network equipment, which has the function of implementing the message decryption behavior in the method example of the second aspect. The function may be implemented by hardware. The structure of the network equipment includes a communication interface, a processor and a memory, where the processor and the memory are connected by a bus. The processor calls the instructions stored in the memory to perform the method above, which is not repeated here.
In a seventh aspect, an embodiment of this application further provides a computer storage medium storing a software program that, when read and executed by one or more processors, implements the method provided by the first aspect or by any design of the first aspect.
In an eighth aspect, an embodiment of this application further provides a computer storage medium storing a software program that, when read and executed by one or more processors, implements the method provided by the second aspect or by any design of the second aspect.
In a ninth aspect, this application further provides a computer program product containing instructions that, when run on a computer, cause the computer to perform the message encryption method described in the above aspects or their possible implementations.
In a tenth aspect, this application further provides a computer program that, when run on a computer, causes the computer to perform the message decryption method described in the above aspects or their possible implementations.
In this application, because the sub-key is transmitted in the encrypted channel negotiated between the first network equipment and the second network equipment, and changes dynamically, the encrypted data message is highly secure. In addition, the key used to encrypt the sequence number is determined by a modulo operation, so its randomness is high and the encrypted sequence number cannot be guessed. Replay attacks can therefore be effectively prevented.
Brief Description of the Drawings
Fig. 1 is a schematic diagram of a system architecture provided by an embodiment of this application;
Fig. 2 is a schematic diagram of a system architecture based on IKE negotiation provided by an embodiment of this application;
Fig. 3 is a flow diagram of a message encryption method provided by an embodiment of this application;
Fig. 4 is a schematic diagram of the IKE negotiation interaction provided by an embodiment of this application;
Fig. 5a and Fig. 5b are schematic diagrams of the position of the reserved field in a message provided by an embodiment of this application;
Fig. 6 is a flow diagram of a message decryption method provided by an embodiment of this application;
Fig. 7 is a first schematic diagram of the apparatus of network equipment provided by an embodiment of this application;
Fig. 8 is a second schematic diagram of the apparatus of network equipment provided by an embodiment of this application;
Fig. 9 is a structural schematic diagram of network equipment provided by an embodiment of this application.
Detailed Description
This application is described in further detail below with reference to the drawings.
The message encryption and decryption method in this application is applicable to multiple system architectures. Fig. 1 is a schematic diagram of one system architecture to which this application applies. As shown in Fig. 1, the system architecture includes a sending-end server 101, a sending-end gateway 102, a receiving-end gateway 103 and a receiving-end server 104.
To guarantee the security of the data packets transmitted between the sending-end gateway 102 and the receiving-end gateway 103, messages are transmitted between the sending-end gateway 102 and the receiving-end gateway 103 using the IPSec protocol.
Note that IPSec is a layer-3 tunnel encryption protocol formulated by the Internet Engineering Task Force (IETF) to guarantee the security of data transmitted over the Internet. IPSec provides security services for IP packets at the network layer (the Internet Protocol, IP, layer). The IPSec protocol itself defines how to add fields to an IP data packet to guarantee the integrity, confidentiality and authenticity of the IP data packet, and how to encrypt the data packet. With IPsec, data can be transmitted securely over a public network. IPsec provides protection between two hosts, between two security gateways, or between a host and a security gateway.
IPSec includes two protocols: the Authentication Header (AH) protocol (protocol number 51) and the Encapsulating Security Payload (ESP) protocol (protocol number 50). AH provides data origin verification and data integrity verification. ESP provides data verification and integrity checking and, in addition, encryption of IP packets. The security features of the IPSec protocol are:
1. Data confidentiality: the IPSec sender encrypts a packet before transmitting it over the network.
2. Data integrity: the IPSec receiver authenticates the packets sent by the sender to ensure that the data has not been tampered with in transit.
3. Data origin authentication: the IPSec receiver authenticates the source address of an IPSec packet. This service is based on the data integrity service.
4. Anti-replay: the IPSec receiver can detect and reject out-of-date or duplicate messages.
In a replay attack, the attacker first intercepts, over the network, data packets exchanged in normal communication between the two peers, and then, after waiting for a period of time, sends the data packets, unchanged or modified, to their recipient, that is, "replays" them. The purpose of replay is to impersonate one legitimate party in communication with the other. The attacker uses replay instead of directly sending forged data packets because some systems encrypt and authenticate part of the information, so a forged data packet may not gain the trust of the recipient, whereas replaying an originally legitimate data packet can achieve this goal. For example, in mobile IP, when a mobile node finds that its network has switched from one link to another, it must register. The purpose of registration is, on the one hand, to let the mobile node obtain the routing service of the foreign agent on the foreign link and, on the other hand, to notify the home agent of the mobile node's care-of address. The registration message is a User Datagram Protocol (UDP) data packet carried in an IP data packet. If an attacker intercepts this data packet, modifies the care-of address field and then resends the message, the attacker registers a forged care-of address. All data packets in the network that are sent to the mobile node are then forwarded to the care-of address registered by the attacker, and the mobile node no longer receives any information.
Transmitting messages with the IPSec protocol lets the receiver detect and reject out-of-date or duplicate messages, which prevents replay attacks to a certain extent. However, the sequence number of a message transmitted with the IPSec protocol is in plaintext and increases or decreases monotonically, so once an attacker intercepts one message, it is easy to guess the sequence numbers of subsequent messages from that message's sequence number and then impersonate the sender in communication with the receiver. The receiver merely parses the sequence number and, if it determines that the sequence number is neither duplicate nor out of date, considers the message legitimate. It therefore cannot accurately identify the attacker's invalid messages, which can easily cause the anti-replay function of the IPSec protocol to fail.
The prior art also includes adding a check field to perform additional verification of the sequence number of the message. The attacker can then obtain a valid sequence number but cannot pass message authentication. The disadvantage is that, because a field is added to the message header, the length of the message has to be adjusted, which brings considerable additional overhead.
Existing IPSec also includes the Internet Key Exchange (IKE) protocol. The main function of IKE negotiation is to let the communicating parties perform key agreement; through the negotiation, the identities of the communicating parties can be verified as legitimate, and an IPsec Security Association (SA) is established if they are. For these reasons, the embodiments of this application provide a message encryption and decryption method that incorporates the IKE negotiation mechanism: a key is generated from the key seed determined by IKE negotiation, and the key is used to encrypt the plaintext sequence number into ciphertext. Even if an attacker intercepts a data message, the attacker cannot crack the key and therefore cannot guess subsequent sequence numbers, so replay attacks can be effectively prevented.
Specifically, the main function of the IKE protocol included in IPSec is to securely negotiate, distribute and manage keys, verify identities, and establish security associations over an insecure network. An SA is the agreement reached by the communicating parties; correct IPSec processing is possible only with knowledge of all the information in the agreement. For example, if the agreement specifies ESP encapsulation, AH cannot be used for decapsulation; likewise, if the agreement specifies 3DES encryption, AES cannot be used for decryption.
To ensure that IPSec communication proceeds smoothly, the IKE protocol performs a two-phase negotiation. The two phases are main mode (Main Mode) negotiation and quick mode (Quick Mode) negotiation.
1. Main mode (also called phase 1) IKE negotiation establishes a secure channel, called the ISAKMP SA, between two computers. The secure channel is mainly used to protect the security negotiation.
2. Quick mode (also called phase 2) IKE negotiation establishes a channel between two computers to protect data. Because this phase involves the creation of an SA, the SA established during quick mode is called the IPSec SA. During quick mode, the keying material is refreshed, or new keys are generated if necessary. A protection suite for protecting specific IP traffic can also be selected in this phase.
After the above negotiation, a shared key material, the key seed (SKEYSEED), can be generated. The key seed is calculated as follows:
SKEYSEED = prf(Ni | Nr, g^ir)    formula [1]
{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)    formula [2]
Here, SK_d is used to derive keys in the second phase (it is the only one that is independent of direction); SK_ai and SK_ar are used as the MAC keys of the initiator and the responder respectively; SK_ei and SK_er are used as the encryption keys of the initiator and the responder respectively; and SK_pi and SK_pr are used to calculate the authentication payloads of the initiator and the responder.
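Formulas [1] and [2] worked through in code, as an added example that is not part of the patent. The notation matches the IKEv2 key derivation in RFC 7296, whose prf+ expansion is used here; HMAC-SHA-256 as the prf, 32-byte lengths for every SK_* key, and all nonce, SPI and g^ir values are assumptions constructed for the example.

```python
import hashlib
import hmac

PRF_LEN = 32  # output size of the assumed prf, HMAC-SHA-256


def prf(key, data):
    """Assumed negotiated prf: HMAC-SHA-256 keyed with `key`."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, length):
    """prf+ expansion: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    if length > 255 * PRF_LEN:
        raise ValueError("prf+ output is limited to 255 blocks")
    output, block, counter = b"", b"", 1
    while len(output) < length:
        block = prf(key, block + seed + bytes([counter]))
        output += block
        counter += 1
    return output[:length]


# Order of the keys in formula [2]; the lengths are assumptions.
KEY_SIZES = {
    "SK_d": 32, "SK_ai": 32, "SK_ar": 32,
    "SK_ei": 32, "SK_er": 32, "SK_pi": 32, "SK_pr": 32,
}


def derive_ike_keys(ni, nr, g_ir, spi_i, spi_r, sizes=KEY_SIZES):
    """Return (SKEYSEED, {name: key}) following formulas [1] and [2]."""
    skeyseed = prf(ni + nr, g_ir)                      # formula [1]
    seed = ni + nr + spi_i + spi_r
    stream = prf_plus(skeyseed, seed, sum(sizes.values()))  # formula [2]
    keys, offset = {}, 0
    for name, size in sizes.items():
        keys[name] = stream[offset:offset + size]
        offset += size
    return skeyseed, keys


# Constructed sample inputs, not real negotiation values.
NI = bytes(range(0, 16))
NR = bytes(range(16, 32))
G_IR = bytes(range(32, 64))          # stands in for the Diffie-Hellman shared secret
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")

if __name__ == "__main__":
    seed_value, derived = derive_ike_keys(NI, NR, G_IR, SPI_I, SPI_R)
    print("SKEYSEED", seed_value.hex())
    for key_name, key_value in derived.items():
        print(key_name, key_value.hex())
```

Both peers compute the same seven keys from the values exchanged in the negotiation, while the initiator and responder keys (the _i and _r pairs) differ from each other, which is why only SK_d is direction-independent.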
In addition, both sides can determine subsequent in the datagram for receiving other side's transmission according to negotiation result by above-mentioned negotiation Wen Shi, if needs are decrypted, for example, negotiation result is that other side does not support to encrypt, then sender would not be to be sent Data message encryption, but directly sent to receiving side, while receiving side receives data message without decryption oprerations, but Sequence number is directly acquired to be verified.Certainly, if negotiation result is that other side supports encryption, sender will be to be sent Data message encryption, encrypted data message is then sent to receiving side, while receiving side receives data message progress Decryption oprerations.
Specifically, message encipher-decipher method provided by the embodiments of the present application includes message encryption method and message decryption side Method is applicable in the communication system of message encipher-decipher method provided by the embodiments of the present application as shown in Fig. 2, mainly comprising as follows in Fig. 2 Process: the SA that IKE is first established between transmitting terminal gateway 102 and receiving end gateway 103 negotiates, and then transmitting terminal gateway 102 utilizes Negotiate determining Encryption Algorithm to encrypt IPSec message, generates encrypted IPSec message, it then will be encrypted IPSec message is sent to receiving end gateway 103, wherein receiving end gateway 103 is with the determining decipherment algorithm of negotiation to encrypted Data message decryption, reduction obtain the sequence number of original IPSec message.
Hereafter dismantling is that ciphering process and decrypting process the two processes are respectively described in detail it.
Fig. 3 is a flow diagram of a message encryption method provided by the embodiments of the present application. The specific steps are as follows:
Step 301, the first network equipment generates a data message.
Step 302, the first network equipment determines a sub-key from the sub-key set. For example, the first network equipment may be the transmitting end gateway 102 in Fig. 2.
Step 303, the first network equipment encrypts the first field included in the sequence number of the message to be sent with the determined sub-key to obtain an encrypted field.
Step 304, the first network equipment replaces the first field in the sequence number of the data message with the encrypted field to obtain a modified data message.
Step 305, the first network equipment sends the modified data message to the second network equipment. For example, the second network equipment may be the receiving end gateway 103 in Fig. 2.
It should be noted that before executing step 301, the first network equipment needs to determine whether the second network equipment at the opposite end supports encrypted transmission, that is, whether the second network equipment can decrypt an encrypted data message that it receives. Therefore, before step 301 is executed, an IKE negotiation process must first be carried out between the first network equipment and the second network equipment. The interaction of the negotiation is shown in Fig. 4 and comprises:
Step 401, the first network equipment sends an IKE negotiation request message to the second network equipment.
Step 402, the first network equipment receives the IKE negotiation response message sent by the second network equipment.
Wherein, the IKE negotiation request message sent by the first network equipment carries a predetermined marker bit whose value is a first value, and the first value indicates that the first network equipment supports encrypted transmission of the sequence number. If the second network equipment also supports encrypted transmission of the sequence number, the IKE negotiation response message fed back by the second network equipment also carries the predetermined marker bit, and its value is also the first value. In this way, the first network equipment can determine from the first value of the marker bit in the IKE negotiation response message that the second network equipment supports encrypted transmission of the sequence number.
After the first network equipment determines that the second network equipment at the opposite end supports encrypted transmission, the first network equipment performs the encryption process described in Fig. 3 on the data message and then sends the encrypted data message to the second network equipment; otherwise, the first network equipment omits the encryption process and sends the unencrypted data message directly to the second network equipment. Doing so remains compatible with network equipment that does not support encrypted transmission and avoids communication failures.
Wherein, the marker bit used by the first network equipment and the second network equipment is a reserved field that is not used in the IKE message. For example, the first network equipment uses the first bit of the 7-bit RESERVED (reserved) field in the Security Association payload header to indicate whether the first network equipment supports encrypting the sequence number; this bit is the 10th bit of the entire Payload header. As shown in Fig. 5a, E denotes the marker bit used: a value of 0 indicates that encrypting the sequence number is not supported, and a value of 1 indicates that encrypting the sequence number is supported. Thus, when the second network equipment receives the IKE negotiation request message, it parses and checks the first bit of the RESERVED field in the Security Association payload header; if the value is 1, it considers that the first network equipment supports encrypting data messages, and when it subsequently receives a data message sent by the first network equipment, it first performs a decryption operation on it.
Alternatively, as shown in Fig. 5b, E denotes the marker bit used: a value of 0 indicates that encrypting the sequence number is not supported, and a value of 1 indicates that encrypting the sequence number is supported. The second network equipment receives the IKE negotiation request message and checks the value of the marker bit in the payload; if the value is 1, it considers that the first network equipment supports encrypting data messages, and when it subsequently receives a data message sent by the first network equipment, it first performs a decryption operation on it.
In addition, after the first network equipment and the second network equipment at the opposite end complete the IKE negotiation and it is determined that the opposite end supports encrypted transmission, the first network equipment first generates a primary key using the key seed formula determined by the negotiation, and then uses the primary key to generate the sub-key set. Specifically, the first network equipment splits the primary key determined by negotiation with the second network equipment into N fields; the first network equipment then copies the N fields into M fields, thereby generating a sub-key set consisting of M fields. Generally, M is greater than N.
For example, the primary key Key value in Table one is split into eight 2-byte fields; these eight 2-byte fields are arranged in descending order of value and cycled through in turn to fill the Key table of length 100 shown in Table two.
Table one
0x2fe0 0x1fd9 0x1ee1 0x1fe5 0x1fa0 0x11a1 0x21c3 0x1fe9
Table two
0x2fe0 0x21c3 0x1fe9 0x1fe5 0x1fd9 0x1fa0 0x1ee1
…… 0x1fe5 0x1fd9 0x1fa0 0x1ee1
In addition, after the primary key Key value in Table one is split into eight 2-byte fields, each 2-byte field in Table one may also be transformed, and the Key table is then generated from the transformed 2-byte fields. The transformation may be adding 1 or another existing method, which is not described further here.
In one possible design, the first network equipment determines a sub-key from the sub-key set as follows: the first network equipment takes the second field included in the sequence number of the data message modulo M to obtain a modulus value; the first network equipment then uses the modulus value as an index value and looks up the sub-key corresponding to that index value in the sub-key set.
For example, the low 16 bits 0x1b21 of the sequence number 0xefac 0x1b21 are taken modulo M (for example, M is 100) to obtain the modulus value 45, and the 45th sub-key 0x1fd9 is looked up in the Key table of Table two. Alternatively, in the IKE negotiation stage, the first network equipment and the second network equipment may negotiate to designate the sub-key at a particular index of the sub-key set, for example the 45th value 0x1fd9 in the Key table of Table two. Obviously, the modulus approach determines the sub-key more dynamically and is harder for an attacker to crack.
After the sub-key is determined, the sequence number can be encrypted with it. In one possible design, the first network equipment performs an XOR operation on the first field included in the sequence number of the data message and the determined sub-key to obtain the encrypted field. For example, the sub-key 0x1fd9 is XORed with the high 16 bits 0xefac of the sequence number to obtain the new encrypted value 0xf075; replacing the high 16 bits 0xefac of the sequence number with the new encrypted value 0xf075 gives the new sequence number 0xf075 0x1b21; the sequence number in the original data message is replaced with the new sequence number 0xf075 0x1b21, and the data message after replacement is sent to the second network equipment at the opposite end. In this way, the second network equipment can recover the original sequence number by again using an XOR operation, so the decryption algorithm is also very simple.
Generally, to keep the length of the data message as constant as possible, the number of bytes of the sub-key is the same as the number of bytes of the first field. On the one hand, this is convenient for the XOR operation; on the other hand, lengthening the data message would increase overhead, while shortening it would make it easy for an attacker to crack. It should be noted that XNOR may be used instead in the above encryption method, that is, an XNOR operation is performed on the first field included in the sequence number of the data message and the determined sub-key to obtain the encrypted field. Compared with XOR encryption, with XNOR the second network equipment must first negate and then perform the XOR operation when decrypting, so the decryption process is relatively more complex.
In the previous example, the first field is the high 16 bits 0xefac of the sequence number and the second field is the low 16 bits 0x1b21. It should be noted that in other possible designs the first field need not be half of the sequence number. For example, if the sequence number is 4 bytes, the first field may be a 1-byte part and the second field a 3-byte part; the above method can also be implemented with this division, that is, the second field is taken modulo M to determine the sub-key, and the encryption operation is then performed. Similarly, in the previous example the first field may instead be the low 16 bits 0x1b21 of the sequence number and the second field the high 16 bits 0xefac; that is, the high 16 bits are taken modulo M to obtain the modulus value, and the low 16 bits are then encrypted with the Key value corresponding to the modulus value.
Corresponding to the above message encryption method, the embodiments of the present application further describe the message decryption method in detail. The specific steps are shown in Fig. 6.
Step 601, the second network equipment receives the data message sent by the first network equipment. For example, the first network equipment may be the transmitting end gateway 102 in Fig. 2, and the second network equipment may be the receiving end gateway 103 in Fig. 2.
Step 602, the second network equipment determines a sub-key from the sub-key set.
Step 602, the second network equipment receives the message sent by the first network equipment.
Step 603, the second network equipment decrypts the first field included in the sequence number of the received data message with the determined sub-key to obtain a decrypted field.
Step 604, the second network equipment replaces the first field in the sequence number of the data message with the decrypted field to obtain the decrypted data message.
As in the above message encryption method, before receiving the data message sent by the first network equipment, the second network equipment has completed the IKE negotiation with the first network equipment, generates the primary key using the key seed formula determined by the negotiation, and then generates the sub-key set from the primary key. The sub-key set is generated in the same way as described above, so this is not repeated here.
That is, the second network equipment determines the sub-key set by the same method as the first network equipment, and then determines a sub-key from the sub-key set by the same rule as the first network equipment. For example, if the first network equipment takes the second field modulo M and uses the modulus value as the index value to determine the sub-key, the second network equipment determines the sub-key by the same rule.
In one possible design, the second network equipment takes the second field included in the sequence number of the data message modulo M to obtain a modulus value; the second network equipment then uses the modulus value as an index value and looks up the sub-key corresponding to that index value in the sub-key set.
For example, still taking the sequence number 0xefac 0x1b21: as described above, the first network equipment encrypts it with the 45th sub-key 0x1fd9 in the Key table of Table two to obtain the new sequence number 0xf075 0x1b21. The second network equipment then receives the data message containing the sequence number 0xf075 0x1b21 and, still using the 45th sub-key 0x1fd9, performs an XOR operation on the high 16 bits 0xf075 of 0xf075 0x1b21 to obtain the new decrypted value 0xefac. Replacing the high 16 bits 0xf075 of the sequence number with the new decrypted value 0xefac gives the new sequence number 0xefac 0x1b21, that is, the original sequence number of the data message sent by the first network equipment is recovered. If the first network equipment uses another rule to determine the sub-key and encrypt the sequence number with it, for example performing the XOR operation on the low-order byte part to obtain the new encrypted value, then the second network equipment likewise performs the XOR operation on the low-order byte part to obtain the new decrypted value.
In another possible design, if the first network equipment performs an XNOR operation on the first field included in the sequence number of the data message and the determined sub-key to obtain the encrypted field, the second network equipment must first negate and then perform the XOR operation when decrypting. For example, if the first network equipment uses the 45th sub-key 0x1fd9 to perform an XNOR operation on the high 16 bits 0xf075 of 0xf075 0x1b21, the second network equipment must first negate the sequence number 0xf075 0x1b21 of the data message and then decrypt the negated sequence number according to the method in the above example.
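The encryption steps (Key table generation, modulus lookup, XOR or XNOR of the first field) and the matching decryption steps above are worked through in the following Python code, an added example that is not part of the patent. It uses the values of Table one and the sequence number 0xefac 0x1b21 from the description; it assumes that Key table entries are numbered from 1 (the text's "45th sub-key") and that a modulus value of 0 selects entry M, a case the description does not address.

```python
# Table one of the description: the primary key split into eight 2-byte fields.
PRIMARY_KEY_FIELDS = [0x2fe0, 0x1fd9, 0x1ee1, 0x1fe5, 0x1fa0, 0x11a1, 0x21c3, 0x1fe9]
M = 100          # length of the Key table in the description's example
MASK16 = 0xFFFF


def build_key_table(fields, m=M):
    """Sort the N fields in descending order and cycle through them to fill m entries."""
    ordered = sorted(fields, reverse=True)
    return [ordered[i % len(ordered)] for i in range(m)]


def select_subkey(table, second_field):
    """Return (index, sub-key) for index = second_field mod M, entries numbered from 1.

    Assumption: a modulus value of 0 is mapped to entry M.
    """
    index = second_field % len(table)
    if index == 0:
        index = len(table)
    return index, table[index - 1]


def encrypt_seq(seq, table, op="xor"):
    """Encrypt the high 16 bits (first field); the low 16 bits (second field) pick the key."""
    first, second = (seq >> 16) & MASK16, seq & MASK16
    _, key = select_subkey(table, second)
    if op == "xor":
        encrypted = first ^ key
    elif op == "xnor":
        encrypted = ~(first ^ key) & MASK16
    else:
        raise ValueError("op must be 'xor' or 'xnor'")
    # The second field is sent unchanged so the receiver can derive the same index.
    return (encrypted << 16) | second


def decrypt_seq(seq, table, op="xor"):
    """Recover the original sequence number on the second network equipment."""
    first, second = (seq >> 16) & MASK16, seq & MASK16
    _, key = select_subkey(table, second)
    if op == "xnor":
        first = ~first & MASK16  # negate first, then XOR, as the description states
    elif op != "xor":
        raise ValueError("op must be 'xor' or 'xnor'")
    return ((first ^ key) << 16) | second


if __name__ == "__main__":
    table = build_key_table(PRIMARY_KEY_FIELDS)
    seq = 0xefac1b21
    index, key = select_subkey(table, seq & MASK16)
    print(f"index={index} sub-key={key:#06x}")
    for op in ("xor", "xnor"):
        sent = encrypt_seq(seq, table, op)
        print(f"{op}: sent={sent:#010x} recovered={decrypt_seq(sent, table, op):#010x}")
    print(f"entries={len(table)} distinct sub-keys={len(set(table))}")
```

The Key table has M = 100 entries but only N = 8 distinct values, so the modulus lookup chooses among eight sub-keys, and the second field that drives the lookup travels unencrypted.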
For the above method flow, the present application provides a network equipment; for the specific operations performed by the network equipment, refer to the embodiment corresponding to the above message encryption method.
Fig. 7 is a structural schematic diagram of a first network equipment provided by the present application. As shown in Fig. 7, the first network equipment comprises:
Generation unit 701, for generating a data message.
Determination unit 702, for determining a sub-key from a sub-key set, where the sub-key set comprises M sub-keys, the M sub-keys are generated from N fields into which the primary key is split, the primary key is determined in advance by negotiation between the first network equipment and the second network equipment, and M is greater than or equal to N.
Encryption unit 703, for encrypting the first field included in the sequence number of the data message with the determined sub-key to obtain an encrypted field, where the sequence number comprises multiple fields.
Processing unit 704, for replacing the first field in the sequence number of the data message with the encrypted field to obtain a modified data message.
Transmission unit 705, for sending the modified data message to the second network equipment.
Optionally, the determination unit 702 is specifically used for: taking the second field included in the sequence number modulo M to obtain a modulus value; and, using the modulus value as an index value, looking up the sub-key corresponding to the index value in the sub-key set.
Optionally, the encryption unit 703 is specifically used for: performing an XOR operation on the first field included in the sequence number of the data message and the determined sub-key to obtain the encrypted field, where the number of bytes of the determined sub-key is the same as the number of bytes of the first field.
Wherein, if the sequence number comprises L bytes, the first field is the high-order byte part of L/2 bytes of the sequence number and the second field is the low-order byte part of L/2 bytes of the sequence number; or the first field is the low-order byte part of L/2 bytes of the sequence number and the second field is the high-order byte part of L/2 bytes of the sequence number.
The first network equipment further comprises: generation unit 701, for splitting the primary key determined by negotiation with the second network equipment into N fields, copying the N fields into M fields, and generating the sub-key set consisting of the M fields.
Optionally, the transmission unit 705 is also used for: sending an Internet Key Exchange (IKE) negotiation request message to the second network equipment, where the value of the marker bit in the IKE negotiation request message indicates that the first network equipment itself supports encrypted transmission of the sequence number;
The network equipment further comprises: receiving unit 706, for receiving the IKE negotiation response message sent by the second network equipment;
Optionally, the determination unit 702 is also used for determining, according to the value of the marker bit in the IKE negotiation response message, that the second network equipment supports encrypted transmission of the sequence number.
Fig. 8 is a structural schematic diagram of the second network equipment corresponding to the message decryption method provided by the present application. As shown in Fig. 8, the second network equipment comprises: determination unit 801, receiving unit 802, decryption unit 803 and processing unit 804. Specifically:
Receiving unit 801, for receiving the data message sent by the first network equipment.
Determination unit 802, for determining a sub-key from a sub-key set, where the sub-key set comprises M sub-keys, the M sub-keys are generated from N fields into which the primary key is split, the primary key is determined in advance by negotiation between the first network equipment and the second network equipment, and M is greater than or equal to N.
Decryption unit 803, for decrypting the first field included in the sequence number of the received data message with the determined sub-key to obtain a decrypted field, where the sequence number comprises multiple fields.
Processing unit 804, for replacing the first field in the sequence number of the data message with the decrypted field to obtain the decrypted message.
Optionally, the determination unit 802 is specifically used for: taking the second field included in the sequence number modulo M to obtain a modulus value; and, using the modulus value as an index value, looking up the sub-key corresponding to the index value in the sub-key set.
Optionally, the decryption unit 803 is specifically used for: performing an XOR operation on the first field included in the sequence number of the received data message and the determined sub-key to obtain the decrypted field, where the number of bytes of the determined sub-key is the same as the number of bytes of the first field.
Wherein, if the sequence number comprises L bytes, the first field is the high-order byte part of L/2 bytes of the sequence number and the second field is the low-order byte part of L/2 bytes of the sequence number; or the first field is the low-order byte part of L/2 bytes of the sequence number and the second field is the high-order byte part of L/2 bytes of the sequence number.
The second network equipment further comprises:
Generation unit 805, for splitting the primary key determined by negotiation with the first network equipment into N fields, copying the N fields into M fields, and generating the sub-key set consisting of the M fields.
Optionally, the receiving unit 802 is also used for receiving the IKE negotiation request message sent by the first network equipment, where the value of the marker bit in the IKE negotiation request message indicates that the first network equipment supports encrypted transmission of the sequence number;
The second network equipment further comprises:
Transmission unit 806, for sending an IKE negotiation response message to the first network equipment, where the value of the marker bit in the IKE negotiation response message indicates that the second network equipment supports encrypted transmission of the sequence number.
Fig. 9 is a structural schematic diagram of another network equipment provided by the present application. This network equipment can execute the above message encryption method or message decryption method. As shown in Fig. 9, the network equipment 900 comprises: communication interface 901, processor 902, memory 903 and bus system 904;
Wherein, the memory 903 is used for storing a program. Specifically, the program may comprise program code, and the program code comprises computer operation instructions. The memory 903 may be a random access memory (random-access memory, RAM) or a non-volatile memory (non-volatile memory, NVM), for example at least one magnetic disk storage. Only one memory is shown in the figure; multiple memories may be provided as needed. The memory 903 may also be a memory within the processor 902.
The memory 903 stores the following elements, executable modules or data structures, or a subset of them, or a superset of them:
Operation instructions: comprising various operation instructions, for implementing various operations.
Operating system: comprising various system programs, for implementing various basic services and processing hardware-based tasks.
The processor 902 controls the operation of the network equipment 900; the processor 902 may also be called a central processing unit (English: Central processing unit, CPU). In a specific application, the components of the network equipment 900 are coupled together through the bus system 904, where the bus system 904 may comprise, in addition to a data bus, a power bus, a control bus, a status signal bus and so on. For clarity of description, the various buses are all labelled as bus system 904 in the figure. For ease of representation, it is drawn only schematically in Fig. 9.
Specifically, if the method executed by the network equipment 900 is the message encryption method, the network equipment 900 corresponds to the transmitting end gateway 102 in Fig. 2; with respect to Fig. 3, the communication interface 901 is used for executing step 305, that is, sending the modified data message to the second network equipment. If the method executed by the network equipment 900 is the message decryption method, the network equipment 900 corresponds to the receiving end gateway 103 in Fig. 2; with respect to Fig. 6, the communication interface 901 is used for executing step 601, that is, receiving the data message sent by the first network equipment.
Similarly, if the method executed by the network equipment 900 is the message encryption method, the processor 902 is used for executing step 301 to step 304 in Fig. 3. If the method executed by the network equipment 900 is the message decryption method, the processor 902 is used for executing step 602 to step 604 in Fig. 6. For details of the execution by the processor 902, refer to the description in the preceding method embodiments, which is not repeated here.
Wherein, the processor 902 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by an integrated logic circuit of hardware in the processor 902 or by instructions in the form of software. The processor 902 may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logic diagrams disclosed in the embodiments of the present application. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in the embodiments of the present application may be embodied directly as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an electrically erasable programmable memory or a register. The storage medium is located in the memory 903; the processor 902 reads the information in the memory 903 and completes the steps of the above method in combination with its hardware.
As can be seen from the above: in the embodiments of the present application, because the sub-key is transmitted in the encrypted tunnel determined by negotiation between the first network equipment and the second network equipment, and changes dynamically, the encrypted data message is highly secure. In addition, the sub-key that encrypts the sequence number is determined by taking a modulus, so its randomness is high and the encrypted sequence number cannot be guessed; replay attacks can therefore be effectively prevented. The first network equipment and the second network equipment use only an unused reserved field to indicate whether they themselves encrypt the data message, so the length of the data message is not increased and the overhead does not increase.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the embodiments of the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the embodiments of the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory and the like) containing computer-usable program code.
The embodiments of the present invention are described with reference to flowcharts and/or block diagrams of the method, equipment (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing equipment to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction device, the instruction device implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Obviously, those skilled in the art can make various modifications and variations to the embodiments of the present invention without departing from the scope of the present application. Thus, if these modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present application and their equivalent technologies, the present application is also intended to include these modifications and variations.

Claims (17)

1. A message encryption method, characterized in that the method comprises:
a first network equipment generates a data message;
the first network equipment determines a sub-key from a sub-key set, where the sub-key set comprises M sub-keys, the M sub-keys are generated from N fields into which a primary key is split, the primary key is determined in advance by negotiation between the first network equipment and a second network equipment, and M is greater than or equal to N;
the first network equipment encrypts the first field included in the sequence number of the data message with the determined sub-key to obtain an encrypted field, where the sequence number comprises multiple fields;
the first network equipment replaces the first field in the sequence number of the data message with the encrypted field to obtain a modified data message;
the first network equipment sends the modified data message to the second network equipment.
2. The method according to claim 1, characterized in that the sub-key set further comprises an index value corresponding to each sub-key, and the first network equipment determining a sub-key from the sub-key set comprises:
the first network equipment takes the second field included in the sequence number modulo M to obtain a modulus value;
the first network equipment uses the modulus value as an index value and looks up the sub-key corresponding to the index value in the sub-key set.
3. The method according to claim 1 or 2, characterized in that the first network equipment encrypting the first field included in the sequence number of the data message with the determined sub-key to obtain an encrypted field comprises:
the first network equipment performs an XOR operation on the first field included in the sequence number of the data message and the determined sub-key to obtain the encrypted field, where the number of bytes of the determined sub-key is the same as the number of bytes of the first field.
4. The method according to any one of claims 1 to 3, characterized in that, before the first network equipment determines the first sub-key from the sub-key set, the method further comprises:
the first network equipment sends an Internet Key Exchange (IKE) negotiation request message to the second network equipment, where the value of a predetermined marker bit in the IKE negotiation request message is set to a first value, and the first value indicates support for encrypted transmission of the sequence number;
the first network equipment receives the IKE negotiation response message sent by the second network equipment, where the value of the predetermined marker bit in the IKE negotiation response message is set to the first value;
the first network equipment determines, according to the value of the predetermined marker bit in the IKE negotiation response message, that the second network equipment supports encrypted transmission of the sequence number.
5. A message decryption method, characterized in that the method comprises:
A second network equipment receives a data message sent by a first network equipment;
The second network equipment determines a sub-key from a sub-key set, wherein the sub-key set includes M sub-keys, the M sub-keys are generated according to N fields into which an original key is split, the original key is determined in advance through negotiation between the first network equipment and the second network equipment, and M is greater than or equal to N;
The second network equipment performs decryption processing on the first field included in the sequence number of the received data message and the determined sub-key to obtain a decrypted field, wherein the sequence number includes multiple fields;
The second network equipment replaces the first field in the sequence number of the data message with the decrypted field, thereby obtaining the decrypted data message.
6. The method according to claim 5, characterized in that the sub-key set further includes an index value corresponding to each sub-key, and the second network equipment determining a sub-key from the sub-key set comprises:
The second network equipment takes the second field included in the sequence number of the data message modulo M to obtain a modulus value;
The second network equipment uses the modulus value as an index value and finds the sub-key corresponding to the index value in the sub-key set.
7. The method according to claim 5 or 6, characterized in that the second network equipment performing decryption processing on the first field included in the sequence number of the data message and the determined sub-key to obtain a decrypted field comprises:
The second network equipment performs an XOR operation on the first field included in the sequence number of the data message and the determined sub-key to obtain the decrypted field, wherein the number of bytes of the determined sub-key is the same as the number of bytes of the first field.
8. The method according to any one of claims 5 to 7, characterized in that, before the second network equipment determines the first sub-key from the sub-key set, the method further comprises:
The second network equipment receives an Internet Key Exchange (IKE) negotiation request message sent by the first network equipment, wherein the value of a predetermined marker in the IKE negotiation request message is set to a first value, and the first value indicates support for encrypted transmission of the sequence number;
If the second network equipment supports encrypted transmission of the sequence number, the second network equipment sends an IKE negotiation response message to the first network equipment, wherein the value of the predetermined marker in the IKE negotiation response message is set to the first value.
9. A first network equipment, characterized in that the first network equipment comprises: a communication interface, a processor and a memory;
The processor calls instructions stored in the memory to perform the following processing:
Generate a data message;
Determine a sub-key from a sub-key set, wherein the sub-key set includes M sub-keys, the M sub-keys are generated according to N fields into which an original key is split, the original key is determined in advance through negotiation between the first network equipment and a second network equipment, and M is greater than or equal to N;
Perform encryption processing on the first field included in the sequence number of the data message and the determined sub-key to obtain an encrypted field, wherein the sequence number includes multiple fields;
Replace the first field in the sequence number of the data message with the encrypted field to obtain a modified data message;
Send the modified data message to the second network equipment through the communication interface.
10. The network equipment according to claim 9, characterized in that the processor is specifically configured to:
Take the second field included in the sequence number modulo M to obtain a modulus value;
Use the modulus value as an index value and find the sub-key corresponding to the index value in the sub-key set.
11. The network equipment according to claim 9 or 10, characterized in that the processor is specifically configured to:
Perform an XOR operation on the first field included in the sequence number of the data message and the determined sub-key to obtain the encrypted field, wherein the number of bytes of the determined sub-key is the same as the number of bytes of the first field.
12. The network equipment according to any one of claims 9 to 11, characterized in that the processor is further configured to:
Send, through the communication interface, an Internet Key Exchange (IKE) negotiation request message to the second network equipment, wherein the value of a predetermined marker in the IKE negotiation request message is set to a first value, and the first value indicates support for encrypted transmission of the sequence number;
Receive, through the communication interface, an IKE negotiation response message sent by the second network equipment, wherein the value of the predetermined marker in the IKE negotiation response message is set to the first value;
Determine, according to the value of the predetermined marker in the IKE negotiation response message, that the second network equipment supports encrypted transmission of the sequence number.
13. A second network equipment, characterized in that the second network equipment comprises: a communication interface, a processor and a memory;
The processor calls instructions stored in the memory to perform the following processing:
Receive, through the communication interface, a data message sent by a first network equipment;
Determine a sub-key from a sub-key set, wherein the sub-key set includes M sub-keys, the M sub-keys are generated according to N fields into which an original key is split, the original key is determined in advance through negotiation between the first network equipment and the second network equipment, and M is greater than or equal to N;
Perform decryption processing on the first field included in the sequence number of the received data message and the determined sub-key to obtain a decrypted field, wherein the sequence number includes multiple fields;
Replace the first field in the sequence number of the data message with the decrypted field, thereby obtaining the decrypted data message.
14. The network equipment according to claim 13, characterized in that the processor is specifically configured to:
Take the second field included in the sequence number of the data message modulo M to obtain a modulus value;
Use the modulus value as an index value and find the sub-key corresponding to the index value in the sub-key set.
15. The network equipment according to claim 13 or 14, characterized in that the processor is specifically configured to:
Perform an XOR operation on the first field included in the sequence number of the data message and the determined sub-key to obtain the decrypted field, wherein the number of bytes of the determined sub-key is the same as the number of bytes of the first field.
16. The network equipment according to any one of claims 13 to 15, characterized in that:
An Internet Key Exchange (IKE) negotiation request message sent by the first network equipment is received through the communication interface, wherein the value of a predetermined marker in the IKE negotiation request message is set to a first value, and the first value indicates support for encrypted transmission of the sequence number;
If encrypted transmission of the sequence number is supported, an IKE negotiation response message is sent to the first network equipment through the communication interface, wherein the value of the predetermined marker in the IKE negotiation response message is set to the first value.
17. A communication system, characterized by comprising the first network equipment according to claims 9 to 12 above and the second network equipment according to claims 13 to 16 above.
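The sequence-number handling described in the method and device claims above (sub-key selection by modulo M, XOR of the first field, IKE marker check), as an added Python example that is not code from the patent. The 32-bit sequence number, the 2-byte first (high) and second (low) fields, the use of each key field directly as a sub-key (so M = N), the marker value 1, the function names and the sample key are all assumptions made for illustration.

```python
from typing import Dict

FIELD_LEN = 2        # assumption: first field, second field and sub-keys are 2 bytes each
FIRST_VALUE = 1      # assumption: marker value meaning "sequence-number encryption supported"


def build_subkey_set(original_key: bytes) -> Dict[int, bytes]:
    """Split the negotiated original key into N fields and index them 0..M-1.

    Assumption: every field is used directly as one sub-key, so M == N.
    """
    if not original_key or len(original_key) % FIELD_LEN:
        raise ValueError("original key must be a non-empty multiple of FIELD_LEN bytes")
    return {i // FIELD_LEN: original_key[i:i + FIELD_LEN]
            for i in range(0, len(original_key), FIELD_LEN)}


def peer_supports_seq_encryption(request_marker: int, response_marker: int) -> bool:
    """The scheme is enabled only if request and response both carry the first value."""
    return request_marker == FIRST_VALUE and response_marker == FIRST_VALUE


def transform_sequence_number(seq: int, subkeys: Dict[int, bytes]) -> int:
    """XOR the first field with the sub-key selected by (second field mod M).

    The second field is left unchanged, so both ends select the same sub-key
    and the same call encrypts at the sender and decrypts at the receiver.
    """
    if not 0 <= seq <= 0xFFFFFFFF:
        raise ValueError("sequence number must fit in 32 bits")
    raw = seq.to_bytes(2 * FIELD_LEN, "big")
    first, second = raw[:FIELD_LEN], raw[FIELD_LEN:]
    index = int.from_bytes(second, "big") % len(subkeys)   # modulus value used as index
    subkey = subkeys[index]
    if len(subkey) != len(first):                          # byte counts must match
        raise ValueError("sub-key and first field differ in length")
    new_first = bytes(a ^ b for a, b in zip(first, subkey))
    return int.from_bytes(new_first + second, "big")       # first field replaced


# Constructed sample values, not taken from the patent.
SAMPLE_KEY = bytes.fromhex("a1b2c3d4e5f60718")
SUBKEYS = build_subkey_set(SAMPLE_KEY)

if __name__ == "__main__":
    if peer_supports_seq_encryption(FIRST_VALUE, FIRST_VALUE):
        sent = transform_sequence_number(0x00010006, SUBKEYS)
        received = transform_sequence_number(sent, SUBKEYS)
        print(f"on the wire: {sent:#010x}, after decryption: {received:#010x}")
```
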
CN201710763841.1A 2017-08-30 2017-08-30 Message encryption and decryption method, network equipment and system Active CN109428867B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710763841.1A CN109428867B (en) 2017-08-30 2017-08-30 Message encryption and decryption method, network equipment and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710763841.1A CN109428867B (en) 2017-08-30 2017-08-30 Message encryption and decryption method, network equipment and system

Publications (2)

Publication Number Publication Date
CN109428867A true CN109428867A (en) 2019-03-05
CN109428867B CN109428867B (en) 2020-08-25

Family

ID=65502143

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710763841.1A Active CN109428867B (en) 2017-08-30 2017-08-30 Message encryption and decryption method, network equipment and system

Country Status (1)

Country Link
CN (1) CN109428867B (en)

Also Published As

Publication number Publication date
CN109428867B (en) 2020-08-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant