CN109510832A - A communication method based on a dynamic blacklist mechanism - Google Patents
A communication method based on a dynamic blacklist mechanism
- Publication number: CN109510832A (application CN201811441103.6A)
- Authority: CN (China)
- Prior art keywords: node, message, path, random number, address
- Legal status: Pending (the status listed is an assumption made by Google Patents and is not a legal conclusion)
Classifications
- H04L63/0421: Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer (under H04L63/04, confidential data exchange among entities communicating through data packet networks, within H04L63/00, network architectures or protocols for network security)
- H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
- H04L63/101: Access control lists [ACL] (under H04L63/10, controlling access to devices or network resources)
Abstract
The invention provides a communication method based on a dynamic blacklist mechanism. The network is formed using the dynamic blacklist mechanism: each node judges whether the node that sent it a data packet is legitimate by whether it can decrypt that packet, and a node that decrypts successfully learns only the random number and IP address of its own downstream node and of its own upstream node, never the complete path. The route is therefore anonymous, and the user's anonymity, security and efficiency when accessing the network are ensured.
Description
Technical field
The invention belongs to the technical field of anonymous communication networks, and in particular relates to a communication method based on a dynamic blacklist mechanism.
Background art
D. L. Chaum first proposed the concept of anonymous communication in 1981. Judging from the current state of the art at home and abroad, it is necessary to study both the application of anonymous communication technology in large-scale network environments and anonymous communication systems that can actually be deployed on a network. Research on anonymous network communication can strengthen the resistance to network attack of networks in fields such as national defence, public security and critical infrastructure; it can also protect the privacy rights of users in real-world communication, effectively protect users' commercial transactions and behaviour on the network, and ultimately have a positive influence on the security of global information on the Internet.
The primary purpose of anonymous communication is to hide the identities of the communicating participants so that they cannot be discovered by their counterparts or by third parties, giving better protection to the user's personal privacy and to the security of the communication content. In general, a communication has three kinds of anonymity: sender anonymity, recipient anonymity, and anonymity of the communication relationship between sender and recipient. For example, suppose users a and b communicate through some network communication mode. If neither b nor the other users on the network know the identity of a, that is sender anonymity. If the other users on the network do not know the identity of b, that is recipient anonymity. If the users on the network do not know that sender a and recipient b have exchanged a message at all, that is anonymity of the communication relationship between sender and recipient.
The best-known anonymous communication technique in modern use is onion routing, of which Tor (The Onion Router) is the principal implementation. In an onion routing network a message from the sender reaches the destination through a chain of proxies, each of which is called an onion router. Before a user communicates, the Tor system first establishes a virtual circuit through the open network. A forwarding node on the virtual circuit knows only its own immediate predecessor and immediate successor and none of the other nodes on the path, and the addresses in the IP packets seen by an external observer are those of the adjacent nodes on the path rather than those of the initiator and the recipient, so both initiator and recipient remain anonymous.
Because Tor is an open system, it does not use a strict authentication mechanism to restrict how members join: any node can become a member of the Tor anonymity system after signature authentication. In theory, the information of every registered participating node can be found through the system's directory servers; in practice the system's resource publication mechanism cannot protect the global anonymity of node information, and any user can obtain all of the network communication resources that the anonymous network currently provides. It is therefore very likely that some members of the system are malicious, which creates the possibility that many anonymous communication systems are attacked.
Summary of the invention
To solve the above problems, the invention provides a communication method based on a dynamic blacklist mechanism, which can ensure the user's anonymity, security and efficiency when accessing the network.
A communication method based on a dynamic blacklist mechanism comprises the following steps:
Establish a forwarding path, in which the first node of the forwarding path is the ingress node, the middle consists of two or more intermediate nodes, and the last node is the egress node; the IP address of the ingress node, of each intermediate node and of the egress node corresponds to one random number each.
Attach the random numbers corresponding to all nodes on the forwarding path, in the reverse of their order on the path, to the head of the raw data packet that the user sends to the ingress node, obtaining a message; the random number of the egress node is attached to the head of the raw data packet in two layers.
The ingress node transmits the message to the egress node through the intermediate nodes of the forwarding path, and the egress node sends the message to the target, completing the communication.
Each of the ingress node, the intermediate nodes and the egress node holds its own private key; the ingress node and the egress node also share a pair of symmetric keys. After receiving the message and before forwarding it, the ingress node, the intermediate nodes and the egress node each perform the dynamic blacklist detection operation.
The dynamic blacklist detection operation comprises the following steps:
S101: The current node receives a message and checks whether the source IP address of the received message is in the blacklist. If it is, the message is discarded; if not, proceed to step S102. The initial blacklist is an empty list.
S102: Query whether the first random number currently carried by the message exists in the table of correspondences between random numbers and IP addresses. If not, proceed to step S103; if so, proceed to step S104. The initial correspondence table is empty.
S103: Use the private key of the current node to decrypt the layer of the message in which the current first random number sits. If decryption fails, add the source IP address of the message to the blacklist. If decryption succeeds, obtain the random number corresponding to the IP address of the downstream node of the current node and thereby the IP address of that downstream node, add the random number and IP address to the correspondence table, and forward the decrypted message to the downstream node.
S104: Check whether the IP address corresponding to the first random number is the IP address of the current node. If it is, the current node is the egress node: decrypt the raw data packet in the message with the symmetric key and forward the decrypted message to the target. If not, strip the layer in which the current first random number sits and forward the message to the downstream node.
Further, establishing the forwarding path comprises the following steps:
S201: The user chooses a forwarding path, and the ingress node performs an encryption operation to obtain a path initialisation message. The encryption operation is as follows:
Using the public key of each intermediate node on the forwarding path, the ingress node encrypts the random number and IP address of that intermediate node's upstream node together with the random number and IP address of its downstream node, obtaining a path segment ciphertext for each intermediate node.
Using the public key of the egress node of the forwarding path, the ingress node encrypts the random number and IP address of the last intermediate node, the symmetric key of the ingress node and the sequence of random numbers of all nodes on the forwarding path, obtaining the path segment ciphertext for the egress node.
The ingress node concatenates the path segment ciphertexts of the intermediate nodes and that of the egress node in order, obtaining the path initialisation message.
S202: The ingress node transmits the path initialisation message to the first intermediate node. The first intermediate node decrypts the first path segment ciphertext of the message with its own private key, obtaining the random number and IP address of its upstream node and the random number and IP address of its downstream node, and forwards the remaining path initialisation message to its downstream node. Each subsequent node on the forwarding path likewise decrypts its own path segment ciphertext with its own private key, until every node has obtained the random number and IP address of its upstream node and of its downstream node. The egress node then sends feedback that the forwarding path has been established successfully back along the reverse of the forwarding path to the ingress node, completing the establishment of the forwarding path.
Further, if this is the first time that the ingress node and the egress node of the forwarding path are combined, the following steps are performed before the ingress node performs the encryption operation that produces the path initialisation message:
The ingress node generates a random symmetric key for the egress node; the symmetric key is encrypted with the public key of the egress node and signed with the private key of the ingress node.
The ingress node sends the symmetric key to the egress node through the intermediate nodes. After verifying the signature, the egress node installs the symmetric key and generates a random key of its own; that random key is encrypted with the public key of the ingress node and signed with the private key of the egress node.
The egress node sends its random key to the ingress node through the intermediate nodes, and the ingress node installs that random key.
Further, after the ingress node has established the forwarding path and before the message is formed, the ingress node encrypts the raw data packet with its own symmetric key.
Further, in step S104 the egress node decrypts the raw data packet in the message with the symmetric key and forwards the decrypted message to the target as follows:
The egress node decrypts the raw data packet in the message with the symmetric key of the ingress node and sends a communication request to the target.
After receiving the communication request, the target generates a target response and sends it to the egress node.
The egress node encrypts the target response with its own symmetric key and sends the encrypted target response to the ingress node through the intermediate nodes.
The ingress node decrypts the target response with the symmetric key of the egress node and sends the decrypted target response to the user, completing the communication.
Beneficial effects:
The invention provides a communication method based on a dynamic blacklist mechanism. The network is formed using the dynamic blacklist mechanism: each node judges whether the node that sent it a data packet is legitimate by whether it can decrypt that packet, and a node that decrypts successfully learns only the random number and IP address of its own downstream node and of its own upstream node, never the complete path. The route is therefore anonymous, and the user's anonymity, security and efficiency when accessing the network are ensured.
Description of the drawings
Fig. 1 is a schematic diagram of the network communication path provided by the invention;
Fig. 2 is a flowchart of the dynamic blacklist detection operation provided by the invention;
Fig. 3 is a flowchart of the path establishment operation provided by the invention;
Fig. 4 is a schematic diagram of the path establishment process provided by the invention;
Fig. 5 is a schematic diagram of data packet forwarding provided by the invention;
Fig. 6 is a signalling diagram of the point-to-point encryption negotiation between an ingress node and an egress node provided by the invention.
Specific embodiments
To help those skilled in the art better understand the scheme of this application, the technical solutions in the embodiments of the application are described clearly and completely below with reference to the accompanying drawings.
Embodiment one
A communication method based on a dynamic blacklist mechanism comprises the following steps:
S1: Establish a forwarding path, in which the first node of the forwarding path is the ingress node, the middle consists of two or more intermediate nodes, and the last node is the egress node; the IP address of the ingress node, of each intermediate node and of the egress node corresponds to one random number each.
S2: Attach the random numbers corresponding to all nodes on the forwarding path, in the reverse of their order on the path, to the head of the raw data packet that the user sends to the ingress node, obtaining the message; the random number of the egress node is attached to the head of the raw data packet in two layers.
S3: The ingress node transmits the message to the egress node through the intermediate nodes of the forwarding path, and the egress node forwards the message to the target, completing the communication.
Each of the ingress node, the intermediate nodes and the egress node holds its own public key and private key; the ingress node and the egress node also share a pair of symmetric keys; and before forwarding the message, the ingress node, the intermediate nodes and the egress node each perform the dynamic blacklist detection operation.
Refer to Fig. 1, the schematic diagram of the network communication path provided in this embodiment. During transmission, user a sends a message to the ingress node; the ingress node transmits the message through node A and node B to the egress node, and the egress node sends the message to target a, completing the communication. During transmission no node on the path needs to obtain in advance a list of the legitimate nodes it may communicate with; legitimacy is verified instead by the dynamic blacklist mechanism.
Refer to Fig. 2, the flowchart of the dynamic blacklist detection operation provided in this embodiment. The dynamic blacklist detection operation comprises the following steps:
S101: The current node receives a message and checks whether the source IP address of the received message is in the blacklist. If it is, the message is discarded; if not, proceed to step S102. The initial blacklist is an empty list.
S102: Query whether the first random number currently carried by the message exists in the table of correspondences between random numbers and IP addresses. If not, proceed to step S103; if so, proceed to step S104. The initial correspondence table is empty.
S103: Use the private key of the current node to decrypt the layer of the message in which the current first random number sits. If decryption fails, add the source IP address of the message to the blacklist. If decryption succeeds, obtain the random number corresponding to the IP address of the downstream node of the current node and thereby the IP address of that downstream node, add the random number and IP address to the correspondence table, and forward the decrypted message to the downstream node.
S104: Check whether the IP address corresponding to the first random number is the IP address of the current node. If it is, the current node is the egress node: decrypt the raw data packet in the message with the symmetric key and forward the decrypted message to the target. If not, strip the layer in which the current first random number sits and forward the message to the downstream node.
Note that in step S2 one specific way of attaching the random numbers of all nodes on the forwarding path, in the reverse of their order on the path, to the head of the raw data packet sent by the user to the ingress node, and so obtaining the message, is as follows:
Obtain the random numbers corresponding to all intermediate nodes and to the egress node on the forwarding path, then encrypt the raw data packet with the symmetric key to obtain data packet X. Then attach the random numbers one by one to the head of X, in the reverse of the order of their nodes on the forwarding path; every time one layer of random number is attached to the head of X, X is encrypted once more. After the encryptions of the packet with each layer of random number have been completed in turn, the message is obtained.
Further, completing the encryptions of the packet with each layer of random number in turn is specifically:
Each of the ingress node, the intermediate nodes and the egress node holds its own private key, and each layer is encrypted for the key pair of the node that will later strip it, since in S103 a node can decrypt only a layer prepared for its own private key.
The random number of the egress node is attached to the head of X in two layers. After the first layer of the egress node's random number is attached to X, the packet carrying it is encrypted for the egress node, obtaining data packet X1. After the second layer of the egress node's random number is attached to X1, the packet carrying it is encrypted for the last intermediate node, obtaining data packet X2. After the random number of the last intermediate node is attached to X2, the packet carrying it is encrypted for the penultimate intermediate node, obtaining data packet X3. And so on, until the packet carrying the random number of the first intermediate node is encrypted for the ingress node, obtaining Xn and completing the encryption of every layer of random number; there is one layer for each intermediate node and for the egress node, plus the outermost layer prepared for the ingress node.
Note that because two layers of the egress node's random number are attached to the head of the raw data packet, the first layer of the egress node's random number is stripped at the last intermediate node: after decrypting, the last intermediate node obtains the random number of the egress node, finds the IP address corresponding to that random number, and forwards the message with the first-layer egress random number stripped to that IP address, i.e. to the egress node. The egress node then decrypts the message with its own private key and obtains the second-layer egress random number, whose corresponding IP address is the current host, i.e. the IP address of the egress node; in other words, the message has arrived at the egress node. The egress node then decrypts with the symmetric key the message from which every layer of random number has been stripped, and finally forwards the decrypted message to the target.
Note that because the negotiation uses RSA, processing it frequently consumes a great deal of performance. The rate at which RSA decryption failures are processed for each source IP is therefore limited to at most 10 per second, and an IP whose number of decryption failures is excessive is placed in a black hole for a period of time, which prevents malicious attack.
It can be seen that, from the point of view of network formation, this embodiment does not use a central directory server to organise the network but constructs an anonymous communication network on the basis of the dynamic blacklist mechanism, and uses segment-by-segment encryption, a multi-level network structure, multi-layer encryption and similar techniques to provide an available anonymous communication path, thereby ensuring the user's anonymity, security and efficiency when accessing the network.
Embodiment two
On the basis of the above embodiment, a user who wants to communicate with a target must first select an ingress node, an egress node and a forwarding path. This embodiment therefore provides a method for determining the forwarding path.
Establishing the forwarding path comprises the following steps:
S201: The user chooses a forwarding path, and the ingress node performs an encryption operation to obtain a path initialisation message. The encryption operation is as follows:
Using the public key of each intermediate node on the forwarding path, the ingress node encrypts the random number and IP address of that intermediate node's upstream node together with the random number and IP address of its downstream node, obtaining a path segment ciphertext for each intermediate node.
Using the public key of the egress node of the forwarding path, the ingress node encrypts the random number and IP address of the last intermediate node, the symmetric key of the ingress node and the sequence of random numbers of all nodes on the forwarding path, obtaining the path segment ciphertext for the egress node.
The ingress node concatenates the path segment ciphertexts of the intermediate nodes and that of the egress node in order, obtaining the path initialisation message.
The upstream node of the first intermediate node is the ingress node, and the downstream node of the last intermediate node is the egress node.
S202: The ingress node transmits the path initialisation message to the first intermediate node. The first intermediate node decrypts the first path segment ciphertext of the message with its own private key, obtaining the random number and IP address of its upstream node and the random number and IP address of its downstream node, and forwards the remaining path initialisation message to its downstream node. Each subsequent node on the forwarding path likewise decrypts its own path segment ciphertext with its own private key, until every node has obtained the random number and IP address of its upstream node and of its downstream node. The egress node then sends feedback that the forwarding path has been established successfully back along the reverse of the forwarding path to the ingress node, completing the establishment of the forwarding path.
Note that during the establishment of the forwarding path the ingress node first judges whether the forwarding path is being selected for the first time. If so, it performs steps S201 to S202 above; if not, it proceeds directly to the subsequent steps, i.e. steps S2 to S3 of the embodiment: the random numbers corresponding to all nodes on the forwarding path are attached in reverse order to the head of the raw data packet that the user sends to the ingress node, obtaining the message, with the random number of the last node on the forwarding path attached to the head of the raw data packet in two layers; the ingress node then transmits the message along the forwarding path, through the two or more successively connected intermediate nodes, to the egress node, and the egress node sends the message to the target, completing the communication.
Refer to Fig. 3, the flowchart of the path establishment operation provided in this embodiment. Taking the example of Fig. 1, in which user a sends a message to the ingress node, the ingress node transmits it through node A and node B to the egress node, and the egress node forwards it to target a, the path establishment process is described in detail.
The user chooses a forwarding path, and the ingress node first judges whether this path has already been established. If so, it reuses the association announced earlier (node IP address, random number, port): the random numbers of all nodes on the circuit, for both the outgoing and the return path, are placed on the head of the encrypted raw data packet and sent to node A. If not, the ingress node encrypts, with the public key of node A, the random number b and IP address of node B and the random number x and IP address of the ingress node; with the public key of node B, the random number a and IP address of node A and the random number d and IP address of the egress node; and with the public key of the egress node, the random number b and IP address of node B, the AES symmetric key of the ingress node and the random number sequence xabd of all nodes on the forwarding path. The ingress node concatenates the results of these encryptions into the path initialisation message and transmits it in turn to node A, node B and the egress node on the forwarding path.
Note that the current node decrypts the path initialisation message forwarded by its upstream node with its own private key, obtains the random number and IP address of its upstream node and the random number and IP address of its downstream node, and adds these random numbers and IP addresses to the table of correspondences between random numbers and IP addresses. In effect, the correspondence between the upstream node's random number and IP address that the current node records mirrors the correspondence that the previous node recorded for its own next node, so each pair of adjacent nodes holds an entry for the other.
Refer to Fig. 4, the schematic diagram of the path establishment process provided in this embodiment, again for the example of Fig. 1 in which user a sends a message to the ingress node, the ingress node transmits it through node A and node B to the egress node, and the egress node forwards it to target a.
Each node is designed to know only its own upstream node and downstream node. After decrypting with its own private key, node A obtains the information of its upstream node on the path (IP address of the ingress node, random number x) and of its downstream node (IP address of node B, random number b), and passes the remainder on to node B. After decrypting with its own private key, node B obtains the information of its upstream node on the path (IP address of node A, random number a) and of its downstream node (IP address of the egress node, random number d), and passes the remainder on to the egress node. After decrypting with its own private key, the egress node obtains the information of its upstream node on the path (IP address of node B, random number b), the key of the ingress node (the AES key) and the path sequence (xabd). In this way every node in the whole network is connected only to a limited set of upstream and downstream nodes. Each node knows only its own private key, its certificate and the port on which it provides service, and is designed never to receive more information than it needs.
Refer to Fig. 5, the schematic diagram of message forwarding provided in this embodiment. After the forwarding path has been determined, the ingress node encrypts the message of user a with the AES symmetric key of the egress node, translates the sequence of nodes on the whole path into the corresponding path sequence, attaches it to the head of the encrypted raw data packet and transmits it to node A. From the point of view of data forwarding, node A identifies the path sequence and forwards the remaining data to node B, node B forwards it on, and when it reaches the egress node the message is decrypted and sent to target a; the egress node also uses the path sequence to find the corresponding data return path in memory, and the feedback that the forwarding path was established successfully is sent back to the ingress node along the reverse of the forwarding path.
Note that closest to the head of the raw data packet, i.e. after the two layers of egress node random number, one further layer is attached consisting of the path sequence xabd formed from the random numbers of all nodes on the forwarding path; the feedback that the forwarding path was established successfully is then sent back to the ingress node along the reverse of the forwarding path according to the IP addresses corresponding to the random numbers dbax.
It can be seen that during message transmission the user first encrypts the message with the symmetric key, and the ingress node then encrypts it again, in turn, with the key of each node on the path. In this way the data entry point is chosen and controlled by the user, the intermediate nodes in the network cannot learn the content of the data, and the data exit cannot learn which entry point the data came from, giving the user very high security and concealment.
Embodiment three
When the ingress node communicates with the egress node, that is, when the ingress node sends a message to the egress node through two or more intermediate nodes, and the ingress node and the egress node on the forwarding path are paired for the first time, the ingress node needs to negotiate an AES256 symmetric key with the egress node. Building on the above embodiments, the process by which the ingress node and the egress node negotiate the AES256 symmetric key is described in detail below.
Referring to Fig. 6, which is a signalling diagram of the point-to-point encryption negotiation between an ingress node and an egress node provided in this embodiment.
If the ingress node and the egress node on the forwarding path are paired for the first time, the ingress node also executes the following steps before it performs the encryption operation that yields the path initialization message:
The ingress node generates a random symmetric key for the egress node, where the symmetric key is encrypted with the public key of the egress node and signed with the private key of the ingress node;
The ingress node sends the symmetric key to the egress node through the intermediate nodes; after verifying the signature, the egress node installs the symmetric key and generates a random key of its own, where the random key is encrypted with the public key of the ingress node and signed with the private key of the egress node;
The egress node sends the random key to the ingress node through the intermediate nodes, and the ingress node installs the random key.
Further, after the ingress node has established the forwarding path and before it obtains the message, the following step is also executed:
The ingress node encrypts the raw data packet with its own symmetric key.
Further, in step S104 the egress node decrypts the raw data packet in the message with the symmetric key and forwards the decrypted message to the target, specifically:
The egress node decrypts the raw data packet in the message with the symmetric key of the ingress node and sends a communication request to the target;
After receiving the communication request, the target receives the message, generates a target response and sends the target response to the egress node;
The egress node encrypts the target response with its own symmetric key and sends the encrypted target response to the ingress node through the intermediate nodes;
The ingress node decrypts the target response with the symmetric key of the egress node and sends the decrypted target response to the user, completing the communication.
Further, if the ingress node does not receive the target response of the egress node within a set time, the ingress node resets the key state of that egress node.
Further, the ingress node also resets the egress node key state when it sends a message externally for the first time.
Of course, the invention may also have other embodiments. Without departing from the spirit and substance of the invention, those skilled in the art can make various corresponding changes and modifications according to the invention, and all such corresponding changes and modifications shall fall within the scope of protection of the appended claims of the invention.
Claims (5)
1. A communication method based on a dynamic blacklist mechanism, characterised in that the method comprises the following steps:
Establishing a forwarding path, wherein the first node of the forwarding path is an ingress node, the middle consists of two or more intermediate nodes, the last node is an egress node, and the IP address of each of the ingress node, the intermediate nodes and the egress node corresponds to one random number;
Attaching the random numbers corresponding to all nodes on the forwarding path, in the order opposite to their order on the path, to the header of the raw data packet sent by the user to the ingress node, obtaining a message, wherein the random number of the egress node is attached to the header of the raw data packet in two layers;
After the ingress node has transmitted the message to the egress node through the intermediate nodes of the forwarding path, the egress node sends the message to the target, realising communication;
Wherein the ingress node, the intermediate nodes and the egress node are each provided with their own private key, the ingress node and the egress node are additionally provided with a pair of symmetric keys, and the ingress node, the intermediate nodes and the egress node each execute a dynamic blacklist detection operation after receiving the message and before forwarding it;
The dynamic blacklist detection operation comprises the following steps:
S101: the current node receives a message and checks whether the source IP address of the received message is in the blacklist: if so, the message is discarded; if not, proceed to step S102, wherein the initial blacklist is an empty list;
S102: query whether the current first random number carried by the message exists in the random number and IP address mapping table: if not, proceed to step S103; if so, proceed to step S104; wherein the initial random number and IP address mapping table is an empty table;
S103: decrypt the layer of the message in which the current first random number is located with the private key of the current node: if decryption fails, add the source IP address of the message to the blacklist; if decryption succeeds, obtain the random number corresponding to the IP address of the downstream node of the current node and thereby the IP address of that downstream node, add the random number and the IP address to the random number and IP address mapping table, and forward the decrypted message to the downstream node;
S104: check whether the IP address corresponding to the first random number is the IP address of the current node: if so, the current node is the egress node, so the raw data packet in the message is decrypted with the symmetric key and the decrypted data is forwarded to the target; if not, strip the layer in which the current first random number is located and forward the message to the downstream node.
2. The communication method based on a dynamic blacklist mechanism according to claim 1, characterised in that establishing the forwarding path comprises the following steps:
S201: the user selects a forwarding path, and the ingress node performs an encryption operation to obtain a path initialization message, wherein the encryption operation is specifically:
the ingress node uses the public key of each intermediate node on the forwarding path to encrypt the random number and IP address of that intermediate node's upstream node together with the random number and IP address of its downstream node, obtaining the section encryption result of each intermediate node;
the ingress node uses the public key of the egress node of the forwarding path to encrypt the random number and IP address of the last intermediate node, the symmetric key of the ingress node and the random number sequence corresponding to all nodes on the forwarding path, obtaining the section encryption result of the egress node;
the ingress node concatenates the section encryption results of the intermediate nodes and the section encryption result of the egress node in order, obtaining the path initialization message;
S202: the ingress node sends the path initialization message to the first intermediate node; the first intermediate node decrypts the first section encryption result of the path initialization message with its own private key, obtains the random number and IP address of its upstream node and the random number and IP address of its downstream node, and then forwards the decrypted path initialization message to its downstream node; and so on, each subsequent node on the forwarding path decrypts its section encryption result of the path initialization message with its own private key, until every node has obtained the random number and IP address of its own upstream node and the random number and IP address of its downstream node; the egress node sends the feedback that the forwarding path has been successfully established to the ingress node along the reverse of the forwarding path, completing the establishment of the forwarding path.
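As an added example that is not part of the patent, the following Python simulates the forwarding scheme of Embodiment Two together with claims 1 and 2 in one in-memory network: the ingress seals one section per hop (S201), every hop runs S101 to S104 on each message it receives, a failed decryption blacklists the sender, and the egress random number is carried twice so that the last intermediate node strips one copy and the egress recognises the other. The per-node secret and the seal/unseal functions are stand-ins for the page's RSA key pairs and AES-256 (an authenticated construction is used on purpose, because S103 needs a wrong-key decryption to be detectable), and the IP addresses, the JSON section layout and the position of the random numbers in the header are my assumptions.

```python
import hashlib, hmac, json, os
def seal(key, data):  # stand-in for the page's RSA sections / AES-256 payload; the tag makes a wrong-key decrypt detectable
    n = os.urandom(8)
    ct = bytes(p ^ k for p, k in zip(data, hashlib.shake_256(key + n).digest(len(data))))
    return n + ct + hmac.new(key, n + ct, "sha256").digest()
def unseal(key, blob):
    n, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, n + ct, "sha256").digest()):
        raise ValueError("decryption failed")                            # the event S103 keys off
    return bytes(c ^ k for c, k in zip(ct, hashlib.shake_256(key + n).digest(len(ct))))
class Node:
    def __init__(self, ip):                                              # one secret stands for the node's key pair
        self.ip, self.key, self.aes, self.got = ip, os.urandom(32), None, []
        self.blacklist, self.table = set(), {}                           # S101 / S102 state, initially empty
    def receive(self, src_ip, layers, payload):                          # claim 1, S101-S104
        if src_ip in self.blacklist:                                     # S101
            return "drop", None
        rnd, section = layers[0]
        if rnd not in self.table:                                        # S102 -> S103
            try:
                info = json.loads(unseal(self.key, section or b""))
            except ValueError:                                           # wrong key or garbage: blacklist the sender
                self.blacklist.add(src_ip)
                return "drop", None
            if "aes" in info:                                            # egress section: AES key + path sequence
                self.aes, self.table[info["seq"][-1]] = bytes.fromhex(info["aes"]), self.ip
                return "done", None                                      # (feedback to the ingress omitted)
            self.table[info["down_rnd"]] = info["down_ip"]               # learn the downstream hop
            return info["down_ip"], (layers[1:], payload)
        if self.table[rnd] == self.ip:                                   # S104: this node is the egress
            self.got.append(unseal(self.aes, payload))
            return "done", None
        return self.table[rnd], (layers[1:], payload)                    # S104: strip one layer, forward
def build_path(nodes, aes):                   # S201: one random number per IP, one sealed section per hop
    rnd, layers = [os.urandom(4).hex() for _ in nodes], []
    nodes[0].table.update(zip(rnd[1:], [n.ip for n in nodes[1:]]))      # the ingress chose the path
    for i, n in enumerate(nodes[1:], 1):
        info = {"up_rnd": rnd[i - 1], "up_ip": nodes[i - 1].ip}
        info.update({"aes": aes.hex(), "seq": rnd} if n is nodes[-1]
                    else {"down_rnd": rnd[i + 1], "down_ip": nodes[i + 1].ip})
        layers.append((rnd[i], seal(n.key, json.dumps(info).encode())))
    return rnd, layers
def deliver(net, src_ip, dst_ip, layers, payload):                      # constructed in-memory network
    while dst_ip not in ("drop", "done"):
        nxt, rest = net[dst_ip].receive(src_ip, layers, payload)
        src_ip, dst_ip, (layers, payload) = dst_ip, nxt, rest or (None, None)
def demo():
    net = {ip: Node(ip) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4")}   # constructed addresses
    aes, (x, a, b, d) = os.urandom(32), net.values()
    rnd, init = build_path([x, a, b, d], aes)
    deliver(net, x.ip, a.ip, init, None)                                 # S202: path set-up x -> a -> b -> d
    hdr = [(r, None) for r in rnd[1:] + rnd[-1:]]                        # a b d d: the egress number twice
    deliver(net, "user", x.ip, hdr, seal(aes, b"hello"))                # b strips one d, d recognises the other
    deliver(net, "203.0.113.9", b.ip, [("beef", b"\x00" * 48)], None)    # bad section: b blacklists 203.0.113.9
    return net, rnd
```

After `demo()` the egress holds the decrypted `b"hello"`, node b's blacklist contains the sender of the undecryptable section, and a later message from that sender is dropped at S101 before any decryption is attempted.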
3. The communication method based on a dynamic blacklist mechanism according to claim 2, characterised in that, if the ingress node and the egress node on the forwarding path are paired for the first time, the ingress node also executes the following steps before performing the encryption operation that yields the path initialization message:
the ingress node generates a random symmetric key for the egress node, wherein the symmetric key is encrypted with the public key of the egress node and signed with the private key of the ingress node;
the ingress node sends the symmetric key to the egress node through the intermediate nodes; after verifying the signature, the egress node installs the symmetric key and generates a random key, wherein the random key is encrypted with the public key of the ingress node and signed with the private key of the egress node;
the egress node sends the random key to the ingress node through the intermediate nodes, and the ingress node installs the random key.
4. The communication method based on a dynamic blacklist mechanism according to claim 1, characterised in that, after the ingress node has established the forwarding path and before it obtains the message, the following step is also executed:
the ingress node encrypts the raw data packet with its own symmetric key.
5. The communication method based on a dynamic blacklist mechanism according to claim 1, characterised in that, in step S104, the egress node decrypting the raw data packet in the message with the symmetric key and forwarding the decrypted message to the target is specifically:
the egress node decrypts the raw data packet in the message with the symmetric key of the ingress node and sends a communication request to the target;
after receiving the communication request, the target receives the message, generates a target response and sends the target response to the egress node;
the egress node encrypts the target response with its own symmetric key and sends the encrypted target response to the ingress node through the intermediate nodes;
the ingress node decrypts the target response with the symmetric key of the egress node and sends the decrypted target response to the user, realising communication.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811441103.6A CN109510832A (en) | 2018-11-29 | 2018-11-29 | A kind of communication means based on dynamic blacklist mechanism |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109510832A true CN109510832A (en) | 2019-03-22 |
Family
ID=65751163
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111247818A (en) * | 2019-11-18 | 2020-06-05 | 深圳市汇顶科技股份有限公司 | Path selection method and BLE device |
CN112019501A (en) * | 2020-07-20 | 2020-12-01 | 北京邮电大学 | Anonymous communication method and device for user nodes |
CN112803599A (en) * | 2021-04-08 | 2021-05-14 | 南京远思智能科技有限公司 | Bullet train energy management system and management method thereof |
CN113114703A (en) * | 2021-05-14 | 2021-07-13 | 恒隆通信技术有限公司 | Data encryption method and system for networking communication |
CN113114703B (en) * | 2021-05-14 | 2022-02-22 | 恒隆通信技术有限公司 | Data encryption method and system for networking communication |
CN113572727A (en) * | 2021-06-08 | 2021-10-29 | 深圳市国电科技通信有限公司 | Data security concealed transmission method and system based on P2P network routing node |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: Room 2351, floor 2, building 23, No. 18, Anningzhuang East Road, Haidian District, Beijing 100085; Applicant after: Beijing Sixin Feiyang Information Technology Co., Ltd. Address before: Room 203, 2nd floor, 3rd floor, Tiandi Neighboring Fengfeng Project, No. 1 North Yongtaizhuang Road, Haidian District, Beijing, 100192; Applicant before: BEIJING YUANTEK INFORMATION TECHNOLOGY Co.,Ltd. |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190322 |