CN109510832A - A kind of communication means based on dynamic blacklist mechanism - Google Patents


Info

Publication number: CN109510832A
Authority: CN (China)
Prior art keywords: node, message, path, random number, address
Legal status: Pending
Application number: CN201811441103.6A
Other languages: Chinese (zh)
Inventors: 匡凡, 张晓宁, 赵恩让, 陈文贤, 杨金良, 贾强, 张子中
Current assignee: Beijing Tianyuan Texin Information Technology Co Ltd
Original assignee: Beijing Tianyuan Texin Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L 63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]


Abstract

The present invention provides a communication method based on a dynamic blacklist mechanism. The network is formed using the dynamic blacklist mechanism: each node judges whether the sending node is legitimate by whether it can successfully decrypt the data packet it receives, and on successful decryption each node obtains only the random number and IP address of its downstream node and the random number and IP address of its upstream node, without learning the complete path. This realises route anonymity and ensures the user's anonymity, security and efficiency when accessing the network.

Description

A kind of communication means based on dynamic blacklist mechanism
Technical field
The invention belongs to the technical field of anonymous communication networks, and in particular relates to a communication method based on a dynamic blacklist mechanism.
Background technique
In 1981 D. L. Chaum first proposed the concept of anonymous communication. Judged from the current state of the art at home and abroad, it is very necessary to study the application of anonymous communication technology in large-scale network environments and anonymous communication systems that can be deployed on the network. Research on anonymous network communication can strengthen the ability of networks in fields such as the national military, security and key basic environments to resist attack; it can also protect users' right to privacy in real-world communication, effectively protect users' network commercial transactions and behaviour, and ultimately have a positive influence on the security of global Internet information.
The primary purpose of anonymous communication is to hide the identities of the communicating participants, preventing them from being discovered by their communication partners and by third parties, so that the user's personal privacy and the security of the communication content are better protected. In general, a communication process involves three kinds of anonymity: sender anonymity, receiver anonymity, and anonymity of the communication link between sender and receiver. For example, users a and b communicate by some network communication means. If neither b nor any other user on the network knows the identity of a, this is sender anonymity. If the other users on the network do not know the identity of b, this is receiver anonymity. If the users on the network do not know that sender a and receiver b have exchanged a message, this is anonymity of the communication link between sender and receiver.
The best-known anonymous communication technology in modern use is onion routing (The Onion Router, Tor). In an onion routing network, a message from the sender reaches the destination through a chain of proxies; these intermediaries are called onion routers. Before the user communicates, the Tor system first establishes a virtual circuit through the open network. A forwarding node in the virtual circuit knows only its own direct predecessor and immediate successor, not the other nodes on the path. The addresses that an external observer sees in the IP packets are not those of the communication initiator and receiver but those of the preceding and following nodes on the path, so the initiator and receiver remain anonymous.
Because Tor is an open system, it imposes no strict authentication mechanism on how members join: any node becomes a member of the Tor anonymity system after signature authentication. In theory, the identity information of any registered participating node can be found through the system's directory servers; in practice the system's resource-publishing mechanism cannot protect the global anonymity of node information, and any user can obtain all of the network communication resources that the anonymous network provides in its current state. Consequently a portion of malicious members is very likely to exist in the system, which creates the possibility of the anonymous communication system being attacked.
Summary of the invention
To solve the above problems, the present invention provides a communication method based on a dynamic blacklist mechanism that ensures the user's anonymity, security and efficiency when accessing the network.
A communication method based on a dynamic blacklist mechanism comprises the following steps:
Establishing a forwarding path, in which the first node is the Ingress node, the middle consists of two or more intermediate nodes, and the last node is the Egress node; the IP addresses of the Ingress node, the intermediate nodes and the Egress node each correspond to a random number;
Attaching the random numbers corresponding to all nodes on the forwarding path, in the reverse of their order on the path, to the head of the raw data packet that the user sends to the Ingress node, to obtain a message, where the random number of the Egress node is attached to the head of the raw data packet in two layers;
After the Ingress node has forwarded the message to the Egress node through the intermediate nodes of the forwarding path, the Egress node sends the message to the target, realising communication;
The Ingress node, the intermediate nodes and the Egress node are each provided with their own private key, the Ingress node and the Egress node are additionally provided with a pair of symmetric keys, and the Ingress node, the intermediate nodes and the Egress node each execute the dynamic blacklist detection operation after receiving the message and before forwarding it;
The dynamic blacklist detection operation comprises the following steps:
S101: the current node receives a message and checks whether the source IP address of the received message is in the blacklist; if so, the message is discarded; if not, proceed to step S102. The initial blacklist is an empty list;
S102: query whether the current first random number carried by the message exists in the random number and IP address mapping table; if not, proceed to step S103; if so, proceed to step S104. The initial random number and IP address mapping table is an empty table;
S103: decrypt the layer of the message in which the current first random number sits using the private key of the current node. If decryption fails, add the source IP address of the message to the blacklist. If decryption succeeds, obtain the random number corresponding to the downstream node of the current node and from it the IP address of the downstream node, add the random number and IP address to the random number and IP address mapping table, and forward the decrypted message to the downstream node;
S104: check whether the IP address corresponding to the first random number is the IP address of the current node. If so, the current node is the Egress node: decrypt the raw data packet in the message with the symmetric key and forward the decrypted message to the target. If not, strip the layer in which the current first random number sits and forward the message to the downstream node.
Further, establishing the forwarding path comprises the following steps:
S201: the user selects a forwarding path, and the Ingress node performs an encryption operation to obtain a path initialisation message, where the encryption operation is specifically:
the Ingress node uses the public key of each intermediate node on the forwarding path to encrypt, for that intermediate node, the random number and IP address of its upstream node and the random number and IP address of its downstream node, obtaining a path-section encryption result for each intermediate node;
the Ingress node uses the public key of the Egress node on the forwarding path to encrypt the random number and IP address of the last intermediate node, the symmetric key of the Ingress node, and the random number sequence of all nodes on the forwarding path, obtaining the path-section encryption result for the Egress node;
the Ingress node concatenates the path-section encryption results of the intermediate nodes and of the Egress node in order, obtaining the path initialisation message;
S202: the Ingress node forwards the path initialisation message to the first intermediate node. The first intermediate node uses its own private key to decrypt the first path-section encryption result of the path initialisation message, obtains the random number and IP address of its upstream node and the random number and IP address of its downstream node, and forwards the decrypted path initialisation message to its downstream node. The subsequent nodes on the forwarding path likewise each use their own private key to decrypt their own path-section encryption result of the path initialisation message, until every node has obtained the random number and IP address of its upstream node and the random number and IP address of its downstream node. The Egress node then sends feedback that the forwarding path has been successfully established back along the forwarding path to the Ingress node, completing the establishment of the forwarding path.
Further, if the Ingress node and the Egress node of the forwarding path are combined for the first time, the following steps are also executed before the Ingress node performs the encryption operation that obtains the path initialisation message:
the Ingress node generates a random symmetric key for the Egress node, where the symmetric key is encrypted with the public key of the Egress node and signed with the private key of the Ingress node;
the Ingress node sends the symmetric key to the Egress node through the intermediate nodes; after verifying the signature, the Egress node installs the symmetric key and generates a random key, where the random key is encrypted with the public key of the Ingress node and signed with the private key of the Egress node;
the Egress node sends the random key to the Ingress node through the intermediate nodes, and the Ingress node installs the random key.
Further, after the Ingress node has established the forwarding path and before it obtains the message, the following step is also executed:
the Ingress node encrypts the raw data packet using its own symmetric key.
Further, in step S104, the Egress node decrypting the raw data packet in the message with the symmetric key and forwarding the decrypted message to the target is specifically:
the Egress node decrypts the raw data packet in the message using the symmetric key of the Ingress node and sends it to the target as a communication request;
after receiving the communication request, the target generates a target response and sends the target response to the Egress node;
the Egress node encrypts the target response using its own symmetric key and sends the encrypted target response to the Ingress node through the intermediate nodes;
the Ingress node decrypts the target response using the symmetric key of the Egress node and sends the decrypted target response to the user, realising communication.
Beneficial effects:
The present invention provides a communication method based on a dynamic blacklist mechanism. The network is formed using the dynamic blacklist mechanism: each node judges whether the sending node is legitimate by whether it can successfully decrypt the data packet it receives, and on successful decryption each node obtains only the random number and IP address of its downstream node and the random number and IP address of its upstream node, without learning the complete path. This realises route anonymity and ensures the user's anonymity, security and efficiency when accessing the network.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network communication path provided by the invention;
Fig. 2 is a flow chart of a dynamic blacklist detection operation provided by the invention;
Fig. 3 is a flow chart of the path establishment operation provided by the invention;
Fig. 4 is a process schematic of path establishment provided by the invention;
Fig. 5 is a schematic diagram of data packet forwarding provided by the invention;
Fig. 6 is a signalling diagram of point-to-point negotiated encryption between an Ingress node and an Egress node provided by the invention.
Specific embodiment
To enable those skilled in the art to better understand the scheme of the present application, the technical scheme in the embodiments of the application is described clearly and completely below in conjunction with the accompanying drawings.
Embodiment one
A communication method based on a dynamic blacklist mechanism comprises the following steps:
S1: establish a forwarding path, in which the first node is the Ingress node, the middle consists of two or more intermediate nodes, and the last node is the Egress node; the IP addresses of the Ingress node, the intermediate nodes and the Egress node each correspond to a random number;
S2: attach the random numbers corresponding to all nodes on the forwarding path, in the reverse of their order on the path, to the head of the raw data packet that the user sends to the Ingress node, obtaining a message, where the random number of the Egress node is attached to the head of the raw data packet in two layers;
S3: after the Ingress node has forwarded the message to the Egress node through the intermediate nodes of the forwarding path, the Egress node forwards the message to the target, realising communication.
The Ingress node, the intermediate nodes and the Egress node are each provided with their own public key and private key, the Ingress node and the Egress node are additionally provided with a pair of symmetric keys, and the Ingress node, the intermediate nodes and the Egress node each execute the dynamic blacklist detection operation before forwarding the message.
Referring to Fig. 1, the schematic diagram of the network communication path provided in this embodiment. During transmission, user a sends a message to the Ingress node; the Ingress node forwards the message via node A and node B to the Egress node, and the Egress node sends the message to target a, realising communication. In the transmission process, no node on the path needs to obtain in advance a list of legitimate nodes it may communicate with; instead, legitimacy verification is completed by the dynamic blacklist mechanism.
Referring to Fig. 2, the flow chart of a dynamic blacklist detection operation provided in this embodiment. The dynamic blacklist detection operation comprises the following steps:
S101: the current node receives a message and checks whether the source IP address of the received message is in the blacklist; if so, the message is discarded; if not, proceed to step S102. The initial blacklist is an empty list;
S102: query whether the current first random number carried by the message exists in the random number and IP address mapping table; if not, proceed to step S103; if so, proceed to step S104. The initial random number and IP address mapping table is an empty table;
S103: decrypt the layer of the message in which the current first random number sits using the private key of the current node. If decryption fails, add the source IP address of the message to the blacklist. If decryption succeeds, obtain the random number corresponding to the downstream node of the current node and from it the IP address of the downstream node, add the random number and IP address to the random number and IP address mapping table, and forward the decrypted message to the downstream node;
S104: check whether the IP address corresponding to the first random number is the IP address of the current node. If so, the current node is the Egress node: decrypt the raw data packet in the message with the symmetric key and forward the decrypted message to the target. If not, strip the layer in which the current first random number sits and forward the message to the downstream node.
It should be noted that in step S2, one specific implementation of attaching the random numbers corresponding to all nodes on the forwarding path, in the reverse of their order on the path, to the head of the raw data packet that the user sends to the Ingress node, obtaining the message, is as follows:
Obtain the random numbers corresponding to all intermediate nodes and the Egress node on the forwarding path, then encrypt the raw data packet with the symmetric key to obtain data packet X, then attach each random number in turn to the head of data packet X in the reverse of its corresponding node's order on the forwarding path. Each time a layer of random number is added to the head of data packet X, data packet X is encrypted once more; after the encryption of the data packet with each layer of random number attached has been completed in turn, the message is obtained;
Further, completing in turn the encryption of the data packet with each layer of random number attached is specifically:
the Ingress node, the intermediate nodes and the Egress node are provided with their own private keys;
the random number of the Egress node of the forwarding path is attached to the head of data packet X in two layers. After the first layer of the Egress node's random number is attached to data packet X, the private key of the Egress node is used to encrypt data packet X with the first-layer Egress node random number attached, obtaining data packet X1;
after the second layer of the Egress node's random number is attached to data packet X1, the private key of the last intermediate node is used to encrypt data packet X1 with the second-layer Egress node random number attached, obtaining data packet X2;
after the random number of the last intermediate node is attached to data packet X2, the private key of the penultimate intermediate node is used to encrypt data packet X2 with the last intermediate node's random number attached, obtaining data packet X3;
and so on, until the private key of the Ingress node encrypts the data packet Xn with the random number of the first intermediate node attached, completing the encryption of every layer of random number, where n is the number of intermediate nodes plus the number of Egress nodes.
It should be noted that, because the random number corresponding to the Egress node is attached to the head of the raw data packet in two layers, the first-layer Egress node random number is stripped at the last intermediate node: the last intermediate node obtains the IP address corresponding to the Egress node random number it has decrypted and, according to that IP address, forwards the message with the first-layer Egress node random number stripped to the Egress node. The Egress node then decrypts the message with its own private key and obtains the second-layer Egress node random number; the IP address corresponding to that random number is the current host, i.e. the IP address of the Egress node, which means the message has arrived at the Egress node. The Egress node then decrypts the message from which every layer of random number has been stripped using the symmetric key, and finally forwards the decrypted message to the target.
It should be noted that, because the negotiation uses RSA, frequent processing consumes a great deal of performance. Each source IP is therefore limited to a rate of RSA decryption failures no higher than 10 per second, and an IP whose count of decryption failures is excessive is placed in a black hole for a period of time, avoiding malicious attack.
It can be seen that, from a networking standpoint, this embodiment does not use a rendezvous directory server to organise the network but builds an anonymous communication network scheme on the dynamic blacklist mechanism, and uses techniques such as segment-by-segment encryption, a multi-stage network structure and multi-layer encryption to provide the availability of the anonymous communication path, thereby ensuring the user's anonymity, security and efficiency when accessing the network.
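The following Python simulation is an added example and not the patent's code. It covers three passages above: the dynamic blacklist detection operation S101 to S104, the two-layer Egress node random number of step S2, and the per-source limit of 10 decryption failures per second followed by a black-hole period. Everything below the level of the patent text is an assumption of mine: `seal()`/`open_()` are a stand-in for the RSA and AES layers (a SHA-256 keystream plus an HMAC tag, so that a wrongly keyed or tampered layer fails deterministically; it is not a secure cipher); a message head is modelled as a list of layers, each a cleartext random number plus a body sealed for the node that processes it and naming the IP address the random number resolves to, and the patent's re-encryption of the whole packet at every layer is not modelled; after a successful S103 the code continues into S104 instead of forwarding unconditionally, so the Egress node's own-address check also applies to the first message it sees; the black-hole duration of 60 seconds and all keys and addresses are constructed values.

```python
"""Simulation of the dynamic blacklist detection operation (S101-S104), the
S2 message head and the decryption-failure limit. Added example; the cipher
stand-in seal()/open_() is NOT secure and only makes failure observable."""
import hashlib
import hmac
import os
from collections import defaultdict, deque

NONCE_LEN, TAG_LEN = 12, 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || plaintext XOR keystream || HMAC tag (stand-in for RSA/AES)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError when the tag does not verify."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated layer")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def make_layer(node_key: bytes, rn: str, ip_for_rn: str) -> tuple:
    """One head layer: cleartext random number + body sealed for one node."""
    return (rn, seal(node_key, ip_for_rn.encode()))


def build_message(sym_key, node_keys, path, raw_packet):
    """Step S2. path = [(random number, ip), ...] from Ingress to Egress node.
    Returns (head layers in forwarding order, raw packet sealed with sym_key)."""
    payload = seal(sym_key, raw_packet)
    exit_rn, exit_ip = path[-1]
    # The Egress node's random number goes on twice: the innermost layer is
    # opened by the Egress node itself and resolves to its own address.
    layers = [make_layer(node_keys[exit_ip], exit_rn, exit_ip)]
    # Walk the path backwards so the Ingress node's layer ends up outermost;
    # the layer sealed for node i carries the random number of node i+1.
    for (_, ip_here), (rn_next, ip_next) in zip(reversed(path[:-1]), reversed(path[1:])):
        layers.insert(0, make_layer(node_keys[ip_here], rn_next, ip_next))
    return layers, payload


class Node:
    def __init__(self, ip, private_key, symmetric_key=None,
                 max_failures=10, window=1.0, blackhole=60.0):
        self.ip, self.private_key, self.symmetric_key = ip, private_key, symmetric_key
        self.blacklist = {}                  # source ip -> black-hole expiry (S101)
        self.table = {}                      # random number -> ip (S102)
        self.failures = defaultdict(deque)   # source ip -> failure timestamps
        self.max_failures, self.window, self.blackhole = max_failures, window, blackhole

    def _record_failure(self, source_ip, now):
        """More than max_failures failures inside `window` seconds black-holes
        the source; max_failures=0 gives S103's blacklist-on-first-failure."""
        stamps = self.failures[source_ip]
        stamps.append(now)
        while now - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) > self.max_failures:
            self.blacklist[source_ip] = now + self.blackhole

    def handle(self, source_ip, layers, payload, now):
        """('drop', why) | ('forward', ip, layers, payload) | ('deliver', plaintext)."""
        expiry = self.blacklist.get(source_ip)            # S101
        if expiry is not None and now < expiry:
            return ("drop", "blacklisted")
        rn, body = layers[0]
        if rn not in self.table:                          # S102
            try:                                          # S103
                self.table[rn] = open_(self.private_key, body).decode()
            except ValueError:
                self._record_failure(source_ip, now)
                return ("drop", "decryption failed")
        if self.table[rn] == self.ip:                     # S104: this is the Egress node
            return ("deliver", open_(self.symmetric_key, payload))
        return ("forward", self.table[rn], layers[1:], payload)


def run_path(nodes, entry_ip, user_ip, layers, payload, now=0.0):
    """Drive a message hop by hop until some node drops or delivers it."""
    source, current = user_ip, entry_ip
    while True:
        result = nodes[current].handle(source, layers, payload, now)
        if result[0] != "forward":
            return result
        _, next_ip, layers, payload = result
        source, current = current, next_ip
```

Running a four-node path through `run_path` shows each node's table ending up with only its downstream neighbour's random number, which is the route anonymity the text claims. One property worth noticing in S102/S104 as written: once a random number is in the table, later messages carrying it are forwarded without any decryption, so the blacklist and the failure limit only guard the first use of each random number; the `now` parameter is explicit so the 10-per-second window can be exercised deterministically.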
Embodiment two
Based on the above embodiment, a user who wants to communicate with a target needs to select the Ingress node, the Egress node and the forwarding path in advance. This embodiment therefore provides a method of determining the forwarding path.
Establishing the forwarding path comprises the following steps:
S201: the user selects a forwarding path, and the Ingress node performs an encryption operation to obtain a path initialisation message, where the encryption operation is specifically:
the Ingress node uses the public key of each intermediate node on the forwarding path to encrypt, for that intermediate node, the random number and IP address of its upstream node and the random number and IP address of its downstream node, obtaining a path-section encryption result for each intermediate node;
the Ingress node uses the public key of the Egress node on the forwarding path to encrypt the random number and IP address of the last intermediate node, the symmetric key of the Ingress node, and the random number sequence of all nodes on the forwarding path, obtaining the path-section encryption result for the Egress node;
the Ingress node concatenates the path-section encryption results of the intermediate nodes and of the Egress node in order, obtaining the path initialisation message;
The upstream node of the first intermediate node is the Ingress node, and the downstream node of the last intermediate node is the Egress node.
S202: the Ingress node forwards the path initialisation message to the first intermediate node. The first intermediate node uses its own private key to decrypt the first path-section encryption result of the path initialisation message, obtains the random number and IP address of its upstream node and the random number and IP address of its downstream node, and forwards the decrypted path initialisation message to its downstream node. The subsequent nodes on the forwarding path likewise each use their own private key to decrypt their own path-section encryption result of the path initialisation message, until every node has obtained the random number and IP address of its upstream node and the random number and IP address of its downstream node. The Egress node then sends feedback that the forwarding path has been successfully established back along the forwarding path to the Ingress node, completing the establishment of the forwarding path.
It should be noted that, during establishment of the forwarding path, the Ingress node first determines whether the forwarding path is being selected for the first time. If so, it executes steps S201 to S202 above; if not, it directly executes the subsequent steps, i.e. steps S2 to S3 of the embodiment. That is, the subsequent steps attach the random numbers corresponding to all nodes on the forwarding path in reverse order to the head of the raw data packet that the user sends to the Ingress node, obtaining the message, where the random number of the last node of the forwarding path is attached to the head of the raw data packet in two layers; then, after the Ingress node has forwarded the message to the Egress node through the two or more sequentially connected intermediate nodes of the forwarding path, the Egress node sends the message to the target, realising communication.
Referring to Fig. 3, the flow chart of the path establishment operation provided in this embodiment. Taking the case of Fig. 1 as an example, in which user a sends a message to the Ingress node, the Ingress node forwards the message via node A and node B to the Egress node, and the Egress node forwards the message to target a, the path establishment process is described in detail.
The user selects a forwarding path, and the Ingress node first determines whether this path has been established before. If so, it continues to use the original notice (node IP address, random number, port), i.e. the random numbers of the nodes corresponding to the outbound and return circuits are placed at the head of the encrypted raw data packet, which is sent to node A. If not, the Ingress node uses the public key of node A to encrypt the random number b and IP address corresponding to node B and the random number x and IP address of the Ingress node; the Ingress node uses the public key of node B to encrypt the random number a and IP address corresponding to node A, the random number d of the Egress node and the IP address of the Ingress node; and the Ingress node uses the public key of the Egress node to encrypt the random number b and IP address corresponding to node B, the AES symmetric key of the Ingress node and the random number sequence xabd of all nodes on the forwarding path. The Ingress node concatenates the encryption results of the above operations to obtain the path initialisation message, and then forwards the path initialisation message in turn to node A, node B and the Egress node on the forwarding path.
It should be noted that the current node decrypts the path initialisation message forwarded by its upstream node with its own private key, obtains the random number and IP address of its upstream node and the random number and IP address of its downstream node, and adds the random numbers and IP addresses to the random number and IP address mapping table. In effect, the random number and IP address of the current node's upstream node are recorded in the random number and IP address mapping table as the next-node entry of that previous node.
Referring to Fig. 4, the process schematic of path establishment provided in this embodiment, again for the case of Fig. 1 in which user a sends a message to the Ingress node, the Ingress node forwards the message via node A and node B to the Egress node, and the Egress node forwards the message to target a.
Each node can be designed to know only its own upstream node and downstream node. After decrypting with its own private key, node A obtains the upstream node information of the path (Ingress node IP address, random number x) and the downstream node information (node B IP address, random number b), and passes the remainder on to node B. After decrypting with its own private key, node B obtains the upstream node information (node A IP address, random number a) and the downstream node information (Egress node IP address, random number d), and passes the remainder on to the Egress node. After decrypting with its own private key, the Egress node obtains the upstream node information (node B IP address, random number b), the key of the Ingress node (the AES key) and the path sequence (xabd). In this way each node in the whole network is connected only to a limited set of upstream and downstream nodes. Each node knows only its own private key, its certificate and the port on which it offers service, and each node is designed so that it never receives more information than it needs.
Referring to Fig. 5, a message forwarding schematic provided in this embodiment. Once the forwarding path is determined, the Ingress node has encrypted user a's message with the AES symmetric key of the Egress node, has translated the sequence of nodes on the whole path into the corresponding path sequence, attached it to the head of the encrypted raw data packet and forwarded it to node A. Analysed from the data forwarding angle, node A identifies the path sequence and forwards the remaining data to node B, node B continues forwarding, and when the message reaches the Egress node it is decrypted and sent to target a; the Egress node finds the corresponding data return path in memory through the path sequence and sends feedback that the forwarding path was successfully established back along the forwarding path to the Ingress node.
It should be noted that at the position nearest the head of the raw data packet, i.e. behind the two layers of Egress address random numbers, a further layer is attached consisting of the path sequence xabd made up of the random numbers corresponding to all nodes on the forwarding path; the feedback that the forwarding path was successfully established is then sent back to the Ingress node against the forwarding path according to the IP addresses corresponding to the random numbers dbax.
It can be seen that in the message transmission process the user first encrypts the message with the symmetric key, and the Ingress node then encrypts it in turn with the key of each node on the path. The data entry point is thus controlled by the user, the intermediate nodes in the network cannot learn the content of the data, and the data exit cannot learn which data entry point the data came from, which gives the user very high security and concealment.
Embodiment three
When the Ingress node communicates with the Egress node, i.e. when the Ingress node transmits a message through two or more intermediate nodes to the Egress node, and the Ingress node and the Egress node in the forwarding path are being paired for the first time, the Ingress node needs to negotiate an AES256 symmetric key with the Egress node. Building on the embodiments above, the process by which the Ingress node and the Egress node negotiate the AES256 symmetric key is described in detail below.
Fig. 6 is a signaling diagram of point-to-point negotiation of encryption between an Ingress node and an Egress node provided in this embodiment.
If the Ingress node and the Egress node in the forwarding path are being paired for the first time, the Ingress node also performs the following steps before it performs the encryption operation that yields the path-initialization message:
the Ingress node generates a random symmetric key for the Egress node, where the symmetric key is encrypted with the Egress node's public key and signed with the Ingress node's private key;
the Ingress node sends the symmetric key to the Egress node through the intermediate nodes; after verifying the signature, the Egress node installs the symmetric key and generates a random key, where the random key is encrypted with the Ingress node's public key and signed with the Egress node's private key;
the Egress node sends the random key to the Ingress node through the intermediate nodes, and the Ingress node installs the random key.
Further, after the Ingress node has established the forwarding path and before it obtains the message, the following step is also performed:
the Ingress node encrypts the raw data packet with its own symmetric key.
Further, in step S104 the Egress node decrypts the raw data packet in the message with the symmetric key and forwards the decrypted message to the target, specifically as follows:
the Egress node decrypts the raw data packet in the message with the Ingress node's symmetric key and sends a communication request to the target;
on receiving the communication request, the target receives the message, generates a target response and sends the target response to the Egress node;
the Egress node encrypts the target response with its own symmetric key and sends the encrypted target response to the Ingress node through the intermediate nodes;
the Ingress node decrypts the target response with the Egress node's symmetric key and sends the decrypted target response to the user, completing the communication.
Further, if the Ingress node does not receive the Egress node's target response within a set time, the Ingress node resets the key state of that Egress node.
Further, the Ingress node resets the Egress node's key state when it sends a message externally for the first time.
Of course, the invention may also have other embodiments. Without departing from the spirit and substance of the invention, those skilled in the art may make various corresponding changes and modifications in accordance with the invention, and all such corresponding changes and modifications shall fall within the scope of protection of the appended claims of the invention.

Claims (5)

1. A communication method based on a dynamic blacklist mechanism, characterized in that it comprises the following steps:
establishing a forwarding path, wherein the first node of the forwarding path is an Ingress node, the middle consists of two or more intermediate nodes, and the last node is an Egress node, and the IP addresses of the Ingress node, the intermediate nodes and the Egress node each correspond to one random number;
attaching the random numbers corresponding to all nodes on the forwarding path, in the order opposite to their order on the path, to the header of the raw data packet that the user sends to the Ingress node, thereby obtaining the message, wherein the random number of the Egress node is attached to the header of the raw data packet in two layers;
after the Ingress node has transmitted the message through the intermediate nodes of the forwarding path to the Egress node, the Egress node sends the message to the target, completing the communication;
wherein the Ingress node, the intermediate nodes and the Egress node are each provided with their own private key, the Ingress node and the Egress node are additionally provided with a pair of symmetric keys, and the Ingress node, the intermediate nodes and the Egress node each perform the dynamic blacklist detection operation after receiving the message and before forwarding it;
the dynamic blacklist detection operation comprises the following steps:
S101: the current node receives a message and checks whether the source IP address of the received message is in the blacklist: if so, it discards the message; if not, it proceeds to step S102, wherein the initial blacklist is an empty list;
S102: it queries whether the current first random number carried by the message exists in the random-number-to-IP-address mapping table; if not, it proceeds to step S103, and if so, it proceeds to step S104; wherein the initial random-number-to-IP-address mapping table is an empty table;
S103: it decrypts, with the private key of the current node, the layer of the message in which the current first random number is located: if decryption fails, the source IP address of the message is added to the blacklist; if decryption succeeds, the random number corresponding to the IP address of the current node's downstream node is obtained, and from it the IP address of the downstream node; the random number and IP address are then added to the random-number-to-IP-address mapping table, and the decrypted message is forwarded to the downstream node;
S104: it checks whether the IP address corresponding to the first random number is the IP address of the current node; if so, the current node is the Egress node, and it decrypts the raw data packet in the message with the symmetric key and forwards the decrypted data to the target; if not, it strips the layer in which the current first random number is located and forwards the message to the downstream node.
2. The communication method based on a dynamic blacklist mechanism according to claim 1, characterized in that establishing the forwarding path comprises the following steps:
S201: the user chooses a forwarding path, and the Ingress node performs an encryption operation to obtain the path-initialization message, wherein the encryption operation is specifically:
the Ingress node uses the public key of each intermediate node on the forwarding path to encrypt the random number and IP address corresponding to that intermediate node's upstream node and the random number and IP address corresponding to its downstream node, obtaining the section encryption result of each intermediate node;
the Ingress node uses the public key of the Egress node on the forwarding path to encrypt the random number and IP address corresponding to the last intermediate node, the symmetric key of the Ingress node and the random-number sequence corresponding to all nodes on the forwarding path, obtaining the section encryption result of the Egress node;
the Ingress node splices the section encryption results of the intermediate nodes and the section encryption result of the Egress node in sequence to obtain the path-initialization message;
S202: the Ingress node transmits the path-initialization message to the first intermediate node, which uses its own private key to decrypt the first section encryption result of the path-initialization message, obtaining the random number and IP address of its upstream node and the random number and IP address of its downstream node, and then transmits the decrypted path-initialization message to its downstream node; and so on, each subsequent node of the forwarding path uses its own private key to decrypt its own section encryption result of the path-initialization message, until all nodes have obtained the random number and IP address of their own upstream node and the random number and IP address of their own downstream node; the Egress node then sends feedback that the forwarding path has been established successfully back to the Ingress node against the forwarding path, completing the establishment of the forwarding path.
3. The communication method based on a dynamic blacklist mechanism according to claim 2, characterized in that, if the Ingress node and the Egress node in the forwarding path are being paired for the first time, the following steps are also performed before the Ingress node performs the encryption operation to obtain the path-initialization message:
the Ingress node generates a random symmetric key for the Egress node, where the symmetric key is encrypted with the Egress node's public key and signed with the Ingress node's private key;
the Ingress node sends the symmetric key to the Egress node through the intermediate nodes; after verifying the signature, the Egress node installs the symmetric key and generates a random key, where the random key is encrypted with the Ingress node's public key and signed with the Egress node's private key;
the Egress node sends the random key to the Ingress node through the intermediate nodes, and the Ingress node installs the random key.
4. The communication method based on a dynamic blacklist mechanism according to claim 1, characterized in that, after the Ingress node has established the forwarding path and before it obtains the message, the following step is also performed:
the Ingress node encrypts the raw data packet with its own symmetric key.
5. The communication method based on a dynamic blacklist mechanism according to claim 1, characterized in that, in step S104, the Egress node decrypting the raw data packet in the message with the symmetric key and forwarding the decrypted message to the target is specifically:
the Egress node decrypts the raw data packet in the message with the Ingress node's symmetric key and sends a communication request to the target;
on receiving the communication request, the target receives the message, generates a target response and sends the target response to the Egress node;
the Egress node encrypts the target response with its own symmetric key and sends the encrypted target response to the Ingress node through the intermediate nodes;
the Ingress node decrypts the target response with the Egress node's symmetric key and sends the decrypted target response to the user, completing the communication.
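As an added illustration that is not part of the patent, the following Python simulates claim 1's detection operation (S101-S104) together with the path set-up of claim 2 (S201-S202) on the four-node path x-a-b-d from the description. It assumes a constructed topology (addresses 10.0.0.1-10.0.0.4 plus a labelled outside source 10.0.9.9), replaces the patent's public-key sections and AES body encryption with an HMAC-authenticated stand-in whose only property of interest is that decryption under the wrong key is detected, records each node's own random number in its mapping table so that the S104 self-check has an entry to match, and leaves the return-path feedback out.

```python
import hashlib, hmac, json, os

def seal(key, payload):                     # stand-in for the patent's public-key / AES encryption
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(payload, hashlib.shake_256(key + nonce).digest(len(payload))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):                      # raises on a wrong key, which S103 relies on
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed")
    return bytes(c ^ k for c, k in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct))))

class Node:
    def __init__(self, ip, rand):
        self.ip, self.rand, self.key = ip, rand, os.urandom(32)     # stand-in private key
        self.blacklist, self.table, self.delivered = set(), {}, []  # S101 list and S102 table start empty

    def receive(self, src_ip, msg, nodes):
        if src_ip in self.blacklist:                                # S101
            return "dropped"
        first = msg["rands"][0]
        if first not in self.table:                                 # S102 -> S103: a path set-up layer
            try:
                info = json.loads(unseal(self.key, msg["layers"][0]))
            except ValueError:
                self.blacklist.add(src_ip)
                return "blacklisted"
            self.table[first] = self.ip              # assumption: own rand -> own IP, matched by S104
            self.sym_key = bytes.fromhex(info.get("sym_key", ""))  # only the Egress section carries it
            if "down_rand" in info:                  # intermediate node: learn next hop, pass the rest on
                self.table[info["down_rand"]] = info["down_ip"]
                rest = {"rands": msg["rands"][1:], "layers": msg["layers"][1:]}
                nodes[info["down_ip"]].receive(self.ip, rest, nodes)
            return "learned"
        if self.table[first] == self.ip:                            # S104: first random number is ours -> Egress
            self.delivered.append(unseal(self.sym_key, msg["body"]))
            return "delivered"
        rest = dict(msg, rands=msg["rands"][1:])                    # otherwise strip one layer and forward
        return nodes[self.table[first]].receive(self.ip, rest, nodes)

def section(node, **fields):                # S201: one section, sealed to one node's key
    return seal(node.key, json.dumps(fields).encode())

def run_demo():
    ingress, a = Node("10.0.0.1", "x"), Node("10.0.0.2", "a")      # constructed addresses
    b, egress = Node("10.0.0.3", "b"), Node("10.0.0.4", "d")
    nodes, sym_key = {n.ip: n for n in (ingress, a, b, egress)}, os.urandom(32)
    init = {"rands": ["a", "b", "d"], "layers": [
        section(a, up_rand="x", up_ip=ingress.ip, down_rand="b", down_ip=b.ip),
        section(b, up_rand="a", up_ip=a.ip, down_rand="d", down_ip=egress.ip),
        section(egress, up_rand="b", up_ip=b.ip, sym_key=sym_key.hex(), seq="xabd")]}
    a.receive(ingress.ip, init, nodes)           # S202: each hop runs S103 and learns its neighbours
    data = {"rands": ["b", "d", "d"], "body": seal(sym_key, b"hello target")}  # two d layers (claim 1): B strips one, Egress keeps one
    r1 = a.receive(ingress.ip, data, nodes)
    bogus = {"rands": ["q"], "layers": [seal(os.urandom(32), b"junk")]}  # will not decrypt under A's key
    r2 = a.receive("10.0.9.9", bogus, nodes)     # S103 fails -> source blacklisted at A
    r3 = a.receive("10.0.9.9", bogus, nodes)     # S101 drops it before any decryption
    return r1, egress.delivered, r2, r3, sorted(a.blacklist)
```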
CN201811441103.6A 2018-11-29 2018-11-29 A kind of communication means based on dynamic blacklist mechanism Pending CN109510832A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811441103.6A CN109510832A (en) 2018-11-29 2018-11-29 A kind of communication means based on dynamic blacklist mechanism

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811441103.6A CN109510832A (en) 2018-11-29 2018-11-29 A kind of communication means based on dynamic blacklist mechanism

Publications (1)

Publication Number Publication Date
CN109510832A true CN109510832A (en) 2019-03-22

Family

ID=65751163

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811441103.6A Pending CN109510832A (en) 2018-11-29 2018-11-29 A kind of communication means based on dynamic blacklist mechanism

Country Status (1)

Country Link
CN (1) CN109510832A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111247818A (en) * 2019-11-18 2020-06-05 深圳市汇顶科技股份有限公司 Path selection method and BLE device
CN112019501A (en) * 2020-07-20 2020-12-01 北京邮电大学 Anonymous communication method and device for user nodes
CN112803599A (en) * 2021-04-08 2021-05-14 南京远思智能科技有限公司 Bullet train energy management system and management method thereof
CN113114703A (en) * 2021-05-14 2021-07-13 恒隆通信技术有限公司 Data encryption method and system for networking communication
CN113114703B (en) * 2021-05-14 2022-02-22 恒隆通信技术有限公司 Data encryption method and system for networking communication
CN113572727A (en) * 2021-06-08 2021-10-29 深圳市国电科技通信有限公司 Data security concealed transmission method and system based on P2P network routing node

Similar Documents

Publication Publication Date Title
Chen et al. HORNET: High-speed onion routing at the network layer
Wolinsky et al. Dissent in numbers: Making strong anonymity scale
CN109510832A (en) A kind of communication means based on dynamic blacklist mechanism
CN103703698B (en) Machine-to-machine node wipes program
Danezis et al. A survey of anonymous communication channels
CN114448730B (en) Packet forwarding method and device based on block chain network and transaction processing method
Ma et al. Distributed access control with adaptive privacy preserving property for wireless sensor networks
WO2019227225A1 (en) Systems and methods for establishing communications via blockchain
CN109698791A (en) A kind of anonymous cut-in method based on dynamic route
US8345878B2 (en) Method for distributing cryptographic keys in a communication network
CN110392128A (en) The quasi- zero-address IPv6 method and system for disclosing web services are provided
Li et al. Privacy-aware secure anonymous communication protocol in CPSS cloud computing
Boussada et al. PP-NDNoT: On preserving privacy in IoT-based E-health systems over NDN
Degabriele et al. Untagging tor: a formal treatment of onion encryption
CN109413089A (en) Distributed network anonymous communication method, device and storage medium
Cheng et al. A fault‐tolerant group key agreement protocol exploiting dynamic setting
Song et al. Review of network-based approaches for privacy
ShenTu et al. Transaction remote release (TRR): A new anonymization technology for bitcoin
JP3789098B2 (en) Network system, network access device, network server, and network access control method
Fanti et al. Rangzen: Circumventing government-imposed communication blackouts
Lin et al. Deanonymizing tor in a stealthy way
Chen Infrastructure-based anonymous communication protocols in future internet architectures
Freedman Design and analysis of an anonymous communication channel for the free haven project
Soltani et al. Mid-defense: Mitigating protocol-level attacks in TOR using indistinguishability obfuscation
Bakiras et al. An anonymous messaging system for delay tolerant networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 2351, floor 2, building 23, No. 18, anningzhuang East Road, Haidian District, Beijing 100085

Applicant after: Beijing Sixin Feiyang Information Technology Co., Ltd

Address before: Room 203, 2nd floor, 3rd floor, Tiandi Neighboring Fengfeng Project, No. 1 North Yongtaizhuang Road, Haidian District, Beijing, 100192

Applicant before: BEIJING YUANTEK INFORMATION TECHNOLOGY Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20190322
