CN109698791A - Anonymous access method based on dynamic routing - Google Patents

Anonymous access method based on dynamic routing

Info

Publication number
CN109698791A
Authority
CN (China)
Prior art keywords
node, path, random number, message, egress
Legal status
Granted (currently active)
Application number
CN201811441363.3A
Other languages
Chinese (zh)
Other versions
CN109698791B
Inventors
王凯峰, 许云飞, 王志飞, 魏川鸿, 明树新, 贾夺元
Current Assignee
Beijing Tianyuan Te Tong Science And Technology Ltd
Original Assignee
Beijing Tianyuan Te Tong Science And Technology Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/16 Multipoint routing
    • H04L45/74 Address processing for routing
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Confidential data exchange wherein the identity of one or more communicating identities is hidden
    • H04L63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
    • H04L63/0428 Confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Confidential data exchange wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L67/63 Routing a service request depending on the request content or context

Abstract

The present invention provides an anonymous access method based on dynamic routing. A message sent by a terminal is forwarded through the network along a forwarding path established by a path planning server and is finally delivered to the target. While the path is being established, the path planning server judges the delay and transmission speed of each agent node from the update responses the agent nodes return, so the forwarding path it establishes for the terminal is the one with the best communication quality, i.e. the path with the shortest delay and the fastest transmission speed; the invention can therefore guarantee the transmission speed of node data. Furthermore, during path establishment each agent node returns to the path planning server the random number corresponding to the IP address of the upper-level agent node connected to it and the random number corresponding to the IP address of its next-level agent node, so the path planning server obtains the specific information of the path and can control the transmission of the message.

Description

Anonymous access method based on dynamic routing
Technical field
The invention belongs to the technical field of anonymous communication networks, and in particular relates to an anonymous access method based on dynamic routing.
Background technique
In an open network environment, a network terminal must authenticate itself when accessing the network. If the terminal user does not wish to expose their identity, they need to access the website without letting the other side determine their real physical address. The anonymous access method in common use today is onion routing (Tor), through which users access the Internet anonymously. A Tor user runs an onion proxy on the local machine, which periodically exchanges with other Tor servers to form virtual circuits in the Tor network. Tor servers are provided by Internet users themselves and are selected at random by the client, so the randomness is very strong. After information leaves the client's Tor server, the receiving server does not know whether it is the entry node; it only knows that the request needs a link to be established, and the same holds for the subsequent transmission, so the identity of the requester cannot be determined. Once information enters the Tor circuit, it is transmitted encrypted between the Tor servers of the virtual circuit, and after it reaches the exit node the plaintext data is sent from that node to the destination server.
It can be seen that the anonymous access method of onion routing has the following shortcomings:
1. Because the hop nodes are Tor servers belonging to other users, the transmission speed of node data cannot be guaranteed.
2. Because hops are chosen by a randomized policy, the specific information of the path cannot be obtained, and the data transmission process cannot be controlled.
Summary of the invention
To solve the above problems, the present invention provides an anonymous access method based on dynamic routing, which can guarantee the transmission speed of node data and realize control over message transmission.
An anonymous access method based on dynamic routing comprises the following steps:
A path planning server establishes a forwarding path, wherein the first node of the forwarding path is an ingress node, the middle of the path consists of two or more intermediate nodes, and the last node is an egress node; the IP address of each of the ingress node, the intermediate nodes and the egress node corresponds to a random number; the ingress node and the egress node are further provided with a pair of symmetric keys;
The forwarding path is sent to the terminal through a relay server. The terminal obtains the random numbers corresponding to all intermediate nodes and the egress node on the forwarding path, encrypts the raw data packet with the symmetric key to obtain data packet X, and then attaches each random number in turn to the head of data packet X in the reverse of the order in which its corresponding node appears on the forwarding path; each time a layer of random number is attached to the head of data packet X, data packet X is encrypted once more, and after the encryption of the data packet with each layer of random number attached has been completed in turn, the message is obtained;
The terminal forwards the message to the ingress node of the forwarding path through the relay server; the message is then transmitted through the intermediate nodes of the forwarding path at each level to the egress node, and the egress node decrypts it with the symmetric key to obtain the raw data packet and sends it to the target, realizing anonymous access;
Wherein the ingress node, the intermediate nodes and the egress node are all agent nodes, and the path planning server establishes the forwarding path specifically as follows:
The terminal sends a path update request to the path planning server every set duration;
After receiving the path update request, the path planning server sends an update message to all ingress nodes connected to it; each ingress node then forwards the update message to the next-level agent nodes connected to it, and so on, until all agent nodes have received the update message;
After receiving the update message, each agent node at each level generates an update response, and then sends the random number corresponding to the IP address of the upper-level agent node connected to it, the random number corresponding to the IP address of its next-level agent node, and the update response back to the path planning server along the path by which the update message arrived; the connection relationships between the agent nodes at each level determine all possible paths;
According to the received update responses, the path planning server judges the delay and transmission speed of each agent node, and takes the path among all possible paths with the shortest delay and the fastest transmission speed as the forwarding path, completing the establishment of the forwarding path.
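As an added illustration (not code from the patent), the following toy path planning server builds the forwarding path from the update responses described above: it enumerates every ingress-to-egress path with at least two intermediate nodes and picks the one with the shortest delay and fastest speed, then derives the per-node upstream/downstream random numbers the server now knows. The topology, the delay and speed values, the rule that path delay is the sum of node delays and path speed is the slowest node, and the decision to compare delay before speed are all assumptions of this example.

```python
"""Added example, not code from the patent: a toy path planning server that
builds the forwarding path from the update responses described above.
Assumptions the patent does not state: an update response carries the node's
delay (ms) and transmission speed (Mbit/s); path delay is the sum of node
delays, path speed is the slowest node on it, and delay is compared first."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Node:
    ip: str
    rand: str                    # random number corresponding to this IP address
    role: str                    # "ingress", "intermediate" or "egress"
    delay_ms: float              # reported in the node's update response
    speed_mbps: float            # reported in the node's update response
    downstream: Tuple[str, ...]  # IPs of the next-level agent nodes it connects to


# Constructed topology: the connection relationships learned from the update
# responses; they determine all possible paths (ingress -> ... -> egress).
TOPOLOGY: Dict[str, Node] = {
    "10.0.0.1": Node("10.0.0.1", "x", "ingress", 1.0, 100.0, ("10.0.0.2", "10.0.0.3", "10.0.0.4")),
    "10.0.0.2": Node("10.0.0.2", "a", "intermediate", 4.0, 100.0, ("10.0.0.3", "10.0.0.4")),
    "10.0.0.3": Node("10.0.0.3", "b", "intermediate", 2.0, 80.0, ("10.0.0.9",)),
    "10.0.0.4": Node("10.0.0.4", "c", "intermediate", 3.0, 50.0, ("10.0.0.3",)),
    "10.0.0.9": Node("10.0.0.9", "d", "egress", 1.0, 100.0, ()),
}


def enumerate_paths(nodes: Dict[str, Node]) -> List[List[Node]]:
    """Every ingress-to-egress walk with at least two intermediate nodes,
    as the patent's forwarding path requires (ingress -> B -> egress is dropped)."""
    paths: List[List[Node]] = []

    def walk(cur: Node, acc: List[Node]) -> None:
        if cur.role == "egress":
            if len(acc) >= 4:            # ingress + >=2 intermediates + egress
                paths.append(acc)
            return
        for nxt_ip in cur.downstream:
            nxt = nodes[nxt_ip]
            if nxt not in acc:           # no loops
                walk(nxt, acc + [nxt])

    for node in nodes.values():
        if node.role == "ingress":
            walk(node, [node])
    return paths


def path_score(path: List[Node]) -> Tuple[float, float]:
    """Lower is better: (total delay, negated bottleneck speed)."""
    return (sum(n.delay_ms for n in path), -min(n.speed_mbps for n in path))


def choose_forward_path(nodes: Dict[str, Node]) -> List[Node]:
    """Shortest delay, then fastest speed, among all possible paths."""
    candidates = enumerate_paths(nodes)
    if not candidates:
        raise ValueError("no path with an ingress, two intermediates and an egress")
    return min(candidates, key=path_score)


def random_number_sequence(path: List[Node]) -> List[str]:
    """The random numbers, in path order, that the terminal later layers
    onto the head of the data packet."""
    return [n.rand for n in path]


def neighbour_table(path: List[Node]) -> Dict[str, Tuple[str, str]]:
    """The 'specific information of the path' the server holds: for each node,
    the random numbers of its upstream and downstream neighbours ("" at the ends)."""
    table: Dict[str, Tuple[str, str]] = {}
    for i, n in enumerate(path):
        up = path[i - 1].rand if i > 0 else ""
        down = path[i + 1].rand if i + 1 < len(path) else ""
        table[n.ip] = (up, down)
    return table
```

On the constructed topology the two-intermediate path through node c wins on delay even though its slowest node is the slowest of all candidates, which is what the delay-first assumption implies.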
Further, completing in turn the encryption of the data packet with each layer of random number attached specifically comprises:
The ingress node, the intermediate nodes and the egress node are each provided with their own private key;
The random number of the egress node of the forwarding path is attached to the head of data packet X in two layers: after the first layer of the egress node's random number is attached to data packet X, the data packet X with the first layer of the egress random number attached is encrypted with the private key of the egress node, giving data packet X1;
After the second layer of the egress node's random number is attached to data packet X1, the data packet X1 with the second layer of the egress random number attached is encrypted with the private key of the last intermediate node, giving data packet X2;
After the random number of the last intermediate node is attached to data packet X2, the data packet X2 with the last intermediate node's random number attached is encrypted with the private key of the penultimate intermediate node, giving data packet X3;
And so on, until the data packet Xn with the first intermediate node's random number attached is encrypted with the private key of the ingress node, which completes the encryption of each layer of random number, wherein n is the sum of the number of intermediate nodes and the number of egress nodes.
Further, the random number of the egress node of the forwarding path is attached to the head of the raw data packet in two layers, the ingress node, the intermediate nodes and the egress node are each provided with their own private key, and the ingress node and the egress node are further provided with a pair of symmetric keys; the ingress node, the intermediate nodes and the egress node then perform a dynamic blacklist detection operation after receiving the message and before forwarding it;
The dynamic blacklist detection operation comprises the following steps:
S101: The current node receives a message and checks whether the source IP address of the received message is in the blacklist: if so, the message is discarded; if not, proceed to step S102. The initial blacklist is an empty list;
S102: Query whether the current first random number carried by the message exists in the random number to IP address mapping table: if not, proceed to step S103; if so, proceed to step S104. The initial random number to IP address mapping table is an empty table;
S103: Decrypt the layer of the message in which the current first random number sits with the private key corresponding to the current node: if decryption fails, add the source IP address of the message to the blacklist; if decryption succeeds, obtain the random number corresponding to the IP address of the current node's downstream node, and from it the IP address of that downstream node, add the random number and IP address to the random number to IP address mapping table, and forward the decrypted message to the downstream node;
S104: Check whether the IP address corresponding to the first random number is the IP address of the current node: if so, the current node is the egress node, so decrypt the raw data packet in the message with the symmetric key and forward the decrypted data to the target; if not, strip the layer of the message in which the current first random number sits and forward the message to the downstream node corresponding to the current random number.
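The layering of the X, X1, X2 ... Xn paragraphs and the S101 to S104 detection at each node, as an added toy model (not code from the patent) run over a constructed path ingress -> A -> B -> egress; it also reflects the point made in embodiment three below that each node knows only its own key and its upstream and downstream neighbours. Assumptions: a node's "private key" encryption is stood in for by a keyed XOR stream plus an HMAC tag so that a wrong key fails detectably; random numbers are 8-byte constructed values; and since a node can only read its layer's random number after decrypting that layer, the table lookup of S102/S104 is performed after the decryption of S103.

```python
"""Added example, not code from the patent: toy model of the terminal's layered
message (X, X1 ... Xn) and of the dynamic blacklist detection (S101-S104).
Assumptions: node "private key" encryption = keyed XOR stream + HMAC tag
(wrong key fails detectably); 8-byte random numbers; the S102/S104 table
lookup runs after the S103 decryption because only then is the number readable."""
import hashlib
import hmac

RAND_LEN = 8
TAG_LEN = 16


def _stream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def enc(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for 'encrypt with this node's key'."""
    body = bytes(x ^ y for x, y in zip(data, _stream(key, len(data))))
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN] + body


def dec(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError on a wrong key: the 'decryption failed' branch of S103."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]):
        raise ValueError("decryption failed")
    return bytes(x ^ y for x, y in zip(body, _stream(key, len(body))))


def build_message(raw: bytes, sym_key: bytes, path: list) -> bytes:
    """path = [(random_number, node_key), ...] from ingress to egress.
    X = sym(raw); the egress random number is attached twice (X1 under the
    egress key, X2 under the last intermediate's key); after that each node's
    random number is attached under the key of the node before it on the path."""
    rand_egress, key_egress = path[-1]
    msg = enc(key_egress, rand_egress + enc(sym_key, raw))   # X1
    for i in range(len(path) - 1, 0, -1):
        rand_i, _ = path[i]
        _, key_prev = path[i - 1]
        msg = enc(key_prev, rand_i + msg)                     # X2 ... Xn
    return msg


class AgentNode:
    def __init__(self, ip: str, key: bytes, neighbours: dict, sym_key: bytes = b""):
        self.ip, self.key, self.sym_key = ip, key, sym_key
        self.neighbours = neighbours   # random number -> IP of an adjacent node (all it knows)
        self.blacklist = set()         # S101: initially empty
        self.table = {}                # S102: random number -> IP, initially empty

    def handle(self, src_ip: str, msg: bytes):
        """Returns ('drop', None, None), ('forward', next_ip, inner) or ('target', None, raw)."""
        if src_ip in self.blacklist:                       # S101
            return ("drop", None, None)
        try:
            plain = dec(self.key, msg)                     # S103: peel our own layer
        except ValueError:
            self.blacklist.add(src_ip)                     # S103: sender is not legitimate
            return ("drop", None, None)
        rand, inner = plain[:RAND_LEN], plain[RAND_LEN:]
        next_ip = self.table.get(rand) or self.neighbours.get(rand)
        if next_ip is None:                                # unknown random number
            return ("drop", None, None)
        self.table[rand] = next_ip                         # S102: remember rand -> IP
        if next_ip == self.ip:                             # S104: we are the egress
            return ("target", None, dec(self.sym_key, inner))
        return ("forward", next_ip, inner)                 # S104: layer stripped, pass on


def run_network():
    """Constructed path ingress(10.0.0.1) -> A(10.0.0.2) -> B(10.0.0.3) -> egress(10.0.0.9)."""
    kx, ka, kb, kd, ksym = b"key-x", b"key-a", b"key-b", b"key-d", b"sym-key"
    a, b, d = b"rand-a01", b"rand-b01", b"rand-d01"       # constructed random numbers
    nodes = {
        "10.0.0.1": AgentNode("10.0.0.1", kx, {a: "10.0.0.2"}),
        "10.0.0.2": AgentNode("10.0.0.2", ka, {b: "10.0.0.3"}),
        "10.0.0.3": AgentNode("10.0.0.3", kb, {d: "10.0.0.9"}),
        "10.0.0.9": AgentNode("10.0.0.9", kd, {d: "10.0.0.9"}, sym_key=ksym),
    }
    msg = build_message(b"GET / HTTP/1.1", ksym, [(b"rand-x01", kx), (a, ka), (b, kb), (d, kd)])
    hops, src, cur = [], "terminal", "10.0.0.1"
    while True:
        action, nxt, payload = nodes[cur].handle(src, msg)
        hops.append(cur)
        if action != "forward":
            return action, payload, hops
        src, cur, msg = cur, nxt, payload


def rogue_sender_is_blacklisted():
    """A message A cannot decrypt blacklists its source; a later valid one is dropped at S101."""
    node = AgentNode("10.0.0.2", b"key-a", {b"rand-b01": "10.0.0.3"})
    first = node.handle("203.0.113.7", enc(b"wrong-key", b"rand-b01" + b"junk"))[0]
    second = node.handle("203.0.113.7", enc(b"key-a", b"rand-b01" + b"payload"))[0]
    return first, second, "203.0.113.7" in node.blacklist
```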
Further, if the ingress node and the egress node of the forwarding path are combined for the first time, then after the path planning server has established the forwarding path and before the forwarding path is sent to the terminal through the relay server, the ingress node also performs the following steps:
The ingress node generates a random symmetric key for the egress node, wherein the symmetric key is encrypted with the public key of the egress node and signed with the private key of the ingress node;
The ingress node sends the symmetric key to the egress node through the intermediate nodes; after verifying the signature, the egress node installs the symmetric key and generates a random key of its own, wherein the random key is encrypted with the public key of the ingress node and signed with the private key of the egress node;
The egress node sends the random key to the ingress node through the intermediate nodes, and the ingress node installs the random key.
Further, in step S104 the egress node decrypting the raw data packet in the message with the symmetric key and forwarding the decrypted message to the target specifically comprises:
The egress node decrypts the raw data packet in the message with the symmetric key of the ingress node and sends a communication request to the target;
After receiving the communication request, the target receives the message, generates a target response, and sends the target response to the egress node;
The egress node encrypts the target response with its own symmetric key and sends the encrypted target response to the ingress node through the intermediate nodes;
The ingress node decrypts the target response with the symmetric key of the egress node and sends the decrypted target response to the user, realizing anonymous access.
Further, the ingress node forwards the update message to the next-level agent nodes connected to it by breadth-first traversal.
Beneficial effects:
1. The present invention provides an anonymous access method based on dynamic routing, in which the message sent by the terminal is forwarded through the network along the forwarding path established by the path planning server and is finally sent to the target. Because the path planning server, during path establishment, judges the delay and transmission speed of each agent node from the update responses they return, the forwarding path it establishes for the terminal is the one with the best communication quality, i.e. the path with the shortest delay and the fastest transmission speed, so the invention can guarantee the transmission speed of node data. In addition, during path establishment each agent node returns to the path planning server the random number corresponding to the IP address of the upper-level agent node connected to it and the random number corresponding to the IP address of its next-level agent node, so the path planning server can obtain the specific information of the path and realize control over message transmission.
2. The present invention provides an anonymous access method based on dynamic routing in which networking is completed by a dynamic blacklist mechanism: each node judges whether a node is legitimate by whether it can successfully decrypt the data packet it receives, and at the same time, when decryption succeeds, a node obtains only the random number and IP address corresponding to its downstream node and the random number and IP address corresponding to its upstream node, without knowing the complete path. The route is thus anonymous, and the anonymity, security and efficiency of users accessing the network can be ensured.
Description of the drawings
Fig. 1 is a schematic diagram of the network topology of the anonymous access method based on dynamic routing provided by the invention;
Fig. 2 is a flowchart of the dynamic blacklist detection operation provided by the invention;
Fig. 3 is a signaling diagram of the point-to-point negotiation of encryption between an ingress node and an egress node provided by the invention.
Specific embodiments
In order that those skilled in the art may better understand the solution of this application, the technical solution in the embodiments of this application is described clearly and completely below with reference to the accompanying drawings of the embodiments.
Embodiment one
Referring to Fig. 1, which is a schematic diagram of the network topology of the anonymous access method based on dynamic routing provided in this embodiment. The anonymous access method based on dynamic routing comprises the following steps:
A path planning server establishes a forwarding path, wherein the first node of the forwarding path is an ingress node, the middle of the path consists of two or more intermediate nodes, and the last node is an egress node; the IP address of each of the ingress node, the intermediate nodes and the egress node corresponds to a random number; the ingress node and the egress node are further provided with a pair of symmetric keys;
The forwarding path is sent to the terminal through a relay server. The terminal obtains the random numbers corresponding to all intermediate nodes and the egress node on the forwarding path, encrypts the raw data packet with the symmetric key to obtain data packet X, and then attaches each random number in turn to the head of data packet X in the reverse of the order in which its corresponding node appears on the forwarding path; each time a layer of random number is attached to the head of data packet X, data packet X is encrypted once more, and after the encryption of the data packet with each layer of random number attached has been completed in turn, the message is obtained;
The terminal forwards the message to the ingress node of the forwarding path through the relay server; the message is then transmitted through the intermediate nodes of the forwarding path at each level to the egress node, and the egress node decrypts it with the symmetric key to obtain the raw data packet and sends it to the target, realizing anonymous access;
Wherein the ingress node, the intermediate nodes and the egress node are all agent nodes, and the path planning server establishes the forwarding path specifically as follows:
The terminal sends a path update request to the path planning server every set duration;
After receiving the path update request, the path planning server sends an update message to all ingress nodes connected to it; each ingress node then forwards the update message to the next-level agent nodes connected to it, and so on, until all agent nodes have received the update message;
After receiving the update message, each agent node at each level generates an update response, and then sends the random number corresponding to the IP address of the upper-level agent node connected to it, the random number corresponding to the IP address of its next-level agent node, and the update response back to the path planning server along the path by which the update message arrived; the connection relationships between the agent nodes at each level determine all possible paths;
According to the received update responses, the path planning server judges the delay and transmission speed of each agent node, and takes the path among all possible paths with the shortest delay and the fastest transmission speed as the forwarding path, completing the establishment of the forwarding path.
It should be noted that completing in turn the encryption of the data packet with each layer of random number attached specifically comprises:
The ingress node, the intermediate nodes and the egress node are each provided with their own private key;
The random number of the egress node of the forwarding path is attached to the head of data packet X in two layers: after the first layer of the egress node's random number is attached to data packet X, the data packet X with the first layer of the egress random number attached is encrypted with the private key of the egress node, giving data packet X1;
After the second layer of the egress node's random number is attached to data packet X1, the data packet X1 with the second layer of the egress random number attached is encrypted with the private key of the last intermediate node, giving data packet X2;
After the random number of the last intermediate node is attached to data packet X2, the data packet X2 with the last intermediate node's random number attached is encrypted with the private key of the penultimate intermediate node, giving data packet X3;
And so on, until the data packet Xn with the first intermediate node's random number attached is encrypted with the private key of the ingress node, which completes the encryption of each layer of random number, wherein n is the sum of the number of intermediate nodes and the number of egress nodes.
Embodiment two
Based on the above embodiments, this embodiment provides another anonymous access method based on dynamic routing. During message transmission, the nodes on the path do not need to obtain in advance a list of legitimate nodes with which they may communicate; instead, legitimacy verification is completed by a dynamic blacklist mechanism. Specifically, the random number of the egress node of the forwarding path is attached to the head of the raw data packet in two layers, the ingress node, the intermediate nodes and the egress node are each provided with their own private key, and the ingress node and the egress node are further provided with a pair of symmetric keys; the ingress node, the intermediate nodes and the egress node then perform the dynamic blacklist detection operation after receiving the message and before forwarding it.
Referring to Fig. 2, which is a flowchart of the dynamic blacklist detection operation provided in this embodiment. The dynamic blacklist detection operation comprises the following steps:
S101: The current node receives a message and checks whether the source IP address of the received message is in the blacklist: if so, the message is discarded; if not, proceed to step S102. The initial blacklist is an empty list;
S102: Query whether the current first random number carried by the message exists in the random number to IP address mapping table: if not, proceed to step S103; if so, proceed to step S104. The initial random number to IP address mapping table is an empty table;
S103: Decrypt the layer of the message in which the current first random number sits with the private key corresponding to the current node: if decryption fails, add the source IP address of the message to the blacklist; if decryption succeeds, obtain the random number corresponding to the IP address of the current node's downstream node, and from it the IP address of that downstream node, add the random number and IP address to the random number to IP address mapping table, and forward the decrypted message to the downstream node;
S104: Check whether the IP address corresponding to the first random number is the IP address of the current node: if so, the current node is the egress node, so decrypt the raw data packet in the message with the symmetric key and forward the decrypted data to the target; if not, strip the layer of the message in which the current first random number sits and forward the message to the downstream node corresponding to the current random number.
It should be noted that, because the random number corresponding to the egress node is attached to the head of the raw data packet in two layers, the first layer of the egress node's random number is stripped by the last intermediate node: from the egress random number it obtains by decryption, the last intermediate node looks up the corresponding IP address and, according to that IP address, forwards the message with the first layer of the egress random number stripped to the egress node. The egress node then decrypts the message with its own private key and obtains the second layer of the egress random number; the IP address corresponding to this second-layer random number is the current host, i.e. the IP address of the host on which the egress node runs, which means the message has been forwarded to the egress node. The egress node then decrypts the message, from which every layer of random numbers has been stripped, with the symmetric key, and finally forwards the decrypted message to the target.
It should be noted that, because the negotiation uses RSA and frequent processing would consume a great deal of performance, the rate at which each source IP may cause RSA decryption failures is limited to no more than 10 times/s, and an IP whose decryption failures exceed this rate is placed in a black hole for a period of time, which prevents malicious attacks.
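The per-source limit on RSA decryption failures just described, as an added example (not the patent's code): a sliding one-second window per source IP, with the source black-holed once an eleventh failure lands inside the window. The one-second window shape, the 60-second black-hole duration (the patent gives none) and the injectable clock used for deterministic testing are assumptions of this example.

```python
"""Added example, not code from the patent: rate limit on RSA decryption
failures per source IP (more than 10 in one second -> black hole).
Assumptions: 1 s sliding window, 60 s black-hole period, caller-supplied clock."""
from collections import defaultdict, deque


class FailureLimiter:
    def __init__(self, max_per_sec: int = 10, blackhole_secs: float = 60.0):
        self.max_per_sec = max_per_sec
        self.blackhole_secs = blackhole_secs
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blackholed_until = {}           # ip -> time at which the black hole ends

    def is_blackholed(self, ip: str, now: float) -> bool:
        """Check before spending an RSA operation on a message from ip."""
        until = self.blackholed_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # black-hole period has elapsed
            del self.blackholed_until[ip]
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Call after an RSA decryption failure from ip; True if ip is now black-holed."""
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] >= 1.0:   # keep only the last second
            window.popleft()
        if len(window) > self.max_per_sec:          # 11th failure within a second
            self.blackholed_until[ip] = now + self.blackhole_secs
            window.clear()
            return True
        return False


def simulate():
    """Constructed timeline: one source bursts 11 failures in half a second,
    another fails steadily at 2/s and is never black-holed."""
    lim = FailureLimiter()
    burst, steady = "203.0.113.5", "198.51.100.9"       # constructed source IPs
    tenth = [lim.record_failure(burst, 0.05 * i) for i in range(10)][-1]
    eleventh = lim.record_failure(burst, 0.5)
    still_blocked = lim.is_blackholed(burst, 30.0)
    freed = lim.is_blackholed(burst, 61.0)
    steady_ok = not any(lim.record_failure(steady, 0.5 * i) for i in range(30))
    return tenth, eleventh, still_blocked, freed, steady_ok
```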
It can be seen that this embodiment does not use a converging directory server to organize the network; instead, from the networking standpoint, it builds an anonymous communication network on a dynamic blacklist mechanism and uses segment-by-segment encryption, a multi-level network structure, multi-layer encryption and similar techniques to provide the availability of the anonymous communication path, thereby ensuring the anonymity, security and efficiency of users accessing the network.
Embodiment three
Based on the above embodiments, this embodiment describes in detail the process by which the terminal attaches the random numbers corresponding to all nodes on the forwarding path to the head of the raw data packet in reverse order to form the message, taking as an example a terminal a that sends a message to the ingress node through the relay server, an ingress node that forwards the message to the egress node through node A and node B, and an egress node that transmits the message to target a.
Each node may be designed to know only its own upstream node and downstream node. For example, the upstream node information of node A is the ingress node IP address and random number x, and its downstream node information is the node B IP address and random number b; the upstream node information of node B is the node A IP address and random number a, and its downstream node information is the egress node IP address and random number d; the upstream node information of the egress node is the node B IP address and random number b. The random number sequence corresponding to the path sequence is therefore xabd, so the random numbers are attached to the head of the raw data packet in the order ddbax, that is, the random numbers of the message from the outermost layer to the innermost layer are xabdd.
It can be seen that every node in the whole network is connected only to a limited number of upstream and downstream nodes. At the same time, each node knows only its own private key, its certificate and the port on which it offers service, and no node is designed to receive more information than it needs. During message transmission, the terminal encrypts in turn with the key of each node on the path, so that the data entry point is controlled by the user, the intermediate nodes in the network cannot learn the content of the data, and the data exit cannot learn which data entry point the data came from, providing the user with very high security and concealment.
Example IV
When the Ingress node communicates with the Egress node, that is, when the Ingress node forwards a message to the Egress node through two or more intermediate nodes, if the Ingress node and the Egress node of the forwarding path are combined for the first time, the Ingress node needs to negotiate an AES256 symmetric key with the Egress node. Based on the above embodiments, the process by which the Ingress node and the Egress node negotiate the AES256 symmetric key is described in detail below.
Referring to Fig. 3, which is the signaling diagram of point-to-point negotiated encryption between an Ingress node and an Egress node provided in this embodiment.
If the Ingress node and the Egress node of the forwarding path are combined for the first time, then after the path planning server has established the forwarding path and before the forwarding path is sent to the terminal through the Relay Server, the Ingress node also performs the following steps:
The Ingress node generates a random symmetric key for the Egress node, wherein the symmetric key is encrypted with the public key of the Egress node and signed with the private key of the Ingress node;
The Ingress node sends the symmetric key to the Egress node through the intermediate nodes; after verifying the signature, the Egress node installs the symmetric key and generates a random key, wherein the random key is encrypted with the public key of the Ingress node and signed with the private key of the Egress node;
The Egress node sends the random key to the Ingress node through the intermediate nodes, and the Ingress node installs the random key.
Further, after the Ingress node has established the forwarding path and before it obtains the message, the following step is also performed:
The Ingress node encrypts the raw data packet using its own symmetric key.
Further, in step S104 the Egress node decrypts the raw data packet in the message using the symmetric key and forwards the decrypted message to the target, specifically:
The Egress node decrypts the message using the symmetric key of the Ingress node and sends a communication request to the target;
After receiving the communication request, the target receives the message and generates a target response, then sends the target response to the Egress node;
The Egress node encrypts the target response using its own symmetric key, then sends the encrypted target response to the Ingress node through the intermediate nodes;
The Ingress node decrypts the target response using the symmetric key of the Egress node, then sends the decrypted target response to the user, achieving communication.
Further, if the Ingress node does not receive the target response from the Egress node within a set time, the Ingress node resets the key state of that Egress node.
Further, the Ingress node resets the Egress node key state when it sends a message externally for the first time.
Of course, the invention may also have various other embodiments. Without departing from the spirit and substance of the invention, those skilled in the art can make various corresponding changes and modifications according to the invention, but all such corresponding changes and modifications shall fall within the scope of protection of the appended claims of the invention.

Claims (6)

1. An anonymous access method based on a dynamic path, characterized by comprising the following steps:
A path planning server establishes a forwarding path, wherein the first node of the forwarding path is an Ingress node, the middle consists of two or more intermediate nodes, and the last node is an Egress node, and the IP addresses of the Ingress node, the intermediate nodes and the Egress node each correspond to a random number; the Ingress node and the Egress node are also provided with a pair of symmetric keys;
The forwarding path is sent to the terminal through a Relay Server; the terminal obtains the random numbers corresponding to all intermediate nodes and the Egress node on the forwarding path, then encrypts the raw data packet using the symmetric key to obtain data packet X, then attaches each random number in turn to the head of data packet X in the reverse order of the corresponding nodes on the forwarding path, and for every layer of random number attached to the head of data packet X one encryption of data packet X is performed; after the encryption of the data packet with each layer of random number attached has been completed in sequence, the message is obtained;
The terminal forwards the message through the Relay Server to the Ingress node of the forwarding path, the message is then transmitted through the intermediate nodes at each level of the forwarding path to the Egress node, and the Egress node decrypts it using the symmetric key to obtain the raw data packet and sends it to the target, achieving anonymous access;
Wherein the Ingress node, the intermediate nodes and the Egress node are agent nodes, and the path planning server establishes the forwarding path specifically as follows:
The terminal sends a path update request to the path planning server every set duration;
After receiving the path update request, the path planning server sends an update message to all Ingress nodes connected to it, then each Ingress node forwards the update message to the next-level agent nodes connected to it, and so on, until all agent nodes have received the update message;
After receiving the update message, the agent nodes at each level generate an update response, then send the random number corresponding to the IP address of the upper-level agent node connected to them, the random number corresponding to the IP address of the next-level agent node, and the update response back to the path planning server along the path by which the update message arrived; wherein the connection relationships among the agent nodes at each level determine all possible paths;
The path planning server judges the delay time and transmission speed of each agent node according to the received update responses, and takes the path with the shortest delay time and the fastest transmission speed among all possible paths as the forwarding path, completing the establishment of the forwarding path.
2. The anonymous access method based on a dynamic path according to claim 1, characterized in that completing in sequence the encryption of the data packet with each layer of random number attached specifically comprises:
The Ingress node, the intermediate nodes and the Egress node are each provided with a respective private key;
The random number of the Egress node of the forwarding path is attached to the head of data packet X in two layers: after the first-layer Egress node random number is attached to data packet X, data packet X with the first-layer Egress node random number attached is encrypted using the private key of the Egress node, obtaining data packet X1;
After the second-layer Egress node random number is attached to data packet X1, data packet X1 with the second-layer Egress node random number attached is encrypted using the private key of the last intermediate node, obtaining data packet X2;
After the random number of the last intermediate node is attached to data packet X2, data packet X2 with the random number of the last intermediate node attached is encrypted using the private key of the penultimate intermediate node, obtaining data packet X3;
And so on, until data packet Xn with the random number of the first intermediate node attached is encrypted using the private key of the Ingress node, completing the encryption of each layer of random number, wherein n is the sum of the number of intermediate nodes and the number of Egress nodes.
3. The anonymous access method based on a dynamic path according to claim 1, characterized in that the Ingress node, the intermediate nodes and the Egress node perform a dynamic blacklist detection operation after receiving the message and before forwarding the message;
The dynamic blacklist detection operation comprises the following steps:
S101: the current node receives a message and detects whether the source IP address of the received message is in the blacklist: if so, the message is discarded; if not, step S102 is entered, wherein the initial blacklist is an empty list;
S102: query whether the current first random number carried by the message exists in the random number and IP address mapping table; if not, enter step S103; if so, enter step S104; wherein the initial random number and IP address mapping table is an empty table;
S103: decrypt the layer of the message in which the current first random number is located using the private key corresponding to the current node: if decryption fails, the source IP address of the message is added to the blacklist; if decryption succeeds, the random number corresponding to the IP address of the downstream node of the current node is obtained, and from it the IP address of the downstream node of the current node, then the random number and IP address are added to the random number and IP address mapping table, and the decrypted message is forwarded to the downstream node;
S104: detect whether the IP address corresponding to the first random number is the IP address of the current node; if so, the current node is the Egress node, which then decrypts the raw data packet in the message using the symmetric key and forwards the decrypted data to the target; if not, the layer of the message in which the current first random number is located is stripped and the message is forwarded to the downstream node corresponding to the current random number.
4. The anonymous access method based on a dynamic path according to claim 1, characterized in that if the Ingress node and the Egress node of the forwarding path are combined for the first time, then after the path planning server has established the forwarding path and before the forwarding path is sent to the terminal through the Relay Server, the Ingress node also performs the following steps:
The Ingress node generates a random symmetric key for the Egress node, wherein the symmetric key is encrypted with the public key of the Egress node and signed with the private key of the Ingress node;
The Ingress node sends the symmetric key to the Egress node through the intermediate nodes; after verifying the signature, the Egress node installs the symmetric key and generates a random key, wherein the random key is encrypted with the public key of the Ingress node and signed with the private key of the Egress node;
The Egress node sends the random key to the Ingress node through the intermediate nodes, and the Ingress node installs the random key.
5. The anonymous access method based on a dynamic path according to claim 3, characterized in that, in step S104, the Egress node decrypting the raw data packet in the message using the symmetric key and forwarding the decrypted message to the target specifically comprises:
The Egress node decrypts the raw data packet in the message using the symmetric key of the Ingress node and sends a communication request to the target;
After receiving the communication request, the target receives the message and generates a target response, then sends the target response to the Egress node;
The Egress node encrypts the target response using its own symmetric key, then sends the encrypted target response to the Ingress node through the intermediate nodes;
The Ingress node decrypts the target response using the symmetric key of the Egress node, then sends the decrypted target response to the user, achieving anonymous access.
6. The anonymous access method based on a dynamic path according to claim 1, characterized in that the Ingress node forwards the update message to the next-level agent nodes connected to it in a breadth-first traversal manner.
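As an added example (not code from the patent), the following Python models the layered message construction of claim 2 and the per-hop S101 to S104 processing of claim 3 for the Ingress(x) -> A(a) -> B(b) -> Egress(d) path of the description. The per-node key pairs are replaced by an HMAC-authenticated keystream stand-in, the IP addresses and random numbers are constructed, and because a node's random number sits inside the encrypted layer of claim 2, each node peels its own layer before consulting its mapping table.

```python
import hashlib, hmac, os

def _keystream_xor(key, data):
    # SHA-256 keystream XOR: a toy stand-in (assumption) for the per-node key pair of the patent.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(p ^ s for p, s in zip(data, stream))

def seal(key, data):
    # One encryption layer: 16-byte HMAC tag || keystream-encrypted body.
    body = _keystream_xor(key, data)
    return hmac.new(key, body, "sha256").digest()[:16] + body

def open_layer(key, blob):
    # Peels one layer; None when the tag fails (tampered, truncated, or another node's layer).
    if not hmac.compare_digest(blob[:16], hmac.new(key, blob[16:], "sha256").digest()[:16]):
        return None
    return _keystream_xor(key, blob[16:])

class Node:
    # Claim 3 per-hop state: empty blacklist, random-number -> IP table, wired neighbours (L186).
    def __init__(self, ip, rnd):
        self.ip, self.rnd, self.key = ip, rnd, os.urandom(32)
        self.blacklist, self.table, self.neighbors = set(), {}, {}

    def process(self, src_ip, msg, sym_key):
        # S101-S104 for one message: ("drop",), ("forward", ip, rest) or ("egress", raw).
        if src_ip in self.blacklist:                      # S101: sender already blacklisted
            return ("drop",)
        inner = open_layer(self.key, msg)                 # S103: peel this node's own layer
        if inner is None:                                 # decryption failure -> blacklist source
            self.blacklist.add(src_ip)
            return ("drop",)
        rnd, rest = inner[:1], inner[1:]                  # random number at the head of the layer
        if rnd not in self.table:                         # S102/S103: resolve downstream IP once
            self.table[rnd] = self.neighbors[rnd]
        if self.table[rnd] != self.ip:                    # S104: strip the layer and forward
            return ("forward", self.table[rnd], rest)
        raw = open_layer(sym_key, rest)                   # S104: egress node, symmetric decryption
        return ("egress", raw) if raw is not None else ("drop",)

def build_message(path, sym_key, raw):
    # Claim 2: X1 = E_egress(d || E_sym(raw)), then each node's key wraps the random number
    # of its downstream node, so the ingress node's key forms the outermost layer.
    msg = seal(path[-1].key, path[-1].rnd + seal(sym_key, raw))
    for i in range(len(path) - 2, -1, -1):
        msg = seal(path[i].key, path[i + 1].rnd + msg)
    return msg

def deliver(path, msg, sym_key, src_ip):
    # Walks the message hop by hop from the ingress node; returns (per-hop actions, raw or None).
    by_ip, node, trace = {n.ip: n for n in path}, path[0], []
    while True:
        result = node.process(src_ip, msg, sym_key)
        trace.append((node.ip, result[0]))
        if result[0] != "forward":
            return trace, (result[1] if result[0] == "egress" else None)
        src_ip, msg, node = node.ip, result[2], by_ip[result[1]]

def demo_path():
    # Constructed path Ingress(x) -> A(a) -> B(b) -> Egress(d), wired as in the description.
    ing, a = Node("10.0.0.1", b"x"), Node("10.0.0.2", b"a")
    b, eg = Node("10.0.0.3", b"b"), Node("10.0.0.4", b"d")
    ing.neighbors, a.neighbors = {b"a": a.ip}, {b"x": ing.ip, b"b": b.ip}
    b.neighbors, eg.neighbors = {b"a": a.ip, b"d": eg.ip}, {b"b": b.ip, b"d": eg.ip}
    return [ing, a, b, eg]
```

A message whose outer layer has been altered fails at the Ingress node, which blacklists the sending address, so a later intact message from that address is discarded at S101 without being decrypted.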
CN201811441363.3A 2018-11-29 2018-11-29 Anonymous access method based on dynamic path Active CN109698791B (en)
Publications (2)

Publication Number Publication Date
CN109698791A true CN109698791A (en) 2019-04-30
CN109698791B CN109698791B (en) 2021-05-11
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant