CN109698791A - A kind of anonymous cut-in method based on dynamic route - Google Patents
An anonymous access method based on dynamic routing
- Publication number: CN109698791A (application CN201811441363.3A)
- Authority: CN (China)
- Prior art keywords: node, path, random number, message, egress
- Legal status: Granted (the status listed by Google Patents is an assumption, not a legal conclusion)
Classifications (CPC, all under H04L, transmission of digital information):
- H04L63/0435: network security for confidential data exchange through packet networks, with the payload protected by encryption or encapsulation and the sending and receiving entities applying symmetric encryption (the same key for encryption and decryption)
- H04L45/02: routing or path finding, topology update or discovery
- H04L45/16: routing or path finding, multipoint routing
- H04L45/74: routing or path finding, address processing for routing
- H04L63/0421: anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
- H04L63/10: network security for controlling access to devices or network resources
- H04L67/56: network services, provisioning of proxy services
- H04L67/63: network services, routing a service request depending on the request content or context
Abstract
The present invention provides an anonymous access method based on dynamic routing. A message sent by a terminal is forwarded through the network along a forwarding path established by a path planning server and is finally delivered to the target. While the path is being established, the path planning server uses the update responses fed back by each agent node to judge the delay and transmission speed of each agent node, so the forwarding path it establishes for the terminal is the one with the best communication quality, i.e. the shortest delay and the fastest transmission speed; the invention can therefore guarantee the transmission speed of node data. Furthermore, during path establishment each agent node returns to the path planning server the random number corresponding to the IP address of the upper-level agent node connected to it and the random number corresponding to the IP address of the next-level agent node, so the path planning server obtains the specific details of the path and can control the transmission of the message.
Description
Technical field
The invention belongs to the technical field of anonymous communication networks, and in particular relates to an anonymous access method based on dynamic routing.
Background technique
In an open network environment, a network terminal must authenticate itself when accessing the network. If the terminal user does not wish to expose their identity, they need a way to access a website while preventing the other side from determining their actual physical address. The anonymous access method in common use today is onion routing (Tor), through which users access the Internet anonymously. A Tor user runs an onion proxy on the local machine, which periodically exchanges information with other Tor servers and forms a virtual circuit within the Tor network. Tor servers are provided by Internet users themselves and are selected at random by the client, so the selection is highly random. After information leaves the client's Tor server, that server does not know which node is the entry node; it only knows that the request needs to establish a link, and the same holds for each later hop, so the identity of the requester cannot be determined. Information enters the Tor circuit and is transmitted in encrypted form between the Tor servers of the virtual circuit; after it reaches the exit node, the plaintext data is sent from that node to the destination server.
It can be seen that the anonymous access method of onion routing has the following shortcomings:
1. Because the hop nodes are Tor servers belonging to other users, the transmission speed of node data cannot be guaranteed.
2. Because the hops use a randomized policy, the specific details of the path cannot be obtained, and the data transmission process cannot be controlled.
Summary of the invention
To solve the above problems, the present invention provides an anonymous access method based on dynamic routing, which can guarantee the transmission speed of node data and realize control over message transmission.
An anonymous access method based on dynamic routing comprises the following steps:
A path planning server establishes a forwarding path, in which the first node of the forwarding path is an ingress node, the middle consists of two or more intermediate nodes, and the last node is an egress node; the IP addresses of the ingress node, the intermediate nodes and the egress node each correspond to a random number, and the ingress node and the egress node are also provided with a pair of symmetric keys.
The forwarding path is sent to the terminal through a relay server. The terminal obtains the random numbers corresponding to all intermediate nodes and the egress node on the forwarding path, encrypts the raw data packet with the symmetric key to obtain data packet X, and then attaches the random numbers one by one to the head of data packet X in the reverse order of their corresponding nodes on the forwarding path. Each time a layer of random number is attached to the head of data packet X, data packet X is encrypted once more; after the encryption of the data packet with each layer of random number attached has been completed in turn, the message is obtained.
The terminal forwards the message through the relay server to the ingress node of the forwarding path, the message is then passed through the intermediate nodes at each level of the forwarding path to the egress node, and the egress node decrypts it with the symmetric key to obtain the raw data packet and sends it to the target, realizing anonymous access.
The ingress node, the intermediate nodes and the egress node are agent nodes, and the path planning server establishes the forwarding path as follows:
The terminal sends a path update request to the path planning server at set intervals.
After receiving the path update request, the path planning server sends an update message to all ingress nodes connected to it; each ingress node then forwards the update message to the next-level agent nodes connected to it, and so on, until all agent nodes have received the update message.
After receiving the update message, each agent node generates an update response and sends the random number corresponding to the IP address of the upper-level agent node connected to it, the random number corresponding to the IP address of the next-level agent node, and the update response back to the path planning server along the path by which the update message arrived. The connection relationships between the agent nodes at each level determine all possible paths.
From the update responses it receives, the path planning server judges the delay and transmission speed of each agent node and, among all possible paths, takes the path with the shortest delay and the fastest transmission speed as the forwarding path, completing the establishment of the forwarding path.
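The path establishment just described, as an added model that is not the patent's own code: the update message spreads breadth-first from the ingress (the patent later specifies breadth traversal), each agent node reports only random numbers for its upstream and downstream plus its delay and speed, and the path planning server rebuilds every possible path from those reports and picks the best one. The topology, IPs, random numbers and metrics are constructed, and ranking by total delay with bottleneck speed as tie-break is this example's reading of "shortest delay and fastest speed".

```python
from collections import deque

# Constructed topology (not from the patent). Per node: role, IP, the random number
# that stands for the IP, and the delay (ms) / speed (Mbit/s) its update response reports.
NODES = {
    "IN": dict(role="ingress", ip="10.0.0.1", rnd=11, delay=5, speed=900),
    "A": dict(role="mid", ip="10.0.0.2", rnd=22, delay=20, speed=400),
    "B": dict(role="mid", ip="10.0.0.3", rnd=33, delay=15, speed=500),
    "C": dict(role="mid", ip="10.0.0.5", rnd=55, delay=60, speed=100),
    "D": dict(role="mid", ip="10.0.0.6", rnd=66, delay=10, speed=800),
    "E": dict(role="egress", ip="10.0.0.4", rnd=44, delay=8, speed=700),
}
# Who is connected to whom; these links decide "all possible paths".
LINKS = {"IN": ["A", "C"], "A": ["B", "D"], "B": ["E"], "C": ["D"], "D": ["E"], "E": []}


def flood_update(nodes, links, ingress):
    """Breadth-first spread of the update message from the ingress. Every agent node
    that receives it answers with its own random number, the random number of the
    upstream it got the message from, the random numbers of its downstream nodes,
    and its update response (delay, speed). Only random numbers reach the server."""
    reports, seen, queue = [], {ingress}, deque([(ingress, None)])
    while queue:
        name, upstream = queue.popleft()
        n = nodes[name]
        reports.append(dict(
            rnd=n["rnd"], role=n["role"], ip=n["ip"], delay=n["delay"], speed=n["speed"],
            up=None if upstream is None else nodes[upstream]["rnd"],
            down=[nodes[d]["rnd"] for d in links[name]],
        ))
        for d in links[name]:
            if d not in seen:
                seen.add(d)
                queue.append((d, name))
    return reports


def plan_path(reports, min_intermediates=2):
    """Path planning server side: rebuild every ingress->egress path from the
    reported up/down random numbers, then pick the shortest-delay path, breaking
    ties on the highest bottleneck speed (this tie-break order is an assumption).
    Returns (chosen path as [(ip, rnd), ...] or None, all candidate paths)."""
    by_rnd = {r["rnd"]: r for r in reports}
    ingress = next(r["rnd"] for r in reports if r["role"] == "ingress")
    paths = []

    def walk(path):
        cur = by_rnd[path[-1]]
        if cur["role"] == "egress":
            if len(path) - 2 >= min_intermediates:   # ingress + intermediates + egress
                paths.append(path)
            return
        for d in cur["down"]:
            if d in by_rnd and d not in path:
                walk(path + [d])

    walk([ingress])
    if not paths:
        return None, paths

    def score(p):
        return (sum(by_rnd[r]["delay"] for r in p), -min(by_rnd[r]["speed"] for r in p))

    best = min(paths, key=score)
    return [(by_rnd[r]["ip"], r) for r in best], paths


if __name__ == "__main__":
    chosen, candidates = plan_path(flood_update(NODES, LINKS, "IN"))
    print(len(candidates), "candidate paths; forwarding path:", chosen)
```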
Further, completing in turn the encryption of the data packet with each layer of random number attached is specifically as follows:
The ingress node, the intermediate nodes and the egress node are each provided with their own private key.
The random number of the egress node of the forwarding path is attached to the head of data packet X in two layers. After the first layer of the egress node's random number is attached to data packet X, the data packet X carrying the first layer of the egress node's random number is encrypted with the private key of the egress node, giving data packet X1.
After the second layer of the egress node's random number is attached to data packet X1, the data packet X1 carrying the second layer of the egress node's random number is encrypted with the private key of the last intermediate node, giving data packet X2.
After the random number of the last intermediate node is attached to data packet X2, the data packet X2 carrying the random number of the last intermediate node is encrypted with the private key of the second-to-last intermediate node, giving data packet X3.
And so on, until the data packet Xn carrying the random number of the first intermediate node is encrypted with the private key of the ingress node, which completes the encryption of each layer of random number, where n is the sum of the number of intermediate nodes and the number of egress nodes.
Further, the random number of the egress node of the forwarding path is attached to the head of the raw data packet in two layers, the ingress node, the intermediate nodes and the egress node are each provided with their own private key, and the ingress node and the egress node are also provided with a pair of symmetric keys; the ingress node, the intermediate nodes and the egress node then execute a dynamic blacklist detection operation after receiving the message and before forwarding it.
The dynamic blacklist detection operation comprises the following steps:
S101: the current node receives a message and checks whether the source IP address of the received message is in the blacklist. If it is, the message is discarded; if not, proceed to step S102. The initial blacklist is an empty list.
S102: query whether the current first random number carried by the message exists in the table mapping random numbers to IP addresses. If not, proceed to step S103; if so, proceed to step S104. The initial mapping table is empty.
S103: decrypt the layer of the message in which the current first random number resides with the private key of the current node. If decryption fails, add the source IP address of the message to the blacklist. If decryption succeeds, obtain the random number corresponding to the IP address of the downstream node of the current node and from it the IP address of that downstream node, add the random number and IP address to the mapping table, and forward the decrypted message to the downstream node.
S104: check whether the IP address corresponding to the first random number is the IP address of the current node. If so, the current node is the egress node: decrypt the raw data packet in the message with the symmetric key and forward the decrypted data to the target. If not, strip the layer in which the current first random number resides and forward the message to the downstream node corresponding to the current random number.
Further, if the ingress node and the egress node of the forwarding path are combined for the first time, then after the path planning server has established the forwarding path and before the forwarding path is sent to the terminal through the relay server, the ingress node also executes the following steps:
The ingress node generates a random symmetric key for the egress node; the symmetric key is encrypted with the public key of the egress node and signed with the private key of the ingress node.
The ingress node sends the symmetric key to the egress node through the intermediate nodes. After verifying the signature, the egress node installs the symmetric key and generates a random key of its own, encrypted with the public key of the ingress node and signed with the private key of the egress node.
The egress node sends this random key to the ingress node through the intermediate nodes, and the ingress node installs the random key.
Further, in step S104 the egress node decrypts the raw data packet in the message with the symmetric key and forwards the decrypted message to the target as follows:
The egress node decrypts the raw data packet in the message with the symmetric key of the ingress node and sends a communication request to the target.
After receiving the communication request, the target receives the message, generates a target response and sends it to the egress node.
The egress node encrypts the target response with its own symmetric key and sends the encrypted target response to the ingress node through the intermediate nodes.
The ingress node decrypts the target response with the symmetric key of the egress node and sends the decrypted target response to the user, realizing anonymous access.
Further, the ingress node forwards the update message to the next-level agent nodes connected to it by breadth-first traversal.
The beneficial effects are as follows:
1. The present invention provides an anonymous access method based on dynamic routing. A message sent by a terminal is forwarded through the network along a forwarding path established by a path planning server and is finally delivered to the target. While the path is being established, the path planning server uses the update responses fed back by each agent node to judge the delay and transmission speed of each agent node, so the forwarding path it establishes for the terminal is the one with the best communication quality, i.e. the shortest delay and the fastest transmission speed; the invention can therefore guarantee the transmission speed of node data. In addition, during path establishment each agent node returns to the path planning server the random number corresponding to the IP address of the upper-level agent node connected to it and the random number corresponding to the IP address of the next-level agent node, so the path planning server obtains the specific details of the path and can control the transmission of the message.
2. The present invention provides an anonymous access method based on dynamic routing that forms the network using a dynamic blacklist mechanism: each node judges whether a node is legitimate by whether it succeeds in decrypting the received data packet, and on successful decryption a node obtains only the random number and IP address of its own downstream node and of its upstream node, without knowing the complete path. The route is thus anonymous, which ensures the anonymity, security and efficiency of the user when accessing the network.
Detailed description of the invention
Fig. 1 is a schematic diagram of the network topology of an anonymous access method based on dynamic routing provided by the invention;
Fig. 2 is a flowchart of a dynamic blacklist detection operation provided by the invention;
Fig. 3 is a signaling diagram of the point-to-point negotiation of encryption between an ingress node and an egress node provided by the invention.
Specific embodiment
In order to help those skilled in the art better understand the scheme of the application, the technical scheme in the embodiments of the application is described clearly and completely below with reference to the accompanying drawings.
Embodiment one
Refer to Fig. 1, which is a schematic diagram of the network topology of an anonymous access method based on dynamic routing provided in this embodiment. An anonymous access method based on dynamic routing comprises the following steps:
A path planning server establishes a forwarding path, in which the first node of the forwarding path is an ingress node, the middle consists of two or more intermediate nodes, and the last node is an egress node; the IP addresses of the ingress node, the intermediate nodes and the egress node each correspond to a random number, and the ingress node and the egress node are also provided with a pair of symmetric keys.
The forwarding path is sent to the terminal through a relay server. The terminal obtains the random numbers corresponding to all intermediate nodes and the egress node on the forwarding path, encrypts the raw data packet with the symmetric key to obtain data packet X, and then attaches the random numbers one by one to the head of data packet X in the reverse order of their corresponding nodes on the forwarding path. Each time a layer of random number is attached to the head of data packet X, data packet X is encrypted once more; after the encryption of the data packet with each layer of random number attached has been completed in turn, the message is obtained.
The terminal forwards the message through the relay server to the ingress node of the forwarding path, the message is then passed through the intermediate nodes at each level of the forwarding path to the egress node, and the egress node decrypts it with the symmetric key to obtain the raw data packet and sends it to the target, realizing anonymous access.
The ingress node, the intermediate nodes and the egress node are agent nodes, and the path planning server establishes the forwarding path as follows:
The terminal sends a path update request to the path planning server at set intervals.
After receiving the path update request, the path planning server sends an update message to all ingress nodes connected to it; each ingress node then forwards the update message to the next-level agent nodes connected to it, and so on, until all agent nodes have received the update message.
After receiving the update message, each agent node generates an update response and sends the random number corresponding to the IP address of the upper-level agent node connected to it, the random number corresponding to the IP address of the next-level agent node, and the update response back to the path planning server along the path by which the update message arrived. The connection relationships between the agent nodes at each level determine all possible paths.
From the update responses it receives, the path planning server judges the delay and transmission speed of each agent node and, among all possible paths, takes the path with the shortest delay and the fastest transmission speed as the forwarding path, completing the establishment of the forwarding path.
It should be noted that completing in turn the encryption of the data packet with each layer of random number attached is specifically as follows:
The ingress node, the intermediate nodes and the egress node are each provided with their own private key.
The random number of the egress node of the forwarding path is attached to the head of data packet X in two layers. After the first layer of the egress node's random number is attached to data packet X, the data packet X carrying the first layer of the egress node's random number is encrypted with the private key of the egress node, giving data packet X1.
After the second layer of the egress node's random number is attached to data packet X1, the data packet X1 carrying the second layer of the egress node's random number is encrypted with the private key of the last intermediate node, giving data packet X2.
After the random number of the last intermediate node is attached to data packet X2, the data packet X2 carrying the random number of the last intermediate node is encrypted with the private key of the second-to-last intermediate node, giving data packet X3.
And so on, until the data packet Xn carrying the random number of the first intermediate node is encrypted with the private key of the ingress node, which completes the encryption of each layer of random number, where n is the sum of the number of intermediate nodes and the number of egress nodes.
Embodiment two
Based on the above embodiment, this embodiment provides another anonymous access method based on dynamic routing. During message transmission, the nodes on the path do not need to obtain in advance a list of the legitimate peers they may communicate with; instead, legitimacy is verified through a dynamic blacklist. Specifically, the random number of the egress node of the forwarding path is attached to the head of the raw data packet in two layers, the ingress node, the intermediate nodes and the egress node are each provided with their own private key, and the ingress node and the egress node are also provided with a pair of symmetric keys; the ingress node, the intermediate nodes and the egress node then execute a dynamic blacklist detection operation after receiving the message and before forwarding it.
Refer to Fig. 2, which is a flowchart of a dynamic blacklist detection operation provided in this embodiment. The dynamic blacklist detection operation comprises the following steps:
S101: the current node receives a message and checks whether the source IP address of the received message is in the blacklist. If it is, the message is discarded; if not, proceed to step S102. The initial blacklist is an empty list.
S102: query whether the current first random number carried by the message exists in the table mapping random numbers to IP addresses. If not, proceed to step S103; if so, proceed to step S104. The initial mapping table is empty.
S103: decrypt the layer of the message in which the current first random number resides with the private key of the current node. If decryption fails, add the source IP address of the message to the blacklist. If decryption succeeds, obtain the random number corresponding to the IP address of the downstream node of the current node and from it the IP address of that downstream node, add the random number and IP address to the mapping table, and forward the decrypted message to the downstream node.
S104: check whether the IP address corresponding to the first random number is the IP address of the current node. If so, the current node is the egress node: decrypt the raw data packet in the message with the symmetric key and forward the decrypted data to the target. If not, strip the layer in which the current first random number resides and forward the message to the downstream node corresponding to the current random number.
It should be noted that, since two layers of the egress node's random number are attached to the head of the raw data packet, the first layer of the egress node's random number is stripped by the last intermediate node: from the egress node's random number obtained by decryption, the last intermediate node obtains the corresponding IP address and, according to that IP address, forwards the message with the first layer of the egress node's random number stripped to the egress node. The egress node then decrypts the message with its own private key and obtains the second layer of the egress node's random number; the IP address corresponding to this random number is that of the current host, i.e. the host on which the egress node resides, which means the message has reached the egress node. The egress node then decrypts the message, from which every layer of random number has been stripped, with the symmetric key and finally forwards the decrypted message to the target.
It should be noted that, because the negotiation uses RSA, frequent processing consumes a large amount of performance. The rate at which RSA decryption failures are processed is therefore limited to no more than 10 per second for each source IP, and an IP whose decryption failures are too frequent is placed in a black hole for a period of time to avoid malicious attacks.
It can be seen that this embodiment does not use a central directory server to organize the network. Rather, from a networking standpoint, it constructs an anonymous communication network plan based on a dynamic blacklist mechanism and, through techniques such as segment-by-segment encryption, a multi-level network structure and multi-layer encryption, provides the availability of the anonymous communication path, thereby ensuring the anonymity, security and efficiency of the user when accessing the network.
Embodiment three
Based on the above embodiments, this embodiment describes in detail the process by which the terminal attaches the random numbers corresponding to all nodes on the forwarding path to the head of the raw data packet in reverse order to form the message, taking as an example a terminal that sends a message to the ingress node through the relay server, an ingress node that passes the message through node A and node B to the egress node, and an egress node that forwards the message to the target.
Each node can be designed to know only its own upstream node and downstream node. For example, the upstream node information of node A is the IP address of the ingress node and random number x, and its downstream node information is the IP address of node B and random number b; the upstream node information of node B is the IP address of node A and random number a, and its downstream node information is the IP address of the egress node and random number d; the upstream node information of the egress node is the IP address of node B and random number b. The sequence of random numbers corresponding to the path is therefore xabd; the random numbers are attached to the head of the raw data packet in the order ddbax, so that the random numbers of the message from the outermost layer to the innermost layer are xabdd.
It can be seen that in the whole network each node is connected only to a limited set of upstream and downstream nodes. At the same time, each node knows only its own private key and certificate and the port on which it provides service, and each node is designed not to receive more information than it needs. During message transmission, the terminal encrypts in turn with the key of each node on the path, so the data entry point is controlled by the user, the intermediate nodes in the network cannot learn the content of the data, and the data exit cannot learn which data entry point the data came from, which gives the user very high security and concealment.
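The layered message of the Summary and Embodiment one, the xabdd header order of this embodiment, and the per-hop dynamic blacklist detection S101-S104 of Embodiment two, as one added model that is not the patent's own code. It assumes a per-node symmetric key as a stand-in for each node's private key, a constructed toy cipher (SHA-256 keystream plus HMAC tag) so that decryption failure is detectable, and a per-node neighbour table of random numbers and IPs as in this embodiment; the keys, IPs, random numbers and topology are constructed.

```python
import hashlib
import hmac
import secrets

# Toy authenticated cipher (constructed stand-in, not the patent's RSA/AES): a SHA-256
# keystream plus an HMAC tag, so that "decryption failure" at a node is detectable.
NONCE_LEN, TAG_LEN = 12, 16

def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def seal(key, plaintext):
    """nonce || ciphertext || tag"""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]

def unseal(key, blob):
    """Inverse of seal(); raises ValueError when the tag does not verify."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]):
        raise ValueError("decryption failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def build_message(raw, sym_key, hops):
    """Terminal side. hops = [(node_key, random_number), ...] in path order
    (ingress, intermediates..., egress). Returns (headers, body): the random
    numbers outermost-first and the layered ciphertext."""
    body = seal(sym_key, raw)                  # X: raw packet under the ingress/egress symmetric key
    egress_key, egress_rnd = hops[-1]
    headers, body = [egress_rnd], seal(egress_key, body)   # first egress layer -> X1
    for i in range(len(hops) - 2, -1, -1):     # last intermediate back to the ingress
        node_key, downstream_rnd = hops[i][0], hops[i + 1][1]
        headers.insert(0, downstream_rnd)      # each node's layer names its downstream
        body = seal(node_key, body)            # X2 ...: second egress layer, then b, then a
    headers.insert(0, hops[0][1])              # ingress random number for the relay server: x a b d d
    return headers, body

class Node:
    """One agent node running the dynamic blacklist detection S101-S104."""
    def __init__(self, ip, key, own_rnd, neighbours, sym_key=None):
        self.ip, self.key, self.own_rnd = ip, key, own_rnd
        self.neighbours = neighbours   # rnd -> IP of the node's own up/downstream (Embodiment three)
        self.sym_key = sym_key         # only the egress holds the ingress/egress symmetric key
        self.blacklist = set()         # S101 list, initially empty
        self.table = {}                # S102 rnd -> IP mapping table, initially empty

    def receive(self, src_ip, headers, body):
        if src_ip in self.blacklist:                     # S101: known-bad source, discard
            return "dropped", None
        rnd = headers[0]
        # S103: decrypt this node's layer. This model peels the layer on both S102
        # branches; a cache hit only skips the neighbour lookup below.
        try:
            inner = unseal(self.key, body)
        except ValueError:
            self.blacklist.add(src_ip)                   # failed decryption blacklists the source
            return "blacklisted", src_ip
        if rnd in self.table:                            # S102 hit -> S104 with the cached IP
            ip = self.table[rnd]
        else:                                            # S103: learn the downstream IP, remember it
            ip = self.ip if rnd == self.own_rnd else self.neighbours.get(rnd)
            if ip is None:
                return "dropped", None
            self.table[rnd] = ip
        if ip == self.ip:                                # S104: own random number -> we are the egress
            return "delivered", unseal(self.sym_key, inner)
        return "forward", (ip, headers[1:], inner)       # S104: strip the layer, hand to downstream

def make_network():
    """Constructed path ingress -> A -> B -> egress with random numbers x, a, b, d."""
    names = ("IN", "A", "B", "E")
    keys = {n: secrets.token_bytes(32) for n in names}
    rnd = dict(IN=11, A=22, B=33, E=44)
    ips = dict(IN="10.0.0.1", A="10.0.0.2", B="10.0.0.3", E="10.0.0.4")
    sym, nodes = secrets.token_bytes(32), {}
    for i, n in enumerate(names):
        nb = {rnd[m]: ips[m] for m in names[max(i - 1, 0):i + 2] if m != n}
        nodes[n] = Node(ips[n], keys[n], rnd[n], nb, sym if n == "E" else None)
    return nodes, [(keys[n], rnd[n]) for n in names], sym

def send(nodes, headers, body, src_ip="10.0.9.9"):
    """Relay server picks the ingress from the outermost random number, then the
    message is passed hop by hop. Returns (outcome, payload, IPs visited)."""
    by_ip = {n.ip: n for n in nodes.values()}
    node = next(n for n in nodes.values() if n.own_rnd == headers[0])
    headers, trace = headers[1:], []
    while True:
        trace.append(node.ip)
        outcome, payload = node.receive(src_ip, headers, body)
        if outcome != "forward":
            return outcome, payload, trace
        src_ip, (ip, headers, body) = node.ip, payload
        node = by_ip[ip]
```

A body that fails the tag check at the ingress gets its source IP blacklisted there, and a second message from that source is then discarded at S101 before any decryption.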
Embodiment four
When the ingress node and the egress node communicate, i.e. when the ingress node passes a message through two or more intermediate nodes to the egress node, and the ingress node and the egress node of the forwarding path are combined for the first time, the ingress node needs to negotiate an AES256 symmetric key with the egress node. Based on the above embodiments, the process by which the ingress node and the egress node negotiate the AES256 symmetric key is discussed in detail below.
Refer to Fig. 3, which is a signaling diagram of the point-to-point negotiation of encryption between an ingress node and an egress node provided in this embodiment.
If the ingress node and the egress node of the forwarding path are combined for the first time, then after the path planning server has established the forwarding path and before the forwarding path is sent to the terminal through the relay server, the ingress node also executes the following steps:
The ingress node generates a random symmetric key for the egress node; the symmetric key is encrypted with the public key of the egress node and signed with the private key of the ingress node.
The ingress node sends the symmetric key to the egress node through the intermediate nodes. After verifying the signature, the egress node installs the symmetric key and generates a random key of its own, encrypted with the public key of the ingress node and signed with the private key of the egress node.
The egress node sends this random key to the ingress node through the intermediate nodes, and the ingress node installs the random key.
Further, after the ingress node has established the forwarding path and before it obtains the message, the following step is also executed: the ingress node encrypts the raw data packet with its own symmetric key.
Further, in step S104 the egress node decrypts the raw data packet in the message with the symmetric key and forwards the decrypted message to the target as follows:
The egress node decrypts the message with the symmetric key of the ingress node and sends a communication request to the target.
After receiving the communication request, the target receives the message, generates a target response and sends it to the egress node.
The egress node encrypts the target response with its own symmetric key and sends the encrypted target response to the ingress node through the intermediate nodes.
The ingress node decrypts the target response with the symmetric key of the egress node and sends the decrypted target response to the user, realizing communication.
Further, if the ingress node does not receive the target response of the egress node within the set time, the ingress node resets the key state of that egress node.
Further, the ingress node resets the key state of the egress node when it sends a message externally for the first time.
Certainly, the invention may also have other embodiments, without deviating from the spirit and substance of the present invention, ripe
Various corresponding changes and modifications can be made according to the present invention certainly by knowing those skilled in the art, but these it is corresponding change and
Deformation all should fall within the scope of protection of the appended claims of the present invention.
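The key negotiation of Fig. 3 and the request/response flow described above, as an added example that is not part of the patent. The patent fixes only AES256 for the symmetric key; the use of RSA-OAEP for the public-key encryption, RSA-PSS for the signatures, AES-256-GCM for the symmetric encryption, the class and function names, and the availability of the `cryptography` package are all assumptions. The detail worth noticing is that each side verifies the peer's signature before it decrypts or installs the offered key, and that the ingress resets the key state on its first outbound message and whenever the target response does not arrive within the set time.

```python
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed algorithm choices (the patent only fixes AES256 for the symmetric key).
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


class ProxyNode:
    """Ingress or egress agent node: an RSA key pair plus the two installed AES-256 keys."""

    def __init__(self, name, response_timeout=5.0):
        self.name = name
        self.priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.pub = self.priv.public_key()
        self.own_key = None        # key this node generated; it encrypts outbound data with it
        self.peer_key = None       # key received from the peer; it decrypts inbound data with it
        self.response_timeout = response_timeout  # the "set time" for the target response

    def key_state_ready(self):
        return self.own_key is not None and self.peer_key is not None

    def reset_key_state(self):
        """Forget both keys; forces a fresh negotiation before the next message."""
        self.own_key = self.peer_key = None

    def on_response_wait(self, elapsed):
        """Ingress side: no target response within the set time resets the egress key state."""
        if elapsed > self.response_timeout:
            self.reset_key_state()
            return True
        return False

    def offer_key(self, peer_pub):
        """Generate a random AES-256 key, encrypt it to the peer's public key, sign with own private key."""
        self.own_key = AESGCM.generate_key(bit_length=256)
        ciphertext = peer_pub.encrypt(self.own_key, OAEP)
        signature = self.priv.sign(ciphertext, PSS, hashes.SHA256())
        return ciphertext, signature

    def install_peer_key(self, peer_pub, ciphertext, signature):
        """Verify the peer's signature first; only a verified key is decrypted and installed."""
        try:
            peer_pub.verify(signature, ciphertext, PSS, hashes.SHA256())
        except InvalidSignature:
            return False
        self.peer_key = self.priv.decrypt(ciphertext, OAEP)
        return True


def negotiate(ingress, egress):
    """Two-way exchange of Fig. 3: ingress offers its key, egress installs it and offers its own."""
    ct, sig = ingress.offer_key(egress.pub)
    if not egress.install_peer_key(ingress.pub, ct, sig):
        return False
    ct, sig = egress.offer_key(ingress.pub)
    return ingress.install_peer_key(egress.pub, ct, sig)


def seal(key, data):
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, data, None)


def open_(key, blob):
    return AESGCM(key).decrypt(blob[:12], blob[12:], None)


def round_trip(ingress, egress, request, target):
    """Request goes out under the ingress key, the target response comes back under the egress key.
    The intermediate nodes between the two are not modelled here."""
    if not ingress.key_state_ready():       # first outbound message: reset, then negotiate
        ingress.reset_key_state()
        egress.reset_key_state()
        if not negotiate(ingress, egress):
            return None
    wire = seal(ingress.own_key, request)                 # ingress encrypts with its own key
    plain_request = open_(egress.peer_key, wire)          # egress decrypts with the ingress key
    response = target(plain_request)                      # egress sends the communication request
    wire = seal(egress.own_key, response)                 # egress encrypts with its own key
    return open_(ingress.peer_key, wire)                  # ingress decrypts with the egress key
```

Each direction uses a different key because each side only ever encrypts with the key it generated itself and decrypts with the key it verified from the peer; an offer carrying a signature from any other key pair is rejected before anything is installed.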
Claims (6)
1. An anonymous access method based on a dynamic path, comprising the following steps:
A path planning server establishes a forward-path, wherein the first node of the forward-path is an Ingress node, the middle consists of two or more intermediate nodes, and the last node is an Egress node; the IP addresses of the Ingress node, the intermediate nodes and the Egress node each correspond to a random number; the Ingress node and the Egress node are also provided with a pair of symmetric keys;
The forward-path is sent to the terminal through a Relay Server; the terminal obtains the random numbers corresponding to all intermediate nodes and the Egress node on the forward-path, encrypts the raw data packet with the symmetric key to obtain data packet X, and then attaches each random number in turn to the head of data packet X in the reverse order of its corresponding node on the forward-path; each time a layer of random number is attached to the head of data packet X, data packet X is encrypted once; after the encryption of the data packet with each layer of random number attached has been completed in turn, the message is obtained;
The terminal forwards the message to the Ingress node of the forward-path through the Relay Server; the message is then transmitted through the intermediate nodes at each level of the forward-path to the Egress node; the Egress node decrypts using the symmetric key to obtain the raw data packet and sends it to the target, realizing anonymous access;
Wherein the Ingress node, the intermediate nodes and the Egress node are agent nodes, and the path planning server establishing the forward-path specifically comprises:
The terminal sends a path update request to the path planning server every set duration;
After receiving the path update request, the path planning server sends an update message to all Ingress nodes connected to it; each Ingress node then forwards the update message to the next-level agent nodes connected to it, and so on, until all agent nodes have received the update message;
After receiving the update message, the agent nodes at each level generate an update response, and then send the random number corresponding to the IP address of the upper-level agent node connected to them, the random number corresponding to the IP address of the next-level agent node, and the update response back to the path planning server along the path by which the update message arrived; wherein the connection relationships between the agent nodes at each level determine all possible paths;
The path planning server judges the delay time and transmission speed of each agent node according to the received update responses, and takes the path with the shortest delay time and the fastest transmission speed among all possible paths as the forward-path, completing the establishment of the forward-path.
2. The anonymous access method based on a dynamic path according to claim 1, characterized in that completing in turn the encryption of the data packet with each layer of random number attached specifically comprises:
The Ingress node, the intermediate nodes and the Egress node are each provided with their own private key;
The random number of the Egress node of the forward-path is attached to the head of data packet X in two layers: after the first layer of the Egress node's random number is attached to data packet X, the private key of the Egress node is used to encrypt data packet X with the first layer of the Egress node's random number attached, obtaining data packet X1;
After the second layer of the Egress node's random number is attached to data packet X1, the private key of the last intermediate node is used to encrypt data packet X1 with the second layer of the Egress node's random number attached, obtaining data packet X2;
After the random number of the last intermediate node is attached to data packet X2, the private key of the penultimate intermediate node is used to encrypt data packet X2 with the random number of the last intermediate node attached, obtaining data packet X3;
And so on, until the private key of the Ingress node is used to encrypt data packet Xn with the random number of the first intermediate node attached, completing the encryption of each layer of random number, wherein n is the sum of the number of intermediate nodes and the number of Egress nodes.
3. The anonymous access method based on a dynamic path according to claim 1, characterized in that the Ingress node, the intermediate nodes and the Egress node perform a dynamic blacklist detection operation after receiving the message and before forwarding the message;
The dynamic blacklist detection operation comprises the following steps:
S101: the present node receives a message and detects whether the source IP address of the received message is in the blacklist: if so, the message is discarded; if not, step S102 is entered; wherein the initial blacklist is an empty list;
S102: query whether the current first random number carried by the message exists in the random number and IP address mapping table; if not, enter step S103; if so, enter step S104; wherein the initial random number and IP address mapping table is an empty table;
S103: use the private key corresponding to the present node to decrypt the layer of the message in which the current first random number is located: if decryption fails, add the source IP address of the message to the blacklist; if decryption succeeds, obtain the random number corresponding to the IP address of the downstream node of the present node, and thereby obtain the IP address of the downstream node of the present node, then add the random number and the IP address to the random number and IP address mapping table, and forward the decrypted message to the downstream node;
S104: detect whether the IP address corresponding to the first random number is the IP address of the present node; if so, the present node is the Egress node, the raw data packet in the message is decrypted using the symmetric key, and the decrypted data is forwarded to the target; if not, the message with the layer in which the current first random number is located stripped off is forwarded to the downstream node corresponding to the current random number.
4. The anonymous access method based on a dynamic path according to claim 1, characterized in that, if the Ingress node and the Egress node in the forward-path are combined for the first time, then after the path planning server establishes the forward-path, and before the forward-path is sent to the terminal through the Relay Server, the Ingress node also executes the following steps:
The Ingress node generates a random symmetric key for the Egress node, wherein the symmetric key is encrypted with the public key of the Egress node and signed with the private key of the Ingress node;
The Ingress node sends the symmetric key to the Egress node through the intermediate nodes; after verifying the signature, the Egress node installs the symmetric key and generates a random key, wherein the random key is encrypted with the public key of the Ingress node and signed with the private key of the Egress node;
The Egress node sends the random key to the Ingress node through the intermediate nodes, and the Ingress node installs the random key.
5. The anonymous access method based on a dynamic path according to claim 3, characterized in that, in step S104, the Egress node decrypting the raw data packet in the message using the symmetric key and transmitting the decrypted message to the target specifically comprises:
The Egress node decrypts the raw data packet in the message using the symmetric key of the Ingress node and sends a communication request to the target;
After receiving the communication request, the target receives the message and generates a target response, and then sends the target response to the Egress node;
The Egress node encrypts the target response using its own symmetric key, and then sends the encrypted target response to the Ingress node through the intermediate nodes;
The Ingress node decrypts the target response using the symmetric key of the Egress node, and then sends the decrypted target response to the user, realizing anonymous access.
6. The anonymous access method based on a dynamic path according to claim 1, characterized in that the Ingress node forwards the update message to the next-level agent nodes connected to it in a breadth-first traversal manner.
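The layered construction of claim 2 and the hop-by-hop dynamic blacklist detection of claim 3, as an added example that is not part of the patent. It uses only the Python standard library: the per-node private-key encryption of the claims is modelled by a per-node symmetric layer key with a toy authenticated encryption (SHA-256 counter keystream plus HMAC-SHA256 tag), so "decryption fails" in S103 means the tag does not verify. The node IPs, the 8-byte random numbers, the class and function names, and the reading that a node sees the next random number only after opening its own layer are assumptions made for the example.

```python
import hashlib
import hmac
import os

RND_LEN = 8   # length in bytes of the random number bound to each node's IP address

# Toy authenticated encryption (SHA-256 counter keystream + HMAC-SHA256 tag), stdlib only.
# It stands in for the per-node private-key layer operation of claim 2; not for production use.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Returns the plaintext, or None when the tag does not verify (the decryption failure of S103)."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class AgentNode:
    def __init__(self, ip, sym_key=None):
        self.ip = ip
        self.rnd = os.urandom(RND_LEN)  # random number corresponding to this node's IP (claim 1)
        self.key = os.urandom(32)       # layer key; stands in for the node's private key (claim 2)
        self.sym_key = sym_key          # ingress/egress symmetric key; None on intermediate nodes
        self.neighbours = {}            # random number -> IP of adjacent nodes (path-update phase)
        self.mapping = {}               # random number and IP address mapping table (S102/S103)
        self.blacklist = set()          # source IPs whose message failed to decrypt (S101/S103)

    def handle(self, src_ip, blob):
        """One hop of the dynamic blacklist detection of claim 3.
        Returns ('drop', reason), ('forward', next_ip, inner_message) or ('deliver', raw_packet)."""
        if src_ip in self.blacklist:                              # S101
            return ("drop", "source blacklisted")
        inner = open_(self.key, blob)                             # S103: open the layer addressed to us
        if inner is None:
            self.blacklist.add(src_ip)
            return ("drop", "layer failed to decrypt; source blacklisted")
        rnd, rest = inner[:RND_LEN], inner[RND_LEN:]
        if rnd not in self.mapping:                               # S102: first sight of this random number
            ip = self.ip if rnd == self.rnd else self.neighbours.get(rnd)
            if ip is None:
                return ("drop", "random number maps to no known node")
            self.mapping[rnd] = ip                                # S103: remember the mapping
        if self.mapping[rnd] == self.ip:                          # S104: this node is the Egress node
            raw = open_(self.sym_key, rest) if self.sym_key else None
            return ("deliver", raw) if raw is not None else ("drop", "raw packet failed to decrypt")
        return ("forward", self.mapping[rnd], rest)               # S104: strip our layer, pass downstream

def build_message(path, raw):
    """Terminal side, claim 2: X under the symmetric key, the Egress random number twice, one layer per hop."""
    ingress, egress, last_mid = path[0], path[-1], path[-2]
    x = seal(ingress.sym_key, raw)                  # data packet X
    x = seal(egress.key, egress.rnd + x)            # X1: first Egress random number, Egress key
    x = seal(last_mid.key, egress.rnd + x)          # X2: second Egress random number, last intermediate's key
    for i in range(len(path) - 3, -1, -1):          # X3 onward: each node seals its downstream node's random number
        x = seal(path[i].key, path[i + 1].rnd + x)
    return x

def make_path(n_intermediate=2):
    """Constructed sample path: ingress, n intermediates, egress; neighbours learned as in the path update."""
    sym_key = os.urandom(32)                        # the symmetric key shared by ingress and egress
    path = [AgentNode("10.0.0.1", sym_key)]
    path += [AgentNode(f"10.0.1.{i + 1}") for i in range(n_intermediate)]
    path.append(AgentNode("10.0.0.2", sym_key))
    for up, down in zip(path, path[1:]):
        up.neighbours[down.rnd] = down.ip
        down.neighbours[up.rnd] = up.ip
    return path

def walk(path, blob, src_ip="relay-server"):
    """Drive a message from the Ingress node hop by hop; returns the final verdict and the IPs visited."""
    by_ip = {node.ip: node for node in path}
    node, hops = path[0], []
    while True:
        hops.append(node.ip)
        verdict = node.handle(src_ip, blob)
        if verdict[0] != "forward":
            return verdict, hops
        src_ip, blob, node = node.ip, verdict[2], by_ip[verdict[1]]
```

Running `walk(path, build_message(path, raw))` on a path from `make_path()` delivers the raw packet at the egress with each node having cached exactly one random-number-to-IP entry; a message whose outer layer has been altered is dropped at the first node that fails to open it, that node blacklists the source, and a later message from the same source is dropped at S101 without any decryption work.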
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811441363.3A CN109698791B (en) | 2018-11-29 | 2018-11-29 | Anonymous access method based on dynamic path |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109698791A true CN109698791A (en) | 2019-04-30 |
CN109698791B CN109698791B (en) | 2021-05-11 |
Family
ID=66230244
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811441363.3A Active CN109698791B (en) | 2018-11-29 | 2018-11-29 | Anonymous access method based on dynamic path |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109698791B (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120096541A1 (en) * | 1998-10-30 | 2012-04-19 | Virnetx, Inc. | System and method employing an agile network protocol for secure communications using secure domain names |
CN101873216A (en) * | 2010-07-08 | 2010-10-27 | 布日古德 | Host authentication method, data packet transmission method and receiving method |
US20140029619A1 (en) * | 2012-07-30 | 2014-01-30 | Burson Keith Patton | Policy based routing |
CN103906046A (en) * | 2014-04-17 | 2014-07-02 | 上海电机学院 | Safe point-to-point on-demand routing method based on identity hiding |
CN106936833A (en) * | 2017-03-15 | 2017-07-07 | 广东工业大学 | A kind of content center network method for secret protection based on Hybrid Encryption and anonymous group |
CN108566337A (en) * | 2018-03-21 | 2018-09-21 | 常熟理工学院 | A kind of generation information network implementation method based on big data |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111314336A (en) * | 2020-02-11 | 2020-06-19 | 中国科学院信息工程研究所 | Dynamic transmission path construction method and system for anti-tracking network |
CN111970245A (en) * | 2020-07-20 | 2020-11-20 | 北京邮电大学 | Heterogeneous layered anonymous communication network construction method and device |
CN111970244A (en) * | 2020-07-20 | 2020-11-20 | 北京邮电大学 | Method for constructing anonymous communication network and forwarding message based on ring-shaped architecture |
CN111970245B (en) * | 2020-07-20 | 2021-07-20 | 北京邮电大学 | Heterogeneous layered anonymous communication network construction method and device |
CN111970244B (en) * | 2020-07-20 | 2022-06-03 | 北京邮电大学 | Method for constructing anonymous communication network and forwarding message based on ring-shaped architecture |
CN113572727A (en) * | 2021-06-08 | 2021-10-29 | 深圳市国电科技通信有限公司 | Data security concealed transmission method and system based on P2P network routing node |
CN115514520A (en) * | 2022-08-11 | 2022-12-23 | 北京天元特通科技有限公司 | Network transmission method and related equipment |
CN115514520B (en) * | 2022-08-11 | 2023-09-22 | 北京天元特通科技有限公司 | Network transmission method, device, equipment and medium |
Also Published As
Publication number | Publication date |
---|---|
CN109698791B (en) | 2021-05-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10033843B2 (en) | Network device and method for processing a session using a packet signature | |
CN109698791A (en) | A kind of anonymous cut-in method based on dynamic route | |
CN103701700B (en) | Node discovery method in a kind of communication network and system | |
US10091247B2 (en) | Apparatus and method for using certificate data to route data | |
CN103685467A (en) | Interconnection and internetworking platform of Internet of things, and communication method thereof | |
CN104917605B (en) | The method and apparatus of key agreement during a kind of terminal device switching | |
JP2005236939A (en) | Method for verifying and constructing highly secure anonymous communication channel in peer-to-peer type anonymous proxy | |
CN101867473B (en) | Connection establishment method and access authentication system for blocking-attacking resistant shared media terminal | |
CN102132532A (en) | Method and apparatus for avoiding unwanted data packets | |
CN109510832A (en) | A kind of communication means based on dynamic blacklist mechanism | |
Recabarren et al. | Tithonus: A bitcoin based censorship resilient system | |
JP2009501454A (en) | Link management system | |
CN109005179A (en) | Network security tunnel establishing method based on port controlling | |
Boussada et al. | PP-NDNoT: On preserving privacy in IoT-based E-health systems over NDN | |
JP7056740B2 (en) | Blockchain system, blockchain management device, network control device, method and program | |
Selvakumar et al. | Secure group key management protocol for mobile ad hoc networks | |
CN102469063B (en) | Routing protocol security alliance management method, Apparatus and system | |
CN107171786A (en) | Network agent account control method | |
CN101827079A (en) | Blocking and attacking-resistant terminal connection building method and terminal access authenticating system | |
CN111541710B (en) | Authentication and authorization method for data content in network and computer readable storage medium | |
WO2021223097A1 (en) | Authentication and authorization method for data content in network and computer readable storage medium | |
CN114614984A (en) | Time-sensitive network secure communication method based on state cryptographic algorithm | |
CN107135226B (en) | Transport layer proxy communication method based on socks5 | |
Liyanage | Enhancing security and scalability of virtual private lan services | |
Small | Patterns in network security: An analysis of architectural complexity in securing recursive inter-network architecture networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||