CN110677424B - Electric power firewall falsification addressing filtering method based on Hash algorithm - Google Patents


Info

Publication number: CN110677424B
Authority: CN (China)
Application number: CN201910944495.6A
Other languages: Chinese (zh)
Other versions: CN110677424A
Prior art keywords: message, firewall, mac1, address, mac2
Legal status: Active
Inventors: 王智东, 张紫凡, 王玕, 李志锋, 郭琳, 李玉姣, 冯瑞珏
Current assignee: Guangzhou College of South China University of Technology
Original assignee: Guangzhou College of South China University of Technology
Application filed by Guangzhou College of South China University of Technology; priority to CN201910944495.6A; published as CN110677424A; granted as CN110677424B.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/02 (as above) > H04L63/0227 Filtering policies > H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/00 (as above) > H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks > H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload > H04L63/0435 wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption

Abstract

The invention discloses a forged-addressing filtering method for an electric power firewall based on a hash algorithm, in the technical field of firewall forged-addressing filtering. The receiver side obtains a power message sent by the sender side from the communication network, extracts the relevant power message tuple T according to a filtering rule agreed in advance, and hashes the tuple T together with a pre-shared password K to obtain a verification code MAC2, namely MAC2 = hash(K ‖ T), where ‖ denotes concatenation with K placed before T. It then extracts the MAC1 attached to the original power message and compares MAC1 with MAC2. If the two are not equal, the power message did not come from an authorized party and is blocked directly. If the two are equal, the MAC2 value is used as the address into the firewall list to look up the corresponding firewall action, and the message is passed or intercepted according to that action. This adds a key verification step, increases the difficulty of forging messages, and improves the security of the firewall's message filtering.

Description

Electric power firewall falsification addressing filtering method based on Hash algorithm
Technical Field
The invention relates to an addressing and filtering method for an electric power firewall, in particular to a forged-addressing filtering method for an electric power firewall based on a hash algorithm, and belongs to the technical field of electric power firewall addressing and filtering.
Background
Current electric power firewalls filter messages essentially by direct tuple-based filtering. For example, with five-tuple packet filtering the firewall extracts the source IP address, destination IP address, source port, destination port and message type of each message captured on the power communication network and compares them with the firewall list to decide whether the message may pass.
Tuple selection varies: a four-tuple (source IP address, destination IP address, source port, destination port), a five-tuple (source IP address, destination IP address, protocol number, source port, destination port) or a seven-tuple (source IP address, destination IP address, protocol number, source port, destination port, service type and interface index).
This filtering method rests on a basic premise: a malicious attacker who does not know the tuple information of the power communication network is unable to forge a message that can pass the firewall. With current firewalls, an attacker who does learn the relevant tuple information of the communication network can inject forged messages into it, and the firewall has no ability to recognize them. The hash-algorithm-based forged-addressing filtering method for electric power firewalls is designed to address this problem.
Disclosure of Invention
The main aim of the invention is to provide a forged-addressing filtering method for an electric power firewall based on a hash algorithm. The receiver side obtains a power message of the sender side from the communication network, extracts the relevant power message tuple T according to a filtering rule agreed in advance, and hashes the tuple T together with a pre-shared password K to obtain a verification code MAC2, namely MAC2 = hash(K ‖ T), where ‖ denotes concatenation with K placed before T. It then extracts the MAC1 attached to the original power message and compares MAC1 with MAC2. If the two are not equal, the power message is not from an authorized party and is blocked directly. If the two are equal, the MAC2 value is used as the address into the firewall list to look up the corresponding firewall action, and the message is passed or intercepted according to that action. This adds a key verification function, increases the difficulty of forging messages, and improves the security of the firewall's message filtering.
The purpose of the invention can be achieved by the following technical scheme.
The forged-addressing filtering method for an electric power firewall based on the hash algorithm comprises the following steps:
s1: obtaining a power message of the sender side from the communication network;
s2: extracting the relevant power message tuple according to the filtering rule agreed in advance;
s3: performing a hash operation on the power message tuple and the password agreed in advance to obtain MAC2;
s4: extracting the MAC1 attached to the original power message and comparing MAC1 with MAC2;
s5: using the MAC2 value as the address into the firewall list and addressing the corresponding firewall action;
s6: if the two are the same, applying the passing action to the message according to the addressed firewall action.
Preferably, after step 4, when the MAC1 of the original power message differs from MAC2, the MAC2 value is used as the address into the firewall list and the corresponding firewall action is addressed to intercept the message.
Preferably, the sender-side message sending in step 1 comprises the following steps:
s1: organizing the power message to be sent;
s2: extracting the relevant power message tuple according to the filtering rule agreed in advance;
s3: performing a hash operation on the power message tuple and the password agreed in advance to obtain MAC1;
s4: appending MAC1 to the original power message and transmitting them together.
Preferably, the sender side and the receiver side have a secret key agreed in advance. The key is symmetric: the sender and the receiver of the message hold the same key and keep it secret from third parties, and the symmetric-key mode keeps the encryption and decryption processing simple.
Preferably, the sender side and the receiver side negotiate in advance the tuple used by the power message filtering rule, and both filter power messages with the same tuple rule, so that the messages accepted by the receiver are more accurate.
Preferably, the tuple is a four-tuple, a five-tuple or a seven-tuple: the four-tuple is the source IP address, destination IP address, source port and destination port; the five-tuple is the source IP address, destination IP address, protocol number, source port and destination port; and the seven-tuple is the source IP address, destination IP address, protocol number, source port, destination port, service type and interface index.
Preferably, the hash algorithm is MD5, SHA1 or SHA256.
Preferably, on the sender side, the relevant power message tuple T is extracted from the organized power message P to be sent according to the filtering rule agreed in advance, and the tuple T and the pre-shared password K are hashed to obtain the verification code MAC1, namely MAC1 = hash(K ‖ T), where ‖ denotes concatenation with K placed before T; finally the MAC1 obtained is appended behind the original power message and sent together with it. Because the sender applies the same algorithm and password before sending the result together with the original message, MAC1 cannot be conveniently extracted.
The invention has the beneficial technical effects that:
The invention provides a forged-addressing filtering method for an electric power firewall based on a hash algorithm. The receiver side obtains a power message of the sender side from the communication network, extracts the relevant power message tuple T according to a filtering rule agreed in advance, and hashes the tuple T together with a pre-shared password K to obtain a verification code MAC2, namely MAC2 = hash(K ‖ T), where ‖ denotes concatenation with K placed before T. It then extracts the MAC1 attached to the original power message and compares MAC1 with MAC2. If the two are not equal, the power message is not from an authorized party and is blocked directly. If the two are equal, the MAC2 value is used as the address into the firewall list to look up the corresponding firewall action, and the message is passed or intercepted according to that action. This adds a key verification function, increases the difficulty of forging messages, and improves the security of message filtering.
Drawings
FIG. 1 is a flow chart of the receiver-side process of a preferred embodiment of the hash-algorithm-based power firewall forged-addressing filtering method according to the present invention;
FIG. 2 is a flow chart of the sender-side process of a preferred embodiment of the hash-algorithm-based power firewall forged-addressing filtering method according to the present invention.
Detailed Description
In order to make the technical solutions of the present invention more clear and definite for those skilled in the art, the present invention is further described in detail below with reference to the examples and the accompanying drawings, but the embodiments of the present invention are not limited thereto.
As shown in FIG. 1, the forged-addressing filtering method for an electric power firewall based on a hash algorithm according to this embodiment comprises the following steps:
s1: obtaining a power message of the sender side from the communication network;
s2: extracting the relevant power message tuple according to the filtering rule agreed in advance;
s3: performing a hash operation on the power message tuple and the password agreed in advance to obtain MAC2;
s4: extracting the MAC1 attached to the original power message and comparing MAC1 with MAC2;
s5: using the MAC2 value as the address into the firewall list and addressing the corresponding firewall action;
s6: if the two are the same, applying the passing action to the message according to the addressed firewall action.
In this embodiment, after step 4, when the MAC1 of the original power message differs from MAC2, the MAC2 value is used as the address into the firewall list and the corresponding firewall action is addressed to intercept the message.
In this embodiment, as shown in FIG. 2, the sender-side message sending in step 1 comprises the following steps:
s1: organizing the power message to be sent;
s2: extracting the relevant power message tuple according to the filtering rule agreed in advance;
s3: performing a hash operation on the power message tuple and the password agreed in advance to obtain MAC1;
s4: appending MAC1 behind the original power message and sending them together.
In this embodiment, the sender side and the receiver side have agreed a secret key in advance; the key is symmetric, so the sender and the receiver of the message hold the same key and keep it secret from third parties.
In this embodiment, the sender side and the receiver side negotiate in advance the tuple used by the power message filtering rule.
In this embodiment, the tuple is a four-tuple, a five-tuple or a seven-tuple: the four-tuple is the source IP address, destination IP address, source port and destination port; the five-tuple is the source IP address, destination IP address, protocol number, source port and destination port; and the seven-tuple is the source IP address, destination IP address, protocol number, source port, destination port, service type and interface index.
In this embodiment, the hash algorithm may be MD5, SHA1 or SHA256.
In this embodiment, on the sender side, the relevant power message tuple T is extracted from the organized power message P to be sent according to the filtering rule agreed in advance, and the tuple T and the pre-shared password K are hashed to obtain the verification code MAC1, namely MAC1 = hash(K ‖ T), where ‖ denotes concatenation with K placed before T; finally the MAC1 obtained is appended behind the original power message and sent together with it.
In summary, the receiver side obtains the power message from the communication network, extracts the relevant power message tuple T according to the filtering rule agreed in advance, and hashes the tuple T together with the pre-shared password K to obtain the verification code MAC2, namely MAC2 = hash(K ‖ T), where ‖ denotes concatenation with K placed before T. It then extracts the MAC1 attached to the original power message and compares MAC1 with MAC2. If the two are not equal, the power message is not from the authorized party and is blocked directly. If the two are equal, the MAC2 value is used as the address into the firewall list to look up the corresponding firewall action, and the message is passed or intercepted according to that action. This adds a key verification function, increases the difficulty of forging messages, and improves the security of the firewall's message filtering.
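The sender-side steps (MAC1 = hash(K ‖ T) appended to the message) and the receiver-side steps s1 to s6 of the disclosure and of this embodiment, worked through in Python as an added example. This is illustrative code written for this page, not the patent's own implementation or any firewall product's code. It assumes a message modelled as a dict of header fields, the five-tuple as the agreed filtering rule, SHA-256 as the hash, a constructed pre-shared key, and a firewall list whose entries are addressed by the verification code of each permitted tuple; all field names, values and the key are constructed for the example. Next to the patent's hash(K ‖ T) construction it also offers an HMAC variant (the standard keyed-hash construction) behind a `hardened` flag.

```python
import hashlib
import hmac

# Agreed filtering-rule tuples (four-, five- and seven-tuple from the description).
# Field names are this example's assumptions for a message modelled as a dict.
FOUR_TUPLE = ("src_ip", "dst_ip", "src_port", "dst_port")
FIVE_TUPLE = ("src_ip", "dst_ip", "proto", "src_port", "dst_port")
SEVEN_TUPLE = FIVE_TUPLE + ("service_type", "if_index")


def extract_tuple(msg: dict, fields=FIVE_TUPLE) -> bytes:
    """Step s2: serialise the agreed tuple fields T in a fixed order.
    A 2-byte length prefix per field keeps field boundaries unambiguous."""
    parts = [str(msg[f]).encode() for f in fields]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def compute_mac(key: bytes, t: bytes, algo: str = "sha256", hardened: bool = False) -> str:
    """Step s3: verification code over the tuple T and the pre-shared password K.
    hardened=False reproduces the patent's hash(K || T);
    hardened=True uses HMAC, the standard keyed-hash construction."""
    if hardened:
        return hmac.new(key, t, algo).hexdigest()
    return hashlib.new(algo, key + t).hexdigest()


def sender_build(msg: dict, key: bytes, fields=FIVE_TUPLE, **kw) -> dict:
    """Sender side s1-s4: organise the message and append MAC1."""
    out = dict(msg)
    out["mac1"] = compute_mac(key, extract_tuple(msg, fields), **kw)
    return out


def build_firewall_list(rules, key: bytes, fields=FIVE_TUPLE, **kw) -> dict:
    """The firewall list is addressed by the verification code of each permitted
    tuple, so step s5 becomes a direct lookup with MAC2 as the address."""
    return {compute_mac(key, extract_tuple(r, fields), **kw): action for r, action in rules}


def receiver_filter(msg: dict, key: bytes, firewall_list: dict, fields=FIVE_TUPLE, **kw) -> str:
    """Receiver side s1-s6: returns 'pass', 'intercept' or 'block'."""
    mac2 = compute_mac(key, extract_tuple(msg, fields), **kw)   # s2, s3
    mac1 = str(msg.get("mac1", ""))                               # s4: MAC1 attached by sender
    # Constant-time comparison: timing does not reveal where the digests first differ.
    if not hmac.compare_digest(mac1, mac2):
        return "block"                      # not from an authorised party
    # s5/s6: address the firewall list with MAC2; tuples with no entry are intercepted.
    return firewall_list.get(mac2, "intercept")


# Constructed sample data: a pre-shared key K and two five-tuples.
KEY = b"constructed-demo-key-K"
ALLOWED = {"src_ip": "10.1.1.5", "dst_ip": "10.1.1.9", "proto": 6, "src_port": 40001, "dst_port": 102}
RESTRICTED = {"src_ip": "10.1.1.5", "dst_ip": "10.1.1.9", "proto": 6, "src_port": 40002, "dst_port": 23}


def demo(hardened: bool = False) -> dict:
    """Run the cases the description distinguishes and return the verdicts."""
    kw = {"hardened": hardened}
    fw = build_firewall_list([(ALLOWED, "pass"), (RESTRICTED, "intercept")], KEY, **kw)
    verdicts = {}
    verdicts["authorised"] = receiver_filter(sender_build(ALLOWED, KEY, **kw), KEY, fw, **kw)
    verdicts["restricted"] = receiver_filter(sender_build(RESTRICTED, KEY, **kw), KEY, fw, **kw)
    # Forged: correct tuple, but MAC1 computed without knowing K, so step s4 fails.
    forged = dict(ALLOWED, mac1=compute_mac(b"wrong-key", extract_tuple(ALLOWED), **kw))
    verdicts["forged"] = receiver_filter(forged, KEY, fw, **kw)
    # Authentic sender, but a tuple for which the firewall list has no entry.
    unknown = dict(ALLOWED, dst_port=502)
    verdicts["unknown_tuple"] = receiver_filter(sender_build(unknown, KEY, **kw), KEY, fw, **kw)
    return verdicts


if __name__ == "__main__":
    for mode in (False, True):
        print("hmac" if mode else "hash(K||T)", demo(mode))
```

The receiver compares the digests with `hmac.compare_digest` so that the comparison time does not depend on where MAC1 and MAC2 first differ, and a message whose MAC is authentic but whose tuple has no entry in the firewall list falls through to the intercept action. A message with the correct tuple but a MAC computed without the key K is blocked at step s4, which is the forgery case the background section describes. The `hardened=True` path is preferred in practice: HMAC is designed as a keyed message authentication code, whereas a plain hash over key-prefixed data with MD5, SHA-1 or SHA-256 is subject to length extension and is not a standard MAC construction.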
The above description is only for the purpose of illustrating the present invention and is not intended to limit the scope of the present invention, and any person skilled in the art can substitute or change the technical solution of the present invention and its conception within the scope of the present invention.

Claims (4)

1. The forged-addressing filtering method for an electric power firewall based on the hash algorithm is characterized by comprising the following steps:
Step 1: the sender side and the receiver side negotiate in advance the tuple used by the power message filtering rule; the sender side and the receiver side filter power messages with the same tuple rule; the tuple is a four-tuple, a five-tuple or a seven-tuple, where the four-tuple uses the source IP address, destination IP address, source port and destination port, the five-tuple uses the source IP address, destination IP address, protocol number, source port and destination port, and the seven-tuple uses the source IP address, destination IP address, protocol number, source port, destination port, service type and interface index;
on the sender side, the relevant power message tuple T is extracted, according to the filtering rule agreed in advance, from the organized power message P to be sent; the tuple T and the pre-shared password K are hashed to obtain the verification code MAC1, namely MAC1 = hash(K ‖ T), where ‖ denotes concatenation with K placed before T; finally the MAC1 obtained is appended behind the original power message and sent together with it; the receiver side obtains the power message of the sender side from the communication network;
Step 2: the receiver side extracts the relevant power message tuple according to the filtering rule agreed in advance;
Step 3: a hash operation is performed on the power message tuple and the password agreed in advance to obtain MAC2;
Step 4: the MAC1 attached to the original power message is extracted and compared with MAC2;
Step 5: the MAC2 value is used as the address into the firewall list and the corresponding firewall action is addressed;
Step 6: if MAC1 and MAC2 differ, the power message is not from the authorized party and is blocked directly; if they are equal, the MAC2 value is used as the address into the firewall list, the corresponding firewall action is addressed, and the message is passed or intercepted according to that action, which adds a key verification function, increases the difficulty of forging messages and improves the security of the firewall's message filtering.
2. The hash-algorithm-based power firewall forged-addressing filtering method of claim 1, wherein the sender-side message sending in step 1 comprises the following steps:
Step 1: organizing the power message to be sent;
Step 2: extracting the relevant power message tuple according to the filtering rule agreed in advance;
Step 3: performing a hash operation on the power message tuple and the password agreed in advance to obtain MAC1;
Step 4: appending MAC1 behind the original power message and sending them together.
3. The hash-algorithm-based power firewall forged-addressing filtering method of claim 1, wherein the sender side and the receiver side agree a secret key in advance; the key is symmetric, so the sender side and the receiver side of the message hold the same key and keep it secret from third parties.
4. The hash-algorithm-based power firewall forged-addressing filtering method of claim 1, wherein the hash algorithm is MD5, SHA1 or SHA256.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201910944495.6A | 2019-09-30 | 2019-09-30 | Electric power firewall falsification addressing filtering method based on Hash algorithm (Active; granted as CN110677424B)

Publications (2)

Publication Number | Publication Date
CN110677424A (en) | 2020-01-10
CN110677424B (en) | 2023-01-10

Family ID: 69078757

Country Status (1)

Country | Link
CN (1) | CN110677424B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN113904798B (en) * | 2021-08-27 | 2024-03-22 | 长沙星融元数据技术有限公司 | Multi-group filtering method, system, equipment and storage medium for IP message

Citations (2)

Publication number | Priority date | Publication date | Assignee | Title
CN1921488A (en) * | 2006-09-19 | 2007-02-28 | 清华大学 | Method for preventing forgery of source address based on signature authentication inside IPv6 sub network
CN101707619A (en) * | 2009-12-10 | 2010-05-12 | 福建星网锐捷网络有限公司 | Message filtering method, device and network device

Family Cites Families (2)

Publication number | Priority date | Publication date | Assignee | Title
US10015140B2 (en) * | 2005-02-03 | 2018-07-03 | International Business Machines Corporation | Identifying additional firewall rules that may be needed
CN103916389B (en) * | 2014-03-19 | 2017-08-08 | 汉柏科技有限公司 | Defend the method and fire wall of HttpFlood attacks

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant