CN111010410A - Mimicry defense system based on certificate identity authentication and certificate signing and issuing method - Google Patents

Mimicry defense system based on certificate identity authentication and certificate signing and issuing method Download PDF

Info

Publication number
CN111010410A
CN111010410A CN202010155356.8A CN202010155356A CN111010410A CN 111010410 A CN111010410 A CN 111010410A CN 202010155356 A CN202010155356 A CN 202010155356A CN 111010410 A CN111010410 A CN 111010410A
Authority
CN
China
Prior art keywords
certificate
intermediate controller
heterogeneous
issuing center
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010155356.8A
Other languages
Chinese (zh)
Other versions
CN111010410B (en
Inventor
陈垚
王泽雨
赵海宁
羊子煜
郁晨
陈立全
冯海生
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Red Array Network Security Technology Research Institute Co Ltd
Original Assignee
Nanjing Red Array Network Security Technology Research Institute Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Red Array Network Security Technology Research Institute Co Ltd filed Critical Nanjing Red Array Network Security Technology Research Institute Co Ltd
Priority to CN202010155356.8A priority Critical patent/CN111010410B/en
Publication of CN111010410A publication Critical patent/CN111010410A/en
Priority to PCT/CN2020/094474 priority patent/WO2021179449A1/en
Application granted granted Critical
Publication of CN111010410B publication Critical patent/CN111010410B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a mimicry defense system based on certificate identity authentication and a certificate signing method, which are applied to the technical field of network security, wherein the system comprises bottom equipment, an intermediate controller and a certificate signing and issuing center, wherein the intermediate controller and the certificate signing and issuing center are respectively provided with a unique certificate, a public key of the certificate is stored in the certificate, and a corresponding private key is privately stored by each equipment and is not disclosed to the outside; in the method, equipment sends a certificate request file to an intermediate controller, the intermediate controller applies for a certificate to a certificate issuing center after verifying the identity, the certificate issuing center sends the certificate to bottom equipment through the intermediate controller, and the bottom equipment installs the certificate. The intermediate controller adopting the mimicry structure can effectively resist the attack of an attacker, and meanwhile, if the output results of the heterogeneous executors are inconsistent when the arbitration module works, whether the heterogeneous executors are attacked or not can be judged in time, and the system is maintained in time.

Description

Mimicry defense system based on certificate identity authentication and certificate signing and issuing method
Technical Field
The invention relates to the technical field of network security, in particular to a mimicry defense system based on certificate identity authentication and a certificate issuing method.
Background
The cyberspace mimicry defense theory is an active defense theory and is used for dealing with unknown threats based on unknown bugs, backdoors, viruses or trojans and the like in different fields of the cyberspace and related application levels.
Fig. 1 is a typical dynamic heterogeneous redundancy architecture of a mimicry defense system, when a message is input, the message is transmitted to each heterogeneous executive in a heterogeneous pool through an input agent, all the heterogeneous executors process the message and then transmit the result to a multi-mode arbitration module, if the result is consistent, the result is output, and if the result is inconsistent, the exception of the message output by a certain executive can be identified, so that the security defense of the system is realized.
X.509 is an important standard regarding a certificate structure and an authentication protocol, can identify the identity of a communication partner, is frequently used in a network information interaction system, and has become an indispensable part. A standard x.509 certificate contains the following: the certificate information includes version information of the certificate, serial number of the certificate, signature algorithm used by the certificate, issuing authority name of the certificate, validity period of the certificate, name of the certificate owner, public key of the certificate owner, and signature of the certificate issuer on the certificate.
In a system for issuing certificates, a mimicry defense idea is introduced, a certificate controller adopting a mimicry structure can greatly improve the safety of the system in theory, and when the system is attacked, the system can feed back the information in time. How to apply for a certificate from a certificate issuing center through an intermediate controller, issue a certificate from the certificate issuing center to a bottom layer device, and store the certificate in the intermediate controller on the basis of mimicry defense by a device needing to install the certificate is urgent to need an improved method for issuing the certificate to the device on the premise of ensuring safety.
Disclosure of Invention
The purpose of the invention is as follows: aiming at the defect that a certificate cannot be issued to equipment in mimicry defense on the premise of safety in the prior art, the invention discloses a mimicry defense system based on certificate identity authentication and a certificate issuing method, wherein the mimicry defense system comprises bottom equipment, a middle controller and a certificate issuing center; the intermediate controller adopting the mimicry structure can effectively resist the attack of attackers, the backdoors of all heterogeneous executors are different, the attackers cannot find out the property of the isomers to carry out targeted attack, and each heterogeneous execution manages a certificate revocation list, so that the safety is greatly improved.
The technical scheme is as follows: the invention discloses a mimicry defense system based on certificate identity authentication, which comprises bottom equipment, an intermediate controller and a certificate issuing center, wherein the bottom equipment is connected with the intermediate controller; the intermediate controller and the certificate issuing center are respectively provided with a unique certificate, a public key of the intermediate controller and the certificate issuing center is stored in the certificate, and a corresponding private key is stored privately by each device and is not disclosed to the outside;
the device is a device needing to be accessed to a network and comprises a certificate request module, wherein the certificate request module is used for generating a public-private key pair, encrypting and decrypting, generating a certificate request file and installing a certificate;
the intermediate controller comprises a controller processing module, the controller processing module comprises a mimicry security module and a random number module, the mimicry security module is a typical dynamic heterogeneous redundancy architecture of a mimicry defense system, and the random number module is used for providing the same timestamp for heterogeneous executors;
the mimicry security module of the intermediate controller comprises a decision module, a heterogeneous pool and a plurality of heterogeneous executives in the heterogeneous pool; the heterogeneous executive body is used for verifying identity, recording and distributing certificates, and the arbitration module is used for arbitrating heterogeneous executive body output; the heterogeneous executive bodies store intermediate controller certificates, certificate signing and issuing center certificates and certificates of all managed devices, self public keys are stored in the intermediate controller certificates, and each heterogeneous executive body stores an intermediate controller private key;
the certificate signing and issuing center comprises a certificate signing and issuing module, wherein the certificate signing and issuing module is used for managing certificates of all equipment and the intermediate controller and generating and sending a certificate when receiving a certificate request file; and storing corresponding public keys in the certificates of all the devices and the intermediate controller.
Preferably, the device is a router, a PC end or a mobile phone which needs to access a network.
Preferably, the number of the heterogeneous executors is one, and the heterogeneous executors are used as the intermediate controller.
A certificate signing and issuing method of a mimicry defense system based on certificate identity authentication comprises the following steps:
s1, the device sends the certificate request file to the intermediate controller: the equipment needing the certificate generates a public-private key pair and then generates a certificate request file, and the equipment sends the certificate request file to the intermediate controller;
s2, the intermediate controller receives the certificate request file and transmits the certificate request file into the heterogeneous pool: the intermediate controller receives a certificate request file sent by the equipment, verifies the equipment identity, and transmits the certificate request file into the heterogeneous pool after the identity is successfully verified;
s3, the heterogeneous pool receives the certificate request file and the intermediate controller sends a first adjudication result to the certificate issuing center: the heterogeneous pool receives a certificate request file sent by the intermediate controller, all heterogeneous executors in the heterogeneous pool read a certificate issuing center certificate to acquire a public key of the certificate issuing center, and the heterogeneous executors encrypt the certificate request file and send a processed first arbitration result to the certificate issuing center through the intermediate controller;
s4, the certificate issuing center receives and verifies the first sanction result and sends the encrypted certificate to the intermediate controller: the certificate signing and issuing center receives the first judgment result, firstly decrypts the first judgment result by using a private key of the certificate signing and issuing center, then performs signature verification by using a public key of the intermediate controller, acquires a certificate request file after the decryption and the verification are successful, generates a corresponding certificate according to the certificate request file, updates and inputs the newly generated certificate into a certificate management library of the certificate signing and issuing center, encrypts the new certificate by using the public key of the intermediate controller, and sends the encrypted certificate to the intermediate controller;
s5, the intermediate controller receives the encrypted certificate and sends a second sanction result to the equipment: the intermediate controller receives the encrypted certificate and sends the encrypted certificate to each heterogeneous executive body in the heterogeneous pool, the heterogeneous executive bodies process the encrypted certificate and send a second arbitration result to the intermediate controller, and the intermediate controller sends the second arbitration result to the equipment;
s6, the device receives the second judgment result and installs the certificate: and the equipment receives the second judgment result, decrypts by using a private key thereof to obtain the certificate authenticated by the intermediate controller and the certificate issuing center, and installs the certificate after obtaining the certificate.
Preferably, the encrypting all the heterogeneous executors in the heterogeneous pool in S3 to the certificate request file specifically includes:
the heterogeneous pool receives a certificate request file sent by the intermediate controller, each heterogeneous executive body in the heterogeneous pool completes bidirectional authentication between the intermediate controller and the certificate issuing center, after the authentication is successful, the heterogeneous executive bodies conduct intermediate controller private key signature and certificate issuing center public key encryption on the certificate request file, and the heterogeneous executive bodies conduct judgment on an encryption result and output a first judgment result.
Preferably, each heterogeneous executive body in the heterogeneous pool completes bidirectional authentication between the intermediate controller and the certificate issuing center, and specifically includes:
s3-1, each heterogeneous executive in the heterogeneous pool sends an intermediate controller identity verification request to the certificate issuing center: the heterogeneous executive body encrypts the word sequence by using a private key of the intermediate controller, applies a first time stamp to the random digital module, packages the encrypted word sequence, the intermediate controller certificate and the first time stamp through the arbitration module, and sends the intermediate controller identity verification request to the certificate issuing center as an intermediate controller identity verification request;
s3-2, after receiving and verifying the message, the certificate issuing center sends the certificate of the certificate issuing center and a second timestamp to the intermediate controller: after receiving the message, the certificate issuing center calls a certificate of a corresponding intermediate controller from the certificate management library of the certificate issuing center, compares the certificate with a certificate in the identity verification request of the intermediate controller, and after the comparison is consistent, takes out a public key of the intermediate controller from the certificate of the intermediate controller to decrypt the encrypted word sequence to obtain a plaintext word, namely the verification is successful, the certificate issuing center sends the certificate issuing center of the certificate issuing center and a second timestamp to the intermediate controller, wherein only the public key of the certificate issuing center is stored in the sent certificate of the certificate issuing center;
s3-3, the heterogeneous executive body receives and verifies the information: and each heterogeneous executive body in the intermediate controller receives the certificate and the second timestamp of the certificate issuing center, judges whether the second timestamp is behind the first timestamp, compares the received certificate of the certificate issuing center with the stored certificate to complete verification, and realizes the mutual authentication between the intermediate controller and the certificate issuing center after the verification is not wrong.
Preferably, the step of the heterogeneous executor processing the encrypted certificate and sending the second arbitration result to the intermediate controller in S5 specifically includes:
each heterogeneous executive body decrypts the encrypted certificate by using a private key of the intermediate controller to obtain the certificate, manages a certificate revocation list, encrypts the certificate by using the equipment public key, and arbitrates the encryption result and outputs a second arbitration result to the intermediate controller.
Preferably, the determining, by the heterogeneous executor, the encryption result specifically includes:
the heterogeneous executives send the output results to the arbitration module, if the output results of the heterogeneous executives are consistent, the arbitration module outputs corresponding arbitration results, otherwise, the system is judged to be attacked, and the intermediate controller sends the corresponding arbitration results to the certificate issuing center.
Has the advantages that:
1. in the invention, the intermediate controller adopts a mimicry structure which can effectively resist the attack of an attacker, the backdoors of all heterogeneous executives are different, the attacker cannot find out the property of the isomers to carry out targeted attack, each heterogeneous execution manages a certificate revocation list, and when the arbitration module works, if the output results of the heterogeneous executives are inconsistent, the heterogeneous executives can be judged to be attacked in time, so that the system can be repaired in time to work;
2. the intermediate controller firstly uses the private key of the intermediate controller to sign and then uses the public key of the certificate issuing center to encrypt, the transmission security of the ciphertext is high, and the certificate issuing center can also achieve the purpose of verifying the source of the message when decrypting, and the encryption workload is not increased;
3. the invention has very high safety performance, can be applied to all systems needing hierarchical management certificates and all systems using mimicry defense equipment to finish the issuing of the certificates for the equipment; and all the general systems needing certificate issuance can be used only by changing the number of heterogeneous executors in the scheme to 1 when the mimicry intermediate controller cannot be added due to equipment limitation.
Drawings
FIG. 1 is a typical dynamic heterogeneous redundancy architecture of a mimicry defense system;
FIG. 2 is a typical dynamic heterogeneous redundancy architecture for a mimicry defense system applying the present invention;
FIG. 3 is an overall functional block diagram of the certificate issuing method in the mimicry defense of the present invention;
FIG. 4 is a flowchart of a certificate issuing method for devices in a mimicry defense according to the present invention;
FIG. 5 is a flowchart illustrating a sub-routine of step S3 according to the present invention.
Detailed Description
The present solution is further illustrated and explained below with reference to the accompanying drawings.
As shown in fig. 2 and fig. 3, a mimicry defense system based on certificate identity authentication includes a bottom device requiring certificate installation, an intermediate controller and a certificate issuing center, wherein the intermediate controller and the certificate issuing center are respectively provided with a unique certificate, a public key of the intermediate controller and the certificate issuing center is stored in the certificate, and a corresponding private key is stored by each device in a private manner and is not disclosed to the outside.
The device is a device which needs to access a network, such as a router, a PC terminal, a mobile phone and the like, and comprises a certificate request module which is used for generating a public-private key pair, encrypting and decrypting, generating a certificate request file and installing a certificate.
The intermediate controller comprises a controller processing module, the controller processing module comprises a mimicry security module and a random number module, the mimicry security module is a typical dynamic heterogeneous redundancy architecture of a mimicry defense system, and the random number module is used for providing the same timestamp for heterogeneous executors. The mimicry security module comprises a decision module, a heterogeneous pool and a plurality of heterogeneous executives in the heterogeneous pool, wherein the heterogeneous executives are used for verifying identity, recording and distributing certificates, and the decision module is used for deciding the output of the heterogeneous executives; the heterogeneous executive bodies store intermediate controller certificates, certificate signing and issuing center certificates and certificates of all managed devices, self public keys are stored in the intermediate controller certificates, and each heterogeneous executive body stores an intermediate controller private key; the intermediate controller can be a mimicry wireless controller, a certificate is pre-installed when the intermediate controller is produced and delivered from a factory, and the certificate is directly managed in a certificate issuing center. Fig. 1 is a typical dynamic heterogeneous redundancy architecture of a mimicry defense system, in the scheme, a random number module is added on the basis of fig. 1 and is specially used for providing uniform timestamps for all heterogeneous executors, and a structural model is shown in fig. 2. The invention has very high safety performance, can be applied to all systems needing hierarchical management certificates and all systems using mimicry defense equipment to finish the issuing of the certificates for the equipment; and all general systems requiring certificate issuance can be used only by changing the number of heterogeneous executors to 1 when the mimicry intermediate controller cannot be added due to equipment limitation, that is, a controller with a non-mimicry defense structure can be regarded as an intermediate controller with only one heterogeneous executer, and the heterogeneous executers can be used as intermediate controllers.
The certificate issuing center comprises a certificate issuing module, the certificate issuing module is used for managing certificates of all the devices and the intermediate controller, generating and sending the certificates when receiving the certificate request file, and corresponding public keys are stored in the certificates of all the devices and the intermediate controller. The certificate pre-installed by the intermediate controller when leaving the factory is registered in the certificate signing and issuing module. Certainly, the devices produced in the same factory can also adopt a pre-installation and registration mode, when new devices require to join the network, the devices request the certificate issuing center through the affiliated intermediate controller to issue the certificate, the certificate issuing module of the certificate issuing center issues the certificate, and finally the certificate is transmitted back to the devices to be installed. The overall system module is shown in fig. 3.
In the invention, the intermediate controller adopts a mimicry structure which can effectively resist the attack of attackers, the backdoors of all heterogeneous executors are different, the attackers cannot know the property of isomers to carry out targeted attack, and each heterogeneous execution manages a certificate revocation list to provide system security.
All encryption and decryption algorithms are public key encryption algorithms so as to achieve the purpose of safely realizing confidential information exchange and identity authentication. Public key encryption algorithms are also known as asymmetric encryption algorithms. The public key encryption algorithm requires two keys, a public key and a private key. The public key and the private key are a pair, and if the data is encrypted using the public key, only the corresponding private key can be decrypted. The basic process of realizing confidential information exchange by the public key encryption algorithm is as follows:
firstly, a first party generates a pair of public and private key keys, the public key is pub _ key, the private key is pri _ key, and the public key is published;
then, encryption is carried out: the party B needing to send information to the party A encrypts the information M by using the public key pub _ key of the party A, and the encryption algorithm is E, namely
Figure 651956DEST_PATH_IMAGE001
And finally, decryption: the party A receives the ciphertext and decrypts the ciphertext by using the private key pri _ key to obtain the plaintext M, namely
Figure 124526DEST_PATH_IMAGE002
The basic process of realizing identity authentication by a public key encryption algorithm is as follows:
firstly, a first party generates a pair of public and private key keys, the public key is pub _ key, the private key is pri _ key, and the public key is published;
and secondly, encryption is carried out: the first party uses the private key pri _ key of the first party to encrypt the confidential information N and then sends the information to the second party, namely
Figure 175659DEST_PATH_IMAGE003
And finally, decryption: after receiving the ciphertext, the party B decrypts the ciphertext by using the public key pub _ key of the party A, and if the confidential information can be correctly decrypted, the identity authentication is finished, namely
Figure 100889DEST_PATH_IMAGE004
The public key encryption algorithm has the characteristics of complex algorithm strength and dependence on the algorithm and a secret key for safety. The symmetric encryption algorithm has only one secret key and is not public, and if the secret key is known by the opposite party to be decrypted, the security of the public key encryption algorithm is much larger compared with the public key encryption algorithm.
As shown in fig. 4, a certificate issuing method of a mimicry defense system based on certificate identity authentication includes the following steps:
s1, the device sends the certificate request file to the intermediate controller: generating a certificate request file after a device needing a certificate generates a public-private key pair; the public key is pub _ device, the private key is pri _ device, and the certificate request file is req.csr;
s2, the intermediate controller receives the certificate request file req.csr and transmits the certificate request file into the heterogeneous pool: the intermediate controller receives a certificate request file req.csr sent by equipment and verifies the identity of the equipment, the judgment standard of the process is whether the unique equipment identification code in the certificate request file has the authority of adding into a network, and the certificate request file req.csr is transmitted into a heterogeneous pool after the identity verification is successful;
s3, the heterogeneous pool receives the certificate request file req.csr and the intermediate controller sends a first arbitration result to the certificate issuing center: the heterogeneous pool receives a certificate request file req.csr sent by the intermediate controller, each heterogeneous executive body in the heterogeneous pool completes bidirectional authentication between the intermediate controller and the certificate issuing center, after the authentication is successful, the heterogeneous executive bodies conduct intermediate controller private key signature and certificate issuing center public key encryption on the certificate request file, the heterogeneous executive bodies judge the encryption result and output a first judgment result
Figure 512148DEST_PATH_IMAGE005
And sending the first adjudication result to the certificate issuing center through the intermediate controller
Figure 573645DEST_PATH_IMAGE005
(ii) a The intermediate controller firstly uses the private key of the intermediate controller to sign and then uses the public key of the certificate issuing center to encrypt, the transmission security of the ciphertext is high, and the certificate issuing center can also achieve the purpose of verifying the source of the message when decrypting, and the encryption workload is not increased;
as shown in fig. 5, each heterogeneous executive in the heterogeneous pool in S3 performs bidirectional authentication between the intermediate controller and the certificate issuing authority, which specifically includes:
s3-1, each heterogeneous executive in the heterogeneous pool sends an intermediate controller identity verification request to the certificate issuing center: the heterogeneous executive body encrypts the word sequence request by using a private key of the intermediate controller, and applies a first time stamp to the random digital module
Figure 857996DEST_PATH_IMAGE006
The encrypted word sequence is processed by the arbitration module
Figure 208206DEST_PATH_IMAGE007
Intermediate controller certificate cert _ mid and first timestamp
Figure 236204DEST_PATH_IMAGE006
Packaged and used as an intermediate controller identity verification request, i.e.
Figure 103273DEST_PATH_IMAGE008
Sending the intermediate controller identity authentication request to a certificate issuing center;
s3-2, after receiving and verifying the message, the certificate signing and issuing center sends its own certificate cert _ center and second time stamp to the middle controller
Figure 292946DEST_PATH_IMAGE009
: after receiving the message, the certificate issuing center calls corresponding intermediate from the certificate management libraryThe certificate cert _ mid of the controller is compared with the certificate in the intermediate controller identity verification request, and after the certificate cert _ mid of the controller is compared and consistent with the certificate in the intermediate controller identity verification request, the intermediate controller public key pub _ mid is taken out from the intermediate controller certificate cert _ mid to decrypt the encrypted word sequence, namely the encrypted word sequence is decrypted, namely the intermediate controller public key pub _ mid is taken out from the intermediate controller certificate cert _ mid
Figure 130452DEST_PATH_IMAGE010
If the plaintext word request is obtained, the verification is successful, and the certificate issuing center sends the certificate of the certificate issuing center and a second time stamp to the intermediate controller, namely
Figure 696562DEST_PATH_IMAGE011
(ii) a Wherein
Figure 185181DEST_PATH_IMAGE009
A time stamp generated by a random number generator provided for the certificate issuing center;
s3-3, the heterogeneous executive body receives and verifies the information: each heterogeneous executive body in the intermediate controller receives the self certificate and the second time stamp of the certificate issuing center
Figure 545756DEST_PATH_IMAGE011
And judging whether the second time stamp is behind the first time stamp or not, comparing the received certificate of the certificate issuing center with the stored certificate to finish verification, and realizing the bidirectional authentication between the intermediate controller and the certificate issuing center after the verification is error-free.
S4, the certificate issuing center receives and verifies the first sanction result
Figure 932875DEST_PATH_IMAGE012
And sending the encryption certificate to the intermediate controller: the certificate issuing center receives the first arbitration result
Figure 240359DEST_PATH_IMAGE012
Firstly, the private key is used for decryption to obtain
Figure 130955DEST_PATH_IMAGE013
Then the public key of the intermediate controller is used for signature verification
Figure 616425DEST_PATH_IMAGE014
And after decryption and verification are successful, a certificate request file req.csr is obtained, and the identity of the intermediate controller is decrypted twice and verified. The certificate signing and issuing center generates a corresponding certificate cert _ device according to the certificate request file, updates and inputs the newly generated certificate cert _ device into a certificate management library of the certificate signing and issuing center, and encrypts the certificate cert _ device by using a public key of an intermediate controller to obtain the certificate cert _ device
Figure 225261DEST_PATH_IMAGE015
And sending the data to the intermediate controller;
s5, the intermediate controller receives the encrypted certificate and sends a second sanction result to the equipment: the intermediate controller receives the encrypted certificate and sends the encrypted certificate to each heterogeneous executive body in the heterogeneous pool, and each heterogeneous executive body decrypts the encrypted certificate by using a private key of the intermediate controller and obtains the certificate
Figure 336436DEST_PATH_IMAGE016
Managing certificate revocation list, and encrypting the certificate by using equipment public key to obtain
Figure 347118DEST_PATH_IMAGE017
The heterogeneous executive body arbitrates the encryption result and outputs a second arbitration result
Figure 315074DEST_PATH_IMAGE017
The intermediate controller sends the second adjudication result to the certificate issuing center
Figure 598156DEST_PATH_IMAGE017
S6, the device receives the second judgment result
Figure 309760DEST_PATH_IMAGE017
And install the certificate device: the device receives the second adjudication result
Figure 112631DEST_PATH_IMAGE017
Decrypting by using a private key of the device to obtain a certificate authenticated by an intermediate controller and a certificate issuing center
Figure 251489DEST_PATH_IMAGE018
And the equipment acquires the certificate and then installs the certificate device.
In the method, the judgment of the encryption result by the heterogeneous executive body specifically comprises the following steps:
the heterogeneous executives send the output results to the arbitration module, if the output results of the heterogeneous executives are consistent, the arbitration module outputs corresponding arbitration results, otherwise, the system is judged to be attacked, and the intermediate controller sends the corresponding arbitration results to the certificate issuing center. When the judgment module works, if the output results of the heterogeneous executives are inconsistent, the judgment module can judge that the heterogeneous executives are attacked in time, and then the system can be repaired in time to work.
The above description is only of the preferred embodiments of the present invention, and it should be noted that: it will be apparent to those skilled in the art that various modifications and adaptations can be made without departing from the principles of the invention and these are intended to be within the scope of the invention.

Claims (8)

1. A mimicry defense system based on certificate identity authentication is characterized in that: the mimicry defense system comprises bottom equipment, an intermediate controller and a certificate issuing center; the intermediate controller and the certificate issuing center are respectively provided with a unique certificate, a public key of the intermediate controller and the certificate issuing center is stored in the certificate, and a corresponding private key is stored privately by each device and is not disclosed to the outside;
the device is a device needing to be accessed to a network and comprises a certificate request module, wherein the certificate request module is used for generating a public-private key pair, encrypting and decrypting, generating a certificate request file and installing a certificate;
the intermediate controller comprises a controller processing module, the controller processing module comprises a mimicry security module and a random number module, the mimicry security module is a typical dynamic heterogeneous redundancy architecture of a mimicry defense system, and the random number module is used for providing the same timestamp for heterogeneous executors;
the mimicry security module of the intermediate controller comprises a decision module, a heterogeneous pool and a plurality of heterogeneous executives in the heterogeneous pool; the heterogeneous executive body is used for verifying identity, recording and distributing certificates, and the arbitration module is used for arbitrating heterogeneous executive body output; the heterogeneous executive bodies store intermediate controller certificates, certificate signing and issuing center certificates and certificates of all managed devices, self public keys are stored in the intermediate controller certificates, and each heterogeneous executive body stores an intermediate controller private key;
the certificate signing and issuing center comprises a certificate signing and issuing module, wherein the certificate signing and issuing module is used for managing certificates of all equipment and the intermediate controller and generating and sending a certificate when receiving a certificate request file; and storing corresponding public keys in the certificates of all the devices and the intermediate controller.
2. The mimicry defense system based on certificate identity authentication according to claim 1, wherein: the equipment is a router, a PC end or a mobile phone which needs to be accessed into a network.
3. The mimicry defense system based on certificate identity authentication according to claim 1, wherein: and when the number of the heterogeneous executors is one, the heterogeneous executors are used as the intermediate controllers.
4. The certificate issuing method of the mimicry defense system based on certificate identity authentication according to any one of claims 1-3, characterized by comprising the following steps:
s1, the device sends the certificate request file to the intermediate controller: the equipment needing the certificate generates a public-private key pair and then generates a certificate request file, and the equipment sends the certificate request file to the intermediate controller;
s2, the intermediate controller receives the certificate request file and transmits the certificate request file into the heterogeneous pool: the intermediate controller receives a certificate request file sent by the equipment, verifies the equipment identity, and transmits the certificate request file into the heterogeneous pool after the identity is successfully verified;
s3, the heterogeneous pool receives the certificate request file and the intermediate controller sends a first adjudication result to the certificate issuing center: the heterogeneous pool receives the certificate request file, all heterogeneous executives in the heterogeneous pool read the certificate of the certificate issuing center to obtain a public key of the certificate issuing center, and the heterogeneous executives encrypt the certificate request file and send a processed first arbitration result to the certificate issuing center through the intermediate controller;
s4, the certificate issuing center receives and verifies the first sanction result and sends the encrypted certificate to the intermediate controller: the certificate signing and issuing center receives the first judgment result, firstly decrypts the first judgment result by using a private key of the certificate signing and issuing center, then performs signature verification by using a public key of the intermediate controller, acquires a certificate request file after the decryption and the verification are successful, generates a corresponding certificate according to the certificate request file, updates and inputs the newly generated certificate into a certificate management library of the certificate signing and issuing center, encrypts the new certificate by using the public key of the intermediate controller, and sends the encrypted certificate to the intermediate controller;
s5, the intermediate controller receives the encrypted certificate and sends a second sanction result to the equipment: the intermediate controller receives the encrypted certificate and transmits the encrypted certificate to each heterogeneous executive body in the heterogeneous pool, the heterogeneous executive bodies process the encrypted certificate and obtain a second arbitration result through the arbitration module, and the intermediate controller transmits the second arbitration result to the equipment;
s6, the device receives the second judgment result and installs the certificate: and the equipment receives the second judgment result, decrypts by using a private key thereof to obtain the certificate authenticated by the intermediate controller and the certificate issuing center, and installs the certificate after obtaining the certificate.
5. The certificate issuing method of the mimicry defense system based on certificate identity authentication according to claim 4, wherein: the encrypting all the heterogeneous executors in the heterogeneous pool in S3 for the certificate request file specifically includes:
the heterogeneous pool receives a certificate request file sent by the intermediate controller, each heterogeneous executive body in the heterogeneous pool completes bidirectional authentication between the intermediate controller and the certificate issuing center, after the authentication is successful, the heterogeneous executive bodies conduct intermediate controller private key signature and certificate issuing center public key encryption on the certificate request file, and the encryption result of the heterogeneous executive bodies passes through the arbitration module and outputs a first arbitration result.
6. The certificate issuing method of the mimicry defense system based on certificate identity authentication according to claim 5, wherein: each heterogeneous executive body in the heterogeneous pool completes the bidirectional authentication between the intermediate controller and the certificate issuing center, and the bidirectional authentication specifically comprises the following steps:
s3-1, each heterogeneous executive in the heterogeneous pool sends an intermediate controller identity verification request to the certificate issuing center: the heterogeneous executive body encrypts the word sequence by using a private key of the intermediate controller, applies a first time stamp to the random digital module, packages the encrypted word sequence, the intermediate controller certificate and the first time stamp through the arbitration module, and sends the intermediate controller identity verification request to the certificate issuing center as an intermediate controller identity verification request;
s3-2, after receiving and verifying the message, the certificate issuing center sends the certificate of the certificate issuing center and a second timestamp to the intermediate controller: after receiving the message, the certificate issuing center calls a certificate of a corresponding intermediate controller from the certificate management library of the certificate issuing center, compares the certificate with a certificate in the identity verification request of the intermediate controller, and after the comparison is consistent, takes out a public key of the intermediate controller from the certificate of the intermediate controller to decrypt the encrypted word sequence to obtain a plaintext word, namely the verification is successful, the certificate issuing center sends the certificate issuing center of the certificate issuing center and a second timestamp to the intermediate controller, wherein only the public key of the certificate issuing center is stored in the sent certificate of the certificate issuing center;
s3-3, the heterogeneous executive body receives and verifies the information: and each heterogeneous executive body in the intermediate controller receives the certificate and the second timestamp of the certificate issuing center, judges whether the second timestamp is behind the first timestamp, compares the received certificate of the certificate issuing center with the stored certificate to complete verification, and realizes the mutual authentication between the intermediate controller and the certificate issuing center after the verification is not wrong.
7. The certificate issuing method of the mimicry defense system based on certificate identity authentication according to claim 4, wherein: the step of processing the encrypted certificate and outputting the second arbitration result by the heterogeneous executor in S5 specifically includes:
each heterogeneous executive body decrypts the encrypted certificate by using a private key of the intermediate controller to obtain the certificate, manages a certificate revocation list, encrypts the certificate by using the equipment public key, and arbitrates the encryption result and outputs a second arbitration result to the intermediate controller.
8. The certificate issuing method of the mimicry defense system based on certificate identity authentication according to claim 4, wherein: the determining, by the heterogeneous executor, the encryption result specifically includes:
the heterogeneous executives send the output results to the arbitration module, if the output results of the heterogeneous executives are consistent, the arbitration module outputs corresponding arbitration results, otherwise, the system is judged to be attacked, and the intermediate controller sends the corresponding arbitration results to the certificate issuing center.
CN202010155356.8A 2020-03-09 2020-03-09 Mimicry defense system based on certificate identity authentication and certificate signing and issuing method Active CN111010410B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010155356.8A CN111010410B (en) 2020-03-09 2020-03-09 Mimicry defense system based on certificate identity authentication and certificate signing and issuing method
PCT/CN2020/094474 WO2021179449A1 (en) 2020-03-09 2020-06-04 Mimic defense system based on certificate identity authentication, and certificate issuing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010155356.8A CN111010410B (en) 2020-03-09 2020-03-09 Mimicry defense system based on certificate identity authentication and certificate signing and issuing method

Publications (2)

Publication Number Publication Date
CN111010410A true CN111010410A (en) 2020-04-14
CN111010410B CN111010410B (en) 2020-06-16

Family

ID=70120979

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010155356.8A Active CN111010410B (en) 2020-03-09 2020-03-09 Mimicry defense system based on certificate identity authentication and certificate signing and issuing method

Country Status (2)

Country Link
CN (1) CN111010410B (en)
WO (1) WO2021179449A1 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111475831A (en) * 2020-06-22 2020-07-31 南京红阵网络安全技术研究院有限公司 Data access control method and system based on mimicry defense
CN111478928A (en) * 2020-06-22 2020-07-31 南京红阵网络安全技术研究院有限公司 Mimicry defense construction method and system for edge computing cloud center
CN111669436A (en) * 2020-05-21 2020-09-15 河南信大网御科技有限公司 SSH remote connection method of mimicry system, mimicry architecture and readable storage medium
CN111741008A (en) * 2020-07-08 2020-10-02 南京红阵网络安全技术研究院有限公司 Two-way anonymous authentication system and method based on mimicry defense principle
CN111865661A (en) * 2020-06-16 2020-10-30 中国人民解放军战略支援部队信息工程大学 Abnormal configuration detection device and method for network equipment management protocol
WO2021179449A1 (en) * 2020-03-09 2021-09-16 南京红阵网络安全技术研究院有限公司 Mimic defense system based on certificate identity authentication, and certificate issuing method
CN113904805A (en) * 2021-09-06 2022-01-07 河南信大网御科技有限公司 Mimicry communication method and system based on authentication unloading
CN115102791A (en) * 2022-08-24 2022-09-23 南京华盾电力信息安全测评有限公司 Password service monitoring system and method based on mimicry defense
CN115225415A (en) * 2022-09-21 2022-10-21 南京华盾电力信息安全测评有限公司 Password application platform for new energy centralized control system and monitoring and early warning method
CN116668201A (en) * 2023-07-31 2023-08-29 北京小米移动软件有限公司 System for allocating production resources, transmission method and equipment for production resources

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114363048B (en) * 2021-12-31 2023-07-07 河南信大网御科技有限公司 Mimicry unknown threat discovery system
CN114338552B (en) * 2021-12-31 2023-07-07 河南信大网御科技有限公司 System for determining delay mimicry
CN115086447B (en) * 2022-04-30 2023-11-17 河南信大网御科技有限公司 Mimicry system based on foreground and background presentation modes
CN114780569B (en) * 2022-06-22 2022-09-16 之江实验室 Input and output proxy method and device of mimicry redis database
CN115580410B (en) * 2022-10-19 2024-03-29 中国石油大学(华东) Terminal information jump active defense method based on authentication synchronization
CN116015978B (en) * 2023-02-13 2023-12-05 中国南方电网有限责任公司 Heterogeneous redundant flow detection system based on mimicry safety technology
CN116471116A (en) * 2023-05-15 2023-07-21 嵩山实验室 Endophytic security cloud platform and construction method
CN117234857B (en) * 2023-11-10 2024-01-26 之江实验室 Endophytic security architecture system and anomaly detection method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5586204A (en) * 1994-06-30 1996-12-17 Hughes Electronics Integrity checking procedure for high throughput data transformations
CN102143218A (en) * 2011-01-24 2011-08-03 上海红神信息技术有限公司 Web access cloud architecture and access method
WO2015168913A1 (en) * 2014-05-08 2015-11-12 华为技术有限公司 Certificate acquisition method and device
CN109067737A (en) * 2018-07-28 2018-12-21 中国人民解放军战略支援部队信息工程大学 A kind of mimicry judgment device and method exported under asynchronous Keep-order requirements
CN109525553A (en) * 2018-10-12 2019-03-26 上海拟态数据技术有限公司 A kind of transmission protecting of URL request, intermediate equipment, server and system
CN110691107A (en) * 2019-12-11 2020-01-14 南京红阵网络安全技术研究院有限公司 Endogenous safety user access authentication management system and method

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107302544B (en) * 2017-08-15 2019-09-13 迈普通信技术股份有限公司 Certificate request method, wireless access control equipment and wireless access point device
WO2020093201A1 (en) * 2018-11-05 2020-05-14 北京大学深圳研究生院 Security modeling quantisation method for cyberspace mimic defence based on gspn and martingale theory
CN110750802B (en) * 2019-10-14 2023-01-10 创元网络技术股份有限公司 Framework for protecting key data based on mimicry defense
CN111010410B (en) * 2020-03-09 2020-06-16 南京红阵网络安全技术研究院有限公司 Mimicry defense system based on certificate identity authentication and certificate signing and issuing method

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5586204A (en) * 1994-06-30 1996-12-17 Hughes Electronics Integrity checking procedure for high throughput data transformations
CN102143218A (en) * 2011-01-24 2011-08-03 上海红神信息技术有限公司 Web access cloud architecture and access method
WO2015168913A1 (en) * 2014-05-08 2015-11-12 华为技术有限公司 Certificate acquisition method and device
CN109067737A (en) * 2018-07-28 2018-12-21 中国人民解放军战略支援部队信息工程大学 A kind of mimicry judgment device and method exported under asynchronous Keep-order requirements
CN109525553A (en) * 2018-10-12 2019-03-26 上海拟态数据技术有限公司 A kind of transmission protecting of URL request, intermediate equipment, server and system
CN110691107A (en) * 2019-12-11 2020-01-14 南京红阵网络安全技术研究院有限公司 Endogenous safety user access authentication management system and method

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021179449A1 (en) * 2020-03-09 2021-09-16 南京红阵网络安全技术研究院有限公司 Mimic defense system based on certificate identity authentication, and certificate issuing method
CN111669436A (en) * 2020-05-21 2020-09-15 河南信大网御科技有限公司 SSH remote connection method of mimicry system, mimicry architecture and readable storage medium
CN111669436B (en) * 2020-05-21 2022-12-13 河南信大网御科技有限公司 SSH remote connection method of mimicry system, mimicry system and readable storage medium
CN111865661A (en) * 2020-06-16 2020-10-30 中国人民解放军战略支援部队信息工程大学 Abnormal configuration detection device and method for network equipment management protocol
CN111865661B (en) * 2020-06-16 2022-11-11 中国人民解放军战略支援部队信息工程大学 Abnormal configuration detection device and method for network equipment management protocol
CN111478928A (en) * 2020-06-22 2020-07-31 南京红阵网络安全技术研究院有限公司 Mimicry defense construction method and system for edge computing cloud center
CN111475831A (en) * 2020-06-22 2020-07-31 南京红阵网络安全技术研究院有限公司 Data access control method and system based on mimicry defense
CN111741008A (en) * 2020-07-08 2020-10-02 南京红阵网络安全技术研究院有限公司 Two-way anonymous authentication system and method based on mimicry defense principle
CN113904805B (en) * 2021-09-06 2023-09-08 河南信大网御科技有限公司 Mimicry communication method and mimicry communication system based on authentication unloading
CN113904805A (en) * 2021-09-06 2022-01-07 河南信大网御科技有限公司 Mimicry communication method and system based on authentication unloading
CN115102791A (en) * 2022-08-24 2022-09-23 南京华盾电力信息安全测评有限公司 Password service monitoring system and method based on mimicry defense
CN115102791B (en) * 2022-08-24 2023-01-03 南京华盾电力信息安全测评有限公司 Password service monitoring system and method based on mimicry defense
CN115225415A (en) * 2022-09-21 2022-10-21 南京华盾电力信息安全测评有限公司 Password application platform for new energy centralized control system and monitoring and early warning method
CN115225415B (en) * 2022-09-21 2023-01-24 南京华盾电力信息安全测评有限公司 Password application platform for new energy centralized control system and monitoring and early warning method
CN116668201A (en) * 2023-07-31 2023-08-29 北京小米移动软件有限公司 System for allocating production resources, transmission method and equipment for production resources
CN116668201B (en) * 2023-07-31 2023-10-20 北京小米移动软件有限公司 System for allocating production resources, transmission method and equipment for production resources

Also Published As

Publication number Publication date
CN111010410B (en) 2020-06-16
WO2021179449A1 (en) 2021-09-16

Similar Documents

Publication Publication Date Title
CN111010410B (en) Mimicry defense system based on certificate identity authentication and certificate signing and issuing method
CN110784491B (en) Internet of things safety management system
US9912485B2 (en) Method and apparatus for embedding secret information in digital certificates
CN110750803B (en) Method and device for providing and fusing data
KR100827650B1 (en) Methods for authenticating potential members invited to join a group
CN101828357B (en) Credential provisioning method and device
US7516326B2 (en) Authentication system and method
CN101212293B (en) Identity authentication method and system
US20080010242A1 (en) Device authentication method using broadcast encryption (BE)
JP2008507203A (en) Method for transmitting a direct proof private key in a signed group to a device using a distribution CD
JP2009519687A (en) Authentication and distributed system and method for replacing cryptographic keys
JP2008506338A (en) A method for directly distributing a certification private key to a device using a distribution CD
KR20200080441A (en) Distributed device authentication protocol in internet of things blockchain environment
US20220247576A1 (en) Establishing provenance of applications in an offline environment
Kukkala et al. SEDAN: Security-aware design of time-critical automotive networks
AU2019285822A1 (en) Decentralised authentication
Fuchs et al. HIP: HSM-based identities for plug-and-charge
CN106992978B (en) Network security management method and server
Larsen et al. Direct anonymous attestation on the road: Efficient and privacy-preserving revocation in c-its
WO2017008556A1 (en) Authentication method and device for wireless access point and management platform
JP2014022920A (en) Electronic signature system, electronic signature method, and electronic signature program
US11570008B2 (en) Pseudonym credential configuration method and apparatus
JP5393594B2 (en) Efficient mutual authentication method, program, and apparatus
CN113709734A (en) Unmanned aerial vehicle distributed identity authentication method based on block chain
CN113162762B (en) Key authorization method, encryption machine, terminal and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant