CN111371786A - Encryption method and device for clock synchronization messages between Ethernet devices - Google Patents

Encryption method and device for clock synchronization messages between Ethernet devices

Info

Publication number
CN111371786A
Authority
CN
China
Prior art keywords
esmc message
esmc
message
network switch
value
Prior art date
Legal status
Pending
Application number
CN202010143032.2A
Other languages
Chinese (zh)
Inventor
冯康
杨鹤志
杨锐
Current Assignee
Centec Networks Suzhou Co Ltd
Original Assignee
Centec Networks Suzhou Co Ltd
Priority date
Filing date
Publication date


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04J: MULTIPLEX COMMUNICATION
    • H04J3/00: Time-division multiplex systems
    • H04J3/02: Details
    • H04J3/06: Synchronising arrangements
    • H04J3/0635: Clock or time synchronisation in a network
    • H04J3/0638: Clock or time synchronisation among nodes; Internode synchronisation
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols, the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643: Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses an encryption method and device for clock synchronization messages between Ethernet devices. The method comprises the following steps: a main network switch sends an extended first ESMC message; a first network switch encrypts the extension bytes of the first ESMC message and sends out the encrypted second ESMC message; a second network switch decrypts the second ESMC message to obtain the extension bytes of the first ESMC message and judges, according to the configuration information of the second ESMC message, whether the first ESMC message has been modified. The invention ensures secure communication on the network and makes clock frequency synchronization safer.

Description

Encryption method and device for clock synchronization messages between Ethernet devices
Technical Field
The present invention relates to ethernet clock synchronization technologies, and in particular, to a method and an apparatus for encrypting a clock synchronization packet between ethernet devices.
Background
Existing Ethernet clock synchronization achieves clock frequency synchronization by sending and receiving Ethernet Synchronization Messaging Channel (ESMC) messages. However, the protocol content of an ESMC message is easily attacked and tampered with, and the clock synchronization switch at the receiving end cannot judge whether a received message is genuine; it is therefore easily misled into synchronizing to a wrong time frequency, which in turn degrades the accuracy and precision of clock synchronization.
Therefore, a clock frequency information protection method and a switch system are needed.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a method and a device for encrypting clock synchronization messages between Ethernet equipment.
In order to achieve the purpose, the invention provides the following technical scheme: a method for encrypting clock synchronization messages between Ethernet devices comprises the following steps:
S1, the main network switch starts a clock frequency synchronization function, starts an extension mode and sends a first ESMC message;
S2, the first network switch connected with the main network switch encrypts the extension bytes of the first ESMC message to form an encryption field, writes the encryption field into the first ESMC message to form a second ESMC message, and sends the second ESMC message out from the port of the first network switch that has the clock frequency synchronization function;
S3, the second network switch connected with the first network switch decrypts the second ESMC message to obtain the extension bytes of the first ESMC message, verifies according to the configuration information of the second ESMC message whether the extension bytes of the first ESMC message meet the requirement, and judges according to the verification result whether the first ESMC message has been modified.
Preferably, in S2, the encrypting the extension byte of the first ESMC message includes: performing MD5 encryption operation on the content of a designated area in the first ESMC message to obtain a first MD5 key, generating an ESMC message encryption field according to the first MD5 key, and filling extension bytes of the first ESMC message with the ESMC message encryption field, wherein the designated area is a TLV information character string.
Preferably, in S3, the process of decrypting the second ESMC message includes: performing an inverse MD5 operation on the second ESMC message to obtain the unencrypted extension bytes of the first ESMC message.
Preferably, in S3, the process of decrypting the second ESMC message includes: performing a first inverse MD5 operation on the second ESMC message to obtain a first value; performing a key operation on the first value and the first MD5 key to obtain a second value; and performing a second inverse MD5 operation on the second value, thereby decrypting it to the content extracted from the designated area of the first ESMC message, wherein the designated area is a TLV information character string.
Preferably, the first value is divided by the first MD5 key to obtain the second value.
Preferably, in S3, if the extension byte of the first ESMC message is consistent with the configuration information in the second network switch, it is determined that the first ESMC message is not modified; otherwise, the first ESMC message is judged to be modified.
The invention also discloses another technical scheme: an encryption device for clock synchronization messages between Ethernet devices comprises:
the main network switch is used for starting a clock frequency synchronization function, starting an expansion mode and sending a first ESMC message;
the first network switch is connected with the main network switch and used for encrypting the expansion bytes of the first ESMC message, forming an encryption field to be written in the first ESMC message to form a second ESMC message and sending the second ESMC message from a port of the first network switch with a clock frequency synchronization function;
and the second network switch is connected with the first network switch and used for decrypting the second ESMC message to obtain the expansion bytes of the first ESMC message, verifying whether the expansion bytes of the first ESMC message meet the requirement or not according to the configuration information of the second network switch, and judging whether the first ESMC message is modified or not according to the verification result.
Preferably, the process of encrypting the extension byte of the first ESMC message by the first network switch includes: performing MD5 encryption operation on the content of a designated area in the first ESMC message to obtain a first MD5 key, generating an ESMC message encryption field according to the first MD5 key, and filling extension bytes of the first ESMC message with the ESMC message encryption field, wherein the designated area is a TLV information character string.
Preferably, the process by which the second network switch decrypts the second ESMC message includes: performing an inverse MD5 operation on the second ESMC message to obtain the unencrypted extension bytes of the first ESMC message.
Preferably, the process by which the second network switch decrypts the second ESMC message includes: performing a first inverse MD5 operation on the second ESMC message to obtain a first value; performing a key operation on the first value and the first MD5 key to obtain a second value; and performing a second inverse MD5 operation on the second value, thereby decrypting it to the content extracted from the designated area of the first ESMC message, wherein the designated area is a TLV information character string.
The beneficial effects of the invention are as follows: the invention uses the internal extension bits of the ESMC message to apply secondary processing to the protocol content; after the switch at the receiving end receives the processed ESMC message, it checks the encrypted content using the information in the internal extension bits, and thereby judges whether the ESMC message has been falsified.
Drawings
FIG. 1 is a schematic flow diagram of the method of the present invention;
FIG. 2 shows the format of a standard QL TLV frame;
FIG. 3 shows the format of the QL TLV frame after the extension of the present invention.
Detailed Description
The technical solution of the embodiment of the present invention will be clearly and completely described below with reference to the accompanying drawings of the present invention.
In the encryption method and device for clock synchronization messages between Ethernet devices disclosed by the invention, whether an ESMC message has been tampered with is judged by encrypting the internal extension bits of the ESMC message and verifying the encrypted content, so that the accuracy and precision of clock synchronization are improved.
Referring to fig. 1, a method for encrypting a clock synchronization packet between ethernet devices disclosed by the present invention includes the following steps:
S1, the main network switch starts the clock frequency synchronization function and the extension mode and sends a first ESMC message.
Specifically, in this embodiment, when the extension mode is not turned on, the QL TLV frame in the Ethernet SSM (synchronization status message) frame has the format shown in FIG. 2; the extended QL TLV frame, shown in FIG. 3, additionally carries a Type field of 8 bits, a Length field of 16 bits and a clock ID field of 48 bits. The first ESMC message that is sent carries the extended QL TLV frame, and the extended QL TLV frame forms the extension bytes of the first ESMC message.
S2, the first network switch connected with the main network switch encrypts the extension bytes of the first ESMC message to form an encryption field, writes the encryption field into the first ESMC message to form a second ESMC message, and sends the second ESMC message out from the port of the first network switch that has the clock frequency synchronization function.
Specifically, the first network switch is connected with the main network switch, receives the first ESMC message from the main network switch, and then encrypts the content of the extension bytes of the first ESMC message to form an ESMC message encryption field.
In this embodiment, the process by which the first network switch encrypts the content of the extension bytes of the first ESMC message is as follows: an MD5 operation is performed on the content of a designated area in the first ESMC message, the designated area being the 8-bit Type field, the 16-bit Length field and the 48-bit clock ID field in the QL TLV frame of the first ESMC message, i.e. a 72-bit field; the MD5 operation on this 72-bit field yields a first MD5 key, and a 4-byte (32-bit) ESMC message encryption field is generated from the first MD5 key.
The extension bytes of the first ESMC message are then filled with the ESMC message encryption field, which completes the encryption of the extension bytes of the first ESMC message; the encrypted first ESMC message is defined as the second ESMC message. The second ESMC message is then sent out from the port of the first network switch that has the clock frequency synchronization function.
S3, the second network switch connected with the first network switch decrypts the second ESMC message to obtain the extension bytes of the first ESMC message, verifies according to the configuration information of the second ESMC message whether the extension bytes of the first ESMC message meet the requirement, and judges according to the verification result whether the first ESMC message has been modified.
Specifically, the decryption of the second ESMC message by the second network switch is the reverse of the encryption in step S2: when the second network switch receives the second ESMC message, it performs the inverse MD5 operation on the ESMC message encryption field of the received second ESMC message to obtain a first value, denoted value A; value A is divided by the first MD5 key calculated in step S2 to obtain a second value, denoted value B; finally, the inverse MD5 operation is performed on value B, which decrypts it to the extension bytes of the first ESMC message, namely the content taken from the designated area of the first ESMC message: the 8-bit Type field, the 16-bit Length field and the 48-bit clock ID field.
It is then judged whether the extension bytes of the first ESMC message are consistent with the information configured in the second network switch; if so, the first ESMC message is judged not to have been modified and can be processed; otherwise the first ESMC message is judged to have been modified and is discarded.
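The S1 to S3 exchange described above as runnable code, added here by the editor and not taken from the patent. It assumes a big-endian Type | Length | clock ID layout for the 72-bit extension, a placeholder extension Type of 0x02, constructed sample clock IDs, and that the 4-byte field is the truncated MD5 digest; because MD5 is a one-way hash, the receiver's step S3 is realised by recomputing the field from the clock ID configured on the second switch rather than by inverting MD5, and the optional pre-shared key is the editor's hardening, not part of the patent.

```python
import hashlib
import hmac
import struct
from typing import NamedTuple, Optional

# Standard QL TLV (FIG. 2): Type (1 byte) | Length (2 bytes) | SSM code (1 byte).
QL_TLV_TYPE = 0x01
QL_TLV_LEN = 0x0004
# Extension described for FIG. 3: Type (8 bits) | Length (16 bits) |
# clock ID (48 bits) = 72 bits = 9 bytes. The text gives no Type value for
# the extension, so 0x02 is a placeholder chosen for this example.
EXT_TYPE = 0x02
EXT_LEN = 9
TAG_LEN = 4          # the 4-byte (32-bit) "ESMC message encryption field"
FRAME_LEN = 4 + EXT_LEN + TAG_LEN


class FirstMessage(NamedTuple):
    ssm_code: int    # quality level carried in the standard QL TLV (4 bits)
    clock_id: int    # 48-bit clock ID carried in the extension


def designated_area(clock_id: int) -> bytes:
    """The 72-bit designated area of step S2: Type | Length | clock ID."""
    if not 0 <= clock_id < (1 << 48):
        raise ValueError("clock ID must fit in 48 bits")
    return struct.pack("!BH", EXT_TYPE, EXT_LEN) + clock_id.to_bytes(6, "big")


def encryption_field(area: bytes, key: Optional[bytes] = None) -> bytes:
    """Derive the 4-byte field from the 'first MD5 key' (the MD5 digest).

    key=None follows the text: MD5 over the 72 bits, truncated to 4 bytes
    (how the 4 bytes are taken from the digest is not stated; truncation is
    this example's choice). A key switches to HMAC-MD5, an addition by the
    editor: an unkeyed hash of fields that travel in the clear can be
    recomputed by anyone who rewrites those fields.
    """
    if key is None:
        digest = hashlib.md5(area).digest()
    else:
        digest = hmac.new(key, area, hashlib.md5).digest()
    return digest[:TAG_LEN]


def build_second_message(msg: FirstMessage, key: Optional[bytes] = None) -> bytes:
    """Step S2 on the first switch: QL TLV | extension | encryption field."""
    ql_tlv = struct.pack("!BHB", QL_TLV_TYPE, QL_TLV_LEN, msg.ssm_code & 0x0F)
    area = designated_area(msg.clock_id)
    return ql_tlv + area + encryption_field(area, key)


def verify_second_message(frame: bytes, configured_clock_id: int,
                          key: Optional[bytes] = None) -> bool:
    """Step S3 on the second switch, realised by recomputation.

    MD5 cannot be inverted, so instead of 'decrypting' the field the receiver
    rebuilds the designated area from the clock ID configured on it, derives
    the field again and compares both the carried extension and the field in
    constant time. True means accept; False means discard (as in the text).
    """
    if len(frame) != FRAME_LEN:
        return False
    ql_type, ql_len = struct.unpack("!BH", frame[:3])
    if ql_type != QL_TLV_TYPE or ql_len != QL_TLV_LEN:
        return False
    carried_ext = frame[4:4 + EXT_LEN]
    carried_tag = frame[4 + EXT_LEN:]
    expected_ext = designated_area(configured_clock_id)
    ext_ok = hmac.compare_digest(carried_ext, expected_ext)
    tag_ok = hmac.compare_digest(carried_tag, encryption_field(expected_ext, key))
    return ext_ok and tag_ok


def rewrite_clock_id(frame: bytes, new_clock_id: int) -> bytes:
    """Constructed tampered input: change the clock ID, leave the field as is."""
    return frame[:7] + new_clock_id.to_bytes(6, "big") + frame[13:]


if __name__ == "__main__":
    # Constructed sample values; 0x001122334455 is not a real clock ID.
    configured = 0x001122334455
    good = build_second_message(FirstMessage(ssm_code=0x2, clock_id=configured))
    print("genuine message accepted:", verify_second_message(good, configured))
    bad = rewrite_clock_id(good, 0x00AABBCCDDEE)
    print("tampered message accepted:", verify_second_message(bad, configured))
```

Without the key, a sender who can rewrite the clock ID can also recompute the unkeyed MD5 field, so the check only catches changes made without updating the field; binding the field to a secret shared by the two switches is what makes it a forgery check.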
The invention discloses an encryption device of clock synchronization messages between Ethernet devices, which comprises:
at least one main network switch, used for starting a clock frequency synchronization function, starting an extension mode and sending a first ESMC message;
a first network switch, connected with the main network switch and used for encrypting the extension bytes of the first ESMC message to form an encryption field, writing the encryption field into the first ESMC message to form a second ESMC message, and sending the second ESMC message out from the port of the first network switch that has the clock frequency synchronization function.
Specifically, the process by which the first network switch encrypts the extension bytes of the first ESMC message includes: performing an MD5 operation on the content of a designated area in the first ESMC message to obtain a first MD5 key, generating an ESMC message encryption field from the first MD5 key, and filling the extension bytes of the first ESMC message with the ESMC message encryption field, wherein the designated area is a TLV information character string. For the specific principle, refer to the description of step S2 above.
at least one second network switch, connected with the first network switch and used for decrypting the second ESMC message to obtain the extension bytes of the first ESMC message, verifying according to the configuration information of the second ESMC message whether the extension bytes of the first ESMC message meet the requirement, and judging according to the verification result whether the first ESMC message has been modified.
Specifically, the process by which the second network switch decrypts the second ESMC message includes: performing a first inverse MD5 operation on the second ESMC message to obtain a first value; performing a key operation on the first value and the first MD5 key to obtain a second value; and performing a second inverse MD5 operation on the second value, thereby decrypting it to the content extracted from the designated area of the first ESMC message, wherein the designated area is a TLV information character string. For the specific principle, refer to the description of step S3 above.
The invention uses the internal extension bits of the ESMC message to apply secondary processing to the protocol content; after the switch at the receiving end receives the processed ESMC message, it checks the encrypted content using the information in the internal extension bits, and thereby judges whether the ESMC message has been falsified.
Therefore, the scope of the present invention should not be limited to the disclosure of the embodiments, but includes various alternatives and modifications without departing from the scope of the present invention, which is defined by the claims of the present patent application.

Claims (10)

1. A method for encrypting clock synchronization messages between Ethernet devices is characterized by comprising the following steps:
S1, the main network switch starts a clock frequency synchronization function, starts an expansion mode and sends a first ESMC message;
S2, the first network switch connected with the main network switch encrypts the expansion byte of the first ESMC message to form an encryption field to be written into the first ESMC message to form a second ESMC message, and the second ESMC message is sent out from the port of the first network switch with the clock frequency synchronization function;
S3, the second network switch connected with the first network switch decrypts the second ESMC message to obtain the expansion byte of the first ESMC message, verifies whether the expansion byte of the first ESMC message meets the requirement according to the configuration information of the second ESMC message, and judges whether the first ESMC message is modified according to the verification result.
2. The method according to claim 1, wherein in S2, the process of encrypting the extension byte of the first ESMC message includes: performing MD5 encryption operation on the content of a designated area in the first ESMC message to obtain a first MD5 key, generating an ESMC message encryption field according to the first MD5 key, and filling extension bytes of the first ESMC message with the ESMC message encryption field, wherein the designated area is a TLV information character string.
3. The method according to claim 1, wherein in S3, the process of decrypting the second ESMC message includes: performing an inverse MD5 operation on the second ESMC message to obtain the unencrypted extension byte of the first ESMC message.
4. The method according to claim 2, wherein in S3, the process of decrypting the second ESMC message includes: performing a first inverse MD5 operation on the second ESMC message to obtain a first value; performing a key operation on the first value and the first MD5 key to obtain a second value; and performing a second inverse MD5 operation on the second value, thereby decrypting it to the content extracted from the specified area of the first ESMC message, wherein the specified area is a TLV information character string.
5. The method according to claim 4, wherein the first value is divided by the first MD5 key to obtain the second value.
6. The method according to claim 1, wherein in S3, if the extended byte of the first ESMC message is consistent with the configuration information in the second network switch, it is determined that the first ESMC message is not modified; otherwise, the first ESMC message is judged to be modified.
7. An encryption apparatus for clock synchronization messages between ethernet devices, the apparatus comprising:
the main network switch is used for starting a clock frequency synchronization function, starting an expansion mode and sending a first ESMC message;
the first network switch is connected with the main network switch and used for encrypting the expansion bytes of the first ESMC message, forming an encryption field to be written in the first ESMC message to form a second ESMC message and sending the second ESMC message from a port of the first network switch with a clock frequency synchronization function;
and the second network switch is connected with the first network switch and used for decrypting the second ESMC message to obtain the expansion bytes of the first ESMC message, verifying whether the expansion bytes of the first ESMC message meet the requirement or not according to the configuration information of the second network switch, and judging whether the first ESMC message is modified or not according to the verification result.
8. The apparatus according to claim 7, wherein the process of encrypting the extended bytes of the first ESMC message by the first network switch includes: performing MD5 encryption operation on the content of a designated area in the first ESMC message to obtain a first MD5 key, generating an ESMC message encryption field according to the first MD5 key, and filling extension bytes of the first ESMC message with the ESMC message encryption field, wherein the designated area is a TLV information character string.
9. The apparatus according to claim 7, wherein the process of decrypting the second ESMC message by the second network switch comprises: performing an inverse MD5 operation on the second ESMC message to obtain the unencrypted extension byte of the first ESMC message.
10. The apparatus according to claim 8, wherein the process of decrypting the second ESMC message by the second network switch comprises: performing a first inverse MD5 operation on the second ESMC message to obtain a first value; performing a key operation on the first value and the first MD5 key to obtain a second value; and performing a second inverse MD5 operation on the second value, thereby decrypting it to the content extracted from the specified area of the first ESMC message, wherein the specified area is a TLV information character string.
CN202010143032.2A 2020-03-04 2020-03-04 Encryption method and device for clock synchronization messages between Ethernet devices Pending CN111371786A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010143032.2A CN111371786A (en) 2020-03-04 2020-03-04 Encryption method and device for clock synchronization messages between Ethernet devices

Publications (1)

Publication Number Publication Date
CN111371786A true CN111371786A (en) 2020-07-03

Family

ID=71211778

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010143032.2A Pending CN111371786A (en) 2020-03-04 2020-03-04 Encryption method and device for clock synchronization messages between Ethernet devices

Country Status (1)

Country Link
CN (1) CN111371786A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103441983A (en) * 2013-07-11 2013-12-11 盛科网络(苏州)有限公司 Information protection method and device based on link layer discovery protocol
CN103581173A (en) * 2013-09-11 2014-02-12 北京东土科技股份有限公司 Safe data transmission method, system and device based on industrial Ethernet
CN105072104A (en) * 2015-07-30 2015-11-18 积成电子股份有限公司 Switch system having anti-IEE1588 falsification function and processing method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115175177A (en) * 2022-06-16 2022-10-11 烽火通信科技股份有限公司 Message transmission method and device
CN115175177B (en) * 2022-06-16 2024-04-16 烽火通信科技股份有限公司 Message transmission method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 215101 unit 13 / 16, 4th floor, building B, No. 5, Xinghan street, Suzhou Industrial Park, Jiangsu Province
Applicant after: Suzhou Shengke Communication Co.,Ltd.
Address before: Unit 13 / 16, 4th floor, building B, No.5 Xinghan street, Suzhou Industrial Park, 215000 Jiangsu Province
Applicant before: CENTEC NETWORKS (SUZHOU) Co.,Ltd.
WD01 Invention patent application deemed withdrawn after publication
Application publication date: 20200703