CN111431586B - Satellite network safety communication method - Google Patents


Info

Publication number
CN111431586B
Authority
CN
China
Prior art keywords
user
authentication
data
response
control center
Prior art date
Legal status
Active
Application number
CN202010310110.3A
Other languages
Chinese (zh)
Other versions
CN111431586A (en)
Inventor
姚艳军
任伟龙
王烁
章仁飞
邹永庆
张霄
贺超
胡树楷
张正宇
张靖
Current Assignee
CETC 38 Research Institute
Original Assignee
CETC 38 Research Institute
Priority date
2020-04-17
Filing date
2020-04-17
Publication date
2021-09-21
Application filed by CETC 38 Research Institute
Priority to CN202010310110.3A
Publication of CN111431586A
Application granted
Publication of CN111431586B
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B 7/00 Radio transmission systems, i.e. using radiation field
    • H04B 7/14 Relay systems
    • H04B 7/15 Active relay systems
    • H04B 7/185 Space-based or airborne stations; Stations for satellite systems
    • H04B 7/1853 Satellite systems for providing telephony service to a mobile station, i.e. mobile satellite service
    • H04B 7/18565 Arrangements for preventing unauthorised access or for providing user protection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Abstract

The invention provides a satellite network security communication method comprising the following steps. Step A: the access application sent by the user side undergoes two-stage authentication, along the reverse link and the forward link respectively, and the user is allowed to access the network if the authentication passes. Step B: the data sent by the admitted user along the reverse link is authenticated, and the authenticated data is stored. The method has the following advantages: the user identity is verified through bidirectional authentication, so the possibility that an illegitimate user hijacks authentication information at any stage is avoided; for a legitimate user that has passed verification, only the messages transmitted on the reverse link are authenticated and verified, which reduces the resource occupation of the forward link and frees channel resources while keeping the communication secure.

Description

Satellite network safety communication method
Technical Field
The invention relates to the technical field of satellite communication, in particular to a satellite network safety communication method.
Background
In recent years, with the explosive growth in the number of high-, medium- and low-orbit spacecraft, network access for a large number of spacecraft users has gradually become an urgent technical problem in the field of satellite communication.
In a satellite network, the return (reverse) link is the user-to-satellite-to-ground-station link and the forward link is the ground-station-to-satellite-to-user link. In some satellite networks the user return-traffic demand exceeds the forward-traffic demand, and the satellite's power resources impose a further limit; together these make the forward and return link resources asymmetric, i.e. forward-link beam resources are limited. As intrusions by illegitimate users become more frequent, the reverse link is squeezed further, the resource occupation of the normal forward link rises, and the communication content is exposed to potential security hazards.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a satellite network secure communication method that limits access by illegitimate users and reduces the occupation of forward-link resources.
The invention solves this problem with the following technical scheme: a satellite network security communication method comprising the following steps:
step A: the access application sent by the user side undergoes two-stage authentication, along the reverse link and the forward link respectively, and the user is allowed to access the network if the authentication passes;
step B: the data sent by the admitted user along the reverse link is authenticated, and the authenticated data is stored.
The invention verifies the user identity through bidirectional authentication and so avoids the possibility that an illegitimate user hijacks authentication information at any stage; for a legitimate user that has passed verification, only the messages transmitted on the reverse link are authenticated and verified, which reduces the resource occupation of the forward link and frees channel resources while keeping the communication secure.
Preferably, the user side stores a user-side private key and the control-center public key, and the control center stores a control-center private key and the user public key;
the two-stage authentication in step A comprises the following steps:
step i: the user side processes its identity information to generate a request code, encrypts the user-side identity information, the request code and the request sending time with the user-side private key, and so generates an authentication request message;
step ii: the authentication request message is relayed by the communication satellite along the reverse link to the control center, which decrypts it with the user-side public key, processes the decrypted identity information to obtain a verification code, and records the request receiving time;
step iii: if the request code equals the verification code and the difference between the request receiving time and the request sending time is within the allowed range, the control center has authenticated the user side; it then generates a random number, computes an expected response from it, and encrypts the expected response and the current response sending time with the control-center private key to obtain a response message; otherwise authentication fails;
step iv: the response message is sent to the user side along the forward link; the user side decrypts it with the control-center public key to obtain the random number and the response sending time, computes a response vector from the random number, and if the response vector equals the expected response and the difference between the response receiving time and the response sending time is within the allowed range, authentication succeeds and the user side feeds back a network access confirmation message to the control center; otherwise authentication fails.
Preferably, the user-side identity information in step i includes a user ID and a MAC address.
Preferably, the data sending behaviour of the admitted user in step B is authenticated as follows:
step I: based on the current random number, a response is generated with an authentication algorithm from the prior art; the first 16 bits of the response are taken and XORed with the CRC; the XOR result and the message data are encrypted and sent to the control center along the reverse link; after the data is sent, the current random number is updated using the appointed time and the user's MAC address;
step II: the user side's encrypted data is sent to the control center along the reverse link; the control center calculates the appointed time from the request sending time recorded at access authentication, calculates the random number by combining it with the user's MAC address, and locally generates the expected response from that random number; it takes the first 16 bits of the expected response and the second 16 bits of the received data, XORs them, and performs a CRC (cyclic redundancy check) over the XOR result and the received data; if the check passes, the data is judged to be correct data sent by a legitimate user, it is decrypted with the decryption key generated from the previous random number, and the packet is passed to the upper layer; if the check fails, the data is incorrect and/or the user is illegitimate, and the received data is discarded.
Preferably, the control center calculates the appointed time as follows: the transmission delay is calculated from the request sending time and the request receiving time recorded at access authentication, and the appointed time is obtained by subtracting the transmission delay from the receiving time of the current message.
Preferably, the control center calculates the random number as follows: the random number stored from the previous communication is updated with the calculated appointed time and the user's MAC address to obtain the random number corresponding to the current message.
The satellite network security communication method provided by the invention has the following advantages: the user identity is verified through bidirectional authentication, so the possibility that an illegitimate user hijacks authentication information at any stage is avoided; for a legitimate user that has passed verification, only the messages transmitted on the reverse link are authenticated and verified, which reduces the resource occupation of the forward link and frees channel resources while keeping the communication secure.
Drawings
Fig. 1 is a schematic view illustrating an access application authentication of a satellite network secure communication method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of an authentication request message according to an embodiment of the present invention;
fig. 3 is a schematic diagram of an authentication response message provided by an embodiment of the present invention;
fig. 4 is a flowchart of a message transmission authentication method according to an embodiment of the present invention;
fig. 5 is a schematic diagram of message transmission authentication information according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and the following specific embodiments.
The embodiment provides a satellite network security communication method in which a user communicates with the control center through signals relayed by a communication satellite. Fig. 1 shows the access application authentication message flow, which is based on a two-step handshake and specifically includes the following steps:
step A: the access application sent by the user side undergoes two-stage authentication, along the reverse link and the forward link respectively, and the user is allowed to access the network if the authentication passes;
step B: the data sent by the admitted user along the reverse link is authenticated, and the authenticated data is stored.
The embodiment verifies the user identity through bidirectional authentication and so avoids the possibility that an illegitimate user hijacks authentication information at any stage; for a legitimate user that has passed verification, only the messages transmitted on the reverse link are authenticated and verified, which reduces the resource occupation of the forward link and frees channel resources while keeping the communication secure.
The two-stage authentication in step A specifically comprises the following steps:
step i: the user side computes a request code from its identity information and encrypts the user-side identity information, the request sending time and the request code with the user-side private key to generate an authentication request message; the user-side identity information comprises at least a user ID and a MAC address; the structure of the generated authentication request message is shown in fig. 2, where the request sending time is GPS time.
step ii: the authentication request message is relayed by the communication satellite along the reverse link to the control center, which decrypts it with the user-side public key, computes a verification code from the decrypted identity information using the same rule that generated the request code, and records the request receiving time;
step iii: if the request code equals the verification code and the difference between the request receiving time and the request sending time is within the allowed range, the control center has authenticated the user side; it generates a random number, computes an expected response from it, and encrypts the expected response and the current response sending time with the control-center private key to obtain the response message shown in fig. 3; otherwise authentication fails;
step iv: the response message is sent to the user side along the forward link; the user side decrypts it with the control-center public key to obtain the random number and the response sending time, and computes a response vector from the random number using the same rule as for the expected response; if the response vector equals the expected response and the difference between the response receiving time and the response sending time is within the allowed range, authentication succeeds and the user feeds back a network access confirmation message to the control center; otherwise authentication fails.
After the network has been accessed successfully, the user needs to send short message service data to the control center. Because the user only sends data and the control center does not need to feed anything back, only one-way authentication is performed on the sending process, in order to reduce the occupation of forward-link resources.
Referring to fig. 4, the data transmission behaviour of the admitted user in step B is authenticated as follows:
step I: based on the current random number, a response (RES) is generated with an authentication algorithm from the prior art; the first 16 bits of the response are taken and XORed with the cyclic redundancy check (CRC); the XOR result and the message data are encrypted and sent to the control center along the reverse link, the structure of the transmitted data packet being shown in fig. 5; after the data is sent, the current random number is updated with the user's appointed time and MAC address, where the appointed time is the time at which the user sent the data.
The key used to encrypt a message is generated from the current random number and is updated whenever the random number is updated: the key for the current message corresponds to the random number updated after the previous message, and the key for the first message is generated from the random number fed back by the control center during access authentication.
step II: the data encrypted by the user side is sent to the control center along the reverse link. The control center calculates the appointed time from the request sending time recorded at access authentication: it calculates the transmission delay from the request sending time and the request receiving time at access authentication, and subtracts that delay from the receiving time of the current message. It then updates the random number stored from the previous communication with the calculated appointed time and the user's MAC address to obtain the random number corresponding to the current message, regenerates the expected response locally, takes the first 16 bits of the expected response and the second 16 bits of the received data and XORs them, and performs a CRC (cyclic redundancy check) over the XOR result and the received data. If the check passes, the data is judged to be correct data sent by a legitimate user, it is decrypted with the decryption key generated from the previous random number, and the packet is passed up; if the check fails, the data is incorrect and/or the user is illegitimate, and the received data is discarded.

Claims (5)

1. A satellite network security communication method, characterized in that it comprises the following steps:
step A: the access application sent by the user side undergoes two-stage authentication, along the reverse link and the forward link respectively, and the user is allowed to access the network if the authentication passes;
the two-stage authentication comprises the following steps:
step i: the user side processes its identity information to generate a request code, encrypts the user-side identity information, the request sending time and the request code with the user-side private key, and so generates an authentication request message;
step ii: the authentication request message is relayed by the communication satellite along the reverse link to the control center, which decrypts it with the user-side public key, processes the decrypted identity information to obtain a verification code, and records the request receiving time;
step iii: if the request code equals the verification code and the difference between the request receiving time and the request sending time is within the allowed range, the control center has authenticated the user side; it then generates a random number, computes an expected response from it, and encrypts the expected response and the current response sending time with the control-center private key to obtain a response message; otherwise authentication fails;
step iv: the response message is sent to the user side along the forward link; the user side decrypts it with the control-center public key to obtain the random number and the response sending time, computes a response vector from the random number, and if the response vector equals the expected response and the difference between the response receiving time and the response sending time is within the allowed range, authentication succeeds and the network access confirmation message is fed back to the control center; otherwise authentication fails;
step B: the data sent by the admitted user along the reverse link is authenticated, and the authenticated data is stored.
2. The satellite network secure communication method as claimed in claim 1, characterized in that the user-side identity information in step i comprises at least a user ID and a MAC address.
3. The satellite network secure communication method as claimed in claim 1, characterized in that the data sending behaviour of the admitted user in step B is authenticated as follows:
step I: based on the current random number, a response is generated with an authentication algorithm from the prior art; the first 16 bits of the response are taken and XORed with the CRC; the XOR result and the message data are encrypted and sent to the control center along the reverse link; after the data is sent, the current random number is updated using the appointed time and the user's MAC address;
step II: the user side's encrypted data is sent to the control center along the reverse link; the control center calculates the appointed time from the request sending time recorded at access authentication, calculates the random number by combining it with the user's MAC address, and locally generates the expected response from that random number; it takes the first 16 bits of the expected response and the second 16 bits of the received data, XORs them, and performs a CRC (cyclic redundancy check) over the XOR result and the received data; if the check passes, the data is judged to be correct data sent by a legitimate user, it is decrypted with the decryption key generated from the previous random number, and the packet is passed to the upper layer; if the check fails, the data is incorrect and/or the user is illegitimate, and the received data is discarded.
4. The satellite network secure communication method as claimed in claim 3, characterized in that the control center calculates the appointed time as follows: the transmission delay is calculated from the request sending time and the request receiving time recorded at access authentication, and the appointed time is obtained by subtracting the transmission delay from the receiving time of the current message.
5. The satellite network secure communication method as claimed in claim 3, characterized in that the control center calculates the random number as follows: the random number stored from the previous communication is updated with the calculated appointed time and the user's MAC address to obtain the random number corresponding to the current message.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010310110.3A CN111431586B (en) 2020-04-17 2020-04-17 Satellite network safety communication method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010310110.3A CN111431586B (en) 2020-04-17 2020-04-17 Satellite network safety communication method

Publications (2)

Publication Number Publication Date
CN111431586A (en) 2020-07-17
CN111431586B (en) 2021-09-21

Family

ID=71558190

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010310110.3A Active CN111431586B (en) 2020-04-17 2020-04-17 Satellite network safety communication method

Country Status (1)

Country Link
CN (1) CN111431586B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113015111B (en) * 2021-02-23 2022-03-29 中国人民解放军火箭军工程大学 Short message encryption communication method based on dynamic timestamp and national encryption algorithm
CN113660026B (en) * 2021-07-26 2022-08-16 长光卫星技术股份有限公司 Satellite security management method based on multi-user autonomous access control
CN113923057B (en) * 2021-12-15 2022-03-01 北京航天驭星科技有限公司 Data processing method and device for satellite measurement, operation and control platform, electronic equipment and medium
CN114827998B (en) * 2022-03-17 2023-11-17 北京航天科工世纪卫星科技有限公司 Satellite terminal network access authentication device based on encryption chip

Citations (2)

Publication number Priority date Publication date Assignee Title
CN101375284A (en) * 2004-10-25 2009-02-25 里克·L·奥尔西尼 Secure data parser method and system
CN109039436A (en) * 2018-10-23 2018-12-18 中国科学院信息工程研究所 A kind of method and system of safety satellite access authentication

Family Cites Families (8)

Publication number Priority date Publication date Assignee Title
WO2009155002A2 (en) * 2008-05-27 2009-12-23 Viasat, Inc. Time of day encryption using tdma timing
CN102378170B (en) * 2010-08-27 2014-12-10 中国移动通信有限公司 Method, device and system of authentication and service calling
CN103415008A (en) * 2013-07-24 2013-11-27 牟大同 Encryption communication method and encryption communication system
CN104038937A (en) * 2014-06-24 2014-09-10 中国科学院软件研究所 Network access authentication method applicable to satellite mobile communication network
CN105323754B (en) * 2014-07-29 2019-02-22 北京信威通信技术股份有限公司 A kind of distributed method for authenticating based on wildcard
CN105827304B (en) * 2016-03-21 2018-11-09 南京邮电大学 Satellite network anonymous authentication method based on gateway station
CA3052982A1 (en) * 2017-02-10 2018-08-16 Hughes Network Systems, Llc Enhanced paging in 4g lte mobile satellite systems
CN107508796B (en) * 2017-07-28 2019-01-04 北京明朝万达科技股份有限公司 A kind of data communications method and device


Also Published As

Publication number Publication date
CN111431586A (en) 2020-07-17


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant