CN111431889B - Communication protection method for lightweight control channel in OpenFlow network - Google Patents

Communication protection method for lightweight control channel in OpenFlow network

Info

Publication number
CN111431889B
Authority
CN
China
Prior art keywords
message
openflow
encrypted
security
controller
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010197174.7A
Other languages
Chinese (zh)
Other versions
CN111431889A (en)
Inventor
李子钦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Priority to CN202010197174.7A
Publication of CN111431889A
Application granted
Publication of CN111431889B
Active legal status
Anticipated expiration legal status


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/64 Routing or path finding of packets in data switching networks using an overlay routing layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2212/00 Encapsulation of packets

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a communication protection method for a lightweight control channel in an OpenFlow network and relates to the field of communication. The method applies to communication among OpenFlow devices and comprises the following steps: (1) presetting a unique seed value in each OpenFlow device; (2) hashing the seed value to generate a device private key, and computing the corresponding device public key from the device private key with an asymmetric cryptographic algorithm; (3) hashing the device public key to generate a device identity; (4) encapsulating the content sent by the OpenFlow device under its device identity, which constitutes the encryption operation; (5) restoring the content received from the OpenFlow device under that device identity, which constitutes the decryption operation. The method addresses the low communication security and high energy consumption of existing OpenFlow control channels.

Description

Communication protection method for lightweight control channel in OpenFlow network
Technical Field
The invention relates to the field of communication, and in particular to a communication protection method for a lightweight control channel in an OpenFlow network.
Background
In conventional networks, the control plane, which integrates multiple network functions, and the data plane, which forwards data packets, are tightly coupled and typically embedded in a proprietary device. This severely limits flexible network management and network service innovation. Software-Defined Networking (SDN) decouples the control plane from the data plane and thereby provides a way to implement a "programmable network"; it is widely regarded as a very promising network architecture. SDN enables network operators to manage, configure and optimize network resources flexibly and quickly using dynamic, automated and device-independent applications.
In SDN, because the control plane and the data plane are decoupled, communication between the two changes from inter-process communication inside a single system to remote communication between two independent systems. A number of communication protocols have therefore been proposed, such as OpenFlow, NETCONF and OVSDB. Among them, OpenFlow has become the de facto standard and has been applied in many commercial deployments, such as Google's B4. In OpenFlow, a logically centralized control plane (the controller) establishes connections with a plurality of OpenFlow switches and exchanges control messages with them to manage the network. The connection between the controller and a switch is referred to as the control channel. OpenFlow currently provides two types of control channel: one carried over plain TCP and one carried over the SSL/TLS security protocol. The TCP-based control channel delivers control messages reliably between controller and switch, but it does nothing to prevent an attacker from sniffing or tampering with them. Current research has demonstrated that an attacker who maliciously manipulates control messages on a TCP-based control channel can undermine network service availability, for example by tampering with firewall policies and the controller's view of the network topology. Because of this low security, sensitive network information and control messages carrying important control decisions are easily corrupted or disclosed.
To improve control-channel security, the SSL/TLS-based control channel is intended as the default mechanism of SDN deployments, since it fully protects the confidentiality and integrity of control messages. In practice, however, such encrypted channels are not widely used because of their high performance overhead. For example, an SDN controller in a modern data center typically has to respond to millions of flow requests per second from hundreds of switches; the added security operations (encryption and decryption) consume a significant share of the controller's computing resources and reduce its flow-request throughput. Network administrators therefore often disable the encrypted channel to meet network performance requirements. There is thus a need for a lightweight control-channel protection method for OpenFlow networks that improves both security and performance and can be widely deployed.
Disclosure of Invention
The invention aims to provide a communication protection method for a lightweight control channel in an OpenFlow network that addresses the low security, high performance overhead and limited deployability of current control channels.
Embodiments of the present invention are implemented as follows:
A communication protection method for a lightweight control channel in an OpenFlow network applies to communication among OpenFlow devices and comprises the following steps: (1) presetting a unique seed value in each OpenFlow device; (2) hashing the seed value to generate a device private key, and computing the corresponding device public key from the device private key with an asymmetric cryptographic algorithm; (3) hashing the device public key to generate a device identity; (4) encapsulating the content sent by the OpenFlow device under its device identity, which constitutes the encryption operation; (5) restoring the content received from the OpenFlow device under that device identity, which constitutes the decryption operation.
In some embodiments of the present invention, the OpenFlow devices include an OpenFlow controller and an OpenFlow switch. The OpenFlow controller receives an administrator request and converts it into a control message. In step (4), the control message is encapsulated into a security message under the device identity of the OpenFlow controller, and the security message is sent to the OpenFlow switch.
In some embodiments of the present invention, step (5) includes intercepting the security message, restoring it with the device identity of the OpenFlow controller, and determining whether it can be restored to the control message; the security message is forwarded to the OpenFlow switch when the control message can be restored and discarded when it cannot.
In some embodiments of the present invention, the method further includes step (6): after the OpenFlow switch executes the security message, it sends a security response message to the OpenFlow controller.
In some embodiments of the present invention, the security response message is encapsulated under the device identity of the OpenFlow switch. Step (6) further includes restoring the security response message with the device identity of the OpenFlow switch and determining whether it can be restored to the security message; the security response message is forwarded to the OpenFlow controller when it can be restored to the security message and discarded when it cannot.
In some embodiments of the present invention, step (3) further includes the OpenFlow controller and the OpenFlow switch generating a shared key from their device public keys and device private keys with a key negotiation algorithm. Step (4) then includes intercepting the security message, encapsulating it into an encrypted message under the shared key of the OpenFlow controller, and sending the encrypted message to the OpenFlow switch.
In some embodiments of the present invention, step (5) includes intercepting the encrypted message, restoring it with the device identity and the shared key of the OpenFlow controller, and determining whether it can be restored to the control message; the encrypted message is forwarded to the OpenFlow switch when the control message can be restored and discarded when it cannot.
In some embodiments of the present invention, the method further includes step (6): after the OpenFlow switch executes the encrypted message, it sends an encrypted response message to the OpenFlow controller.
In some embodiments of the present invention, the encrypted response message is encapsulated under the device identity of the OpenFlow switch. Step (6) further includes restoring the encrypted response message with the device identity of the OpenFlow switch and determining whether it can be restored to the encrypted message; the encrypted response message is forwarded to the OpenFlow controller when it can be restored to the encrypted message and discarded when it cannot.
Embodiments of the invention have at least the following advantages or beneficial effects:
1. The device private key is generated from a seed value preset in the OpenFlow device, so content originating from the OpenFlow device can be authenticated with the device private key; this improves communication security and allows the method to be widely deployed.
2. The device public key of the OpenFlow device is generated from the device private key with an asymmetric cryptographic algorithm, so a peer holding the device public key can verify content authenticated with the device private key; this improves communication security between OpenFlow devices.
3. The device public key is hashed to generate the device identity, so the device identity can be sent with each message and used to verify it when OpenFlow devices communicate; this prevents messages from being tampered with after another device has been compromised, protects message integrity in transit and improves communication security.
4. All messages sent by an OpenFlow device are labelled with its device identity in the encryption operation, and all messages received after that labelling are restored under the device identity in the decryption operation; this improves the security of communication between different OpenFlow devices and, compared with encrypting and decrypting every message independently, reduces energy consumption and improves the communication performance of the OpenFlow network, allowing wide deployment.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a communication protection method of a lightweight control channel in an OpenFlow network according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
In the description of the embodiments of the present invention, it should be noted that, if the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. indicate an azimuth or a positional relationship based on that shown in the drawings, or an azimuth or a positional relationship in which the product of the present invention is conventionally put when used, it is merely for convenience of describing the present invention and simplifying the description, and it does not indicate or imply that the apparatus or element to be referred to must have a specific azimuth, be configured and operated in a specific azimuth, and thus should not be construed as limiting the present invention. Furthermore, the terms "first," "second," "third," and the like are used merely to distinguish between descriptions and should not be construed as indicating or implying relative importance.
Furthermore, the terms "horizontal," "vertical," "overhang" and the like, if any, do not denote a requirement that the component be absolutely horizontal or overhang, but rather may be slightly inclined. As "horizontal" merely means that its direction is more horizontal than "vertical", and does not mean that the structure must be perfectly horizontal, but may be slightly inclined.
In the description of the embodiments of the present invention, "plurality" means at least 2.
In the description of the embodiments of the present invention, it should also be noted that, unless explicitly specified and limited otherwise, the terms "disposed," "mounted," "connected," and "connected" should be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art according to the specific circumstances.
Examples
Referring to Fig. 1, which shows a communication protection method for a lightweight control channel in an OpenFlow network, the method applies to communication between OpenFlow devices and comprises the following steps: (1) presetting a unique seed value in each OpenFlow device; (2) hashing the seed value to generate a device private key, and computing the corresponding device public key from the device private key with an asymmetric cryptographic algorithm; (3) hashing the device public key to generate a device identity; (4) encapsulating the content sent by the OpenFlow device under its device identity, which constitutes the encryption operation; (5) restoring the content received from the OpenFlow device under that device identity, which constitutes the decryption operation.
In detail, step (1) distinguishes the identities of different OpenFlow devices by presetting a unique seed value in each, which facilitates secure communication among a plurality of OpenFlow devices. Optionally, the unique seed value is built into the OpenFlow device at the factory. Alternatively, a pseudo-random number generator is used to obtain the device's initial seed value.
In detail, step (2) hashes each seed value to generate the device private key, which is used to authenticate messages sent by that device. The device public key corresponding to the device private key is computed with an asymmetric algorithm. In step (3), the device public key is hashed to generate the device identity. In step (4), the content sent by the OpenFlow device is uniformly labelled and encrypted under its device identity, and in step (5) content received from different devices is decrypted once the receiving OpenFlow device has authenticated the label, which realizes lightweight secure communication. The SHA-256 hash algorithm is selected to derive the unique device private key and device identity of each OpenFlow device.
As a preferred embodiment, the OpenFlow devices include an OpenFlow controller and an OpenFlow switch; the OpenFlow controller receives an administrator request and converts it into a control message. In step (4), the control message is encapsulated into a security message under the device identity of the OpenFlow controller, and the security message is sent to the OpenFlow switch.
In detail, how the OpenFlow controller converts a received administrator request into a control message is known in the art and is not described here. Step (4) encapsulates the control message under the device identity, generating a security message that is sent to the OpenFlow switch. The source of the control message is thereby authenticated through the device identity, and the integrity of the control message is protected.
As a preferred embodiment, step (5) includes intercepting the security message, restoring it with the device identity of the OpenFlow controller, and determining whether it can be restored to the control message; the security message is forwarded to the OpenFlow switch when the control message can be restored and discarded when it cannot.
In detail, the security message generated by encrypting the control message under the device identity of the OpenFlow controller is intercepted before it is sent to the OpenFlow switch, and the decryption operation is executed by restoring it with the device identity of the OpenFlow controller. Whether the security message has been tampered with, or its content stolen, by another device is determined by checking whether it can be restored to the control message; the device identity and the control message needed for this check are obtained from the OpenFlow controller and from the device that encapsulated the control message. When the security message can be restored to the control message, the source device is judged legitimate and the control message complete, and the security message is forwarded to the OpenFlow switch, which improves communication security. If the security message cannot be parsed with the device identity, or the parsed result differs from the control message, the security message was maliciously tampered with in transit or forged by another, illegitimate device. In that case the illegitimate security message is discarded, and the OpenFlow switch never receives a security message that lacks execution permission.
As a preferred embodiment, the method further includes step (6): after the OpenFlow switch executes the security message, it sends a security response message to the OpenFlow controller.
As a preferred embodiment, the security response message is formed by encapsulating the security message under the device identity of the OpenFlow switch. Step (6) further includes restoring the security response message with the device identity of the OpenFlow switch and determining whether it can be restored to the security message; the security response message is forwarded to the OpenFlow controller when it can be restored to the security message and discarded when it cannot.
In detail, after the OpenFlow switch executes the security message, it encapsulates the security message under its own device identity to generate a security response message, which signals to the OpenFlow controller that the security message was executed successfully. The device identity of the OpenFlow switch and the security message needed for the check are obtained from the OpenFlow switch and from the device that encapsulated the control message. When the security response message can be restored to the security message with the device identity of the OpenFlow switch, it has not been intruded upon or tampered with by an illegitimate device, which means the OpenFlow switch executed the security message successfully. When it cannot be restored to the security message with the device identity of the OpenFlow switch, it has been intruded upon or tampered with by an illegitimate device, and successful execution by the OpenFlow switch cannot be assured; the security response message is therefore discarded to protect the communication network and its devices.
As a preferred embodiment, in step (3) the OpenFlow controller and the OpenFlow switch generate a shared key from their device public keys and device private keys with a key negotiation algorithm. Step (4) further includes intercepting the security message, encapsulating it into an encrypted message under the shared key of the OpenFlow controller, and sending the encrypted message to the OpenFlow switch.
In detail, the elliptic-curve Diffie-Hellman (ECDH) algorithm is adopted as the key negotiation algorithm to compute the shared key. The shared key can be computed from the device public key of the OpenFlow controller and the device private key of the OpenFlow switch, or from the device private key of the OpenFlow controller and the device public key of the OpenFlow switch; that is, shared key = ECDH(controller private key, switch public key) = ECDH(controller public key, switch private key). Alternatively, the shared key may combine the two according to a configured security policy, or one of the two may be selected at random. Encapsulating the security message under the shared key improves the confidentiality of the control message.
As a preferred embodiment, step (5) includes intercepting the encrypted message, restoring it with the device identity and the shared key of the OpenFlow controller, and determining whether it can be restored to the control message; the encrypted message is forwarded to the OpenFlow switch when the control message can be restored and discarded when it cannot.
In detail, the encrypted message generated by encrypting the control message under the device identity and the shared key of the OpenFlow controller is intercepted before it is sent to the OpenFlow switch, and the decryption operation is executed by restoring it with the device identity and the shared key of the OpenFlow controller. Whether the encrypted message has been tampered with, or its content stolen, by another device is determined by checking whether it can be restored to the control message; the device identity and the control message needed for this check are obtained from the OpenFlow controller or from the device that encapsulated the control message. When the encrypted message can be restored to the control message, the source device is judged legitimate and the control message complete, and the encrypted message is forwarded to the OpenFlow switch, which improves communication security. If the encrypted message cannot be parsed with the shared key and the device identity of the OpenFlow controller, or the parsed result differs from the control message, the encrypted message was maliciously tampered with in transit or forged by another, illegitimate device. In that case the illegitimate encrypted message is discarded, and the OpenFlow switch never receives an encrypted message that lacks execution permission.
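The key-derivation chain of steps (1) to (3), the ECDH shared key of the preferred embodiment above, and the encapsulate-then-restore check of steps (4) and (5) (including the switch's response of step (6)), as an added worked example that is not part of the patent. The patent fixes only SHA-256 and elliptic-curve Diffie-Hellman; everything else is an assumption made here: secp256k1 as the curve (implemented inline so the example runs with the Python standard library alone), HMAC-SHA256 as the tag that binds a message to the sender's device identity, and an HMAC-SHA256 counter-mode keystream for confidentiality (a deployment would use an AEAD such as AES-GCM instead). Two points a practitioner should take from the code: the device identity is a hash of the public key and is therefore itself public, so a tag computed from the identity alone could be recomputed by anyone; the tag is keyed with the ECDH shared secret, which is what gives the "cannot be restored, discard" branch of step (5) its meaning. And because the private key is simply SHA-256 of the seed, the seed must carry full entropy and be kept as secret as the key; a guessable factory seed lets anyone reconstruct the device private key. The seeds and the control message used are constructed sample values.

```python
import hashlib
import hmac
import os

# secp256k1 domain parameters (assumed curve; the patent names none).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _ec_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = _ec_add(acc, pt)
        pt = _ec_add(pt, pt)
        k >>= 1
    return acc

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def private_key_from_seed(seed: bytes) -> int:
    """Step (2): private key = SHA-256(seed), reduced into [1, N-1] to be a valid scalar."""
    return 1 + int.from_bytes(sha256(seed), "big") % (N - 1)

def public_key(priv: int) -> bytes:
    """Step (2): public key = priv * G, uncompressed SEC1 encoding (0x04 || x || y)."""
    x, y = _ec_mul(priv, G)
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

def device_identity(pub: bytes) -> bytes:
    """Step (3): device identity (authentication code) = SHA-256(public key)."""
    return sha256(pub)

def shared_key(my_priv: int, peer_pub: bytes) -> bytes:
    """ECDH: both sides hash the x-coordinate of my_priv * peer_pub."""
    peer = (int.from_bytes(peer_pub[1:33], "big"), int.from_bytes(peer_pub[33:], "big"))
    x, _ = _ec_mul(my_priv, peer)
    return sha256(x.to_bytes(32, "big"))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Assumed confidentiality primitive: HMAC-SHA256 in counter mode."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encapsulate(sender_id: bytes, key: bytes, content: bytes, nonce: bytes = None) -> bytes:
    """Step (4): identity || nonce || ciphertext || tag. The tag is keyed with the
    shared key; the identity alone is public and would authenticate nothing."""
    nonce = os.urandom(12) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(content, _keystream(key, nonce, len(content))))
    tag = hmac.new(key, sender_id + nonce + ct, hashlib.sha256).digest()
    return sender_id + nonce + ct + tag

def restore(expected_id: bytes, key: bytes, message: bytes):
    """Step (5): the original content, or None when the message cannot be restored
    (wrong identity, wrong key or modified bytes); None means the caller discards it."""
    if len(message) < 32 + 12 + 32:
        return None
    sender_id, nonce, ct, tag = message[:32], message[32:44], message[44:-32], message[-32:]
    if sender_id != expected_id:
        return None
    expect = hmac.new(key, sender_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def round_trip(controller_seed: bytes, switch_seed: bytes, control_msg: bytes):
    """Controller -> switch control message, then the switch's response (step 6).
    Returns what the switch restored and what the controller restored; None = discard."""
    c_priv, s_priv = private_key_from_seed(controller_seed), private_key_from_seed(switch_seed)
    c_pub, s_pub = public_key(c_priv), public_key(s_priv)
    c_id, s_id = device_identity(c_pub), device_identity(s_pub)
    k = shared_key(c_priv, s_pub)           # controller side
    assert k == shared_key(s_priv, c_pub)   # switch side derives the same key
    at_switch = restore(c_id, k, encapsulate(c_id, k, control_msg))
    response = encapsulate(s_id, k, b"EXECUTED:" + (at_switch if at_switch else b""))
    return at_switch, restore(s_id, k, response)
```

Running `round_trip(b"controller-seed-0001", b"switch-seed-0001", b"OFPT_FLOW_MOD add table=0")` (constructed inputs) returns the control message as restored at the switch and `b"EXECUTED:..."` as restored at the controller. `round_trip` plays both ends in one process for clarity; in the arrangement the patent describes, `encapsulate` runs on the controller side and `restore` on the interceptor in front of the switch, with the reverse for the response, and a `None` result is the "cannot be restored" case that the interceptor discards. Flipping any byte of the ciphertext, presenting a different sender identity, or using a key derived from a different seed all make `restore` return `None`.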
As a preferred embodiment, the method further includes step (6) of sending an encryption response message to the OpenFlow controller after the OpenFlow switch performs the encryption message.
As a preferred implementation manner, the encryption response message is formed by encapsulating the encryption message by the equipment identity of the OpenFlow switch; in step (6), the method further comprises restoring the encrypted response message through the equipment identity of the OpenFlow switch, judging whether the encrypted response message can be restored to the encrypted message, sending the encrypted response message to the OpenFlow controller when the encrypted response message can be restored to the encrypted message, and discarding the encrypted response message when the encrypted response message cannot be restored to the encrypted message.
In detail, after the OpenFlow switch executes the encrypted message, the secure message is encapsulated through the device identity of the OpenFlow switch to generate an encrypted response message, so as to send a signal that the encrypted message is executed successfully to the OpenFlow controller. The device identification of the OpenFlow switch and the encrypted message are acquired through the OpenFlow switch and the device for packaging the control message so as to judge. When the encryption response message is restored into the encryption message through the equipment identity of the OpenFlow switch, the encryption response message is not invaded or tampered by other illegal equipment, namely the OpenFlow switch successfully executes the encryption message. When the encrypted response message cannot be restored to the encrypted message through the device identity of the OpenFlow switch, the encrypted response message is invaded or tampered by other illegal devices, and the OpenFlow switch cannot be ensured to successfully execute the encrypted message, so that the encrypted response message is discarded in order to ensure the safety of the communication network and the devices.
As a preferred embodiment, the device identity is the hash value generated by processing the device public key of the OpenFlow device with a hash function.
In detail, the device identity includes a controller authentication code of the OpenFlow controller and a switch authentication code of the OpenFlow switch: the hash value obtained by processing the device public key of the OpenFlow controller with a hash function serves as the controller authentication code, and the hash value obtained by processing the device public key of the OpenFlow switch with the hash function serves as the switch authentication code.
According to the communication protection method for a lightweight control channel in an OpenFlow network, the seed values of the OpenFlow controller and the OpenFlow switch are hashed respectively to generate the device private keys, and the device public keys are generated with the asymmetric algorithm, so that each device holds its own device private key and device public key. Hashing the device public key of the OpenFlow controller to obtain a hash value that serves as the controller authentication code prevents malicious tampering by illegal devices and makes it easy to authenticate the integrity of control messages sent by the OpenFlow controller. The shared key is generated by hashing the device public key and the device private key, and the control message sent by the OpenFlow controller is encapsulated with the shared key, which protects the confidentiality of the control message. The switch authentication code of the OpenFlow switch makes it easy to authenticate the execution of the control message carried in the security message, thereby preventing malicious tampering by illegal devices and ensuring the security of the communication.
In summary, presetting a unique seed value for each OpenFlow device makes it easy to distinguish the identities of different OpenFlow devices when several of them communicate, and suits wide deployment; hashing the seed value to generate the device private key of the OpenFlow device makes it easy to verify the messages it sends, which improves communication security; computing the device public key from the device private key with an asymmetric cryptographic algorithm improves the security of device communication, and hashing the device public key to generate the device identity gives the messages sent by an OpenFlow device a uniform identifier; and restoring a received message with the sender's device identity, rather than decrypting each kind of message separately, improves the communication performance of the OpenFlow network as well as the security of communication between devices.
The above is only a preferred embodiment of the present invention and is not intended to limit it; those skilled in the art can make various modifications and variations to the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention shall fall within its protection scope.
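The following Python model walks through steps (1) to (6) as the description lays them out: a seed is hashed into a device private key, a public key and a device identity are derived from it, a shared key is negotiated, a control message is encapsulated with the controller identity (security message), wrapped under the shared key (encrypted message), restored and checked on the switch side, and answered with a response encapsulated under the switch identity. This is an added illustration and not code from the patent; the patent names no concrete hash, asymmetric or key-negotiation algorithm, so SHA-256, a toy Diffie-Hellman group over the Mersenne prime 2^127-1, HMAC-based encapsulation and an HMAC keystream are assumptions chosen to keep the example stand-alone. The seed values, nonces and the `flow_mod` payload are constructed.

```python
"""Toy model of the seed -> private key -> public key -> identity chain and
the security / encrypted / response message checks. Illustration only."""
import hashlib
import hmac
import os

# Assumed asymmetric algorithm: Diffie-Hellman over a toy group (modulus is the
# Mersenne prime 2^127-1). Far too small for real use; a deployment would use
# X25519 or a standard MODP group.
P = 2**127 - 1
G = 3
HASH = hashlib.sha256


def _h(*parts: bytes) -> bytes:
    return HASH(b"|".join(parts)).digest()


def device_private_key(seed: bytes) -> int:
    """Step (2): hash the preset unique seed value into the private scalar."""
    return int.from_bytes(_h(b"priv", seed), "big") % (P - 2) + 1


def device_public_key(priv: int) -> int:
    """Step (3): derive the public key with the asymmetric (DH) algorithm."""
    return pow(G, priv, P)


def device_identity(pub: int) -> bytes:
    """Step (3): the device identity (authentication code) is hash(public key)."""
    return _h(b"id", pub.to_bytes(16, "big"))


def shared_key(own_priv: int, peer_pub: int) -> bytes:
    """Step (3): key negotiation from own private key and the peer's public key."""
    return _h(b"shared", pow(peer_pub, own_priv, P).to_bytes(16, "big"))


# Identity encapsulation (security message): identity || tag || payload.
def encapsulate(identity: bytes, payload: bytes) -> bytes:
    return identity + hmac.new(identity, payload, HASH).digest() + payload


def restore(expected_identity: bytes, msg: bytes):
    """Return the payload if the message carries the expected identity and
    verifies under it; return None (i.e. discard) otherwise."""
    if len(msg) < 64 or not hmac.compare_digest(msg[:32], expected_identity):
        return None
    tag, payload = msg[32:64], msg[64:]
    if not hmac.compare_digest(tag, hmac.new(expected_identity, payload, HASH).digest()):
        return None
    return payload


# Shared-key layer (encrypted message): nonce || ciphertext || tag, encrypt-then-MAC.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), HASH).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, HASH).digest()


def decrypt(key: bytes, msg: bytes):
    if len(msg) < 48:
        return None
    nonce, ct, tag = msg[:16], msg[16:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, HASH).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def run_exchange(control_message: bytes, tamper: bool = False) -> dict:
    """Controller -> switch control message and switch -> controller response.
    With tamper=True one byte of the encrypted message is flipped in transit,
    which must lead to a discard at step (5)."""
    # Step (1): constructed seed values (a deployment provisions these per device).
    c_priv = device_private_key(b"controller-seed-0001")
    s_priv = device_private_key(b"switch-seed-0001")
    c_pub, s_pub = device_public_key(c_priv), device_public_key(s_priv)
    c_id, s_id = device_identity(c_pub), device_identity(s_pub)
    k = shared_key(c_priv, s_pub)  # equals shared_key(s_priv, c_pub)

    # Step (4): controller encapsulates, then wraps under the shared key.
    security_msg = encapsulate(c_id, control_message)
    encrypted_msg = encrypt(k, os.urandom(16), security_msg)  # fresh nonce per message
    if tamper:
        encrypted_msg = encrypted_msg[:20] + bytes([encrypted_msg[20] ^ 1]) + encrypted_msg[21:]

    # Step (5): switch unwraps and restores; any failure means discard.
    inner = decrypt(k, encrypted_msg)
    recovered = restore(c_id, inner) if inner is not None else None
    if recovered is None:
        return {"control_accepted": False, "response_accepted": False}

    # Step (6): switch executes, answers with the encrypted message encapsulated
    # under its own identity; the controller restores and checks it.
    response = encapsulate(s_id, encrypted_msg)
    response_ok = restore(s_id, response) == encrypted_msg
    return {"control_accepted": recovered == control_message,
            "response_accepted": response_ok}


if __name__ == "__main__":
    print(run_exchange(b"flow_mod: in_port=1 -> output:2"))
    print(run_exchange(b"flow_mod: in_port=1 -> output:2", tamper=True))
```

One design point the model makes visible: the device identity is a hash of a public value, so the identity layer by itself only labels and integrity-checks a message; the shared-key layer is what ties the message to a peer that holds the matching private key and what provides confidentiality. That is why, in the example, a tampered encrypted message is rejected before the identity check is ever reached.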

Claims (1)

1. A communication protection method for a lightweight control channel in an OpenFlow network, applied to communication among OpenFlow devices, characterized by comprising the following steps: step (1) presetting a unique seed value for the OpenFlow device; step (2) hashing the seed value to generate a device private key; step (3) calculating a device public key from the device private key with an asymmetric cryptographic algorithm, and hashing the device public key to generate a device identity; step (4) encapsulating the content sent by the OpenFlow device with the device identity so as to encrypt it; step (5) restoring the content received by the OpenFlow device with the device identity so as to decrypt it;
the OpenFlow devices comprise an OpenFlow controller and an OpenFlow switch; the OpenFlow controller receives an administrator request and converts it into a control message; step (4) includes encapsulating the control message into a security message with the device identity of the OpenFlow controller and sending the security message to the OpenFlow switch;
step (5) includes intercepting the security message, restoring it with the device identity of the OpenFlow controller, and judging whether it can be restored to the control message; the security message is forwarded to the OpenFlow switch when the control message can be restored, and discarded when the control message cannot be restored;
the method further comprises step (6): after the OpenFlow switch executes the security message, a security response message is sent to the OpenFlow controller;
step (6) further includes restoring the security response message with the device identity of the OpenFlow switch and judging whether it can be restored to the security message; the security response message is forwarded to the OpenFlow controller when it can be restored to the security message, and discarded when it cannot;
step (3) further includes generating a shared key with a key negotiation algorithm from the device public keys and device private keys of the OpenFlow controller and the OpenFlow switch; step (4) further includes intercepting the security message, encapsulating it into an encrypted message with the shared key of the OpenFlow controller, and sending the encrypted message to the OpenFlow switch;
step (5) further includes intercepting the encrypted message, restoring it with the device identity of the OpenFlow controller and the shared key, and judging whether it can be restored to the control message; the encrypted message is forwarded to the OpenFlow switch when it can be restored to the control message, and discarded when it cannot;
step (6) is also included: after the OpenFlow switch executes the encrypted message, an encryption response message is sent to the OpenFlow controller;
the encryption response message is formed by encapsulating the encrypted message with the device identity of the OpenFlow switch; step (6) further includes restoring the encrypted response message with the device identity of the OpenFlow switch and judging whether it can be restored to the encrypted message; the encrypted response message is forwarded to the OpenFlow controller when it can be restored to the encrypted message, and discarded when it cannot;
the device identity is the hash value generated by processing the device public key of the OpenFlow device with a hash function;
specifically, the device identity comprises a controller authentication code of the OpenFlow controller and a switch authentication code of the OpenFlow switch, wherein the hash value obtained by processing the device public key of the OpenFlow controller with a hash function serves as the controller authentication code, and the hash value obtained by processing the device public key of the OpenFlow switch with the hash function serves as the switch authentication code;
the seed values of the OpenFlow controller and the OpenFlow switch are hashed respectively to generate the device private keys, the device public keys are generated with the asymmetric algorithm so that each device holds its own device private key and device public key, the hash value obtained by hashing the device public key of the OpenFlow controller serves as the controller authentication code, which prevents malicious tampering by illegal devices, the shared key is generated by hashing the device public key and the device private key, and the control message sent by the OpenFlow controller is encapsulated with the shared key.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010197174.7A CN111431889B (en) 2020-03-19 2020-03-19 Communication protection method for lightweight control channel in OpenFlow network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010197174.7A CN111431889B (en) 2020-03-19 2020-03-19 Communication protection method for lightweight control channel in OpenFlow network

Publications (2)

Publication Number Publication Date
CN111431889A CN111431889A (en) 2020-07-17
CN111431889B true CN111431889B (en) 2023-08-08

Family

ID=71547475

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010197174.7A Active CN111431889B (en) 2020-03-19 2020-03-19 Communication protection method for lightweight control channel in OpenFlow network

Country Status (1)

Country Link
CN (1) CN111431889B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104780069A (en) * 2015-04-16 2015-07-15 中国科学院计算技术研究所 SDN-oriented self-configuration method and system for communication channel between control layer and data layer
CN105827665A (en) * 2016-06-06 2016-08-03 南开大学 Method for encrypting flow table information sensitive data between SDN network controller and interchanger
CN106790250A (en) * 2017-01-24 2017-05-31 郝孟 Data processing, encryption, integrity checking method and authentication identifying method and system
CN109428712A (en) * 2017-08-24 2019-03-05 上海复旦微电子集团股份有限公司 Data Encrypt and Decrypt method and data Encrypt and Decrypt system
CN109921996A (en) * 2018-12-29 2019-06-21 长沙理工大学 A kind of virtual flow stream searching method of high performance OpenFlow
CN110830236A (en) * 2019-11-14 2020-02-21 湖南盾神科技有限公司 Identity-based encryption method based on global hash
CN110839036A (en) * 2019-11-19 2020-02-25 武汉思普崚技术有限公司 Attack detection method and system for SDN (software defined network)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7992193B2 (en) * 2005-03-17 2011-08-02 Cisco Technology, Inc. Method and apparatus to secure AAA protocol messages

Also Published As

Publication number Publication date
CN111431889A (en) 2020-07-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant