CN112583584B - Service monitoring system and method based on random number - Google Patents

Info

Publication number
CN112583584B
Authority
CN
China
Prior art keywords
random number
monitoring
information
management server
monitoring node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011370430.4A
Other languages
Chinese (zh)
Other versions
CN112583584A (en
Inventor
佘鹏飞
王晓峰
周小欠
张永强
周吉祥
荆豪明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhengzhou Xinda Jiean Information Technology Co Ltd
Original Assignee
Zhengzhou Xinda Jiean Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhengzhou Xinda Jiean Information Technology Co Ltd
Priority to CN202011370430.4A
Publication of CN112583584A
Application granted
Publication of CN112583584B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a service monitoring system and method based on random numbers. It comprises a distributed random number generator for generating random numbers and, building on the connection between a monitoring node and a monitoring management server, uses the hash-based message authentication code algorithm (HMAC) to complete identity authentication of the monitoring node and reporting of the monitoring information that the node collects. By exploiting the characteristics of the distributed random number generator, the invention lets the monitoring management server securely identify the monitoring node and prevents replay attacks. It also addresses the lack of message-ordering design in the reporting stage and effectively limits the rate at which the monitoring node reports information, thereby improving the security of the service monitoring system and the efficiency of information collection and reporting.

Description

Service monitoring system and method based on random number
Technical Field
The invention relates to the technical field of service monitoring, in particular to a service monitoring system and method based on random numbers.
Background
Service monitoring comprises two aspects: identity authentication of the monitoring node by the monitoring management server, and reporting of monitoring information by the monitoring node. In the traditional identity authentication process based on the hash-based message authentication code algorithm (HMAC), the random number is generally generated by a centralized business service. A hacker may obtain and tamper with the random number, or even predict it from the random number generation rule; the system has no corresponding independent verification mechanism for the generated random number; and the message authentication code generated by HMAC can be replayed by an adversary to consume the resources of the monitoring management server.
In addition, the conventional information reporting process lacks any design for the ordering of reported information. Particularly in Internet of Things environments, the network environment is complex, and packet loss, disconnection and out-of-order reported messages often occur. Moreover, as services develop, more and more enterprises adopt a distributed service architecture: a complex application system may be composed of tens or even hundreds of microservices, and the information it needs to report may be massive. If no mechanism limits the reporting rate, great pressure is placed on the normal operation of the monitoring management server.
Patent document CN201710252986.5, entitled "Service monitoring system and method", discloses that when the service monitoring system uploads monitoring information it authenticates identity using the hash-based message authentication code algorithm HMAC; this authentication method is insufficient and carries a risk of malicious attack.
The problems that urgently need to be solved are therefore how to exploit the characteristics of the system so that the monitoring management server can securely identify the monitoring node and prevent replay attacks, while also addressing the ordering of the information reported by the monitoring node and effectively limiting the rate at which the monitoring node reports information.
Disclosure of Invention
The invention provides a service monitoring system and method based on random numbers, aiming to solve the problems that existing service monitoring methods have low security and lack a mechanism for limiting the rate of reported information.
In order to achieve the purpose, the technical scheme of the invention is as follows:
a service monitoring system and method based on random number, including monitoring node, monitoring management server and distributed random number generator, said monitoring node, monitoring management server and distributed random number generator communicate each other, said method comprises:
step 1 preparation phase: initializing the distributed random number generator, the monitoring node and the monitoring management server;
step 2, authentication stage: the monitoring node generates a first message authentication code by combining with a distributed random number generator, the monitoring management server generates a second message authentication code by combining with the random number generator, and the monitoring management server compares the second message authentication code with the first message authentication code for authentication;
step 3, monitoring information reporting stage: if the authentication is successfully compared in the authentication stage, the monitoring node generates a monitoring node signature by combining random numbers of the distributed random number generator and updates the round number information;
and the monitoring management server checks the signature of the monitoring node, stores the monitoring information reported by the monitoring node and finally generates new round number information.
Further, the step 1 specifically includes:
step 1.1: the distributed random number generator generates its own public key and private key, sets the time period between generated random numbers, defines one period as one round, and maps the round number of each round one-to-one to the random number value generated in that round;
step 1.2: the monitoring management server acquires a key of a Hash-based message authentication code algorithm (HMAC) and a public key of the distributed random number generator;
step 1.3: the monitoring node acquires a key of a Hash-based message authentication code algorithm (HMAC) and a public key of the distributed random number generator; the monitoring node generates a public key and a private key of the monitoring node;
step 1.4: the monitoring management server end round number information storage area and the monitoring node end round number information storage area are each reset; the monitoring management server end round number information storage area refers to a storage area arranged in the monitoring management server for storing the round number information corresponding to random numbers generated by the distributed random number generator; the monitoring node end round number information storage area refers to a storage area arranged in the monitoring node for storing the round number information corresponding to random numbers generated by the distributed random number generator.
Further, the step 2 specifically includes:
step 2.1: the distributed random number generator generates a first random number, signs the first random number by using a private key of the distributed random number generator, and then transmits the first random number, first random number round number information and first random number signature information to the monitoring node;
the monitoring node checks the signature of the first random number signature information through a public key of the distributed random number generator;
step 2.2: if the signature verification of the first random number signature information is successful, the monitoring node applies the Hash-based message authentication code algorithm HMAC to the HMAC key, the first random number and the public key of the monitoring node to obtain a first message authentication code;
the monitoring node stores the first random number round number information into a monitoring node end round number information storage area;
the monitoring node sends the first message authentication code, a public key of the monitoring node and first random number round number information to the monitoring management server;
step 2.3: the monitoring management server transmits first random number round number information to a distributed random number generator so as to obtain a random number corresponding to the first random number round number information from the distributed random number generator and mark the random number as a second random number;
the monitoring management server applies the Hash-based message authentication code algorithm HMAC to the HMAC key, the second random number and the public key of the monitoring node to obtain a second message authentication code;
the monitoring management server compares the first message authentication code with the second message authentication code;
and if the first message authentication code is the same as the second message authentication code, the monitoring management server stores the public key of the monitoring node, a second random number and the second random number round number information in a round number information storage area of a monitoring management server.
Further, the step 3 specifically includes:
step 3.1: the distributed random number generator generates a third random number, signs the third random number by using a private key of the distributed random number generator, and then transmits the third random number, third random number round number information and third random number signature information to the monitoring node;
the monitoring node reads and compares the third random number round number information with the round number information of the monitoring node end round number information storage area;
step 3.2: if the indicated value of the third random number round number information is larger than the indicated value of the round number information in the round number information storage area of the monitoring node end, the monitoring node signs the monitoring information, the third random number and the third random number round number information through a private key of the monitoring node to obtain first monitoring node signature information;
the monitoring node transmits the first monitoring node signature information, the monitoring information, the third random number signature information and the third random number round number information to the monitoring management server;
the monitoring node stores the third random number round number information in a monitoring node end information storage area so as to replace the stored historical round number information;
step 3.3, the monitoring management server judges whether the public key of the monitoring node is stored in the monitoring management server;
if the public key of the monitoring node is stored, the monitoring management server compares the third random number round number information indicated value with the round number information indicated value in the monitoring management server end round number information storage area;
if the indicated value of the third random number round number information is larger than the indicated value of the round number information storage area of the monitoring management server, the monitoring management server checks the signature information of the first monitoring node through the public key of the monitoring node;
if the signature verification of the first monitoring node signature information is successful, the monitoring management server verifies the signature of the third random number signature information through a public key of the distributed random number generator;
if the third random number signature information is successfully verified, the monitoring management server stores the monitoring information;
and the monitoring management server stores the third random number round number information in a round number information storage area at the monitoring management server end so as to replace the stored historical round number information.
Further, the step 2.1 further comprises:
the monitoring node verifies the first random number signature information using the public key of the monitoring node, and if the signature verification fails, the authentication stage terminates and exits.
Further, the step 2.3 further comprises:
the monitoring management server compares the first message authentication code with the second message authentication code, and if the first message authentication code is different from the second message authentication code, the authentication stage terminates and exits.
Further, the step 3.2 further comprises:
the monitoring node reads the third random number round number information and compares the round number information in the monitoring node end round number information storage area with the third random number round number information;
if the indicated value of the round number information in the monitoring node end round number information storage area is less than or equal to the indicated value of the third random number round number information, the monitoring node again acquires the third random number, the third random number round number information and the third random number signature information from the distributed random number generator at fixed time intervals.
Further, the step 3.3 further includes:
the monitoring management server judges whether the public key of the monitoring node is stored in the monitoring management server, and if it is not stored, the monitoring information reporting stage terminates and exits;
the monitoring management server reads the third random number round number information and compares the round number information in the monitoring management server end round number information storage area with the third random number round number information; if the indicated value of the round number information in the monitoring management server end round number information storage area is less than or equal to the indicated value of the third random number round number information, the monitoring information reporting stage terminates and exits;
the monitoring management server verifies the first monitoring node signature information using the public key of the monitoring node, and if the signature verification fails, the monitoring information reporting stage terminates and exits;
the monitoring management server verifies the third random number signature information using the public key of the distributed random number generator; if the signature verification fails, the monitoring information reporting stage terminates and exits.
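The server-side checks of steps 2.2 to 2.3 and the check order of step 3.3, as an added Python example (not code from the patent). Assumptions: the in-memory `Beacon` class stands in for the distributed random number generator, HMAC uses SHA-256 over length-prefixed fields, the last round is stored per node public key and never moved backwards, the `verify_signatures` callable stands in for both signature verifications, and all keys and monitoring values are constructed.

```python
import hashlib
import hmac
import secrets


def encode_fields(*fields: bytes) -> bytes:
    """Length-prefix each field so the random-number/public-key boundary is
    unambiguous (assumed encoding; the page does not specify one)."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


class Beacon:
    """Stand-in for the distributed random number generator: one value per round."""

    def __init__(self):
        self._rounds = {}
        self.current_round = 0

    def next_round(self):
        self.current_round += 1
        self._rounds[self.current_round] = secrets.token_bytes(32)
        return self.current_round, self._rounds[self.current_round]

    def lookup(self, round_no):
        return self._rounds.get(round_no)  # None when the round does not exist


def node_auth_message(hmac_key, node_pubkey, round_no, random_value):
    """Step 2.2: first MAC = HMAC(key, first random number, node public key)."""
    mac = hmac.new(hmac_key, encode_fields(random_value, node_pubkey),
                   hashlib.sha256).digest()
    return {"mac": mac, "pubkey": node_pubkey, "round": round_no}


class ManagementServer:
    def __init__(self, hmac_key, beacon):
        self._key = hmac_key
        self._beacon = beacon
        self.last_round = {}  # node public key -> last accepted round (assumed layout)
        self.stored = []      # accepted monitoring information

    def authenticate(self, msg):
        """Step 2.3: fetch the random number by round, recompute and compare the MAC."""
        random_value = self._beacon.lookup(msg["round"])
        if random_value is None:
            return False
        expected = hmac.new(self._key, encode_fields(random_value, msg["pubkey"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["mac"]):  # constant-time compare
            return False
        # Added safeguard, not stated on the page: never lower a stored round.
        previous = self.last_round.get(msg["pubkey"], 0)
        self.last_round[msg["pubkey"]] = max(previous, msg["round"])
        return True

    def accept_report(self, report, verify_signatures):
        """Step 3.3 in the page's order: known key, newer round, signatures, store."""
        pubkey, round_no = report["pubkey"], report["round"]
        if pubkey not in self.last_round:
            return "unknown-node"
        if round_no <= self.last_round[pubkey]:
            return "stale-round"          # replayed or out-of-order report
        if not verify_signatures(report):
            return "bad-signature"        # the stored round is left unchanged
        self.stored.append(report["info"])
        self.last_round[pubkey] = round_no
        return "accepted"


def demo():
    key = secrets.token_bytes(32)         # constructed shared HMAC key
    pubkey = b"constructed-node-public-key"
    beacon = Beacon()
    server = ManagementServer(key, beacon)

    round_1, value_1 = beacon.next_round()
    auth = node_auth_message(key, pubkey, round_1, value_1)
    results = [server.authenticate(auth)]
    # Swapping the public key breaks the MAC, which binds the key to the request.
    results.append(server.authenticate(dict(auth, pubkey=b"other-key")))

    round_3, _ = beacon.next_round()
    report = {"pubkey": pubkey, "round": round_3, "info": "cpu=12%"}
    signatures_ok = lambda r: True        # stand-in for both signature checks
    results.append(server.accept_report(report, signatures_ok))
    results.append(server.accept_report(report, signatures_ok))  # same round again
    return results


if __name__ == "__main__":
    print(demo())
```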
Further, the service monitoring system based on the random number comprises a monitoring management server, at least one monitoring node and a distributed random number generator; the monitoring management server is in communication connection with the monitoring node; the monitoring management server and the monitoring node are respectively in communication connection with the distributed random number generator;
the monitoring node is used for initiating node identity authentication to the monitoring management server, collecting monitoring information and reporting the monitoring information to the monitoring management server; a monitoring node end round number information storage area, used for storing round number information corresponding to random numbers generated by the distributed random number generator, is arranged in the monitoring node;
the monitoring management server is used for performing node identity authentication on the monitoring node and receiving the monitoring information reported by the monitoring node; a monitoring management server end round number information storage area, used for storing round number information corresponding to random numbers generated by the distributed random number generator, is arranged in the monitoring management server;
the distributed random number generator is used for continuously generating random numbers with a fixed or real-time adjusted time interval as a period, so as to provide distributed, verifiable, unpredictable, unbiased and untamperable random numbers for the monitoring management server and the monitoring nodes; one period is called one round, the round number of each round corresponds one-to-one with the random number value generated in that round, and the random number uniquely corresponding to a round can be queried by its round number; the round numbers increase sequentially; the distributed random number generator generates its own public key and private key; the distributed random number generator signs the random numbers it generates using its own private key;
the monitoring management server and the monitoring node respectively request random numbers from the distributed random number generator for the processing procedures of node identity authentication and monitoring information reporting.
Further, the monitoring information comprises machine state information, process information and port information; the machine state information comprises CPU core number, CPU utilization rate, memory information and hard disk information; the process information comprises a process identification ID, a process name and process survival information; the port information includes port number, port name, protocol type, port availability information.
Through the technical scheme, the invention has the beneficial effects that:
1. In the stage where the monitoring management server authenticates the identity of the monitoring node, the monitoring node takes a first random number generated by the distributed random number generator, a key of the Hash-based message authentication code algorithm (HMAC) and the public key of the monitoring node as input parameters of the Hash-based message authentication code algorithm (HMAC) to generate a first message authentication code;
when the monitoring management server verifies the message authentication code, a corresponding second random number is obtained from the distributed random number generator according to the number of rounds corresponding to the random number, and then a second message authentication code is generated by combining a key of a Hash-based message authentication code algorithm HMAC and a public key of a monitoring node;
and further judging whether the first message authentication code is the same as the second message authentication code, and if so, completing the identity authentication of the monitoring node.
In the identity authentication process, when the HMAC keys of the two parties are the same, the identities of the two parties are correct. Because round numbers correspond one-to-one with random numbers, the random number the monitoring node uses for authentication is different each time, and the monitoring management server can identify the authentication request by the round number and the corresponding random number. This prevents replay attacks by adversaries against the monitoring management server in the identity authentication stage, and solves the problems of securely identifying the monitoring node and preventing replay attacks. Meanwhile, in the identity authentication stage the monitoring management server verifies the integrity of the public key sent by the monitoring node, which prepares for the subsequent information reporting stage.
2. In the invention, in the monitoring information reporting stage of the monitoring node, after the monitoring node signs the monitoring information, the third random number and the third random number round number information by using the own private key of the monitoring node, the monitoring node sends the monitoring information, the third random number signing information and the third random number round number information to the monitoring management server, so that the signature information of the monitoring node contains the latest random number component, and when the subsequent monitoring management server checks the signature information, the received random number and the corresponding round number information are complete. Because the sent random numbers are different when the monitoring node reports the monitoring information each time, the monitoring management server can identify the authentication request according to the round number and the corresponding random number, thereby preventing replay attack of an adversary to the monitoring management server in the monitoring information reporting stage. The monitoring management server judges whether the round number corresponding to the reported random number is larger than the round number of the random number used before, and the monitoring management server passes the verification only when the current round number is larger than the previous round number, so that the problem of time sequence of reporting messages by the monitoring node is solved.
In addition, before reporting monitoring information, the monitoring node can initiate a reporting process only after acquiring a new random number and its corresponding round number information from the distributed random number generator. The monitoring information reported by the monitoring node is therefore limited by the time period of the distributed random number generator, which effectively limits the rate at which the monitoring node reports information. In particular, when the distributed random number generator adjusts its random number generation period in real time, the reporting rate of the monitoring node can be changed dynamically and indirectly, simply by adjusting that period, without controlling the monitoring node directly.
Drawings
Fig. 1 is a schematic system structure diagram of a service monitoring system and method based on random numbers.
Fig. 2 is a flow chart of a preparation phase of step 1 of a system and method for random number based service monitoring.
Fig. 3 is one of the flow charts of the authentication phase of step 2 of a system and method for random number based service monitoring.
Fig. 4 is a second flowchart of the authentication phase in step 2 of the random number based service monitoring system and method.
Fig. 5 is a flow chart of a service monitoring system and method based on random numbers in step 3, monitoring information reporting phase.
Detailed Description
The invention is further described with reference to the following figures and detailed description:
as shown in fig. 1 to 5, a service monitoring system and method based on random numbers includes a monitoring node, a monitoring management server, and a distributed random number generator, where the monitoring node, the monitoring management server, and the distributed random number generator are in communication with each other, and the method includes:
step 1 preparation phase: initializing the distributed random number generator, the monitoring node and the monitoring management server;
step 2, authentication stage: the monitoring node generates a first message authentication code by combining with a distributed random number generator, the monitoring management server generates a second message authentication code by combining with the random number generator, and the monitoring management server compares the second message authentication code with the first message authentication code for authentication;
step 3, monitoring information reporting stage: if the authentication is successfully compared in the authentication stage, the monitoring node generates a monitoring node signature by combining random numbers of the distributed random number generator and updates the round number information;
and the monitoring management server checks the signature of the monitoring node, stores the monitoring information reported by the monitoring node and finally generates new round number information.
The monitoring information comprises machine state information, process information and port information; the machine state information comprises CPU core number, CPU utilization rate, memory information and hard disk information; the process information comprises a process identification ID, a process name and process survival information; the port information comprises port number, port name, protocol type and port availability information;
the distributed random number generator is used for providing distributed, verifiable, unpredictable, unbiased and untamperable random numbers for the monitoring management server and the monitoring nodes;
wherein the unpredictable means that at any point in time no individual or group can predict the random number to be issued; the lack of bias means that the distribution of the final output of the distributed random number generator is completely random without any bias; the verifiable means that the random number can be verified after being generated;
the distributed random number generator is the random beacon Drand. A random beacon refers to a secure, truly random number, and Drand is a distributed random beacon daemon. Servers running Drand can use bilinear pairings and threshold cryptography to generate publicly verifiable, unpredictable random values at fixed or real-time adjusted time intervals; Drand generates randomness by combining the contributions of a network of independently running servers. A Drand random beacon consists of a distributed set of nodes and operates in two phases:
Setup: each node first generates a long-term public/private key pair. All public keys are then written to a group file, along with some other metadata needed to operate the beacon. After the group file is distributed, the nodes execute a Distributed Key Generation (DKG) protocol to create the collective public key and one private key share per server. That is, the private key is a distributed private key held jointly by the group of nodes. No participant ever explicitly sees or uses the entire distributed private key; each uses its own private key share to contribute to generating public randomness. The setup process only needs to run once.
Generation: after setup, the nodes switch to a continuous randomness generation mode. Any node may initiate a randomness generation round by broadcasting a message, which all other participants sign using a (t, n)-threshold version of the Boneh-Lynn-Shacham (BLS) signature scheme and their respective private key shares. Once any node (or third-party observer) has collected t partial signatures, it can reconstruct the complete BLS signature (using Lagrange interpolation). The signature is then hashed using SHA-512 to ensure that the final output byte representation is unbiased. The hash corresponds to the collective random value and can be verified against the collective public key;
the Hash-based Message Authentication Code HMAC is an english acronym of Hash-based Message Authentication Code, is a method for performing Message Authentication based on a Hash function and a key, proposed by h.krawezyk, m.bellare, r.canetti in 1996, is published as RFC2104 in 1997, is widely applied to IPSec and other network protocols (such as SSL), and is now becoming a de facto Internet security standard. The HMAC operation uses a hash algorithm to generate a message digest of a fixed length as output, with a message M and a key K as inputs. The HMAC algorithm utilizes the existing Hash function, and the key problem is how to use the key. The key length of the HMAC may be of any size, and if it is smaller than n (the size of the hash output value), the strength of the algorithm security will be weakened. The key K should be chosen randomly. The key used by the HMAC is agreed upon by both parties in advance and is not known to the third party. Since the third party who illegally intercepts the information does not know the key, the third party cannot forge a consistent HMAC operation result.
As shown in fig. 2, the preparation phase of step 1 specifically includes:
step 1.1: the distributed random number generator generates its own public key and private key, sets the time period between random number generations, defines one period as one round, and puts the round number of each round in one-to-one correspondence with the random number value generated in that round;
step 1.2: the monitoring management server acquires a key of a Hash-based message authentication code algorithm (HMAC) and a public key of the distributed random number generator;
step 1.3: the monitoring node acquires a key of a Hash-based message authentication code algorithm (HMAC) and a public key of the distributed random number generator; the monitoring node generates a public key and a private key of the monitoring node;
step 1.4: respectively resetting the monitoring management server end round number information storage area and the monitoring node end round number information storage area; the monitoring management server end round number information storage area refers to a storage area which is arranged in the monitoring management server and used for storing the round number information corresponding to the random numbers generated by the distributed random number generator; the monitoring node end round number information storage area refers to a storage area which is arranged in the monitoring node and used for storing the round number information corresponding to the random numbers generated by the distributed random number generator.
As shown in fig. 3, the authentication phase in step 2 specifically includes:
step 2.1: the distributed random number generator generates a first random number, signs the first random number by using a private key of the distributed random number generator, and then transmits the first random number, first random number round number information and first random number signature information to the monitoring node;
the monitoring node verifies the first random number signature information with the public key of the distributed random number generator (if the signature verification fails, the authentication phase terminates and exits);
step 2.2: if the signature verification of the first random number signature information is successful, the monitoring node applies the Hash-based message authentication code algorithm HMAC to the key of the HMAC algorithm, the first random number and the public key of the monitoring node to obtain a first message authentication code;
the monitoring node stores the first random number round number information into a monitoring node end round number information storage area;
the monitoring node sends the first message authentication code, a public key of the monitoring node and first random number round number information to the monitoring management server;
step 2.3: the monitoring management server transmits first random number round number information to a distributed random number generator so as to obtain a random number corresponding to the first random number round number information from the distributed random number generator and mark the random number as a second random number;
the monitoring management server applies the Hash-based message authentication code algorithm HMAC to the key of the HMAC algorithm, the second random number and the public key of the monitoring node to obtain a second message authentication code;
the monitoring management server compares the first message authentication code with the second message authentication code (if the first message authentication code is not the same as the second message authentication code, the authentication phase terminates and exits);
if the first message authentication code is the same as the second message authentication code, the monitoring management server stores the public key of the monitoring node, the second random number and the second random number round number information in the round number information storage area at the monitoring management server end.
As shown in fig. 4, the monitoring information reporting stage in step 3 specifically includes:
step 3.1: the distributed random number generator generates a third random number, signs the third random number by using a private key of the distributed random number generator, and then transmits the third random number, third random number round number information and third random number signature information to the monitoring node;
the monitoring node reads the third random number round number information and compares it with the round number information in the monitoring node end round number information storage area (if the indicated value of the third random number round number information is less than or equal to the indicated value of the round number information in the round number information storage area at the monitoring node end, the monitoring node cyclically reads a new third random number, third random number round number information and third random number signature information from the distributed random number generator at a fixed time interval (such as 1000 milliseconds) until the newly obtained third random number round number information is greater than the round number information stored in the round number information storage area at the monitoring node end, whereupon the loop ends);
step 3.2: if the indicated value of the third random number round number information is larger than the indicated value of the round number information in the round number information storage area at the monitoring node end, the monitoring node signs the monitoring information, the third random number and the third random number round number information with the private key of the monitoring node to obtain first monitoring node signature information;
the monitoring node transmits the first monitoring node signature information, the monitoring information, the third random number signature information and the third random number round number information to the monitoring management server;
the monitoring node stores the third random number round number information in a monitoring node end information storage area so as to replace the stored historical round number information;
step 3.3: the monitoring management server judges whether the public key of the monitoring node is stored in the monitoring management server (if the public key is not stored, the monitoring information reporting stage terminates and exits);
if the public key of the monitoring node is stored, the monitoring management server compares the indicated value of the third random number round number information with the indicated value of the round number information in the round number information storage area at the monitoring management server end (if the indicated value of the third random number round number information is less than or equal to the indicated value of the round number information in the round number information storage area at the monitoring management server end, the monitoring information reporting stage terminates and exits);
if the indicated value of the third random number round number information is larger than the indicated value of the round number information in the round number information storage area at the monitoring management server end, the monitoring management server verifies the first monitoring node signature information with the public key of the monitoring node (if the signature verification fails, the monitoring information reporting stage terminates and exits);
if the signature verification of the first monitoring node signature information is successful, the monitoring management server verifies the third random number signature information with the public key of the distributed random number generator (if the signature verification fails, the monitoring information reporting stage terminates and exits);
if the third random number signature information is successfully verified, the monitoring management server stores the monitoring information;
and the monitoring management server stores the third random number round number information in the round number information storage area at the monitoring management server end so as to replace the stored historical round number information.
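The server-side checks of the authentication phase (step 2.3) and of the monitoring information reporting stage (step 3.3) can be sketched as follows; this is an added Python example, not code from the patent. Assumptions: HMAC-SHA-256 over length-prefixed fields, a round store keyed by the node public key, a report that carries that public key, the third random number looked up by round number as in step 2.3, and signature verification passed in as a callable. `demo_sign`, `demo_verify`, the keys and the round values are constructed stand-ins and not a signature scheme.

```python
import hashlib
import hmac
from typing import Dict, List


def encode(*fields: bytes) -> bytes:
    """Length-prefix each field so field boundaries cannot shift (assumed encoding)."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def node_mac(hmac_key: bytes, random_value: bytes, node_pub: bytes) -> bytes:
    """Steps 2.2 and 2.3: HMAC over the round's random number and the node public key."""
    return hmac.new(hmac_key, encode(random_value, node_pub), hashlib.sha256).digest()


def report_message(info: bytes, random_value: bytes, round_no: int) -> bytes:
    """Step 3.2: what the node signs (monitoring info, random number, round number)."""
    return encode(info, random_value, round_no.to_bytes(8, "big"))


def beacon_message(random_value: bytes, round_no: int) -> bytes:
    """What the beacon signs for one round (assumed layout)."""
    return encode(round_no.to_bytes(8, "big"), random_value)


class ManagementServer:
    def __init__(self, hmac_key, beacon_pub, fetch_random, verify):
        self.hmac_key, self.beacon_pub = hmac_key, beacon_pub
        self.fetch_random = fetch_random         # round number -> random bytes, or None
        self.verify = verify                     # (public key, message, signature) -> bool
        self.last_round: Dict[bytes, int] = {}   # node public key -> last accepted round
        self.stored: List[bytes] = []            # accepted monitoring information

    def authenticate(self, mac: bytes, node_pub: bytes, round_no: int) -> bool:
        """Step 2.3: fetch the random number by round, recompute the MAC, compare."""
        random_value = self.fetch_random(round_no)
        ok = random_value is not None and hmac.compare_digest(
            mac, node_mac(self.hmac_key, random_value, node_pub))  # constant-time compare
        if ok:
            self.last_round[node_pub] = round_no
        return ok

    def accept_report(self, node_pub: bytes, info: bytes, round_no: int,
                      beacon_sig: bytes, node_sig: bytes) -> str:
        """Step 3.3: checks in the described order; state changes only after all pass."""
        if node_pub not in self.last_round:
            return "unknown node"
        if round_no <= self.last_round[node_pub]:
            return "stale round"
        random_value = self.fetch_random(round_no)   # assumption: looked up as in step 2.3
        if random_value is None:
            return "unknown round"
        if not self.verify(node_pub, report_message(info, random_value, round_no), node_sig):
            return "bad node signature"
        if not self.verify(self.beacon_pub, beacon_message(random_value, round_no), beacon_sig):
            return "bad beacon signature"
        self.stored.append(info)
        self.last_round[node_pub] = round_no
        return "stored"


# ---- Constructed demo values and stand-ins; nothing below comes from the patent ----
HMAC_KEY = bytes(range(32))
BEACON_SECRET, NODE_SECRET = b"constructed beacon secret", b"constructed node secret"
BEACON_PUB, NODE_PUB = (hashlib.sha256(s).digest() for s in (BEACON_SECRET, NODE_SECRET))
ROUNDS = {n: hashlib.sha512(b"constructed round %d" % n).digest() for n in (7, 8, 9)}


def demo_sign(secret: bytes, message: bytes) -> bytes:
    """Stand-in, NOT a signature scheme: anyone holding the public value can produce it."""
    return hmac.new(hashlib.sha256(secret).digest(), message, hashlib.sha256).digest()


def demo_verify(public_key: bytes, message: bytes, signature: bytes) -> bool:
    expected = hmac.new(public_key, message, hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected)


def make_report(info: bytes, round_no: int) -> dict:
    """Node side of step 3.2; the beacon's signature also comes from the stand-in."""
    rnd = ROUNDS[round_no]
    return dict(node_pub=NODE_PUB, info=info, round_no=round_no,
                beacon_sig=demo_sign(BEACON_SECRET, beacon_message(rnd, round_no)),
                node_sig=demo_sign(NODE_SECRET, report_message(info, rnd, round_no)))


def run_demo() -> List[str]:
    server = ManagementServer(HMAC_KEY, BEACON_PUB, ROUNDS.get, demo_verify)
    server.authenticate(node_mac(HMAC_KEY, ROUNDS[7], NODE_PUB), NODE_PUB, 7)
    report = make_report(b"cpu=12% mem=40%", 8)
    tampered = dict(make_report(b"cpu=12% mem=40%", 9), info=b"cpu=99% mem=40%")
    return [server.accept_report(**report),     # fresh round
            server.accept_report(**report),     # same report replayed
            server.accept_report(**tampered)]   # content changed after signing


if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the outcome for a fresh report, for a replay of the same report, and for a report altered after signing.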
The above-described embodiments are merely preferred embodiments of the present invention, and not intended to limit the scope of the invention, so that equivalent changes or modifications in the structure, features and principles described in the present invention should be included in the claims of the present invention.

Claims (9)

1. A service monitoring method based on random number comprises a monitoring node, a monitoring management server and a distributed random number generator, wherein the monitoring node, the monitoring management server and the distributed random number generator are communicated with each other, and the method is characterized by comprising the following steps:
step 1 preparation phase: initializing the distributed random number generator, the monitoring node and the monitoring management server;
step 2, authentication stage: the monitoring node generates a first message authentication code by combining with a distributed random number generator, the monitoring management server generates a second message authentication code by combining with the random number generator, and the monitoring management server compares the second message authentication code with the first message authentication code for authentication;
step 3, monitoring information reporting stage: if the authentication is successfully compared in the authentication stage, the monitoring node generates a monitoring node signature by combining the random number of the distributed random number generator and updates the round number information;
the monitoring management server checks the signature of the monitoring node, stores the monitoring information reported by the monitoring node and generates new round number information;
the step 2 specifically comprises:
step 2.1: the distributed random number generator generates a first random number, signs the first random number by using a private key of the distributed random number generator, and then transmits the first random number, first random number round number information and first random number signature information to the monitoring node;
the monitoring node checks the signature of the first random number signature information through a public key of the distributed random number generator;
step 2.2: if the signature verification of the first random number signature information is successful, the monitoring node applies the Hash-based message authentication code algorithm HMAC to the key of the HMAC algorithm, the first random number and the public key of the monitoring node to obtain a first message authentication code;
the monitoring node stores the first random number round number information into a monitoring node end round number information storage area;
the monitoring node sends the first message authentication code, a public key of the monitoring node and first random number round number information to the monitoring management server;
step 2.3: the monitoring management server transmits first random number round number information to a distributed random number generator so as to obtain a random number corresponding to the first random number round number information from the distributed random number generator and mark the random number as a second random number;
the monitoring management server applies the Hash-based message authentication code algorithm HMAC to the key of the HMAC algorithm, the second random number and the public key of the monitoring node to obtain a second message authentication code;
the monitoring management server compares the first message authentication code with the second message authentication code;
and if the first message authentication code is the same as the second message authentication code, the monitoring management server stores the public key of the monitoring node, a second random number and the second random number round number information in a round number information storage area of a monitoring management server.
2. The method for monitoring services based on random numbers according to claim 1, wherein the step 1 specifically comprises:
step 1.1: the distributed random number generator generates its own public key and private key, sets the time period between random number generations, defines one period as one round, and puts the round number of each round in one-to-one correspondence with the random number value generated in that round;
step 1.2: the monitoring management server acquires a key of a Hash-based message authentication code algorithm (HMAC) and a public key of the distributed random number generator;
step 1.3: the monitoring node acquires a key of a Hash-based message authentication code algorithm (HMAC) and a public key of the distributed random number generator; the monitoring node generates a public key and a private key of the monitoring node;
step 1.4: respectively resetting the monitoring management server end round number information storage area and the monitoring node end round number information storage area; the monitoring management server end round number information storage area refers to a storage area which is arranged in the monitoring management server and used for storing the round number information corresponding to the random numbers generated by the distributed random number generator; the monitoring node end round number information storage area refers to a storage area which is arranged in the monitoring node and used for storing the round number information corresponding to the random numbers generated by the distributed random number generator.
3. The method for service monitoring based on random numbers as claimed in claim 2, wherein the step 3 specifically comprises:
step 3.1: the distributed random number generator generates a third random number, signs the third random number by using a private key of the distributed random number generator, and then transmits the third random number, third random number round number information and third random number signature information to the monitoring node;
the monitoring node reads and compares the third random number round number information with the round number information of the monitoring node end round number information storage area;
step 3.2: if the indicated value of the third random number round number information is larger than the indicated value of the round number information in the round number information storage area of the monitoring node end, the monitoring node signs the monitoring information, the third random number and the third random number round number information through a private key of the monitoring node to obtain first monitoring node signature information;
the monitoring node transmits the first monitoring node signature information, the monitoring information, the third random number signature information and the third random number round number information to the monitoring management server;
the monitoring node stores the third random number round number information in a monitoring node end information storage area so as to replace the stored historical round number information;
step 3.3, the monitoring management server judges whether the public key of the monitoring node is stored in the monitoring management server;
if the public key of the monitoring node is stored, the monitoring management server compares the third random number round number information indicated value with the round number information indicated value in the monitoring management server end round number information storage area;
if the indicated value of the third random number round number information is larger than the indicated value of the round number information storage area of the monitoring management server, the monitoring management server checks the signature information of the first monitoring node through the public key of the monitoring node;
if the signature verification of the first monitoring node signature information is successful, the monitoring management server verifies the signature of the third random number signature information through a public key of the distributed random number generator;
if the third random number signature information is successfully verified, the monitoring management server stores the monitoring information;
and the monitoring management server stores the third random number round number information in a round number information storage area at the monitoring management server end so as to replace the stored historical round number information.
4. A random number based service monitoring method according to claim 1, wherein said step 2.1 further comprises:
and the monitoring node checks the signature of the first random number signature information through the public key of the monitoring node, and if the signature check fails, the authentication stage is terminated and quit.
5. A random number based service monitoring method according to claim 1, wherein said step 2.3 further comprises:
and the monitoring management server compares the first message authentication code with the second message authentication code, and if the first message authentication code is different from the second message authentication code, the authentication stage is terminated and quitted.
6. A random number based service monitoring method according to claim 3, characterised in that said step 3.2 further comprises:
the monitoring node reads the third random number round number information and compares the inner round number information with the third random number round number information in the monitoring node end information storage area;
and if the indicated value of the round number information in the monitoring node end information storage area is less than or equal to the indicated value of the third random number round number information, the monitoring node acquires the third random number, the third random number round number information and the third random number signature information from the distributed random number generator again at fixed time intervals.
7. A random number based service monitoring method according to claim 3, wherein said step 3.3 further comprises:
the monitoring management server judges whether the public key of the monitoring node is stored in the monitoring management server or not, and if the public key of the monitoring node is not stored in the monitoring management server, the monitoring information reporting stage is terminated and quit;
the monitoring management server reads the third random number round number information and compares the round number information in the round number information storage area of the monitoring management server with the third random number round number information; if the indicated value of the round number information in the round number information storage area of the monitoring management server end is less than or equal to the indicated value of the third random number round number information, the monitoring information reporting stage is terminated and quits;
the monitoring management server checks the signature of the first monitoring node signature information through the public key of the monitoring node, and if the signature check fails, the monitoring information reporting stage is terminated and quitted;
the monitoring management server checks the signature of the third random number signature information through the public key of the distributed random number generator; if the signature verification fails, the monitoring information reporting stage is terminated and quitted.
8. A service monitoring system based on random number is characterized by comprising a monitoring management server, at least one monitoring node and a distributed random number generator; the monitoring management server is in communication connection with the monitoring node; the monitoring management server and the monitoring node are respectively in communication connection with the distributed random number generator;
the monitoring node is used for initiating node identity authentication to the monitoring management server, collecting monitoring information and reporting the monitoring information to the monitoring management server; a monitoring node end round number information storage area used for storing round number information corresponding to random numbers generated by the distributed random number generator is arranged in the monitoring node;
the monitoring management server is used for performing node identity authentication on the monitoring node and receiving the monitoring information reported by the monitoring node; a monitoring management end round number information storage area used for storing round number information corresponding to random numbers generated by the distributed random number generator is arranged in the monitoring management server;
the distributed random number generator is used for continuously generating random numbers at fixed or real-time adjusted time intervals as a period so as to provide distributed, verifiable, unpredictable, unbiased and untrustworthy random numbers for the monitoring management server and the monitoring nodes; one cycle is called as one round, the number of rounds corresponding to each round is in one-to-one correspondence with the random number value generated by the round, and the random number uniquely corresponding to the round can be inquired through the number of rounds; the number of the rounds is sequentially increased; the distributed random number generator generates a public key and a private key of the distributed random number generator; the distributed random number generator signs the random number generated by the distributed random number generator by using a private key of the distributed random number generator;
the monitoring management server and the monitoring node respectively request random numbers from the distributed random number generator for the processing procedures of node identity authentication and monitoring information reporting;
the identity authentication specifically comprises:
the distributed random number generator generates a first random number, signs the first random number by using a private key of the distributed random number generator, and then transmits the first random number, first random number round number information and first random number signature information to the monitoring node;
the monitoring node checks the signature of the first random number signature information through a public key of the distributed random number generator;
if the signature verification of the first random number signature information is successful, the monitoring node applies the Hash-based message authentication code algorithm HMAC to the key of the HMAC algorithm, the first random number and the public key of the monitoring node to obtain a first message authentication code;
the monitoring node stores the first random number round number information into a monitoring node end round number information storage area;
the monitoring node sends the first message authentication code, a public key of the monitoring node and first random number round number information to the monitoring management server;
the monitoring management server transmits first random number round number information to a distributed random number generator so as to obtain a random number corresponding to the first random number round number information from the distributed random number generator and mark the random number as a second random number;
the monitoring management server applies the Hash-based message authentication code algorithm HMAC to the key of the HMAC algorithm, the second random number and the public key of the monitoring node to obtain a second message authentication code;
the monitoring management server compares the first message authentication code with the second message authentication code;
and if the first message authentication code is the same as the second message authentication code, the monitoring management server stores the public key of the monitoring node, a second random number and the second random number round number information in a round number information storage area of a monitoring management server.
9. The random number based service monitoring system of claim 8, wherein the monitoring information includes machine state information, process information, and port information; the machine state information comprises CPU core number, CPU utilization rate, memory information and hard disk information; the process information comprises a process identification ID, a process name and process survival information; the port information includes port number, port name, protocol type, port availability information.
CN202011370430.4A 2020-11-30 2020-11-30 Service monitoring system and method based on random number Active CN112583584B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011370430.4A CN112583584B (en) 2020-11-30 2020-11-30 Service monitoring system and method based on random number


Publications (2)

Publication Number Publication Date
CN112583584A CN112583584A (en) 2021-03-30
CN112583584B true CN112583584B (en) 2022-03-25

Family

ID=75126527


Country Status (1)

Country Link
CN (1) CN112583584B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant