Disclosure of Invention
Aiming at the problems existing in the prior art, the embodiment of the invention provides a network equipment interconnection authentication method and system.
In a first aspect, the present invention provides a network device interconnection authentication method, including: the first switch periodically sends a first declaration message to a second switch in the local area network; the first declaration message comprises a unique identity of the first switch;
the first switch receives the encrypted random number sent by the second switch; the encrypted random number is generated after the second switch encrypts by using the first switch public key; the first switch public key is generated based on a unique identity of the first switch;
the first switch decrypts the encrypted random number by using a first switch private key and outputs a decrypted random number;
and sending the decrypted random number to the second switch.
According to the network device interconnection authentication method provided by the invention, after the decrypted random number is sent to the second switch, the method further comprises the following steps:
generating a group key under the condition that the first switch receives an authentication success message sent by the second switch;
the first switch sends the group key to the second switch, so that the second switch uses the group key to realize encrypted transmission with the first switch.
According to the network equipment interconnection authentication method provided by the invention, generating the group key comprises: generating the group key based on a symmetric key encryption method.
According to the network equipment interconnection authentication method provided by the invention, the first declaration message comprises a source switch identity; after the first switch periodically sends the first declaration message to the second switch in the local area network, the method further comprises:
receiving a second declaration message sent by the second switch, wherein the second declaration message does not contain a source switch identity;
and according to the second declaration message, adding the first switch to a switch multicast group, determining the first switch to be the source switch in the switch multicast group, and determining the second switch to be a slave switch in the switch multicast group.
According to the network equipment interconnection authentication method provided by the invention, the unique identity of the first switch is generated based on the network card physical address information of the first switch.
In a second aspect, the present invention provides a network device interconnection authentication method, including: the second switch receives a first declaration message sent by the first switch; the first declaration message comprises a unique identity of the first switch;
generating an encrypted random number according to the unique identity, and sending the encrypted random number to the first switch;
receiving a decrypted random number sent by the first switch; the decryption random number is generated by decrypting the encryption random number by the first switch by using a first switch private key;
and verifying the first switch according to the decrypted random number.
According to the network equipment interconnection authentication method provided by the invention, under the condition that the verification result is qualified, an authentication success message is sent to the first switch;
receiving a group key sent by the first switch;
encrypted transmission with the first switch is realized by using the group key.
The invention also provides a network equipment interconnection authentication system, which comprises: at least one first switch and a plurality of second switches;
the first switch comprises a first processing module, a second processing module, a third processing module and a fourth processing module;
the first processing module is used for periodically sending a first declaration message to a second switch in the local area network; the first declaration message comprises a unique identity of the first switch;
the second processing module is used for receiving the encrypted random number sent by the second switch; the encrypted random number is generated after the second switch encrypts by using the first switch public key; the first switch public key is generated based on a unique identity of the first switch;
the third processing module is used for decrypting the encrypted random number by using the private key of the first switch and outputting a decrypted random number;
the fourth processing module is configured to send the decrypted random number to the second switch.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the steps of the network device interconnection authentication method are realized by the processor when the program is executed.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the network device interconnection authentication method as described in any of the above.
The invention provides a network equipment interconnection authentication method and a system,
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The following describes a network device interconnection authentication method and system provided by the embodiment of the invention with reference to fig. 1 to fig. 6.
Fig. 1 is a schematic flow chart of a network device interconnection authentication method provided by the present invention, as shown in fig. 1, including but not limited to the following steps:
step S1: the first switch periodically sends a first declaration message to a second switch in the local area network; the first declaration message comprises a unique identity of the first switch;
step S2: the first switch receives the encrypted random number sent by the second switch; the encrypted random number is generated after the second switch encrypts by using the first switch public key; the first switch public key is generated based on a unique identity of the first switch;
step S3: the first switch decrypts the encrypted random number by using a first switch private key and outputs a decrypted random number;
step S4: and sending the decrypted random number to the second switch.
It should be noted that in a local area network, particularly a switched local area network, a plurality of switches are generally present; through data interaction between the switches, the switches in the local area network can establish a plurality of concurrent connections between their ports to exchange data within the local area network. The switches in each local area network can be divided into two types, namely source switches (Master switches) and slave switches (Slave switches), and each local area network comprises at least one Master switch and a plurality of Slave switches.
In the network equipment interconnection authentication method provided by the invention, the execution subject is the first switch, and the first switch can be defined as a Master switch.
In step S1, the first switch and the second switch send their own unique identity (Connection Identifier, CID) to each other through a declaration message (Declare message), and the Declare message sent by the first switch further includes an identifier indicating that it is a source switch, i.e. a Master switch.
Specifically, in a local area network, a newly accessed switch (called a second switch) and the first switch each send a Declare message periodically after accessing the local area network. The Declare message contains the CID of the sending switch. That is, the first switch sends a first Declare message to the second switch so as to deliver the CID of the first switch through the first Declare message; at the same time, the second switch also periodically broadcasts a Declare message to deliver its own CID to the first switch.
Wherein the CID is a unique identity of the switch that distinguishes it from other switches.
Further, in step S2, after receiving the CID of the first switch, the second switch generates a public key according to the CID of the first switch and the public key matrix stored in advance by using the identification key technology, and encrypts a random number by using the public key to generate an encrypted random number, and sends the encrypted random number to the first switch.
Further, in step S3, after the first switch receives the encrypted random number sent by the second switch, the first switch generates a private key corresponding to the public key by using the private key matrix corresponding to the public key matrix and combining the CID of the first switch, and decrypts the encrypted random number by using the private key to obtain a decrypted random number.
Further, in step S4, the first switch sends the decrypted random number back to the second switch, so that the second switch compares the decrypted random number with the random number it encrypted in step S2 and thereby authenticates the first switch. If the decrypted random number is identical to the random number encrypted in step S2, the authentication is passed; if it is not identical, the authentication is not passed.
The network equipment interconnection authentication method provided by the invention uses the unique physical characteristics of the switch to generate the CID of the switch, and the CID is used to generate the corresponding public key and private key for the subsequent authentication of switches in the local area network. On this basis group keys can be distributed, synchronization information transmitted between the switches can be encrypted, the authentication problem of local area network switches is solved, and the confidentiality of data transmission is effectively improved.
Based on the foregoing embodiments, as an optional embodiment, the network device interconnection authentication method provided by the present invention further includes, after sending the decrypted random number to the second switch: generating a group key under the condition that the first switch receives an authentication success message sent by the second switch; and sending the group key from the first switch to the second switch, so that the second switch uses the group key to realize encrypted transmission with the first switch.
Specifically, in the network equipment interconnection authentication method provided by the invention, after receiving the Declare messages from the other Slave switches, the first switch adds each Slave switch that sent a message into the switch multicast group, so that all switches in the local area network are collected into the multicast group, and at the same time the role of the first switch as the Master switch is established. Because all switches form one multicast group, when the Master switch needs to send information to every Slave switch, it only needs to send the data once, with the multicast group address as the destination address, and every member of the group receives a copy of that single transmission. In addition, in multicast mode only the Slave switches that actually need the information receive it, and other switches do not.
For example, the multicast mode used in the present invention may be static multicast, and its multicast address is 01-01-c1-FE-10.
Further, under the condition that the Master switch receives the authentication success message sent by the Slave switch, a group key is generated and sent to the Slave switch. Therefore, when the synchronous related information (such as authentication information of a terminal and the like) is needed among all switches of the local area network, the information can be encrypted and transmitted by using a common group key, and the security of data transmission among all switches in the same multicast group can be fully ensured.
Based on the content of the foregoing embodiment, as an alternative embodiment, generating the group key includes: generating the group key based on a symmetric key encryption method.
Symmetric key encryption is also called private key encryption or shared key encryption: the sending and receiving parties use the same key to encrypt and decrypt the plaintext. The symmetric key encryption algorithm used is mainly the SM4 national commercial cryptographic algorithm.
The network equipment interconnection authentication method provided by the invention generates the group key through a symmetric key encryption method, so that the Master switch and the Slave switches in the same multicast group encrypt and decrypt information with the same key, and the security of information interaction within the multicast group is ensured.
Based on the foregoing embodiment, as an optional embodiment, the first declaration message includes a source switch identity; after the first switch periodically sends the first declaration message to the second switch in the local area network, the method further comprises:
receiving a second declaration message sent by the second switch, wherein the second declaration message does not contain a source switch identity;
and according to the second declaration message, adding the first switch to a switch multicast group, determining the first switch to be the source switch in the switch multicast group, and determining the second switch to be a slave switch in the switch multicast group.
Fig. 2 is a connection topology diagram of switches in a local area network. As shown in fig. 2, the switches in a local area network are divided into two types, namely Master switches and Slave switches. The Master switch is mainly responsible for distributing group keys; there is generally one Master switch (or, with a redundancy design, one or more standby Master switches), and each Master switch is connected with a plurality of Slave switches. The network equipment interconnection authentication method provided by the invention determines the master-slave relationship through the Declare messages the switches send to each other.
Specifically, a source switch identity is added to the Declare message sent by the Master switch to indicate its Master identity; the Declare message sent by each Slave switch, by contrast, does not contain a source switch identity.
In this way, any two switches can determine the master-slave relationship between them by receiving each other's Declare message, and the multicast group is built according to that master-slave relationship.
In the network equipment interconnection authentication method provided by the invention, the Master switch establishes the multicast group by indicating its own Master identity in the broadcast Declare message, which provides the foundation for secure information interaction within the multicast group at a later stage.
Based on the foregoing embodiment, the unique identity of the first switch is generated based on the network card physical address information of the first switch.
The invention provides a CID generation method for a switch, which comprises the following steps:
first, the network card physical address information (Media Access Control, MAC) of the switch is acquired.
Based on the uniqueness of each switch's MAC information, after acquiring the MAC information of each switch, the invention can use a unique identity generating tool to generate the CID of the switch from the read MAC information. Alternatively, the MAC information may be included directly as part of the CID of the switch.
When the first switch receives the Declare message sent by the second switch, the prestored CID suffix file can be read from the storage unit and the CID of the first switch generated accordingly.
Further, the public key file and the private key file corresponding to the first switch can be generated directly with the IPK key technology in combination with the CID of the first switch, and after receiving the Declare message sent by the second switch, the first switch sends its CID directly to the second switch.
The IPK (Identity Public Key) identification technology, also called IPK identification public key, is a lightweight key system with two characteristics: first, the key data is short; second, authentication does not depend on a central authority, so that authentication is simple and efficient.
The IPK identification key technology used in the invention comprises two parts: in the first switch, the private key file is generated from the private key seed file (namely the private key matrix) and the switch's own CID; and the public key file is generated from the public key seed file (namely the public key matrix) and the same CID. Because the private key matrix and the public key matrix correspond to each other element by element, the private key file and the public key file correspond as well, and this correspondence is the basis for realizing the switch authentication.
According to the network equipment interconnection authentication method provided by the invention, the CID of the first switch is generated from the MAC information of the switch, which ensures the uniqueness of the CID and thus the security of switch authentication.
Fig. 3 is a second flowchart of the network device interconnection authentication method provided by the present invention, as shown in fig. 3, the method includes, but is not limited to, the following steps:
step S21: the second switch receives a first declaration message sent by the first switch; the first declaration message comprises a unique identity of the first switch;
step S22: generating an encrypted random number according to the unique identity, and sending the encrypted random number to the first switch;
step S23: receiving a decrypted random number sent by the first switch; the decryption random number is generated by decrypting the encryption random number by the first switch by using a first switch private key;
step S24: and verifying the first switch according to the decrypted random number.
It should be noted that, in the network device interconnection authentication method provided by the present invention, the execution main body is the second switch, i.e. the Slave switch.
Fig. 4 is a signaling interaction diagram of the network device interconnection authentication method provided by the present invention, and as shown in fig. 4, the network device interconnection authentication method provided by the present invention mainly includes the following steps:
and broadcasting a Declare message between the Master switch and the Slave switch, wherein the Declare message broadcasted by the Master switch contains the CID of the switch and indicates the Master identity in the Declare message.
After receiving the Declare message of the Master switch, the Slave switch acquires the CID of the Master switch. Generating a target public key according to CID and public key matrix of the Master switch, encrypting a random number by using the target public key, generating an encrypted random number, and transmitting the encrypted random number to the Master switch.
After receiving the encrypted random number sent by the Slave switch, the Master switch decrypts the encrypted random number by using a target private key corresponding to the target public key to obtain a decrypted random number, and sends the decrypted random number to the Slave switch.
After receiving the decrypted random number, the Slave switch performs authentication according to the decrypted random number. If the authentication is passed, the Slave switch joins the multicast group of the Master switch.
Each Slave switch is authenticated according to this method, and all Slave switches that pass the authentication form a multicast group together with the Master switch.
As described for the first aspect, the method uses the unique physical characteristics of the switch to generate its CID, derives the corresponding public key and private key from the CID for switch authentication in the local area network, and on that basis distributes group keys and encrypts the synchronization information transmitted between switches, thereby solving the authentication problem of local area network switches and effectively improving the confidentiality of data transmission.
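As an added example (not the patent's own code) of the Declare / challenge-response flow in steps S1–S4 and S21–S24 together with the matrix-based IPK key derivation described above: the toy prime, the generator, the matrix shape, the column-selection rule and the CID format are assumptions, and an ElGamal-style encryption stands in for whatever cipher the real IPK scheme uses.

```python
import hashlib
import secrets

# Constructed toy parameters for illustration only (assumption; NOT secure):
# a 127-bit Mersenne prime and a small generator. The matrix shape is also an
# assumption; the patent gives no dimensions for its seed files.
P = 2**127 - 1
G = 3
ROWS, COLS = 8, 16


def make_key_matrices():
    """Private matrix of random exponents plus the matching public matrix G^s mod P.
    The element-wise correspondence is the 'symmetry' the patent relies on."""
    priv = [[secrets.randbelow(P - 2) + 1 for _ in range(COLS)] for _ in range(ROWS)]
    pub = [[pow(G, s, P) for s in row] for row in priv]
    return priv, pub


def cid_from_mac(mac):
    """CID derived from the switch MAC (format is an assumption: MAC plus a hash suffix)."""
    mac = mac.upper().replace(":", "-")
    return mac + "-" + hashlib.sha256(mac.encode()).hexdigest()[:8]


def select_columns(cid):
    """Map a CID to one column index per matrix row (the mapping is an assumption)."""
    digest = hashlib.sha256(cid.encode()).digest()
    return [digest[r] % COLS for r in range(ROWS)]


def derive_private_key(cid, priv_matrix):
    """Private key file: sum of the selected private-matrix entries (needs the private seed)."""
    return sum(priv_matrix[r][c] for r, c in enumerate(select_columns(cid))) % (P - 1)


def derive_public_key(cid, pub_matrix):
    """Public key file: product of the selected public-matrix entries (public seed only)."""
    pk = 1
    for r, c in enumerate(select_columns(cid)):
        pk = pk * pub_matrix[r][c] % P
    return pk  # equals pow(G, derive_private_key(cid, priv_matrix), P)


def encrypt_nonce(pk, nonce):
    """ElGamal-style encryption of the random challenge under the identity-derived key."""
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), nonce * pow(pk, k, P) % P


def decrypt_nonce(sk, ciphertext):
    """Recover the challenge with the identity-derived private key."""
    c1, c2 = ciphertext
    return c2 * pow(pow(c1, sk, P), -1, P) % P


def declare(cid, is_master):
    """Declare message: only the Master's carries the source-switch indication."""
    msg = {"cid": cid}
    if is_master:
        msg["source_switch"] = True
    return msg


def slave_authenticates(master_declare, pub_matrix, master_private_key):
    """One Slave's view of steps S21-S24: challenge the declared CID and check the reply."""
    if not master_declare.get("source_switch"):
        return False  # a Declare without the source-switch flag comes from another Slave
    pk = derive_public_key(master_declare["cid"], pub_matrix)
    nonce = secrets.randbelow(P - 1) + 1
    ciphertext = encrypt_nonce(pk, nonce)
    reply = decrypt_nonce(master_private_key, ciphertext)  # the Master's steps S3 and S4
    return reply == nonce


def build_multicast_group(master_mac, slave_macs, priv_matrix, pub_matrix):
    """Every Slave authenticates the Master; only members that passed get the group key."""
    master_cid = cid_from_mac(master_mac)
    master_sk = derive_private_key(master_cid, priv_matrix)
    members = set()
    for mac in slave_macs:
        if slave_authenticates(declare(master_cid, True), pub_matrix, master_sk):
            members.add(cid_from_mac(mac))
    group_key = secrets.token_bytes(16) if members else None  # 128-bit, the SM4 key size
    return members, group_key
```

A device that knows only its own private key file (derived from a different CID) cannot produce the correct reply, which is the property the page's matrix symmetry is meant to provide.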
Further, after verifying the first switch according to the decrypted random number, the method further includes: sending an authentication success message to the first switch when the verification result is qualified; receiving a group key sent by the first switch; and realizing encrypted transmission with the first switch by using the group key.
After each Slave switch completes the authentication work of the Master switch, the Master switch generates a group key and sends the group key to all Slave switches.
When synchronization related information (such as authentication information of a terminal and the like) is needed among all switches of the local area network, the group key is used for encrypting and transmitting the information.
According to the network equipment interconnection authentication method, the multicast group is constructed jointly through authentication of each Slave switch to the Master switch, and a group key is generated through the Master switch, so that when information interaction is carried out among all switches in the whole multicast group, the group key is used for carrying out encryption transmission on interaction information, and the safety of the interaction information is effectively guaranteed.
Fig. 5 is a schematic structural diagram of a network device interconnection authentication system provided by the present invention, where, as shown in fig. 5, the network device interconnection authentication system provided by the present invention includes at least one first switch and a plurality of second switches; the first switch comprises a first processing module 1, a second processing module 2, a third processing module 3 and a fourth processing module 4, wherein:
the first processing module 1 is configured to periodically send a first declaration packet to a second switch in the local area network; the first declaration message comprises a unique identity of the first switch;
the second processing module 2 is configured to receive an encrypted random number sent by the second switch; the encrypted random number is generated after the second switch encrypts by using the first switch public key; the first switch public key is generated based on a unique identity of the first switch;
the third processing module 3 is configured to decrypt the encrypted random number by using a private key of the first switch, and output a decrypted random number;
the fourth processing module 4 is configured to send the decrypted random number to the second switch.
Wherein the first switch may be a Master switch. The second switch may be a Slave switch.
After the newly accessed Slave switch is accessed to the local area network, the Slave switch and the Master switch can each send a Declare message periodically. The Declare message contains the CID of the switch. That is, the first processing module 1 of the first switch sends a first Declare message to the second switch, so as to send its CID to the second switch through the first Declare message.
Further, after receiving the CID of the Master switch, the Slave switch generates a public key from the CID of the Master switch and a prestored public key matrix using the identification key technology, encrypts a random number with that public key, and sends the resulting encrypted random number to the Master switch.
The second processing module 2 receives the encrypted random number sent by the Slave switch and passes it to the third processing module 3. The third processing module 3 generates the private key corresponding to the public key from the private key matrix corresponding to the public key matrix in combination with the CID of the Master switch, and decrypts the encrypted random number with that private key to obtain a decrypted random number.
Further, the fourth processing module 4 sends the decrypted random number back to the Slave switch, so that the Slave switch can compare the decrypted random number with the random number it encrypted in step S2, thereby authenticating the Master switch.
The network equipment interconnection authentication system provided by the invention uses the unique physical characteristics of the switches to generate their CIDs, and the CIDs are used to generate the corresponding public keys and private keys for the subsequent authentication of switches in the local area network. On this basis group keys are distributed and synchronization information transmitted between the switches is encrypted, so that the authentication problem of local area network switches is solved and the confidentiality of data transmission is effectively improved.
It should be noted that, when the network device interconnection authentication system provided in the embodiment of the present invention is specifically executed, the network device interconnection authentication method may be implemented based on any one of the network device interconnection authentication methods described in the foregoing embodiments, which is not described in detail in this embodiment.
Fig. 6 is a schematic structural diagram of an electronic device according to the present invention, and as shown in fig. 6, the electronic device may include: processor 610, communication interface 620, memory 630, and communication bus 640, wherein processor 610, communication interface 620, and memory 630 communicate with each other via communication bus 640. The processor 610 may invoke logic instructions in the memory 630 to perform a network device interconnection authentication method comprising: the first switch periodically sends a first declaration message to a second switch in the local area network; the first declaration message comprises a unique identity of the first switch; the first switch receives the encrypted random number sent by the second switch; the encrypted random number is generated after the second switch encrypts by using the first switch public key; the first switch public key is generated based on a unique identity of the first switch; the first switch decrypts the encrypted random number by using a first switch private key and outputs a decrypted random number; and sending the decrypted random number to the second switch.
Further, the logic instructions in the memory 630 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention may be embodied essentially, or in the part contributing to the prior art, or in part, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the network device interconnection authentication method provided by the above methods, the method comprising: the first switch periodically sends a first declaration message to a second switch in the local area network; the first declaration message comprises a unique identity of the first switch; the first switch receives the encrypted random number sent by the second switch; the encrypted random number is generated after the second switch encrypts by using the first switch public key; the first switch public key is generated based on a unique identity of the first switch; the first switch decrypts the encrypted random number by using a first switch private key and outputs a decrypted random number; and sending the decrypted random number to the second switch.
In still another aspect, the present invention further provides a non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor is implemented to perform the network device interconnection authentication method provided in the above embodiments, the method including: the first switch periodically sends a first declaration message to a second switch in the local area network; the first declaration message comprises a unique identity of the first switch; the first switch receives the encrypted random number sent by the second switch; the encrypted random number is generated after the second switch encrypts by using the first switch public key; the first switch public key is generated based on a unique identity of the first switch; the first switch decrypts the encrypted random number by using a first switch private key and outputs a decrypted random number; and sending the decrypted random number to the second switch.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.