CN112637145B - Network equipment interconnection authentication method and system - Google Patents


Info

Publication number
CN112637145B
Authority
CN (China)
Prior art keywords
switch, random number, message, key, public key
Legal status
Active
Application number
CN202011444665.3A
Other languages
Chinese (zh)
Other versions
CN112637145A
Inventors
林皓, 刘建兵, 汤凌峰, 王振欣, 金忠鹤, 陈淼, 杨泳
Current assignee
Federation Of Industry And Commerce Lingchuang Beijing Technology Co ltd
Original assignee
Beijing VRV Software Corp Ltd
Application history
Application filed by Beijing VRV Software Corp Ltd; priority to CN202011444665.3A; published as CN112637145A; granted and published as CN112637145B.


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords


Abstract

The invention provides a network equipment interconnection authentication method and system, comprising the following steps: a first switch periodically sends a first declaration message to a second switch in the local area network; the first switch receives an encrypted random number sent by the second switch, the encrypted random number having been produced by the second switch by encrypting a random number with the public key of the first switch; the first switch decrypts the encrypted random number with the first switch's private key and outputs the decrypted random number; and the decrypted random number is sent to the second switch. The method and system use a unique physical characteristic of the switch to generate the switch's connection identifier (CID), and the CID is used to generate the corresponding public key and private key for the subsequent authentication of switches in the local area network, so that a group key can be distributed and synchronization information between the switches transmitted in encrypted form. This solves the authentication problem of local area network switches and effectively improves the confidentiality of secure data transmission.

Description

Network equipment interconnection authentication method and system
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and a system for network device interconnection authentication.
Background
With the rapid development of computer networks, network crime, hacking and the spread of harmful information have become serious problems that cause significant damage and losses worldwide, so network security protection has become more important than ever.
In an existing local area network, layer-2 switch equipment is attached arbitrarily, and there is no security authentication mechanism to guarantee the legitimacy of a switch that joins; at the same time, because all switches belong to one broadcast domain, data messages are transmitted in plaintext without any confidentiality measure, which leaves a security risk.
At present there is no method that achieves both security authentication of local area network switches and secure, confidential transmission of data messages.
Disclosure of Invention
To address the problems in the prior art, embodiments of the invention provide a network equipment interconnection authentication method and system.
In a first aspect, the invention provides a network device interconnection authentication method, including: a first switch periodically sends a first declaration message to a second switch in the local area network, the first declaration message comprising a unique identity of the first switch;
the first switch receives an encrypted random number sent by the second switch; the encrypted random number is produced by the second switch encrypting a random number with the first switch's public key, and the first switch's public key is generated from the unique identity of the first switch;
the first switch decrypts the encrypted random number with the first switch's private key and outputs the decrypted random number;
and the decrypted random number is sent to the second switch.
In the network device interconnection authentication method provided by the invention, after the decrypted random number is sent to the second switch, the method further comprises:
generating a group key when the first switch receives an authentication success message sent by the second switch;
the first switch sends the group key to the second switch, so that the second switch can use the group key for encrypted transmission with the first switch.
In the method provided by the invention, generating the group key comprises: the group key is generated for a symmetric-key encryption method.
In the method provided by the invention, the first declaration message comprises a source switch identifier; after the first switch periodically sends the first declaration message to the second switch in the local area network, the method further comprises:
receiving a second declaration message sent by the second switch, wherein the second declaration message does not contain a source switch identifier;
and establishing a switch multicast group according to the second declaration message, in which the first switch is determined to be the source switch and the second switch a slave switch.
In the method provided by the invention, the unique identity of the first switch is generated from the physical address (MAC) of the first switch's network interface.
In a second aspect, the invention provides a network device interconnection authentication method, including: a second switch receives a first declaration message sent by a first switch, the first declaration message comprising a unique identity of the first switch;
generating an encrypted random number according to the unique identity and sending the encrypted random number to the first switch;
receiving a decrypted random number sent by the first switch, the decrypted random number having been produced by the first switch decrypting the encrypted random number with the first switch's private key;
and verifying the first switch according to the decrypted random number.
In the method provided by the invention, if the verification passes, an authentication success message is sent to the first switch;
a group key sent by the first switch is received;
and encrypted transmission with the first switch is carried out using the group key.
The invention also provides a network equipment interconnection authentication system, which comprises: at least one first switch and a plurality of second switches;
the first switch comprises a first processing module, a second processing module, a third processing module and a fourth processing module;
the first processing module is used for periodically sending a first declaration message to a second switch in the local area network; the first declaration message comprises a unique identity of the first switch;
the second processing module is used for receiving the encrypted random number sent by the second switch; the encrypted random number is generated after the second switch encrypts by using the first switch public key; the first switch public key is generated based on a unique identity of the first switch;
the third processing module is used for decrypting the encrypted random number by using the private key of the first switch and outputting a decrypted random number;
the fourth processing module is configured to send the decrypted random number to the second switch.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the steps of the network device interconnection authentication method are realized by the processor when the program is executed.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the network device interconnection authentication method as described in any of the above.
The invention provides a network equipment interconnection authentication method and a system,
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a network device interconnection authentication method provided by the invention;
Fig. 2 is a connection topology diagram of the switches in a LAN according to the present invention;
FIG. 3 is a second flowchart of a network device interconnection authentication method according to the present invention;
fig. 4 is a signaling interaction diagram of the network device interconnection authentication method provided by the invention;
fig. 5 is a schematic structural diagram of a network device interconnection authentication system provided by the present invention;
fig. 6 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The following describes a network device interconnection authentication method and system provided by the embodiment of the invention with reference to fig. 1 to fig. 6.
Fig. 1 is a schematic flow chart of a network device interconnection authentication method provided by the present invention, as shown in fig. 1, including but not limited to the following steps:
Step S1: the first switch periodically sends a first declaration message to a second switch in the local area network; the first declaration message comprises a unique identity of the first switch;
Step S2: the first switch receives an encrypted random number sent by the second switch; the encrypted random number is produced by the second switch encrypting a random number with the first switch's public key, and the first switch's public key is generated from the unique identity of the first switch;
Step S3: the first switch decrypts the encrypted random number with the first switch's private key and outputs the decrypted random number;
Step S4: the decrypted random number is sent to the second switch.
It should be noted that a local area network, particularly a switched local area network, generally contains several switches; through data exchange between the switches, the switches in the local area network can establish multiple concurrent connections between their ports to exchange the data of the local area network. The switches in each local area network can be divided into two types, source switches (Master switches) and slave switches (Slave switches), with at least one Master switch and a plurality of Slave switches.
In the network equipment interconnection authentication method provided by the invention, the executing entity is the first switch, which can be defined as the Master switch.
In step S1, the first switch and the second switch send each other their own unique identity (Connection Identifier, CID) in a declaration message (Declare message); the Declare message sent by the first switch additionally carries an identifier marking it as the source switch, i.e. the Master switch.
Specifically, in a LAN, a newly attached switch (called the second switch) and the first switch each send a Declare message periodically after joining the LAN. The Declare message contains the CID of the sending switch. That is, the first switch sends a first Declare message to the second switch to deliver the first switch's CID; at the same time, the second switch also periodically broadcasts a Declare message to deliver its own CID to the first switch.
The CID is the unique identity that distinguishes a switch from all other switches.
Further, in step S2, after receiving the CID of the first switch, the second switch uses the identity-based key technology to generate a public key from the CID of the first switch and the pre-stored public key matrix, encrypts a random number with that public key to produce the encrypted random number, and sends the encrypted random number to the first switch.
Further, in step S3, after the first switch receives the encrypted random number, it generates the private key corresponding to that public key from the private key matrix (which corresponds to the public key matrix) together with its own CID, and decrypts the encrypted random number with the private key to obtain the decrypted random number.
Further, in step S4, the first switch sends the decrypted random number back to the second switch, and the second switch compares it with the random number it encrypted in step S2 to authenticate the first switch. If the decrypted random number equals the random number encrypted in step S2, authentication passes; otherwise it fails. Because the decrypted random number travels back in the clear, the second switch must draw a fresh random number for every authentication: a reused or predictable value could be answered by a switch that merely observed an earlier exchange, without holding the private key.
The network equipment interconnection authentication method provided by the invention uses a unique physical characteristic of the switch to generate the CID of the switch, and the CID is used to generate the corresponding public key and private key for the subsequent authentication of switches in the local area network. On that basis a group key can be distributed and synchronization information between the switches transmitted in encrypted form, which solves the authentication problem of local area network switches and effectively improves the confidentiality of secure data transmission.
Based on the foregoing embodiments, as an optional embodiment, the method provided by the invention further comprises, after sending the decrypted random number to the second switch: generating a group key when the first switch receives an authentication success message sent by the second switch; and the first switch sending the group key to the second switch, so that the second switch can use the group key for encrypted transmission with the first switch.
Specifically, in the method provided by the invention, after receiving the Declare messages of the other (Slave) switches, the first switch adds each Slave switch that sent a message to the switch multicast group, so that all switches in the local area network are enrolled in the multicast group, and at the same time the role of the first switch as Master switch is established. Building a multicast group from all the switches means that when the Master switch needs to send information to every Slave switch it sends the data only once, addressed to the multicast group address, and every member of the group receives a copy of that single transmission. In addition, in multicast mode only the Slave switches that actually need the information receive it; other switches do not.
For example, the multicast mode used in the invention may be static multicast, with multicast address 01-01-c1-FE-10.
Further, when the Master switch receives the authentication success message sent by a Slave switch, it generates a group key and sends it to the Slave switch. Thereafter, whenever related information needs to be synchronized between all switches of the local area network (for example, the authentication information of a terminal), the information can be encrypted for transmission with the shared group key, which fully guarantees the security of data transmission between the switches in the same multicast group.
Based on the foregoing embodiment, as an optional embodiment, generating the group key comprises: the group key is generated for a symmetric-key encryption method.
Symmetric-key encryption is also called private-key or shared-key encryption: the sender and the receiver of the data use the same key to encrypt and decrypt the plaintext. The symmetric-key encryption algorithm used here is mainly the Chinese national cryptographic algorithm SM4.
By generating the group key for a symmetric-key encryption method, the method provided by the invention lets the Master switch and the Slave switches in the same multicast group encrypt and decrypt information with the same key, securing the information exchanged within the multicast group.
Based on the foregoing embodiment, as an optional embodiment, the first declaration message comprises a source switch identifier; after the first switch periodically sends the first declaration message to the second switch in the local area network, the method further comprises:
receiving a second declaration message sent by the second switch, wherein the second declaration message does not contain a source switch identifier;
and establishing a switch multicast group according to the second declaration message, in which the first switch is determined to be the source switch and the second switch a slave switch.
Fig. 2 is a connection topology diagram of the switches in a local area network. As shown in Fig. 2, the switches in a local area network are divided into two types, Master switches and Slave switches. The Master switch is mainly responsible for distributing the group key; there is generally one Master switch (or, with a redundant design, one or more standby Master switches), and each Master switch is connected to a plurality of Slave switches. The method provided by the invention determines the master-slave relationship by the switches sending Declare messages to one another.
Specifically, the Declare message sent by the Master switch carries a source switch identifier that indicates its Master role, whereas the Declare messages sent by the Slave switches do not carry a source switch identifier.
In this way any two switches can determine the master-slave relationship between them from the Declare message received from the other side, and the multicast group is built according to that relationship. The identifier only announces the role; whether the announcing switch actually holds the Master's private key is established by the random-number challenge described above.
In the method provided by the invention, the Master switch indicates its Master role in the broadcast Declare message and thereby establishes the multicast group, which lays the foundation for the later secure exchange of information within the multicast group.
Based on the foregoing embodiment, the unique identity of the first switch is generated from the physical address of the first switch's network interface.
The invention provides a method for generating the CID of a switch, comprising the following steps:
First, the physical address (Media Access Control, MAC) of the switch's network interface is acquired.
Because the MAC address of each switch is unique, after acquiring the MAC address of a switch the invention can use a unique-identity generation tool to produce the switch's CID from the MAC address read. Alternatively, the MAC address may be included as part of the switch's CID.
When the first switch receives the Declare message sent by the second switch, it can load the pre-stored CID file from its storage unit and generate the CID of the first switch accordingly.
Further, the public key and private key files of the first switch can be generated directly with the IPK key technology from the CID of the first switch, and after receiving the Declare message sent by the second switch, the CID of the first switch is sent directly to the second switch.
The IPK (Identity Public Key) identity-based key technology, also called the IPK identity public key, is a lightweight key system with two characteristics: the key data is short, and authentication does not depend on a central authority, so authentication is simple and efficient.
The IPK identity-based key technology used in the invention consists of two parts: in the first switch, the private key file is generated from the private key seed file (the private key matrix) and the switch's own CID; and the public key file is generated from the public key seed file (the public key matrix) and the same CID. Because the private key matrix and the public key matrix correspond entry by entry, the private key file and the public key file correspond in the same way, and this correspondence is the basis of switch authentication. Since any holder of the private key matrix can derive the private key of any CID, the private key matrix must be protected far more strictly than the public key matrix, which can be distributed to every switch.
By generating the CID of the first switch from the switch's MAC address, the method provided by the invention guarantees the uniqueness of the CID and so the security of switch authentication.
Fig. 3 is a second flowchart of the network device interconnection authentication method provided by the present invention, as shown in fig. 3, the method includes, but is not limited to, the following steps:
Step S21: the second switch receives a first declaration message sent by the first switch; the first declaration message comprises a unique identity of the first switch;
Step S22: an encrypted random number is generated according to the unique identity and sent to the first switch;
Step S23: a decrypted random number sent by the first switch is received; the decrypted random number is produced by the first switch decrypting the encrypted random number with the first switch's private key;
Step S24: the first switch is verified according to the decrypted random number.
It should be noted that, in the network device interconnection authentication method provided by the present invention, the execution main body is the second switch, i.e. the Slave switch.
Fig. 4 is a signaling interaction diagram of the network device interconnection authentication method provided by the present invention, and as shown in fig. 4, the network device interconnection authentication method provided by the present invention mainly includes the following steps:
The Master switch and the Slave switches broadcast Declare messages to one another; the Declare message broadcast by the Master switch contains the switch's CID and indicates the Master role.
After receiving the Master switch's Declare message, a Slave switch obtains the Master switch's CID, generates the target public key from the Master's CID and the public key matrix, encrypts a random number with the target public key to produce the encrypted random number, and sends it to the Master switch.
After receiving the encrypted random number from the Slave switch, the Master switch decrypts it with the target private key corresponding to the target public key to obtain the decrypted random number, and sends the decrypted random number to the Slave switch.
After receiving the decrypted random number, the Slave switch performs authentication according to it. If authentication passes, the Slave switch joins the Master switch's multicast group.
The exchange is carried out with each Slave switch in this way, and all Slave switches that pass authentication form a multicast group together with the Master switch.
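The Fig. 4 exchange, together with the MAC-derived CID and the matrix-based IPK key derivation described above, as an added worked example in Python. This is editor's illustration code, not the patent's implementation. The page does not give the rule for combining the key matrices, the mathematical group, or the public-key cipher applied to the random number, so all three are assumptions: the matrices are combined CPK-style (the CID hash selects one entry per matrix column, private entries are summed and public entries multiplied), the group is a tiny modular group with p = 1019 so the example runs instantly (not secure; a deployment would use an elliptic-curve group of at least 256 bits), and the random number is protected with hashed ElGamal. The names `Switch`, `make_cid`, `key_matrices` and the 16 x 8 matrix shape are the example's own. It also shows the check a practitioner would want: a switch that announces the Master's CID and the Master flag without holding the private matrix fails the challenge.

```python
"""Added example: IPK-style combined keys and the random-number challenge of Fig. 4.
Not the patent's code; group, matrix-combination rule and cipher are assumptions
chosen so the example runs with the standard library alone."""
import hashlib
import hmac
import secrets

# Toy group: the order-Q subgroup of Z_P*, P = 2Q + 1.  P = 1019 is far too small to
# be secure; it only keeps the arithmetic instant (assumption, not from the page).
P, Q, G = 1019, 509, 4            # G = 2**2 is a quadratic residue, so it has order Q
ROWS, COLS = 16, 8                # key-matrix shape (assumption)
NONCE_LEN = 16                    # bytes of random number per challenge


def make_cid(mac: str) -> bytes:
    """CID derived from the switch's MAC address (page: CID generated from the MAC)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 octets")
    return hashlib.sha256(b"switch-cid|" + raw).digest()[:16]

def key_matrices(kmc_seed: bytes):
    """Private matrix of scalars and public matrix pub[i][j] = G**priv[i][j].  Whoever
    holds the private matrix can derive every switch's private key: keep it off the Slaves."""
    priv = [[int.from_bytes(hashlib.sha256(kmc_seed + bytes([i, j])).digest(), "big") % Q
             for j in range(COLS)] for i in range(ROWS)]
    return priv, [[pow(G, s, P) for s in row] for row in priv]

def _selectors(cid: bytes):
    """The CID hash picks one row in every column; both sides compute the same list."""
    h = hashlib.sha256(cid).digest()
    return [(h[j] % ROWS, j) for j in range(COLS)]

def derive_public_key(cid: bytes, pub_matrix) -> int:
    pk = 1
    for i, j in _selectors(cid):
        pk = pk * pub_matrix[i][j] % P
    return pk

def derive_private_key(cid: bytes, priv_matrix) -> int:
    # Sum of the selected scalars: G**sk equals the product of the selected public entries.
    return sum(priv_matrix[i][j] for i, j in _selectors(cid)) % Q

def _pad(shared: int, c1: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(2, "big") + c1.to_bytes(2, "big")).digest()

def encrypt_nonce(pk: int, nonce: bytes):
    """Hashed ElGamal: send G**k and the nonce XORed with H(pk**k)."""
    k = secrets.randbelow(Q - 1) + 1
    c1 = pow(G, k, P)
    return c1, bytes(a ^ b for a, b in zip(nonce, _pad(pow(pk, k, P), c1)))

def decrypt_nonce(sk: int, c1: int, ct: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(ct, _pad(pow(c1, sk, P), c1)))


class Switch:
    def __init__(self, mac: str, pub_matrix, priv_matrix=None, master=False):
        self.cid, self.pub_matrix, self.master = make_cid(mac), pub_matrix, master
        self.sk = None if priv_matrix is None else derive_private_key(self.cid, priv_matrix)
        self.pending = {}         # peer CID -> random number we expect back
        self.group = set()        # peer CIDs whose challenge succeeded

    def declare(self) -> dict:
        """Declare message: own CID plus the source-switch flag only the Master sets."""
        return {"cid": self.cid, "master": self.master}

    def challenge(self, declare: dict) -> dict:
        """Slave, step S22: a fresh random number encrypted to the key combined from the
        announced CID.  Fresh every time, because the answer comes back in the clear."""
        pk = derive_public_key(declare["cid"], self.pub_matrix)
        nonce = secrets.token_bytes(NONCE_LEN)
        self.pending[declare["cid"]] = nonce
        c1, ct = encrypt_nonce(pk, nonce)
        return {"cid": self.cid, "c1": c1, "ct": ct}

    def respond(self, challenge: dict) -> dict:
        """Master, steps S3 and S4: decrypt with the private key, return the number."""
        return {"cid": self.cid, "nonce": decrypt_nonce(self.sk, challenge["c1"], challenge["ct"])}

    def verify(self, response: dict) -> bool:
        """Slave, step S24: the returned number must equal the one that was encrypted."""
        expected = self.pending.pop(response["cid"], None)
        ok = expected is not None and hmac.compare_digest(expected, response["nonce"])
        if ok:
            self.group.add(response["cid"])
        return ok


def authenticate(slave: Switch, master: Switch) -> bool:
    """One complete run: Declare -> encrypted number -> decrypted number -> verdict."""
    return slave.verify(master.respond(slave.challenge(master.declare())))

def impostor_response(master_cid: bytes, challenge: dict) -> dict:
    """A switch announcing the Master's CID without the private matrix can only guess."""
    return {"cid": master_cid, "nonce": secrets.token_bytes(NONCE_LEN)}

if __name__ == "__main__":
    priv, pub = key_matrices(b"constructed KMC seed")
    master, slave = Switch("00:11:22:33:44:55", pub, priv, master=True), Switch("00:11:22:33:44:66", pub)
    print("genuine Master passes:", authenticate(slave, master))                                        # True
    print("impostor passes:", slave.verify(impostor_response(master.cid, slave.challenge(master.declare()))))  # False
```

The matrix symmetry the page relies on shows up as `pow(G, sk, P) == derive_public_key(cid, pub)`: the Slave never needs the private matrix, only the public one and the announced CID, and the Master never transmits anything but the decrypted number.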
Seen from the Slave switch side, the method provided by the invention likewise uses a unique physical characteristic of the switch to generate the CID of the switch, and the CID is used to generate the corresponding public key and private key for the subsequent authentication of switches in the local area network, so that a group key can be distributed and synchronization information between the switches transmitted in encrypted form, which solves the authentication problem of local area network switches and effectively improves the confidentiality of secure data transmission.
Further, after verifying the first switch according to the decrypted random number, the method further comprises: sending an authentication success message to the first switch if the verification passes; receiving a group key sent by the first switch; and carrying out encrypted transmission with the first switch using the group key.
After every Slave switch has completed authentication of the Master switch, the Master switch generates a group key and sends it to all Slave switches.
Whenever related information needs to be synchronized between all switches of the local area network (for example, the authentication information of a terminal), the information is encrypted for transmission with the group key.
In the method provided by the invention, the multicast group is built jointly through the authentication of the Master switch by each Slave switch, and the group key is generated by the Master switch, so that information exchanged between all switches in the multicast group is transmitted encrypted with the group key, which effectively guarantees the security of the exchanged information.
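Use of the group key inside the multicast group, as an added example in Python (editor's illustration, not the patent's code). The page names SM4 as the symmetric cipher; the Python standard library has no SM4, so this stand-in builds encrypt-then-MAC from HMAC-SHA256 (a counter-mode keystream plus an authentication tag), which is an assumption, as are the `GroupMember` class, the packet layout and the sequence-number replay check. The page does not say how the Master delivers the group key to each Slave, so here the key is simply handed to the constructor; in practice that delivery needs its own confidentiality. Because every member holds the same key, a valid tag proves that the sender is some member of the group, not which one, so the sender CID in the header is only as trustworthy as every member of the group.

```python
"""Added example: protecting switch synchronisation traffic with a shared group key.
Stand-in for SM4 built from HMAC-SHA256 (assumption); the packet layout and the
replay check are the example's own, not the patent's."""
import hashlib
import hmac
import secrets
import struct

CID_LEN, NONCE_LEN, TAG_LEN = 16, 12, 32
HEADER_LEN = CID_LEN + 8                      # sender CID + 64-bit sequence number
GROUP_ID = b"switch-multicast-group"          # bound into the tag (assumption)


def generate_group_key() -> bytes:
    """Master side: a fresh 256-bit group key once the Slaves are authenticated."""
    return secrets.token_bytes(32)

def _subkeys(group_key: bytes):
    """Separate encryption and MAC keys derived from the one distributed key."""
    return (hmac.new(group_key, b"enc", hashlib.sha256).digest(),
            hmac.new(group_key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(group_key: bytes, sender_cid: bytes, seq: int, plaintext: bytes) -> bytes:
    """header | nonce | ciphertext | tag; the tag covers group id, header, nonce and ciphertext."""
    enc_key, mac_key = _subkeys(group_key)
    header = sender_cid + struct.pack(">Q", seq)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, GROUP_ID + header + nonce + ct, hashlib.sha256).digest()
    return header + nonce + ct + tag

def unseal(group_key: bytes, packet: bytes):
    """(sender_cid, seq, plaintext) for a genuine packet, None otherwise; tag checked first."""
    if len(packet) < HEADER_LEN + NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(group_key)
    header, nonce = packet[:HEADER_LEN], packet[HEADER_LEN:HEADER_LEN + NONCE_LEN]
    ct, tag = packet[HEADER_LEN + NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, GROUP_ID + header + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return header[:CID_LEN], struct.unpack(">Q", header[CID_LEN:])[0], pt


class GroupMember:
    """A Master or Slave switch that holds the group key."""

    def __init__(self, cid: bytes, group_key: bytes):
        self.cid, self.key = cid, group_key
        self.seq = 0                # own send counter
        self.highest = {}           # sender CID -> highest sequence number accepted

    def send(self, sync_info: bytes) -> bytes:
        self.seq += 1
        return seal(self.key, self.cid, self.seq, sync_info)

    def receive(self, packet: bytes):
        """Plaintext of a genuine, non-replayed packet; None otherwise."""
        result = unseal(self.key, packet)
        if result is None:
            return None
        sender, seq, pt = result
        if seq <= self.highest.get(sender, 0):
            return None             # replayed or duplicated packet
        self.highest[sender] = seq
        return pt


if __name__ == "__main__":
    gk = generate_group_key()
    master = GroupMember(b"M" * CID_LEN, gk)
    slave = GroupMember(b"S" * CID_LEN, gk)
    pkt = master.send(b"terminal 10.0.0.7 authenticated")   # constructed sync record
    print(slave.receive(pkt))        # b'terminal 10.0.0.7 authenticated'
    print(slave.receive(pkt))        # None: replay of the same packet
    outsider = GroupMember(b"X" * CID_LEN, generate_group_key())
    print(outsider.receive(master.send(b"secret")))          # None: not in the group
```

A switch that was never authenticated never receives the key, so its `receive` fails at the tag check before any decryption; the per-sender sequence number is what stops a captured sync record from being replayed to the group later.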
Fig. 5 is a schematic structural diagram of a network device interconnection authentication system provided by the present invention, where, as shown in fig. 5, the network device interconnection authentication system provided by the present invention includes at least one first switch and a plurality of second switches; the first switch comprises a first processing module 1, a second processing module 2, a third processing module 3 and a fourth processing module 4, wherein:
the first processing module 1 is configured to periodically send a first declaration packet to a second switch in the local area network; the first declaration message comprises a unique identity of the first switch;
the second processing module 2 is configured to receive an encrypted random number sent by the second switch; the encrypted random number is generated after the second switch encrypts by using the first switch public key; the first switch public key is generated based on a unique identity of the first switch;
the third processing module 3 is configured to decrypt the encrypted random number by using a private key of the first switch, and output a decrypted random number;
the fourth processing module 4 is configured to send the decrypted random number to the second switch.
Wherein the first switch may be a Master switch. The second switch may be a Slave switch.
After the newly accessed Slave switch is accessed to the local area network, the Slave switch and the Master switch can each send a Declare message periodically. The Declare message contains the CID of the switch. That is, the first processing module 1 of the first switch sends a first Declare message to the second switch, so as to send its CID to the second switch through the first Declare message.
Further, after receiving the CID of the Master switch, the Slave switch generates a public key according to the CID of the Master switch and a prestored public key matrix by using an identification key technology, encrypts a random number by using the public key, and generates an encrypted random number to be sent to the Master switch.
The second processing module 2 receives the encrypted random number sent by the Slave switch and then sends it to the third processing module 3. The third processing module 3 generates a private key corresponding to the public key by using the private key matrix corresponding to the public key matrix and combining the CID of the Master switch, and decrypts the encrypted random number by using the private key to obtain a decrypted random number.
Further, the fourth processing module 4 returns the decrypted random number to the Slave switch, so that the Slave switch can compare it with the random number it encrypted in step S2 and thereby authenticate the Master switch.
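The Declare, encrypted-random-number and decrypted-random-number exchange described above, as an added worked example that is not part of the patent nor code from the applicant. The patent names only "identification key technology" with a pre-stored public key matrix and a corresponding private key matrix, so this example assumes a Combined-Public-Key style scheme on secp256k1: a CID selects one cell per column of the matrix, the Master's public key is the sum of the selected public points and its private key the sum of the selected scalars. The CID formed as SHA-256 of the NIC address (claim 4 only says the CID derives from the network card address), the "CID byte j modulo row count" cell mapping, the toy 4x8 matrix size, and the ECIES-style ephemeral-ECDH-plus-SHA-256 keystream used to encrypt the random number are all assumptions; none is specified on the page. The impostor case shows what the Slave's comparison actually guarantees: a device that announces the Master's CID but does not hold the matching private key matrix cannot echo the random number.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (real curve constants; y^2 = x^3 + 7 over F_P, order N)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

ROWS, COLS = 4, 8  # toy key-matrix size (assumption; the patent gives no size)


def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0]:
        if a[1] != b[1]:
            return None                                   # a + (-a)
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P  # tangent slope (curve a = 0)
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def make_cid(mac):
    """Constructed CID: SHA-256 of the NIC physical address (assumed derivation)."""
    return hashlib.sha256(mac.lower().encode()).digest()


def key_matrices():
    """Key-management side: private matrix of scalars and the matching public matrix
    of points. The public matrix is what every switch has pre-stored."""
    priv = [[secrets.randbelow(N - 1) + 1 for _ in range(COLS)] for _ in range(ROWS)]
    pub = [[ec_mul(s, G) for s in row] for row in priv]
    return priv, pub


def select_rows(cid):
    """Assumed CID-to-cell mapping: CID byte j picks the row used in column j."""
    return [cid[j] % ROWS for j in range(COLS)]


def public_key_from_cid(cid, pub_matrix):
    """Slave side: combine the selected public-matrix points into the Master's public key."""
    pt = None
    for j, i in enumerate(select_rows(cid)):
        pt = ec_add(pt, pub_matrix[i][j])
    return pt


def private_key_from_cid(cid, priv_matrix):
    """Master side: the matching private key is the sum of the selected scalars mod N."""
    return sum(priv_matrix[i][j] for j, i in enumerate(select_rows(cid))) % N


def _keystream(point):
    return hashlib.sha256(point[0].to_bytes(32, "big")).digest()


def slave_challenge(master_cid, pub_matrix):
    """Slave: encrypt a fresh 32-byte random number to the CID-derived public key
    (ECIES-style ephemeral ECDH + SHA-256 keystream, a stand-in for the unspecified cipher)."""
    master_pub = public_key_from_cid(master_cid, pub_matrix)
    nonce = secrets.token_bytes(32)
    r = secrets.randbelow(N - 1) + 1
    ephemeral = ec_mul(r, G)
    ct = bytes(x ^ y for x, y in zip(nonce, _keystream(ec_mul(r, master_pub))))
    return nonce, (ephemeral, ct)


def master_respond(master_cid, priv_matrix, challenge):
    """Master: derive its private key from its own CID and the private matrix,
    decrypt, and return the plaintext random number to be sent back to the Slave."""
    ephemeral, ct = challenge
    d = private_key_from_cid(master_cid, priv_matrix)
    return bytes(x ^ y for x, y in zip(ct, _keystream(ec_mul(d, ephemeral))))


def slave_verify(expected_nonce, echoed):
    """Slave: constant-time comparison of the echo with the number it encrypted."""
    return hmac.compare_digest(expected_nonce, echoed)


def run_protocol(master_mac, priv_matrix, pub_matrix, impostor=False):
    """One Declare -> encrypted random number -> decrypted random number round.
    impostor=True models a device announcing the Master's CID without the private matrix."""
    cid = make_cid(master_mac)  # carried in the Master's Declare message
    nonce, challenge = slave_challenge(cid, pub_matrix)
    responder_priv = key_matrices()[0] if impostor else priv_matrix
    echoed = master_respond(cid, responder_priv, challenge)
    return slave_verify(nonce, echoed)


if __name__ == "__main__":
    priv_m, pub_m = key_matrices()
    print("genuine master:", run_protocol("00:11:22:33:44:55", priv_m, pub_m))
    print("impostor      :", run_protocol("00:11:22:33:44:55", priv_m, pub_m, impostor=True))
```

Two points a practitioner should take from the model: the decrypted random number travels back in the clear, so the Slave must generate a fresh random number for every run and never accept an echo it did not issue a challenge for, otherwise a recorded echo could be replayed; and the comparison is done with a constant-time compare, since a byte-by-byte early-exit compare would leak how much of the value the responder got right.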
The network equipment interconnection authentication system provided by the invention uses the unique physical characteristics of the switches to generate their CIDs. The CIDs are then used to generate the corresponding public keys and private keys for authenticating the switches in the local area network, so that group keys can be distributed and synchronization information exchanged between switches can be transmitted encrypted. This solves the authentication problem of local area network switches and effectively improves the confidentiality of data transmission.
It should be noted that, when the network device interconnection authentication system provided in the embodiment of the present invention is specifically executed, the network device interconnection authentication method may be implemented based on any one of the network device interconnection authentication methods described in the foregoing embodiments, which is not described in detail in this embodiment.
Fig. 6 is a schematic structural diagram of an electronic device according to the present invention, and as shown in fig. 6, the electronic device may include: processor 610, communication interface 620, memory 630, and communication bus 640, wherein processor 610, communication interface 620, and memory 630 communicate with each other via communication bus 640. The processor 610 may invoke logic instructions in the memory 630 to perform a network device interconnection authentication method comprising: the first switch periodically sends a first declaration message to a second switch in the local area network; the first declaration message comprises a unique identity of the first switch; the first switch receives the encrypted random number sent by the second switch; the encrypted random number is generated after the second switch encrypts by using the first switch public key; the first switch public key is generated based on a unique identity of the first switch; the first switch decrypts the encrypted random number by using a first switch private key and outputs a decrypted random number; and sending the decrypted random number to the second switch.
Further, the logic instructions in the memory 630 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the network device interconnection authentication method provided by the above methods, the method comprising: the first switch periodically sends a first declaration message to a second switch in the local area network; the first declaration message comprises a unique identity of the first switch; the first switch receives the encrypted random number sent by the second switch; the encrypted random number is generated after the second switch encrypts by using the first switch public key; the first switch public key is generated based on a unique identity of the first switch; the first switch decrypts the encrypted random number by using a first switch private key and outputs a decrypted random number; and sending the decrypted random number to the second switch.
In still another aspect, the present invention further provides a non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor is implemented to perform the network device interconnection authentication method provided in the above embodiments, the method including: the first switch periodically sends a first declaration message to a second switch in the local area network; the first declaration message comprises a unique identity of the first switch; the first switch receives the encrypted random number sent by the second switch; the encrypted random number is generated after the second switch encrypts by using the first switch public key; the first switch public key is generated based on a unique identity of the first switch; the first switch decrypts the encrypted random number by using a first switch private key and outputs a decrypted random number; and sending the decrypted random number to the second switch.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (9)

1. A network device interconnection authentication method, comprising:
the first switch periodically sends a first declaration message to a second switch in the local area network; the first declaration message comprises a unique identity of the first switch; the first declaration message also comprises a source switch identity;
the first switch receives the encrypted random number sent by the second switch; the encrypted random number is generated after the second switch encrypts by using the first switch public key; the first switch public key is generated based on the unique identity of the first switch and a prestored public key matrix;
the first switch decrypts the encrypted random number by using a first switch private key and outputs a decrypted random number; the private key of the first switch is generated based on the unique identity of the first switch and a private key matrix corresponding to the public key matrix;
transmitting the decrypted random number to the second switch;
after the first switch periodically sends the first declaration message to the second switch in the local area network, the method further comprises:
receiving a second declaration message sent by the second switch, wherein the second declaration message does not contain a source switch identity;
and according to the second declaration message, the first switch is added to a switch multicast group, the first switch is determined to be a source switch in the switch multicast group, and the second switch is determined to be a slave switch in the switch multicast group.
2. The network device interconnection authentication method of claim 1, further comprising, after the sending the decrypted random number to the second switch:
generating a group key under the condition that the first switch receives an authentication success message sent by the second switch;
the first switch sends the group key to the second switch so that the second switch can use the group key to realize encrypted transmission with the first switch.
3. The network device interconnection authentication method of claim 2, wherein the generating a group key comprises: generating the group key based on a symmetric key encryption method.
4. The network device interconnection authentication method of claim 1, wherein the unique identity of the first switch is generated based on network card physical address information of the first switch.
5. A network device interconnection authentication method, comprising:
the second switch receives a first declaration message sent by the first switch; the first declaration message comprises a unique identity of the first switch; the first declaration message comprises a source switch identity;
sending a second declaration message to the first switch, wherein the second declaration message does not contain the source switch identity; according to the second declaration message, the first switch is added to a switch multicast group, the first switch is determined to be a source switch in the switch multicast group, and the second switch is determined to be a slave switch in the switch multicast group;
generating an encrypted random number according to the unique identity and a prestored public key matrix, and sending the encrypted random number to the first switch;
receiving a decrypted random number sent by the first switch; the decryption random number is generated by decrypting the encryption random number by the first switch by using a first switch private key; the private key of the first switch is generated based on the unique identity of the first switch and a private key matrix corresponding to the public key matrix;
and verifying the first switch according to the decrypted random number.
6. The network device interconnection authentication method of claim 5, further comprising, after verifying the first switch based on the decrypted random number:
sending an authentication success message to the first switch when the verification result is qualified;
receiving a group key sent by the first switch;
realizing encrypted transmission with the first switch by using the group key.
7. A network device interconnection authentication system comprising at least a first switch and a plurality of second switches;
the first switch comprises a first processing module, a second processing module, a third processing module and a fourth processing module;
the first processing module is used for periodically sending a first declaration message to a second switch in the local area network; the first declaration message comprises a unique identity of the first switch; the first declaration message also comprises a source switch identity;
the second processing module is used for receiving the encrypted random number sent by the second switch; the encrypted random number is generated after the second switch encrypts by using the first switch public key; the first switch public key is generated based on the unique identity of the first switch and a prestored public key matrix;
the third processing module is used for decrypting the encrypted random number by using the private key of the first switch and outputting a decrypted random number; the private key of the first switch is generated based on the unique identity of the first switch and a private key matrix corresponding to the public key matrix;
the fourth processing module is configured to send the decrypted random number to the second switch;
the system further comprises a fifth processing module, after the first processing module periodically sends a first declaration message to a second switch in the local area network, the fifth processing module is configured to execute the following steps:
receiving a second declaration message sent by the second switch, wherein the second declaration message does not contain a source switch identity;
and according to the second declaration message, the first switch is added to a switch multicast group, the first switch is determined to be a source switch in the switch multicast group, and the second switch is determined to be a slave switch in the switch multicast group.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the computer program, implements the network device interconnection authentication method steps of any one of claims 1 to 6.
9. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the network device interconnection authentication method steps of any of claims 1 to 6.
CN202011444665.3A 2020-12-08 2020-12-08 Network equipment interconnection authentication method and system Active CN112637145B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011444665.3A CN112637145B (en) 2020-12-08 2020-12-08 Network equipment interconnection authentication method and system

Publications (2)

Publication Number Publication Date
CN112637145A CN112637145A (en) 2021-04-09
CN112637145B true CN112637145B (en) 2023-04-28

Family

ID=75309531

Country Status (1)

Country Link
CN (1) CN112637145B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114374508B (en) * 2021-12-20 2024-03-26 北京北信源软件股份有限公司 Network security protection method, system, device, security switch and storage medium
CN114866251B (en) * 2022-04-25 2023-07-07 中国银联股份有限公司 Equipment interconnection security authentication system, method, device, server and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103746815A (en) * 2014-02-14 2014-04-23 浙江中控研究院有限公司 Secure communication method and device
CN106603234A (en) * 2015-10-14 2017-04-26 阿里巴巴集团控股有限公司 Method, device and system for device identity authentication
CN106789986A (en) * 2016-12-08 2017-05-31 浙江宇视科技有限公司 Monitoring device authentication method and device
CN108809914A (en) * 2017-05-05 2018-11-13 国民技术股份有限公司 Access control method, device, terminal and Internet of Things house system
CN110855695A (en) * 2019-11-19 2020-02-28 武汉思普崚技术有限公司 Improved SDN network security authentication method and system

Also Published As

Publication number Publication date
CN112637145A (en) 2021-04-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240326

Address after: Room 1501, 12th Floor, Building 3, No. 34 Zhongguancun South Street, Haidian District, Beijing, 100080

Patentee after: Federation of Industry and Commerce Lingchuang (Beijing) Technology Co.,Ltd.

Country or region after: China

Address before: Room 1602, block C, Zhongguancun Science and technology development building, 34 Zhongguancun South Street, Haidian District, Beijing 100081

Patentee before: BEIJING VRV SOFTWARE Corp.,Ltd.

Country or region before: China