CN113162947A - System and method for testing sensor network cryptographic security protocol - Google Patents

System and method for testing sensor network cryptographic security protocol

Info

Publication number
CN113162947A
Authority
CN
China
Prior art keywords
detection
data
protocol
module
offline
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110513178.6A
Other languages
Chinese (zh)
Inventor
刘辛越
卓兰
肖青海
王立军
杨宏
李孟良
刘凯
郭子帅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Creative Centure Information Technology Co ltd
China Electronics Standardization Institute
Original Assignee
Beijing Creative Centure Information Technology Co ltd
China Electronics Standardization Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Creative Centure Information Technology Co ltd and China Electronics Standardization Institute
Priority to CN202110513178.6A
Publication of CN113162947A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 43/18 Protocol analysers
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/164 Implementing security features at the network layer
    • H04L 63/166 Implementing security features at the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a system and a method for testing a sensor network cryptographic security protocol. The invention designs a detection system for the cryptographic algorithms used in secure transmission protocols and specifies its functional modules in detail. An IPSec secure transmission protocol cryptographic detection subsystem and an SSL secure transmission protocol cryptographic detection subsystem perform offline and online detection of the cryptographic algorithms of the respective secure transmission protocol, so that the compliance, correctness and integrity of the national cryptographic (SM) algorithms and keys contained in the basic structure of the protocol (cipher suite, protocol version, protocol structures and the like) are checked. The method extends the national cryptographic algorithm detection that a cryptographic evaluation tool can perform on related products such as VPNs, and improves the cryptographic certification system.

Description

System and method for testing sensor network cryptographic security protocol
Technical Field
The invention relates to the field of information security, in particular to a method for testing a sensor network cryptographic security protocol, and specifically to a system and method for testing a sensor network cryptographic security protocol.
Background
With the rapid development of Internet technology, non-traditional security threats represented by cyber security continue to spread, cyberspace security risks keep growing, and the threats become more severe. Cryptographic security is an important foundation of information security. With the formal implementation of GB/T 22239-2019 (Information security technology: Baseline for classified protection of cybersecurity), cryptographic technology is applied in more places and the domestic (national) cryptographic algorithms have a larger application space. At the same time, the implementation of the cryptographic standards sets requirements for the standardization and normalization of cryptographic algorithm use, so a corresponding detection method is needed to judge the compliance, correctness and integrity of the cryptographic algorithms. Cryptographic algorithms are used very widely, and one of the most important uses is in secure transmission protocols such as SSL and IPSec. However, existing test methods cannot determine whether an algorithm is used in compliance with the standards or whether signatures are used correctly, lack security, and cannot perform efficient detection in online or offline mode.
Disclosure of Invention
Aiming at the various non-standard uses of cryptographic algorithms in practice, the invention provides a system and a method for testing a sensor network cryptographic security protocol, in order to solve the problems of non-standard, incorrect and incomplete application of cryptographic algorithms.
According to the purpose of the invention, a sensor network cryptographic security protocol test system is provided which comprises a client, a secure transmission protocol detection module, an operating system and hardware equipment. The client acquires the user's address and information and sends them to the secure transmission protocol detection module; the secure transmission protocol detection module acquires online data packets or offline data according to the acquired address and information and performs SSL protocol and IPSec protocol detection on the data. The operating system is one of Linux and Windows; the hardware equipment is the equipment that supports the cryptographic security protocol test system.
Further, the client is an external interaction platform for selecting the corresponding detection mode.
Further, the secure transmission protocol detection module comprises:
a data acquisition module for acquiring data in offline or online mode;
a detection interface module that passes the acquired data in turn through a data extraction and analysis sub-module, a detection information acquisition sub-module and a detection report generation sub-module, to complete reception and analysis, display of detection results, and generation and display of detection reports;
and a detection core module for performing IPSec VPN detection and SSL VPN detection analysis on the data extracted by the detection interface module.
Furthermore, both the IPSec VPN detection and the SSL VPN detection have an offline detection mode and an online detection mode.
According to an embodiment of the present invention, a test method for the sensor network cryptographic security protocol test system is further provided, the test method comprising:
S101, the client acquires first data based on the user's address information and sends the first data to the secure transmission protocol detection module;
S102, the secure transmission protocol detection module judges from the acquired first data whether offline detection or online detection is to be carried out, and enters the offline detection mode or the online detection mode accordingly. After the pre-detection of the offline or online detection mode, a preprocessing service is started, the offline data file stored on the server is read or the online data file is acquired, and the effective data are extracted; the process advances to step S103;
S103, the analysis and detection service sets the detection sequence, calls the IPSec VPN/SSL VPN cryptographic library and starts detection: the data packets are organized into the standard IPSec/SSL data structure format according to GM/T 0022 (the IPSec VPN technical specification) or GM/T 0024 (the SSL VPN technical specification), the second data are extracted and their correctness and compliance are detected, a detection report is generated and stored on the server as a file, and the detection result together with the preset detection information is fed back to the analysis and detection service; the preset detection information is stored in a detection report database, and the detection result information is generated and fed back to the convergence display service; during detection a heartbeat monitoring mode is used, and real-time detection information is generated and fed back to the convergence display service;
S104, the convergence display service acquires the real-time detection information and the detection result information;
and S105, the convergence display service displays the detection result on a web interface in real time.
Further, the pre-detection in the offline detection mode comprises:
setting the offline detection mode, setting the parameters of the offline data path to be detected, storing the offline data file on the local PC (personal computer) terminal, and starting detection;
and reading the offline data from the local PC terminal, uploading it to the designated path on the server, and storing it there as a file.
Further, the pre-detection in the online detection mode comprises:
setting the online detection mode, setting the IP address to be detected and the packet capturing depth, and starting detection;
and starting the online packet capturing module, capturing the IPSec/SSL protocol data exchanged between the client and the server, and storing the online data as a file.
Further, the second data comprises the protocol header, the cipher suite, the client and server certificates, and the ciphertext.
Further, the preset detection information comprises the detection type, detection time, detection personnel, detection report path and detection result.
The invention has the following beneficial effects:
Firstly, complete detection of the cryptographic algorithms of the IPSec VPN secure transmission protocol is realized:
compliance: the data structure of the IPSec secure transmission protocol conforms to GM/T 0022;
correctness: the certificate signature algorithm is used correctly and the signature verifies; the digest algorithm yields the correct hash value; the encryption and decryption algorithms are used correctly, and the ciphertext and the plaintext are obtained correctly;
integrity: whether the acquired data has been tampered with or is incomplete is proved by checking the hash value of the data.
Secondly, complete detection of the cryptographic algorithms of the SSL VPN secure transmission protocol is realized:
compliance: the data structure of the SSL secure transmission protocol conforms to GM/T 0024;
correctness: the certificate signature algorithm is used correctly and the signature verifies; the digest algorithm yields the correct hash value; the encryption and decryption algorithms are used correctly, and the ciphertext and the plaintext are obtained correctly;
integrity: the acquired data is neither tampered with nor incomplete, which is established by checking the hash value of the data.
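The SSL VPN compliance and integrity checks listed above, as an added worked example that is not part of the patent and not the applicants' code: it parses the SSL/TLCP handshake records of a capture, extracts the protocol version and cipher suites (part of the "second data" of the method), checks them against the SM cipher suites of GM/T 0024, hashes the capture for the integrity record, and returns the preset detection information fields. The protocol version 0x0101 and the cipher suite identifiers in the table are the author's reading of GM/T 0024 and are assumptions here, as are the report path and personnel values; the ClientHello records are constructed sample input, not captured traffic. The certificate signature and SM4 decryption checks of the correctness item are not shown because they need an SM2/SM4 library outside the Python standard library.

```python
"""Added example (not the patent's implementation): SSL VPN handshake
compliance and integrity check against the SM cipher suites of GM/T 0024."""
import hashlib
import struct
from datetime import datetime, timezone

TLCP_VERSION = 0x0101  # GM/T 0024 protocol version 1.1 (assumed value)

# SM cipher suites of GM/T 0024 (assumed identifiers); anything else is non-compliant.
GMT0024_CIPHER_SUITES = {
    0xE001: "ECDHE_SM1_SM3", 0xE003: "ECC_SM1_SM3", 0xE005: "IBSDH_SM1_SM3",
    0xE007: "IBC_SM1_SM3", 0xE009: "RSA_SM1_SM3", 0xE00A: "RSA_SM1_SHA1",
    0xE011: "ECDHE_SM4_SM3", 0xE013: "ECC_SM4_SM3", 0xE015: "IBSDH_SM4_SM3",
    0xE017: "IBC_SM4_SM3", 0xE019: "RSA_SM4_SM3", 0xE01A: "RSA_SM4_SHA1",
}

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2


def parse_records(data):
    """Split a raw capture into (content_type, record_version, body) tuples."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack_from("!BHH", data, off)
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record at offset %d" % off)
        records.append((ctype, ver, body))
        off += 5 + length
    return records


def parse_hello(body):
    """Return (msg_type, version, cipher_suites) from a ClientHello or ServerHello."""
    msg_type = body[0]
    version, = struct.unpack_from("!H", body, 4)   # skip type (1) and length (3)
    p = 6 + 32                                     # skip the 32-byte random
    p += 1 + body[p]                               # skip the session id
    if msg_type == CLIENT_HELLO:
        cs_len, = struct.unpack_from("!H", body, p)
        p += 2
        suites = [struct.unpack_from("!H", body, p + i)[0] for i in range(0, cs_len, 2)]
    elif msg_type == SERVER_HELLO:
        suites = [struct.unpack_from("!H", body, p)[0]]   # the single selected suite
    else:
        raise ValueError("not a Hello message: type %d" % msg_type)
    return msg_type, version, suites


def check_compliance(version, suites):
    """Compliance findings for the protocol version and the offered/selected suites."""
    findings = []
    if version != TLCP_VERSION:
        findings.append("protocol version 0x%04x is not GM/T 0024 version 1.1" % version)
    for s in suites:
        if s not in GMT0024_CIPHER_SUITES:
            findings.append("cipher suite 0x%04x is not a GM/T 0024 SM suite" % s)
    return findings


def detect(capture, detection_type="SSL VPN offline", personnel="tester",
           report_path="/srv/reports/ssl-vpn.json"):
    """Run detection over a capture and return the preset detection information."""
    findings = []
    for ctype, _rec_ver, body in parse_records(capture):
        if ctype == HANDSHAKE and body[0] in (CLIENT_HELLO, SERVER_HELLO):
            _, version, suites = parse_hello(body)
            findings += check_compliance(version, suites)
    return {
        "detection_type": detection_type,
        "detection_time": datetime.now(timezone.utc).isoformat(),
        "detection_personnel": personnel,
        "detection_report_path": report_path,   # assumed server path
        "detection_result": "fail" if findings else "pass",
        "findings": findings,
        # integrity: digest of the capture so later tampering or omission is detectable
        "capture_sha256": hashlib.sha256(capture).hexdigest(),
    }


def build_client_hello(version, suites):
    """Construct a minimal ClientHello record (sample input, not a real capture)."""
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", 2 * len(suites))
             + b"".join(struct.pack("!H", s) for s in suites)
             + b"\x01\x00" + b"\x00\x00")        # one compression method, no extensions
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


# Constructed samples: a compliant TLCP hello and a TLS 1.2 hello offering an AES suite.
COMPLIANT = build_client_hello(0x0101, [0xE013, 0xE011])
NON_COMPLIANT = build_client_hello(0x0303, [0xC02F, 0xE013])

if __name__ == "__main__":
    for name, cap in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        report = detect(cap)
        print(name, report["detection_result"], report["findings"])
```

Running the block reports `pass` for the TLCP hello and `fail` with two findings for the TLS 1.2 hello (wrong version, non-SM suite 0xC02F); a ServerHello is handled the same way through its single selected suite, which is the value that decides what the VPN actually negotiated.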
Drawings
FIG. 1 is a schematic diagram of a module structure according to the present invention.
Detailed Description
For the convenience of understanding, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides a sensor network cryptographic security protocol test system which comprises a client, a secure transmission protocol detection module, an operating system and hardware equipment. The client acquires the user's address and information and sends them to the secure transmission protocol detection module; the secure transmission protocol detection module acquires online data packets or offline data according to the acquired address and information and performs SSL (secure sockets layer) protocol and IPSec (Internet protocol security) protocol detection on the data. The operating system is one of Linux and Windows; the hardware equipment is the equipment that supports the cryptographic security protocol test system.
The client of the invention is an external interaction platform for selecting the corresponding detection mode.
The secure transmission protocol detection module comprises:
a data acquisition module for acquiring data in offline or online mode;
a detection interface module that passes the acquired data in turn through a data extraction and analysis sub-module, a detection information acquisition sub-module and a detection report generation sub-module, to complete reception and analysis, display of detection results, and generation and display of detection reports;
and a detection core module for performing IPSec VPN detection and SSL VPN detection analysis on the data extracted by the detection interface module.
Both the IPSec VPN detection and the SSL VPN detection have an offline detection mode and an online detection mode.
According to an embodiment of the present invention, a test method for the sensor network cryptographic security protocol test system is further provided, the test method comprising:
S101, the client acquires first data based on the user's address information and sends the first data to the secure transmission protocol detection module;
S102, the secure transmission protocol detection module judges from the acquired first data whether offline detection or online detection is to be carried out, and enters the offline detection mode or the online detection mode accordingly; after the pre-detection of the offline or online detection mode, a preprocessing service is started, the offline data file stored on the server is read or the online data file is acquired, and the effective data are extracted; the process advances to step S103;
S103, the analysis and detection service sets the detection sequence, calls the IPSec VPN/SSL VPN cryptographic library and starts detection: the data packets are organized into the standard IPSec/SSL data structure format according to GM/T 0022 (the IPSec VPN technical specification) or GM/T 0024 (the SSL VPN technical specification), and the second data are extracted. The correctness and compliance of the second data are detected, a detection report is generated and stored on the server as a file, and the detection result together with the preset detection information is fed back to the analysis and detection service, where the preset detection information comprises the detection type, detection time, detection personnel, detection report path, detection result and similar data. The preset detection information is stored in a detection report database, and the detection result information is generated and fed back to the convergence display service; during detection a heartbeat monitoring mode is used, and real-time detection information is generated and fed back to the convergence display service.
The pre-detection in the offline detection mode comprises the following steps:
setting the offline detection mode, setting the parameters of the offline data path to be detected, storing the offline data file on the local PC (personal computer) terminal, and starting detection;
and reading the offline data from the local PC terminal, uploading it to the designated path on the server, and storing it there as a file.
The pre-detection in the online detection mode comprises the following steps:
setting the online detection mode, setting the IP address to be detected and the packet capturing depth, and starting detection;
and starting the online packet capturing module, capturing the IPSec/SSL protocol data exchanged between the client and the server, and storing the online data as a file.
S104, the convergence display service acquires the real-time detection information and the detection result information;
and S105, the convergence display service displays the detection result on a web interface in real time.
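The offline pre-detection and the "effective data" extraction of step S102, as an added example that is not the patent's code: it reads a pcap file as the offline data file stored on the server, keeps only the packets to or from the IP address under test that belong to SSL (TCP port 443) or IPSec (IKE on UDP 500/4500, or ESP, IP protocol 50), and returns the classified payloads for the analysis and detection service. Using TCP 443 as the SSL VPN port, reading the packet capturing depth as a maximum packet count, and the sample pcap bytes are all assumptions or constructed input for this example; the online mode would feed the same extractor from a live packet capture instead of a file.

```python
"""Added example (not the patent's implementation): offline data acquisition.
Reads a pcap file and extracts the SSL/IPSec packets that involve the IP
address under test, as the 'effective data' handed to the detection core."""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def iter_pcap_packets(data):
    """Yield (timestamp, frame_bytes) from a little-endian Ethernet pcap."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported capture format")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Decode Ethernet/IPv4 and the TCP, UDP or ESP layer; None for other traffic."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:     # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    proto = ip[9]
    pkt = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20])}
    l4 = ip[ihl:total_len]
    if proto == 6:      # TCP: ports, then data offset in 32-bit words
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", l4, 0)
        pkt.update(proto="tcp", payload=l4[(l4[12] >> 4) * 4:])
    elif proto == 17:   # UDP
        pkt["sport"], pkt["dport"], ulen = struct.unpack_from("!HHH", l4, 0)
        pkt.update(proto="udp", payload=l4[8:ulen])
    elif proto == 50:   # ESP: SPI and sequence number, then the encrypted payload
        pkt["spi"], pkt["seq"] = struct.unpack_from("!II", l4, 0)
        pkt.update(proto="esp", payload=l4[8:])
    else:
        return None
    return pkt


def extract_effective_data(pcap_bytes, target_ip, depth=None):
    """Return [(kind, timestamp, payload)] for SSL/IPSec packets to or from target_ip.
    depth (assumed meaning of 'packet capturing depth'): stop after this many packets."""
    selected = []
    for n, (ts, frame) in enumerate(iter_pcap_packets(pcap_bytes)):
        if depth is not None and n >= depth:
            break
        pkt = parse_frame(frame)
        if pkt is None or target_ip not in (pkt["src"], pkt["dst"]):
            continue
        if pkt["proto"] == "tcp" and 443 in (pkt["sport"], pkt["dport"]) and pkt["payload"]:
            selected.append(("ssl", ts, pkt["payload"]))
        elif pkt["proto"] == "udp" and {pkt["sport"], pkt["dport"]} & {500, 4500}:
            selected.append(("ipsec-ike", ts, pkt["payload"]))
        elif pkt["proto"] == "esp":
            selected.append(("ipsec-esp", ts, pkt["payload"]))
    return selected


# --- constructed sample capture (not real traffic) ---------------------------
def _ipv4(src, dst, proto, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + hdr + l4          # Ethernet frame with zero MACs


def _tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def build_sample_pcap():
    frames = [
        _ipv4("10.0.0.2", "10.0.0.1", 6, _tcp(51000, 443, b"\x16\x01\x01\x00\x05hello")),  # TLCP record
        _ipv4("10.0.0.1", "10.0.0.3", 50, struct.pack("!II", 0x1234, 1) + b"\xaa" * 16),   # ESP
        _ipv4("10.0.0.2", "10.0.0.1", 6, _tcp(51001, 80, b"GET / HTTP/1.0\r\n\r\n")),      # ignored
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1620000000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_sample_pcap()

if __name__ == "__main__":
    for kind, ts, payload in extract_effective_data(SAMPLE_PCAP, "10.0.0.1"):
        print(kind, ts, payload[:8].hex())
```

For target 10.0.0.1 the extractor returns the TLCP record and the ESP packet and drops the plain HTTP packet; for 10.0.0.3 only the ESP packet is selected. Filtering by the address under test before handing data to the detection core keeps unrelated hosts' traffic out of the report, and the ESP payload is kept only for structural checks (SPI, sequence number), since its content cannot be inspected without the SA keys.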
It will be evident to those skilled in the art that the embodiments of the present invention are not limited to the details of the foregoing illustrative embodiments, and that the embodiments of the present invention are capable of being embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the embodiments being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. Several units, modules or means recited in the system, apparatus or terminal claims may also be implemented by one and the same unit, module or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.
Finally, it should be noted that the above embodiments are only used for illustrating the technical solutions of the embodiments of the present invention and not for limiting, and although the embodiments of the present invention are described in detail with reference to the above preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions can be made on the technical solutions of the embodiments of the present invention without departing from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (9)

1. A sensor network cryptographic security protocol test system, characterized by comprising a client, a secure transmission protocol detection module, an operating system and hardware equipment, wherein the client acquires a user's address and information and sends them to the secure transmission protocol detection module, and the secure transmission protocol detection module acquires online data packets or offline data according to the acquired address and information and performs SSL protocol and IPSec protocol detection on the data; the operating system is one of a Linux operating system and a Windows operating system; and the hardware equipment is the equipment supporting the cryptographic security protocol test system.
2. The sensor network cryptographic security protocol test system according to claim 1, characterized in that the client is an external interaction platform for selecting the corresponding detection mode.
3. The sensor network cryptographic security protocol test system according to claim 2, characterized in that the secure transmission protocol detection module comprises:
a data acquisition module for acquiring data in offline or online mode;
a detection interface module that passes the acquired data in turn through a data extraction and analysis sub-module, a detection information acquisition sub-module and a detection report generation sub-module, to complete reception and analysis, display of detection results, and generation and display of detection reports;
and a detection core module for performing IPSec VPN detection and SSL VPN detection analysis on the data extracted by the detection interface module.
4. The sensor network cryptographic security protocol test system according to claim 3, characterized in that the IPSec VPN detection comprises an offline detection mode and an online detection mode, and the SSL VPN detection comprises an offline detection mode and an online detection mode.
5. A method for testing with the sensor network cryptographic security protocol test system according to claim 4, characterized in that the method comprises:
S101, the client acquires first data based on the user's address information and sends the first data to the secure transmission protocol detection module;
S102, the secure transmission protocol detection module judges from the acquired first data whether offline detection or online detection is to be carried out, and enters the offline detection mode or the online detection mode accordingly; after the pre-detection of the offline or online detection mode, a preprocessing service is started, the offline data file stored on the server is read or the online data file is acquired, and the effective data are extracted; the process advances to step S103;
S103, the analysis and detection service sets the detection sequence, calls the IPSec VPN/SSL VPN cryptographic library and starts detection: the data packets are organized into the standard IPSec/SSL data structure format according to GM/T 0022 (the IPSec VPN technical specification) or GM/T 0024 (the SSL VPN technical specification), the second data are extracted and their correctness and compliance are detected, a detection report is generated and stored on the server as a file, and the detection result together with the preset detection information is fed back to the analysis and detection service; the preset detection information is stored in a detection report database, and the detection result information is generated and fed back to the convergence display service; during detection a heartbeat monitoring mode is used, and real-time detection information is generated and fed back to the convergence display service;
S104, the convergence display service acquires the real-time detection information and the detection result information;
and S105, the convergence display service displays the detection result on a web interface in real time.
6. The method according to claim 5, characterized in that the pre-detection in the offline detection mode comprises:
setting the offline detection mode, setting the parameters of the offline data path to be detected, storing the offline data file on the local PC (personal computer) terminal, and starting detection;
and reading the offline data from the local PC terminal, uploading it to the designated path on the server, and storing it there as a file.
7. The method according to claim 5, characterized in that the pre-detection in the online detection mode comprises:
setting the online detection mode, setting the IP address to be detected and the packet capturing depth, and starting detection;
and starting the online packet capturing module, capturing the IPSec/SSL protocol data exchanged between the client and the server, and storing the online data as a file.
8. The method according to claim 5, characterized in that the second data comprises the protocol header, the cipher suite, the client and server certificates, and the ciphertext.
9. The method according to claim 5, characterized in that the preset detection information comprises the detection type, detection time, detection personnel, detection report path and detection result.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110513178.6A CN113162947A (en) 2021-05-11 2021-05-11 System and method for testing sensor network cryptographic security protocol


Publications (1)

Publication Number Publication Date
CN113162947A true CN113162947A (en) 2021-07-23

Family

ID=76874691

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110513178.6A Pending CN113162947A (en) 2021-05-11 2021-05-11 System and method for testing sensor network cryptographic security protocol

Country Status (1)

Country Link
CN (1) CN113162947A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116346688A (en) * 2023-05-24 2023-06-27 江苏金盾检测技术股份有限公司 SSL VPN security authentication gateway service compliance detection system and method based on active scanning
CN116346688B (en) * 2023-05-24 2023-08-04 江苏金盾检测技术股份有限公司 SSL VPN security authentication gateway service compliance detection system and method


Legal Events

Date Code Title Description
PB01 Publication