CN113904788A - Block chain-based network frame security verification method and SDN switch

Info

Publication number
CN113904788A
Authority
CN
China
Prior art keywords
verification
data
verified
host
public key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110926301.7A
Other languages
Chinese (zh)
Inventor
陈何雄
罗宇薇
罗震宇
杭菲璐
郭威
谢林江
何映军
毛正雄
张振红
韦云凯
杨宁
李良
许茂林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Center of Yunnan Power Grid Co Ltd
Original Assignee
Information Center of Yunnan Power Grid Co Ltd
Application filed by Information Center of Yunnan Power Grid Co Ltd
Priority to CN202110926301.7A
Publication of CN113904788A
Legal status: Pending

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/08 for authentication of entities
        • H04L63/10 for controlling access to devices or network resources
        • H04L63/12 Applying verification of the received information
            • H04L63/123 received data contents, e.g. message integrity
        • H04L63/14 for detecting or protecting against malicious traffic
            • H04L63/1408 by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L9/3247 involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a block chain-based network frame security verification method and an SDN switch. The method comprises the following steps: S1, the current SDN switch receives data to be verified sent by a directly connected user host; S2, the data to be verified is parsed and identified, and a probability judgment algorithm generated from the verification probability p decides whether the data to be verified undergoes forwarding verification; if so, go to step S3, otherwise go to step S4; S3, the data to be verified is verified according to a forwarding verification algorithm; S4, the data to be verified is sent directly to other SDN switches. Combining the characteristics of SDN networks, the invention provides a consensus algorithm based on frame forwarding certification, combines semi-random selection verification with verification information maintenance, and designs a data frame security verification mechanism that avoids the problems of single-point failure and private key leakage and can identify the source validity and content security of a data frame under reasonable system overhead.

Description

Block chain-based network frame security verification method and SDN switch
Technical Field
The invention relates to the field of communication network security, in particular to a network frame security verification method based on a block chain and an SDN switch.
Background
An SDN network improves the flexibility of network deployment by separating the data plane and the control plane of traditional network equipment, and offers greater openness and programmability. As network security and adversarial problems become more prominent, an SDN network operating in an adversarial environment with malicious nodes must provide effective security verification of the data frames transmitted within it.
Currently, there are several approaches to data frame verification. (1) Verification bits, such as checksums, are added to the data frame. This mainly guards against non-adversarial errors such as bit errors during transmission and is not suitable for adversarial environments. (2) Path verification. The actual forwarding path of the data frame is compared with the forwarding path issued by the SDN controller (the predetermined forwarding path), ensuring that every device the data frame passes through is a legal and trusted device; if a device on the predetermined path shows abnormal forwarding behaviour, that behaviour can also serve as grounds for suspecting the device. However, this kind of method cannot guarantee the reliability of the data frame's source, and when a malicious device only tampers with the frame content while still following the predetermined path, the mechanism cannot recognize the tampering. (3) Source node verification. The sender of the data frame is confirmed to be a legal node approved by the system through some label or mechanism agreed between the verifier (such as an SDN controller, a designated verification server or a network device) and the verified party (a communication terminal host). However, such verification mechanisms are usually based on a centralized architecture, and when the central node is attacked and fails, the whole verification architecture fails. (4) Encryption protection. This can be used for overall protection of the data frame. However, with a symmetric key, disclosure of the key introduces additional risk to the system; with asymmetric keys, full-text encryption of data frames incurs significant overhead.
In practice there are also schemes that combine two or more of these approaches, but they place an even greater resource burden on the system. The existing verification mechanisms in an SDN network therefore have certain defects. Designing, under reasonable system overhead and on the basis of the distributed nature of the block chain, a data frame security verification mechanism that avoids single-point failure and private key leakage and can effectively identify the source validity and content security of data frames is thus of great significance.
Disclosure of Invention
The invention aims to provide a block chain-based network frame security verification method and an SDN switch. A block chain system for data frame security verification is constructed on a consensus method based on frame forwarding certification, and a verification information maintenance mechanism is built on that block chain system, so that the verification information and the verification process are implemented in a distributed way and secured under low and reasonable system overhead; to further reduce the verification overhead of the system without reducing verification performance, a semi-random selection verification mechanism is also provided. The method solves the problem that an existing data frame security verification system cannot operate effectively when its verification equipment is attacked or maliciously controlled.
A block chain-based network frame security verification method comprises the following steps:
S1, the current SDN switch receives data to be verified sent by a directly connected user host;
S2, the data to be verified is parsed and identified, and a probability judgment algorithm generated from the verification probability p decides whether the data to be verified undergoes forwarding verification; if so, go to step S3, otherwise go to step S4;
S3, the data to be verified is verified according to a forwarding verification algorithm;
S4, the data to be verified is sent directly to other SDN switches.
Further, the data to be verified is generated as follows:
the user host generates a message digest from the data frame with a preset hash function, then completes its private key update according to an internally stored pseudo-random number and its own identity attribute, encrypts the message digest with the updated private key to form a digital signature, and packages the digital signature together with the data frame to form the data to be verified.
Further, deciding in step S2 whether to forward-verify the data to be verified according to the probability judgment algorithm comprises the following steps:
S21, receiving the verification probability p that the SDN controller sends according to the network load, and updating the internally stored verification probability information;
S22, receiving the data to be verified, parsing and identifying it, extracting its source address and destination address, and generating a host-port number mapping table;
S23, identifying from the host-port number mapping table whether the device connected to the port on which the data was received is a directly connected user host; if it is a directly connected user host, the judgment is 'yes'; if it is not a directly connected user host, the judgment of 'yes' or 'no' is made according to the verification probability p.
Further, performing forwarding verification on the data to be verified in step S3 according to the forwarding verification algorithm comprises the following steps:
S31, hashing the data to be verified with the preset hash function to obtain a first message digest;
S32, looking up the public key of the corresponding user host in the block chain and decrypting the digital signature carried by the data frame with it to obtain a second message digest;
S33, the SDN switch compares the first message digest with the second message digest; if they are the same, they are judged consistent and the data to be verified is forwarded to other SDN switches, otherwise the data to be verified is discarded.
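The following Go program is an added example, not code from the patent or from Information Center of Yunnan Power Grid Co Ltd; it carries steps S1 to S4, S21 to S23 and S31 to S33 through on constructed data. The host derives its private key from the stored pseudo-random number and its identity attribute, signs the digest of a frame and packages both; the switch always verifies frames from its directly connected hosts, verifies the rest with probability p, and on verification recomputes the digest and checks it against the signature with the public key it reads from its copy of the chain. Ed25519 stands in for the unspecified signature scheme and SHA-256 for the preset hash function; the key derivation (SHA-256 of the previous seed, the pseudo-random number and the MAC address, used as the Ed25519 seed), the MAC addresses, the Switch structure and all sample values are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/rand"
)

// VerifiedData is the "data to be verified": the frame packaged with the
// host's digital signature over the frame's message digest.
type VerifiedData struct {
	SrcMAC, DstMAC string
	Frame          []byte
	Sig            []byte
}

// deriveKey models the host's private key update from the controller-issued
// pseudo-random number and its identity attribute. Assumption of this example:
// the new Ed25519 seed is SHA-256(old seed || prn || MAC); only the old seed is
// secret, since prn and MAC are known to the network.
func deriveKey(oldSeed, prn []byte, mac string) ed25519.PrivateKey {
	h := sha256.New()
	h.Write(oldSeed)
	h.Write(prn)
	h.Write([]byte(mac))
	return ed25519.NewKeyFromSeed(h.Sum(nil)) // SHA-256 output is exactly the 32-byte seed
}

// hostSign builds the data to be verified: hash the frame with the preset hash
// function, sign the digest with the updated private key, package both.
func hostSign(priv ed25519.PrivateKey, src, dst string, frame []byte) VerifiedData {
	digest := sha256.Sum256(frame)
	return VerifiedData{SrcMAC: src, DstMAC: dst, Frame: frame, Sig: ed25519.Sign(priv, digest[:])}
}

// Switch holds what steps S21-S23 and S31-S33 need on the SDN switch.
type Switch struct {
	P          float64                      // verification probability p from the controller (S21)
	DirectHost map[string]bool              // host-port mapping: is this MAC directly connected? (S22)
	Chain      map[string]ed25519.PublicKey // public keys read from the local block chain (S32)
	rng        *rand.Rand                   // seeded so the example is reproducible
}

func NewSwitch(p float64, seed int64) *Switch {
	return &Switch{P: p, DirectHost: map[string]bool{}, Chain: map[string]ed25519.PublicKey{},
		rng: rand.New(rand.NewSource(seed))}
}

// shouldVerify is the probability judgment algorithm (S23): frames from a
// directly connected host are always verified, all others with probability p.
func (s *Switch) shouldVerify(src string) bool {
	if s.DirectHost[src] {
		return true
	}
	return s.rng.Float64() < s.P
}

// forwardVerify is the forwarding verification algorithm (S31-S33).
func (s *Switch) forwardVerify(d VerifiedData) error {
	digest := sha256.Sum256(d.Frame) // S31: first message digest
	pub, ok := s.Chain[d.SrcMAC]     // S32: public key of the source host from the chain
	if !ok {
		return errors.New("no public key on chain for " + d.SrcMAC)
	}
	// S33: Ed25519 verification succeeds only if the digest the host signed
	// (second digest) equals the recomputed first digest.
	if !ed25519.Verify(pub, digest[:], d.Sig) {
		return errors.New("digest mismatch: frame or signature tampered")
	}
	return nil
}

// Handle is S1-S4: it reports whether the frame is forwarded and whether it
// was actually verified before the decision.
func (s *Switch) Handle(d VerifiedData) (forward, verified bool) {
	if !s.shouldVerify(d.SrcMAC) { // S2 answered "no": S4, forward directly
		return true, false
	}
	if err := s.forwardVerify(d); err != nil { // S2 answered "yes": S3
		return false, true // discard
	}
	return true, true
}

func main() {
	mac := "aa:bb:cc:dd:ee:01" // constructed sample host
	priv := deriveKey([]byte("constructed-old-seed"), []byte("constructed-prn"), mac)
	sw := NewSwitch(0.5, 1)
	sw.DirectHost[mac] = true
	sw.Chain[mac] = priv.Public().(ed25519.PublicKey)
	d := hostSign(priv, mac, "aa:bb:cc:dd:ee:02", []byte("constructed frame payload"))
	fwd, ver := sw.Handle(d)
	fmt.Println("genuine frame: forwarded =", fwd, "verified =", ver)
	d.Frame = append([]byte{}, d.Frame...)
	d.Frame[0] ^= 0x01 // flip one bit after signing
	fwd, ver = sw.Handle(d)
	fmt.Println("tampered frame: forwarded =", fwd, "verified =", ver)
}
```

Two points the code makes explicit: with p = 0 a tampered frame from a host that is not directly connected is forwarded unverified, which is the trade-off the verification probability controls; and because the derivation is deterministic, the secrecy of the new private key rests entirely on the previous seed.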
Further, the pseudo-random number is used to update and maintain the private key according to a preset period of the SDN network, and the private key update comprises the following steps:
S101, the designated SDN switch that obtained the block right under the rules of the consensus algorithm based on frame forwarding certification generates a pseudo-random number and sends it to the SDN controller;
S102, the SDN switch receives public key update information sent by a directly connected user host, the public key update information being generated after the user host completes its private key update according to its own identity attribute and the pseudo-random number from the SDN controller.
Further, in step S102, the public key update information comprises the new public key of the host, the MAC address of the host, the old public key of the host, a digital signature made with the old private key of the host, and the update time.
Further, the SDN controller sends a pseudo-random number to the user hosts of the SDN network once every preset period; after updating its private key, a user host waits a preset time interval before enabling the new private key, and the preset time interval is smaller than the preset period.
Further, the designated switch in step S101 is determined as follows: once every consensus period, the designated SDN switch that obtains the block right under the rules of the consensus algorithm based on frame forwarding certification is determined, and the SDN switch that obtained the block right generates the pseudo-random number in the next consensus period.
Further, the SDN switch generates a new block from the public key update information by the consensus method based on frame forwarding certification and verifies the public key update information in the new block. Verifying the public key update information comprises integrity verification and validity verification. Integrity verification: the 'old host private key digital signature' is verified with the 'old host public key' in the public key update information, and if the verification succeeds the integrity verification passes. Validity verification: the old public key update information in the block chain whose update time differs from the current update time by less than two preset periods is retrieved, and the 'new host public key' in that old update information is compared with the 'old host public key' in the new update information; if they are the same, the validity verification passes.
Further, an SDN switch for security verification comprises:
a data receiving module, for receiving data to be verified from the user host;
a data source identification module, for parsing and identifying the data to be verified and judging, by the probability judgment algorithm generated from the verification probability p, whether the data to be verified is to be verified;
and a data forwarding verification module, for performing forwarding verification of the data to be verified with the forwarding verification algorithm when the judgment result is that it is to be verified, and for sending the data to be verified directly to other SDN switches otherwise.
In an SDN network, the existing verification mechanisms are mostly a single verification mode or a combination of two; they incur a large amount of additional system overhead and have certain defects, for example tampering of a data frame cannot be effectively identified. The mechanism of the invention fully utilizes the traceability and tamper resistance of the block chain and ensures the reliability and safety of the verification information.
The block chain-based verification information maintenance mechanism comprises pseudo-random number issuing and public key information updating. First, the switch that obtained the block right in the previous round generates a pseudo-random number and uploads it to the controller; the controller then periodically issues the pseudo-random number to the hosts, and each host completes the update of its private key; regularly updating the verification information strengthens the security of the verification mechanism. Even if the controller is untrusted, the verification mechanism still operates effectively as long as the controller issues pseudo-random numbers; if the controller stops issuing them, only the update of the verification information is affected, not the verification behaviour of the switches, and this behaviour serves as grounds for suspecting the controller. The host publishes its updated public key to the network as verification information; the switches collect it, confirm its integrity and legality and maintain it in the form of a block chain, which prevents the injection of false verification information and guarantees that the verification information is not tampered with and the verification mechanism still operates effectively when a switch is attacked or controlled.
The invention has the following beneficial effects:
1. The block chain-based verification information maintenance mechanism fully utilizes the traceability and tamper resistance of the block chain and ensures the reliability and safety of the verification information: the user host publishes its updated public key to the network as verification information, and the switches collect it, confirm its integrity and validity and maintain it in the form of a block chain, which prevents the injection of false verification information and guarantees that the verification information is not tampered with and the verification mechanism still operates effectively when an SDN switch is attacked or controlled;
2. The semi-random selection verification mechanism provided by the invention is implemented cooperatively by the SDN controller and the SDN switch, which ensures verification performance while reducing verification cost;
3. The system can effectively identify the source validity and verify the content security of the data frames transmitted in the network, and ensures that the verification mechanism still operates normally when part of the network equipment is infected by bot or trojan malware or is under remote malicious control.
Drawings
FIG. 1 is a schematic diagram of a block chain-based network frame security verification method according to the present invention;
FIG. 2 is a schematic diagram of an SDN switch architecture for security verification according to the present invention;
FIG. 3 is a flow chart of a frame forwarding certification consensus method according to the present invention;
FIG. 4 is a schematic diagram of a semi-random selection verification mechanism according to the present invention;
FIG. 5 is a schematic diagram of a verification information maintenance mechanism according to the present invention.
Detailed Description
The present invention will be described in further detail with reference to examples and drawings, but the present invention is not limited to these examples.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "longitudinal", "lateral", "horizontal", "inner", "outer", "front", "rear", "top", "bottom", and the like indicate orientations or positional relationships that are based on the orientations or positional relationships shown in the drawings, or that are conventionally placed when the product of the present invention is used, and are used only for convenience in describing and simplifying the description, but do not indicate or imply that the device or element referred to must have a particular orientation, be constructed in a particular orientation, and be operated, and thus should not be construed as limiting the invention.
In the description of the present invention, it should also be noted that, unless otherwise explicitly specified or limited, the terms "disposed," "open," "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Examples
Specifically, the consensus method based on the frame forwarding certification includes:
Since the digital signature is generated by the host and transmitted with the data frame, only a switch that actually forwarded the frame can obtain it; it therefore serves as the frame forwarding certificate, and its generation is described in detail under the semi-random selection verification mechanism. The consensus algorithm based on frame forwarding certification comprises three stages: the certificate collection stage, the block-right consensus stage and the block consensus stage. Denote the time for collecting digital signatures (frame forwarding certificates) as $T_c$, the time to reach consensus on the block right as $T_w$, the time for the new block to go on chain as $T_u$, and the consensus period as $T_f$; then $T_f = T_c + T_w + T_u$.
To better describe the consensus algorithm based on frame forwarding certification, the following definitions are made (expressions that appear only as images in the source are marked [equation image]). Denote the set of SDN switches as $S$, with $m$ members, $S = \{s_1, s_2, \ldots, s_m\}$; denote the set of hosts as $H$, with $n$ members, $H = \{h_1, h_2, \ldots, h_n\}$. The link between an SDN switch and a host is denoted [equation image]; if $s_i$ and $h_j$ have a single-hop connection between them then [equation image], otherwise [equation image]. Accordingly, the set of hosts directly connected to an SDN switch is [equation image], with size [equation image].
In the certificate collection period $T_c$, the set of digital signatures generated by all hosts in the network is denoted $D$, with $a$ members, $D = \{d_1, d_2, \ldots, d_a\}$. The generating relationship between a host and a digital signature is denoted [equation image]; if the signature was generated by that host then [equation image], otherwise [equation image]. In period $T_c$ a single host generates the digital signature set [equation image], with size [equation image]. Thus, in period $T_c$, the digital signature set an SDN switch receives from its directly connected hosts can be represented as [equation image], with size [equation image]. Because each host is directly connected to one and only one SDN switch, [equation image] holds. The probability that an SDN switch obtains the block right is [equation image].
As can be seen, the total number of data frames an SDN switch forwards for its directly connected hosts depends on the number of directly connected hosts and the number of data frames each of them sends. An SDN switch that bears more data frame verification work has a stricter requirement on the timeliness of public key information updates; giving such a switch the block right is therefore beneficial for timely verification, for filtering illegal data frames and for reducing unnecessary forwarding cost.
The following is a brief description of each stage; the specific flow is shown in FIG. 3.
In the certificate collection phase ($T_c$), the switch collects the digital signatures of its directly connected hosts, each time keeping the digital signature with the smaller value and recording the storage time; this time is used as the selection basis among digital signatures of equal value in the block-right consensus stage. The specific steps are as follows:
Step 1: the SDN switch forwards and verifies a data frame sent by a directly connected host; if the frame passes verification, the digital signature it carries is recorded as $d_{new}$, together with the record time $t_{new}$ and related information; if the currently recorded signature $d_{local}$ is 0 (no record yet), $d_{local}$ is updated with the information of $d_{new}$;
Step 2: compare the newly recorded signature $d_{new}$ with the originally recorded signature $d_{local}$, always keep the smaller one as $d_{local}$, and update the record time $t_{local}$ and related information at the same time;
Step 3: repeat step 1 and step 2 until the certificate collection duration exceeds $T_c$, then enter the block-right consensus stage.
Thus, after the certificate collection phase ends, the SDN switch holds the digital signature $d_{local}$ with the minimum value generated by its directly connected hosts within $T_c$, together with its related information.
In the block-right consensus phase ($T_w$), the switch sends the digital signature $d_{local}$ recorded at the end of the $T_c$ period, together with its related information, to the other SDN switches by multicast, verifies the digital signature records received from other SDN switches, always keeps the one with the smaller value after comparison as $d_{min}$, and updates the related information of $d_{min}$. The steps are as follows:
Step 1: send $d_{local}$, $t_{local}$ and related information to the other SDN switches by multicast, and initialize the minimum signature $d_{min}$ and its corresponding information from $d_{local}$;
Step 2: record a digital signature received from another SDN switch as $d_{new}$, compare $d_{new}$ with the current minimum signature $d_{min}$, and always keep the smaller one as $d_{min}$; if a digital signature with the same value is received, keep the one with the earlier record time as $d_{min}$, updating the record time $t_{local}$ and related information at the same time;
Step 3: repeat step 2 until the block-right consensus period exceeds $T_w$, then enter the block consensus stage.
Thus, after the block-right consensus stage ends, the SDN switches reach a basic consensus on the record of the digital signature $d_{min}$ with the minimum value, and the switch that recorded it obtains the block right.
In the block consensus phase ($T_u$), the SDN switch that obtained the block right issues a new block; the other SDN switches wait to receive the new block and store the confirmed new block in their local block chain. The steps are as follows:
Step 1: judge whether this switch has obtained the block right (i.e. is the recorder of the minimum digital signature); if so, issue a new block and go to step 5, otherwise go to step 2;
Step 2: request the new block from a neighbouring SDN switch and wait to receive it;
Step 3: confirm the validity and legality of the received new block; if it passes confirmation, store it in the local block chain and go to step 5;
Step 4: repeat step 2 and step 3;
Step 5: when the duration of the block consensus period exceeds $T_u$, enter the next consensus cycle.
Here, the SDN switch confirms the validity of a received new block by checking the block issuer against $d_{min}$ of the current consensus period; legality confirmation is the confirmation of the public key update information contained in the new block, whose specific meaning is described under the block chain-based verification information maintenance mechanism.
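The following Go simulation is an added example, not code from the patent, and carries the three stages above through on constructed signature values: each switch keeps the smallest signature it forwarded during $T_c$ as $d_{local}$, the switches multicast their $d_{local}$ during $T_w$ and converge on $d_{min}$ with the earlier record time breaking ties, and a block is accepted only if its issuer is the recorder of $d_{min}$. It also repeats the process over many consensus periods to show the point made earlier, that a switch forwarding more frames obtains the block right more often. Representing a signature value as an unsigned integer, the integer record times and the switch identifiers are assumptions of this example.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Record is one digital signature record kept by a switch: the signature value
// (the frame forwarding certificate), its record time and the recording switch.
// Assumption: the value is a uint64; a real signature would be compared as bytes.
type Record struct {
	Sig      uint64
	Time     int64 // constructed record time t
	SwitchID string
}

// smaller reports whether candidate a should replace the kept record b: the
// smaller signature value wins, and equal values go to the earlier record time.
func smaller(a, b *Record) bool {
	if b == nil {
		return true
	}
	if a.Sig != b.Sig {
		return a.Sig < b.Sig
	}
	return a.Time < b.Time
}

// Switch holds d_local (certificate collection) and d_min (block-right consensus).
type Switch struct {
	ID    string
	local *Record
	min   *Record
}

// CollectProof is steps 1-2 of the certificate collection phase (T_c), run for
// every frame from a directly connected host that passed forwarding verification.
func (s *Switch) CollectProof(sig uint64, now int64) {
	r := &Record{Sig: sig, Time: now, SwitchID: s.ID}
	if smaller(r, s.local) {
		s.local = r
	}
}

// AcceptBlock is the validity check of the block consensus phase (T_u): a new
// block is accepted only if its issuer is the recorder of this period's d_min.
func (s *Switch) AcceptBlock(issuer string) bool {
	return s.min != nil && s.min.SwitchID == issuer
}

// RunConsensus simulates the block-right consensus phase (T_w): every switch
// multicasts d_local (step 1) and each receiver keeps the smaller of it and its
// current d_min (step 2). Records are totally ordered, so all switches end with
// the same d_min; its recorder obtains the block right and is returned.
func RunConsensus(switches []*Switch) string {
	for _, s := range switches {
		s.min = s.local
	}
	for _, sender := range switches {
		for _, recv := range switches {
			if sender.local != nil && recv != sender && smaller(sender.local, recv.min) {
				recv.min = sender.local
			}
		}
	}
	if switches[0].min == nil {
		return "" // nothing was forwarded in this period
	}
	return switches[0].min.SwitchID
}

// BlockRightWins runs `rounds` consensus periods in which switch i forwards
// frameCounts[i] frames carrying random signature values, and counts how often
// each switch obtains the block right.
func BlockRightWins(frameCounts []int, rounds int, seed int64) []int {
	rng := rand.New(rand.NewSource(seed))
	wins := make([]int, len(frameCounts))
	for r := 0; r < rounds; r++ {
		switches := make([]*Switch, len(frameCounts))
		for i, n := range frameCounts {
			switches[i] = &Switch{ID: fmt.Sprintf("s%d", i+1)}
			for j := 0; j < n; j++ { // constructed signature values, record time j
				switches[i].CollectProof(rng.Uint64(), int64(j))
			}
		}
		winner := RunConsensus(switches)
		for i, s := range switches {
			if s.ID == winner {
				wins[i]++
			}
		}
	}
	return wins
}

func main() {
	wins := BlockRightWins([]int{90, 10}, 2000, 1)
	fmt.Println("block right won by s1:", wins[0], "by s2:", wins[1])
}
```

With uniformly distributed signature values the switch holding 90 of the 100 certificates wins roughly nine periods in ten, which is the dependence on the number of forwarded frames that the probability expression above describes.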
On the basis of the consensus method based on frame forwarding certification, the invention provides a block chain-based verification information maintenance mechanism. The verification information is generated cooperatively by the system and the terminal hosts and is used to verify the digital signature carried by a data frame, so that the verification mechanism still operates effectively when network equipment is attacked or controlled. The mechanism fully utilizes the traceability and tamper resistance of the block chain and ensures the reliability and safety of the verification information.
The block chain-based verification information maintenance mechanism comprises pseudo-random number issuing and public key information updating. First, the SDN switch that obtained the block right in the previous round generates a pseudo-random number and uploads it to the SDN controller; the SDN controller then periodically issues the pseudo-random number to the hosts, and each host completes the update of its private key; periodically updating the verification information strengthens the security of the verification mechanism. Even if the controller is untrusted, the verification mechanism still operates effectively as long as the controller issues pseudo-random numbers; if the SDN controller stops issuing them, only the update of the verification information is affected, not the verification behaviour of the SDN switches, and this behaviour serves as grounds for suspecting the SDN controller. The host publishes its updated public key to the network as verification information; the SDN switches collect it, confirm its integrity and validity and maintain it in the form of a block chain, which prevents the injection of false verification information and guarantees that the verification information is not tampered with and the verification mechanism still operates effectively when an SDN switch is attacked or controlled.
The mechanism comprises the two processes of pseudo-random number issuing and verification information updating. To ensure the randomness of the pseudo-random numbers, the SDN switch that obtained the block right in the previous consensus period uses the Mersenne Twister algorithm to quickly generate a high-quality pseudo-random number and uploads it to the controller; the SDN controller then periodically issues the pseudo-random number to the hosts for their periodic private key updates. Every time a host updates its public key it must publish public key update information containing a signature, and this public key update information, as verification information, is maintained by the switches in the form of a block chain.
As shown in fig. 4, the verification information update process is as follows:
step 1: the SDN controller periodically transmits a pseudo-random number to the network hosts;
step 2: the host uses the pseudo-random number and its own information to complete the private key update, and publishes in the network public key update information containing the new host public key, the host MAC address, the old host public key, a digital signature made with the old host private key, and the update time;
step 3: the SDN switch confirms integrity by verifying the signature of the public key update information, and confirms validity by searching the historical public key update information for a record whose 'new host public key' equals the 'old host public key' of the current public key update information;
step 4: if the confirmation passes, the update information is saved and waits to be written to the block chain; if the confirmation does not pass, the update information is discarded.
To prevent a host from generating a signature with the previous round's private key after the new private key has been written to the block chain, or from generating a signature with a new private key that has not yet been written to the block chain, the host waits for a period of time after updating its private key before enabling the new one. With the pseudo-random number issuing period (that is, the public key update period) denoted T_s and the delay before the new private key is enabled denoted T_k, the requirement is T_k < T_s, and at verification time the SDN switch should search the block chain for the public key corresponding to a distance of 2T_s from the current time. The specific values of T_k and T_s need to be adjusted according to the actual network scale.
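The update process above, as an added example that is not code from the patent: a host derives its next key from the controller's pseudo-random number and its own MAC, issues the signed update record of step 2, and the switch applies the integrity and validity checks of steps 3 and 4 before appending the record to an in-memory list standing in for the block chain, then looks up the candidate public keys within the 2T_s search distance. Ed25519 signatures, the SHA-256 key-derivation construction, the record byte layout, the out-of-band enrolment of a host's first key, and every address, seed, pseudo-random number and timestamp are assumptions or constructed values, not details given in the text.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// PublicKeyUpdate is the step-2 record: new and old public key, host MAC,
// signature by the old private key, update time (seconds on a constructed clock).
type PublicKeyUpdate struct {
	NewPub, OldPub ed25519.PublicKey
	MAC            string
	Sig            []byte
	Time           uint64
}

// signedBody is the byte string the old private key signs; the layout is an assumption.
func (u PublicKeyUpdate) signedBody() []byte {
	var b bytes.Buffer
	b.Write(u.NewPub)
	b.WriteString(u.MAC)
	b.Write(u.OldPub)
	binary.Write(&b, binary.BigEndian, u.Time)
	return b.Bytes()
}

func pubOf(priv ed25519.PrivateKey) ed25519.PublicKey { return priv.Public().(ed25519.PublicKey) }

// deriveNextKey models the host-side private key update from the controller's
// pseudo-random number and the host's own information (MAC, old seed); the text
// does not fix the derivation, so this SHA-256 construction is an assumption.
func deriveNextKey(mac string, oldSeed []byte, prn uint64) ed25519.PrivateKey {
	h := sha256.New()
	h.Write([]byte(mac))
	h.Write(oldSeed)
	binary.Write(h, binary.BigEndian, prn)
	return ed25519.NewKeyFromSeed(h.Sum(nil))
}

// NewUpdate builds and signs the record the host issues to the network.
func NewUpdate(mac string, oldPriv, newPriv ed25519.PrivateKey, t uint64) PublicKeyUpdate {
	u := PublicKeyUpdate{NewPub: pubOf(newPriv), OldPub: pubOf(oldPriv), MAC: mac, Time: t}
	u.Sig = ed25519.Sign(oldPriv, u.signedBody())
	return u
}

// KeyChain is the switch's view of the verification information: an append-only
// list of accepted records standing in for the block chain.
type KeyChain struct {
	Ts      uint64 // pseudo-random number issuing period (public key update period)
	Records []PublicKeyUpdate
}

// Enroll records a host's initial key; the text does not say how that first key
// becomes trusted, so an out-of-band enrolment is assumed.
func (c *KeyChain) Enroll(mac string, pub ed25519.PublicKey, t uint64) {
	c.Records = append(c.Records, PublicKeyUpdate{NewPub: pub, MAC: mac, Time: t})
}

// Accept performs steps 3 and 4: integrity (signature verifies under the record's old
// public key) and validity (that old key is the new key of an earlier record for the
// same host). Rejected records are discarded and never written to the chain.
func (c *KeyChain) Accept(u PublicKeyUpdate) error {
	if len(u.OldPub) != ed25519.PublicKeySize || !ed25519.Verify(u.OldPub, u.signedBody(), u.Sig) {
		return fmt.Errorf("integrity: signature does not verify under the old public key")
	}
	for _, r := range c.Records {
		if r.MAC == u.MAC && bytes.Equal(r.NewPub, u.OldPub) {
			c.Records = append(c.Records, u)
			return nil
		}
	}
	return fmt.Errorf("validity: old public key matches no earlier record for this host")
}

// KeysWithin returns the host's public keys from records of the last 2*Ts, the search
// distance the text prescribes: since a host enables its new key only after Tk < Ts, the
// previous and the current key may both appear on frames inside that window. A host whose
// newest record is older than 2*Ts gets no candidate key, so its frames fail verification.
func (c *KeyChain) KeysWithin(mac string, now uint64) []ed25519.PublicKey {
	var keys []ed25519.PublicKey
	for _, r := range c.Records {
		if r.MAC == mac && r.Time <= now && now-r.Time < 2*c.Ts {
			keys = append(keys, r.NewPub)
		}
	}
	return keys
}

func main() {
	const mac = "aa:bb:cc:dd:ee:01" // constructed; seeds, numbers and times below likewise
	c := &KeyChain{Ts: 60}
	k0 := deriveNextKey(mac, nil, 1)
	c.Enroll(mac, pubOf(k0), 0)
	k1 := deriveNextKey(mac, k0.Seed(), 0x5eed) // genuine rotation with the issued number
	fmt.Println("genuine update:", c.Accept(NewUpdate(mac, k0, k1, 60)))
	kx := deriveNextKey(mac, nil, 9) // key that never appeared in the chain
	fmt.Println("false verification information:", c.Accept(NewUpdate(mac, kx, k1, 120)))
	u := NewUpdate(mac, k1, deriveNextKey(mac, k1.Seed(), 0xbeef), 120)
	u.Time = 121 // record altered after signing
	fmt.Println("altered record:", c.Accept(u))
	fmt.Println("candidate keys at t=130:", len(c.KeysWithin(mac, 130)))
}
```

Running it, the genuine rotation is accepted while the record signed with a key the chain has never seen and the record altered after signing are both discarded; at t=130 with T_s=60 only the key published at t=60 is a candidate, the enrolment key having aged out of the 2T_s window.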
Building on the consensus method based on frame forwarding certification, the invention provides a semi-random selection verification mechanism: when a host sends a data frame, a digital signature is generated according to actual need and the random number and transmitted along with the frame, and the SDN switch, as the verification body, performs forwarding verification on the data frame. The semi-random selection verification mechanism is implemented cooperatively by the SDN controller and the switches, so that verification performance is ensured while verification overhead is reduced.
If every SDN switch on the forwarding path performed forwarding verification on the data frame, the network would carry a huge burden; if the SDN switches did not verify data frames at all, tampered data frames could still spread through the network, threatening network security and wasting controller and switch resources; and if the switch nodes that verify data were fixed, they could be subjected to targeted attack, further weakening the verification performance of the mechanism. To balance verification performance against verification overhead, the invention provides a semi-random selection verification mechanism: the network-in (ingress) switch and the network-out (egress) switch of a data frame must verify the frame, every other switch on the path verifies it with a certain probability, and the controller periodically adjusts that verification probability according to the network load.
When a host sends a data frame, it generates a message digest from the data text with a hash function, encrypts the digest with the private key derived from the pseudo-random number stored in the host, and sends the encrypted digest as the digital signature together with the message to the receiving side. The SDN switch first computes the message digest of the received original message with the same hash function as the host, then decrypts the digital signature attached to the message with the public key; if the two digests are identical, the receiving side can confirm that the message came from the sender. As shown in fig. 5, when performing forwarding verification the SDN switch hashes the data to be verified with the agreed hash function to obtain message digest 1, looks up the corresponding host public key in the block chain and decrypts the digital signature carried by the data frame to obtain message digest 2, and then compares message digest 1 with message digest 2: if they are consistent the frame is forwarded, otherwise it is discarded.
The SDN controller calculates a verification probability p according to the network load condition and issues it to the SDN switches in the network. If the actual throughput of the network is denoted T_r and the theoretical throughput T_t, then the network load rate is [equation image, not recovered]. The SDN controller periodically adjusts the verification probability according to [equation image, not recovered], where [equation image, not recovered]. When the network load rate is lower, the verification probability is adjusted up to improve verification effectiveness, and when the network load rate is higher, the verification probability is adjusted down to reduce verification overhead, so that verification performance and verification overhead are balanced.
If the SDN switch forwarding the frame is neither the network-in switch nor the network-out switch of that frame, it executes forwarding verification according to the given verification probability; otherwise it executes forwarding verification directly. The SDN switch can determine whether it is the network-in or network-out switch of the frame by checking, from the frame's source and destination addresses, whether the device connected to the matching receiving or transmitting port is a host. Verification at the network-in switch filters false network frames as early as possible, saving network resources; verification at the network-out switch ensures that the data frames delivered to the destination host are safe and untampered; and verification at the intermediate SDN switches prevents tampered network frames from spreading further.
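The host-side signing, the forwarding verification of fig. 5 and the semi-random selection rule of the last three paragraphs, combined in one added example that is not code from the patent. The host signs the SHA-256 digest of the payload; a switch decides whether to verify from its host-port mapping (network-in or network-out switch: always) or from the controller-issued probability p, and verification recomputes digest 1 and checks it against the digest bound in the signature under the sender's public key. Ed25519 sign/verify replaces the textbook "encrypt the digest with the private key, decrypt with the public key" the text describes, the public keys sit in a map standing in for the block chain lookup, and because the load-rate and probability formulas survive only as images, the ratio T_r/T_t and the linear map onto [p_min, p_max] are assumptions; all addresses and payloads are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	mrand "math/rand"
)

// Frame is a data frame as the host sends it; the signature over the SHA-256
// digest of the payload travels with it (the field layout is an assumption).
type Frame struct {
	SrcMAC, DstMAC string
	Payload, Sig   []byte
}

// NewHostKey generates a host key pair; key rotation is not modelled in this block.
func NewHostKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// PublicKeyOf is what the host publishes as its verification information.
func PublicKeyOf(priv ed25519.PrivateKey) ed25519.PublicKey { return priv.Public().(ed25519.PublicKey) }

// SignFrame is the host side: hash the data, sign the digest, attach the signature.
// Ed25519 signing stands in for "encrypting the digest with the private key".
func SignFrame(priv ed25519.PrivateKey, src, dst string, payload []byte) Frame {
	d := sha256.Sum256(payload)
	return Frame{SrcMAC: src, DstMAC: dst, Payload: payload, Sig: ed25519.Sign(priv, d[:])}
}

// Switch holds what an SDN switch needs for semi-random selection verification.
type Switch struct {
	ID        string
	P         float64                      // verification probability issued by the controller
	keys      map[string]ed25519.PublicKey // stand-in for the block chain lookup
	hostPorts map[string]bool              // host-port mapping: MACs directly attached here
	rng       *mrand.Rand                  // seeded only so the demo is reproducible
}

func NewSwitch(id string, p float64, seed int64) *Switch {
	return &Switch{ID: id, P: p, keys: map[string]ed25519.PublicKey{},
		hostPorts: map[string]bool{}, rng: mrand.New(mrand.NewSource(seed))}
}

func (s *Switch) RegisterKey(mac string, pub ed25519.PublicKey) { s.keys[mac] = pub }
func (s *Switch) AttachHost(mac string)                          { s.hostPorts[mac] = true }

// IsEdgeFor: this switch is the network-in or network-out switch of the frame when
// the frame's source or destination address belongs to a directly attached host.
func (s *Switch) IsEdgeFor(f Frame) bool { return s.hostPorts[f.SrcMAC] || s.hostPorts[f.DstMAC] }

// ShouldVerify: network-in and network-out switches always verify, the others with probability P.
func (s *Switch) ShouldVerify(f Frame) bool { return s.IsEdgeFor(f) || s.rng.Float64() < s.P }

// VerifyFrame recomputes message digest 1 from the data and checks it against the
// digest bound in the signature (message digest 2) under the sender's public key.
func (s *Switch) VerifyFrame(f Frame) bool {
	pub, ok := s.keys[f.SrcMAC]
	if !ok || len(pub) != ed25519.PublicKeySize {
		return false // no verification information for this source: discard
	}
	d := sha256.Sum256(f.Payload)
	return ed25519.Verify(pub, d[:], f.Sig)
}

// Forward returns true if the frame is forwarded and false if it is discarded.
func (s *Switch) Forward(f Frame) bool { return !s.ShouldVerify(f) || s.VerifyFrame(f) }

// VerificationProbability is the controller side. The text derives the load rate from
// actual throughput Tr and theoretical throughput Tt and raises p under low load, lowers
// it under high load; the ratio Tr/Tt and the linear map onto [pMin, pMax] are assumptions.
func VerificationProbability(tr, tt, pMin, pMax float64) float64 {
	if tt <= 0 {
		return pMax // no capacity figure: verify as much as possible (assumption)
	}
	load := tr / tt
	if load < 0 {
		load = 0
	} else if load > 1 {
		load = 1
	}
	return pMax - (pMax-pMin)*load
}

func main() {
	h1, h2 := "02:00:00:00:00:01", "02:00:00:00:00:02" // constructed host addresses
	key := NewHostKey()
	ingress := NewSwitch("s1", 0.5, 1)
	ingress.AttachHost(h1)
	ingress.RegisterKey(h1, PublicKeyOf(key))
	good := SignFrame(key, h1, h2, []byte("meter reading 42"))
	bad := good
	bad.Payload = []byte("meter reading 99") // altered in transit, signature unchanged
	fmt.Println("genuine forwarded:", ingress.Forward(good), "tampered forwarded:", ingress.Forward(bad))
	fmt.Printf("p at 20%% load %.2f, at 80%% load %.2f\n",
		VerificationProbability(20, 100, 0.1, 0.9), VerificationProbability(80, 100, 0.1, 0.9))
}
```

With p = 0 an intermediate switch forwards a tampered frame unverified, which is exactly the gap the mandatory verification at the network-in and network-out switches closes; raising p catches the frame at the intermediate switch as well, at the overhead the controller trades off against load.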
The invention combines SDN network characteristics and an SDN framework lightweight consensus method based on the block chain, fully utilizes the distributed, traceable and tamper-proof characteristics of the block chain to maintain verification information, implements semi-random selection verification and a verification information maintenance mechanism based on the block chain, and designs a data frame security verification mechanism which can avoid the problems of single-point failure and private key leakage and can identify the source validity and content security of a data frame under reasonable system overhead.
The foregoing is only a preferred embodiment of the present invention, and the present invention is not limited thereto in any way, and any simple modification, equivalent replacement and improvement made to the above embodiment within the spirit and principle of the present invention still fall within the protection scope of the present invention.

Claims (10)

1. A network frame security verification method based on a block chain is characterized by comprising the following steps:
s1, the current SDN switch receives data to be verified sent by the direct connection user host;
s2, analyzing and identifying the data to be verified according to the verification probability p to generate a probability judgment algorithm, judging whether the data to be verified is subjected to forwarding verification, if so, turning to the step S3, and if not, turning to the step S4;
s3, verifying the data to be verified according to a forwarding verification algorithm;
and S4, directly sending the data to be verified to other SDN switches.
2. The method according to claim 1, wherein the generation process of the data to be verified is as follows:
the method comprises the steps that a data frame and a preset hash function in a user host computer generate a message digest, then private key updating is completed according to an internal storage pseudo-random number and the identity attribute of the user host computer, the message digest is encrypted based on the updated private key to form a digital signature, and the digital signature and the data frame are packaged and packaged to form data to be verified.
3. The method according to claim 1, wherein the step S2 of determining whether to forward verify the data to be verified according to a probabilistic decision algorithm comprises the following steps:
s21, receiving a verification probability p sent by the SDN controller according to the network load condition and updating internally stored verification probability information;
s22, receiving the data to be verified, analyzing and identifying the data to be verified, analyzing and acquiring a source address and a destination address of the data to be verified, and generating a host-port number mapping table;
s23, identifying whether the device connected with the receiving and sending ports matched with the data is a direct connection user host according to the host-port number mapping table, and if the device connected is the direct connection user host, determining that the device is 'yes'; and if the connected equipment is the non-direct connection user host, judging the equipment to be yes or no according to the verification probability p.
4. The method according to claim 1, wherein the step S3 of performing forwarding verification on the data to be verified according to a forwarding verification algorithm includes the following steps:
s31, carrying out hash operation on the data to be verified according to a preset hash function to obtain a first message digest;
s32, searching the public key of the corresponding user host from the block chain to decrypt the digital signature carried by the data frame to obtain a second message digest;
and S33, the SDN switch judges the consistency of the first message abstract and the second message abstract, if the first message abstract and the second message abstract are the same, the consistency is judged and the data to be verified is forwarded to other SDN switches, otherwise, the data to be verified is discarded.
5. The method for verifying the network frame security based on the blockchain according to claim 2, wherein the pseudo random number updates and maintains a private key according to a preset period of an SDN network, and the step of updating the private key is as follows:
s101, obtaining a designated SDN switch of a block right under a consensus algorithm rule based on a frame forwarding certificate, generating a pseudo-random number and sending the pseudo-random number to an SDN controller;
s102, the SDN switch receives public key updating information sent by a direct connection user host, the public key updating information is that the user host completes private key updating according to identity attributes of the user host and pseudo-random numbers from an SDN controller, and public key updating information is generated.
6. The method according to claim 5, wherein the public key update information in step S102 includes a new host public key, a host MAC address, an old host public key, a digital signature of an old host private key, and update time.
7. The blockchain-based network frame security verification method according to claim 2, wherein the SDN controller sends the pseudo random number to a user host of the SDN network every preset period, and the user host waits for a preset time interval after updating the private key to enable a new private key, wherein the preset time interval is smaller than the preset period.
8. The method according to claim 5, wherein the designated switch in step S101 is: determining a designated SDN switch obtaining the block weight under a consensus algorithm rule based on frame forwarding certification every other consensus period, wherein the SDN switch obtaining the block weight generates a pseudo-random number in the next consensus period.
9. The method of claim 5, wherein the SDN switch generates the public key update information into a new block based on a frame forwarding certification consensus method, and verifies the public key update information in the new block, and the verification of the public key update information includes integrity verification and validity verification, and the integrity verification is that: verifying the 'old host private key digital signature' by using the 'old host public key' in the public key updating information, and if the verification is successful, the integrity verification is passed; the validity verification is as follows: and comparing and judging the 'new host public key' in the obtained old public key updating information with the 'old host public key' in the new public key updating information by calling the old public key information in the preset period, wherein the difference between the updating time and the current updating time in the block chain is less than two times, and if the obtained new host public key and the obtained old host public key are the same, the validity verification is passed.
10. An SDN switch for security verification, comprising:
a data receiving module for receiving data to be verified from the user host;
The data source identification module is used for analyzing and identifying the data to be verified according to the verification probability p and the generation probability judgment algorithm and judging whether the data to be verified is verified;
and the data forwarding verification module is used for performing forwarding verification on the data to be verified according to a forwarding verification algorithm or directly sending the data to be verified to other SDN switches.
CN202110926301.7A 2021-08-12 2021-08-12 Block chain-based network frame security verification method and SDN switch Pending CN113904788A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110926301.7A CN113904788A (en) 2021-08-12 2021-08-12 Block chain-based network frame security verification method and SDN switch

Publications (1)

Publication Number Publication Date
CN113904788A true CN113904788A (en) 2022-01-07

Family

ID=79187805

Country Status (1)

Country Link
CN (1) CN113904788A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108494581A (en) * 2018-02-09 2018-09-04 孔泽 The controller distributed information log generation method and device of SDN network
US20180349621A1 (en) * 2017-06-01 2018-12-06 Schvey, Inc. d/b/a/ Axoni Distributed privately subspaced blockchain data structures with secure access restriction management
CN109525397A (en) * 2018-10-12 2019-03-26 南京邮电大学 A kind of block chain and method towards SDN network stream rule safety guarantee
WO2019195755A1 (en) * 2018-04-05 2019-10-10 Neji, Inc. Network protocol for blockchain based network packets

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination