CN114338431A - Identity registration method, device and system - Google Patents

Info

Publication number: CN114338431A
Application number: CN202111638194.4A
Authority: CN (China)
Prior art keywords: mep, miap, information, meps, symmetric key
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN114338431B (en)
Inventors: 杨鑫宇, 王孟
Current assignee: Ruijie Networks Co Ltd
Original assignee: Ruijie Networks Co Ltd
Events: application filed by Ruijie Networks Co Ltd; priority to CN202111638194.4A; publication of CN114338431A; application granted; publication of CN114338431B; legal status active; anticipated expiration.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides an identity registration method, device and system that address two shortcomings of existing Ethernet OAM: its low security level and its inability to identify malicious MEPs. The method runs on a MIAP that shares a network maintenance area with a plurality of MEPs and comprises the following steps: the MIAP obtains the device information and public key of a first MEP; the MIAP verifies the validity of the first MEP's identity from its device information; once verification passes, the MIAP stores the first MEP's device information and public key; the MIAP sends first encryption information to the first MEP, namely a symmetric key encrypted under the first MEP's public key; the MIAP receives feedback information from the first MEP; and when the MIAP determines from the feedback that the first MEP has received the symmetric key, it marks the first MEP as successfully registered.

Description

Identity registration method, device and system
Technical Field
The present application relates to the field of data communication technologies, and in particular, to a method, an apparatus, and a system for identity registration.
Background
Operation, Administration and Maintenance (OAM) is a toolset for monitoring a network for faults: enabling OAM on two end-to-end connected devices lets a user monitor the state of the link between them. Ethernet is a simple, low-cost local area network technology with steadily increasing bandwidth that connects computers through switches.
Ethernet OAM is the application of OAM to Ethernet. In the Ethernet OAM mechanism, a network maintenance area is divided by network scale into Maintenance Entity Groups (MEGs), and each MEG into Maintenance Entities (MEs). Each ME can run Ethernet OAM to maintain and monitor the relationship between two points of a transmission path; the end points of that relationship are the MEG end points (MEPs).
Existing Ethernet OAM provides fault management, performance measurement and module linkage. Fault management covers link connectivity detection, loopback detection and alarm signal suppression; performance measurement covers packet loss rate, delay and jitter, and throughput; module linkage functions are defined by each vendor and are commonly used for failover and protection switching.
At present, a malicious MEP in a network maintenance area can send illegal instructions to other MEPs and thereby cut off network traffic or defeat fault detection. Existing Ethernet OAM has a low security level and cannot identify such malicious MEPs.
Disclosure of Invention
The application provides an identity registration method, device and system, which are used for solving the problems that the existing Ethernet OAM is low in security level and cannot identify malicious MEPs.
In a first aspect, the present application provides a registration method applied to a maintenance identity authentication node (MIAP) that is located in a network maintenance area together with a plurality of maintenance entity group end points (MEPs). The method comprises: the MIAP obtains the device information and public key of a first MEP, which is one of the plurality of MEPs; the MIAP verifies the validity of the first MEP's identity from its device information; once verification passes, the MIAP stores the first MEP's device information and public key; the MIAP sends first encryption information to the first MEP, namely a symmetric key encrypted under the first MEP's public key; the MIAP receives feedback information from the first MEP; and when the MIAP determines from the feedback that the first MEP has received the symmetric key, it marks the first MEP as successfully registered. The symmetric key is used by the first MEP to communicate with the other MEPs of the plurality.
In this method, within a network maintenance area the MIAP verifies the identities of the other MEPs (such as the first MEP), which supplies the MEP identity authentication that Ethernet OAM lacks. The MIAP issues a symmetric key for communication to each MEP that passes verification, giving the MEPs of the MEG a basis for authenticating each other and improving the security of their communication. A MEP that confirms receipt of the key is marked as successfully registered, which completes its registration. Adding identity authentication and registration of MEPs to Ethernet OAM in this way improves the management of MEPs and raises the security level of Ethernet OAM.
Optionally, the acquiring, by the MIAP, the device information and the public key of the first MEP includes: the MIAP sends first notification information in a multicast mode in the MEPs, wherein the first notification information is used for indicating the MEP receiving the first notification information to return own equipment information and a public key to the MIAP; the MIAP receives device information and a public key of the first MEP from the first MEP.
In this mode, the MIAP sends the first notification information to the MEP in the network maintenance area in a multicast mode, so that the efficiency and accuracy of obtaining the device information and the public key are improved.
Optionally, among the plurality of MEPs a higher-level MEP sends messages to MEPs of the same or a lower level; the MIAP receives messages from MEPs of every level; when the MIAP replies to a MEP's message, the reply carries that MEP's level; and when the MIAP sends the first notification information, it carries the highest level among the MEPs.
In this way MEPs sit at different levels and a MEP's messages are received only by the intended levels, which makes network communication more efficient, while the MIAP's messages reach every MEP in the network maintenance area and the MIAP receives every MEP's messages. This gives the MIAP a basis for managing the other MEPs and improves the reliability of the scheme.
Optionally, the MIAP verifies the validity of the first MEP's identity from its device information in one of two ways: the MIAP displays the first MEP's device information in a human-machine interface and, if first verification information (an operator's confirmation) is received, confirms that the identity is legitimate; or the MIAP checks whether the first MEP's device information satisfies a preset rule and, if so, confirms that the identity is legitimate.
The MIAP can thus verify the first MEP's identity in either of two ways, which makes the scheme more flexible to implement.
Optionally, the receiving, by the MIAP, feedback information from the first MEP includes: the MIAP receives feedback information from the first MEP, wherein the feedback information carries a first hash value, and the first hash value is obtained by performing hash calculation on the symmetric key by the first MEP; the determining, by the MIAP according to the feedback information, that the first MEP successfully receives the symmetric key includes: the MIAP compares the first hash value with a second hash value, wherein the second hash value is obtained by carrying out hash calculation on the symmetric key by the MIAP; if the first hash value is consistent with the second hash value, the MIAP confirms that the first MEP successfully receives the symmetric key.
The MIAP thus uses the hash value to decide whether the first MEP obtained the symmetric key before completing its registration, which improves the reliability of the scheme.
Optionally, if the first hash value does not match the second hash value, the MIAP sends the first encryption information to the first MEP again; once it has sent the first encryption information a preset number of times, the MIAP stops sending it and marks the first MEP as an MEP whose registration failed.
Resending the first encryption information to a MEP whose hash does not match improves the fault tolerance of the scheme; stopping after the preset number of attempts keeps resources from being wasted; and marking a MEP that never confirms receipt of the symmetric key as failed lets the MIAP distinguish successfully registered MEPs from failed ones.
Optionally, the MIAP periodically updates the symmetric key according to a preset time interval; sending the updated symmetric key to all registered MEPs in the plurality of MEPs.
In this way, the MIAP periodically updates the symmetric key, which can effectively avoid the risk of possible disclosure caused by long-term use of the same symmetric key. Meanwhile, the MIAP only updates the symmetric key to the registered MEPs, so that the MEPs with unknown identities can be prevented from acquiring the symmetric key to invade the communication between the MEPs, and the security level of the Ethernet OAM is further improved.
Optionally, the MIAP receives a logout (deregistration) instruction for the first MEP and deletes the first MEP's device information and public key.
A network administrator can thus deregister any MEP in the network maintenance area through the MIAP, which completes the management of all MEPs in the area, and can act promptly on a MEP found to be malicious, further raising the security level of Ethernet OAM.
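The registration exchange of the first aspect above, from the identity check through the hash-based confirmation, the bounded resend, the periodic key update sent only to registered MEPs, and deregistration, as an added Python example; it is not code from the patent or from Ruijie. Assumptions, all constructed for the example: a 16-byte symmetric key, a resend limit of three, a "preset rule" that accepts a vendor name and a serial-number format, SHA-256 as the hash, and textbook (unpadded, 512-bit, generated in-process) RSA standing in for whatever public-key scheme a deployment would use. One point worth noting about the construction: the feedback hash does double duty, since only a holder of the private key matching the submitted public key can decrypt the key and produce it, so it also ties that public key to the device whose information was checked.

```python
import hashlib
import hmac
import re
import secrets

KEY_LEN = 16        # symmetric key length in bytes (assumption; the patent fixes no length)
MAX_ATTEMPTS = 3    # the "preset number of times" the encrypted key is sent (assumption)

# Textbook RSA, just enough to carry a 16-byte key in a 512-bit modulus. Illustration only:
# a real MIAP would use a padded scheme such as RSA-OAEP from a vetted library.
def _is_probable_prime(n, rounds=16):         # Miller-Rabin with random witnesses
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force the top bit, make odd
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)   # (public key, private key)

def rsa_encrypt(pub, data):
    return pow(int.from_bytes(data, "big"), pub[0], pub[1])

def rsa_decrypt(priv, ciphertext, length=KEY_LEN):
    return pow(ciphertext, priv[0], priv[1]).to_bytes(length, "big")

def key_hash(key):                            # the patent's "first"/"second hash value"
    return hashlib.sha256(key).digest()

class MEP:                                    # a maintenance end point with its own key pair
    def __init__(self, device_info):
        self.device_info = device_info
        self.public_key, self._private_key = rsa_keygen()
        self.symmetric_key = None
    def on_encrypted_key(self, ciphertext):   # decrypt; the returned hash is the feedback
        self.symmetric_key = rsa_decrypt(self._private_key, ciphertext)
        return key_hash(self.symmetric_key)

class MIAP:                                   # the authentication node of one maintenance area
    SERIAL_RULE = re.compile(r"^RG-[0-9A-F]{8}$")   # a "preset rule" (constructed)
    def __init__(self, allowed_vendor="Ruijie"):
        self.allowed_vendor = allowed_vendor
        self.symmetric_key = secrets.token_bytes(KEY_LEN)
        self.registry = {}                    # serial -> {"info", "pub", "state", "attempts"}
    def on_register_request(self, info, public_key):
        serial = info.get("serial", "")
        if info.get("vendor") != self.allowed_vendor or not self.SERIAL_RULE.match(serial):
            return None                       # identity check failed: nothing is stored
        self.registry[serial] = {"info": info, "pub": public_key, "state": "pending", "attempts": 0}
        return self._send_key(serial)
    def _send_key(self, serial):              # the "first encryption information"
        self.registry[serial]["attempts"] += 1
        return rsa_encrypt(self.registry[serial]["pub"], self.symmetric_key)
    def on_feedback(self, serial, reported_hash):
        entry = self.registry[serial]
        if hmac.compare_digest(reported_hash, key_hash(self.symmetric_key)):
            entry["state"] = "registered"
            return None
        if entry["attempts"] >= MAX_ATTEMPTS: # give up after the preset number of sends
            entry["state"] = "failed"
            return None
        return self._send_key(serial)         # hash mismatch: resend the encrypted key
    def rotate_key(self):                     # periodic update, sent only to registered MEPs
        self.symmetric_key = secrets.token_bytes(KEY_LEN)
        return {s: rsa_encrypt(e["pub"], self.symmetric_key)
                for s, e in self.registry.items() if e["state"] == "registered"}
    def logout(self, serial):                 # deregistration: device info and public key go together
        self.registry.pop(serial, None)

def run_registration(mep, miap):              # the exchange end to end, driven from the MEP's side
    serial = mep.device_info["serial"]
    ciphertext = miap.on_register_request(mep.device_info, mep.public_key)
    while ciphertext is not None:             # keep answering until registered, failed or rejected
        ciphertext = miap.on_feedback(serial, mep.on_encrypted_key(ciphertext))
    return miap.registry.get(serial, {}).get("state")
```

`run_registration(MEP({"vendor": "Ruijie", "serial": "RG-0000A1B2"}), MIAP())` returns `"registered"` and leaves both sides holding the same key; a MEP that fails the preset rule gets no entry at all, and a MEP whose feedback never matches is marked `"failed"` after the third send. `rotate_key()` returns ciphertexts for registered MEPs only, so a failed or deregistered MEP never learns the new key.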
In a second aspect, the present application provides an identity registration method, where an MIAP and a plurality of MEPs are located in a network maintenance area, the method is applied to a first MEP, where the first MEP is one of the MEPs, and the method specifically includes: the first MEP sends the equipment information and the public key of the first MEP to the MIAP so that the MIAP can verify the validity of the identity of the first MEP based on the equipment information of the first MEP; the first MEP receives first encryption information, wherein the first encryption information is sent to the first MEP by the MIAP after the first MEP is confirmed to pass verification, and the first encryption information comprises a symmetric key encrypted by a public key of the first MEP; the first MEP sends feedback information to the MIAP, so that when the MIAP determines that the first MEP successfully receives the symmetric key according to the feedback information, the first MEP is marked as an MEP with successful registration; wherein the symmetric key is used for the first MEP to communicate with other MEPs in the plurality of MEPs.
In this approach, the first MEP may perform identity registration at the MIAP and obtain a symmetric key issued by the MIAP to communicate with other MEPs in the network maintenance area. By the method, the functions of authentication and registration are added in the technology of Ethernet OAM, thereby effectively improving the management of MEP and improving the security level of Ethernet OAM.
Optionally, before the first MEP sends the device information and the public key of the first MEP to the MIAP, the method further includes: the first MEP receives first notification information from the MIAP, wherein the first notification information is used for indicating the MEP receiving the first notification information to return own equipment information and a public key to the MIAP.
Optionally, a higher-level MEP of the plurality of MEPs sends a message to a same-level or lower-level MEP.
In the method, different MEPs are positioned at different levels, and the messages sent by the MEPs are only received by the fixed levels, so that the efficiency of network communication is improved.
Optionally, the sending, by the first MEP, feedback information to the MIAP includes: the first MEP decrypts the first encrypted information through a private key of the first MEP to obtain the symmetric key; the first MEP performs hash calculation on the symmetric key to obtain a first hash value; and the first MEP sends feedback information to the MIAP, wherein the feedback information carries the first hash value.
Optionally, the first MEP periodically receives an updated symmetric key from the MIAP according to a preset time interval, and updates the symmetric key stored in the first MEP based on the updated symmetric key.
By the method, the first MEP periodically acquires the updated symmetric key, so that the risk of secret leakage possibly caused by long-term use of the same symmetric key is prevented, and the safety of communication between the MEPs is improved.
Optionally, each MEP in the multiple MEPs stores a transmission identification field; the method further comprises the following steps: the first MEP encrypts the transmission identification field through the symmetric key, and performs hash calculation on the encrypted field to obtain a third hash value; and when the first MEP sends first transmission information to a second MEP, the third hash value and the first transmission information are simultaneously sent to the second MEP, so that the second MEP verifies the validity of the identity of the first MEP according to the third hash value.
By the method, the first MEP can prove the legality of the identity of the first MEP to the second MEP through the third hash value.
Optionally, each MEP in the multiple MEPs stores a transmission identification field; the method further comprises the following steps: the first MEP receiving second transmission information and a fourth hash value from a third MEP; the first MEP encrypts the transmission identification field through the symmetric key, and performs hash calculation on the encrypted field to obtain a fifth hash value; if the fourth hash value is consistent with the fifth hash value, confirming that the identity of the third MEP is legal, and receiving the second transmission information; and if the fourth hash value is inconsistent with the fifth hash value, confirming that the identity of the third MEP is illegal, and discarding the second transmission information.
By the method, the first MEP can confirm whether the identity of the MEP of the opposite end is legal or not through the fourth hash value, and different methods are adopted for different identities, so that the safety of communication in the MEG is improved.
Optionally, the first transmission information is: information for protection switching, or information for fault signal suppression, or information for controlling the behavior of the second MEP.
In this way the first MEP adds the hash value only to important information, which saves communication resources between MEPs and optimises communication performance while still securing the communication that matters.
Optionally, the second transmission information is: information for protection switching, or information for fault signal suppression, or information for controlling the first MEP behavior.
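The per-message identity check of the options above, as an added Python example that is not from the patent: the sending MEP attaches a tag only to the message kinds listed (protection switching, fault signal suppression, behaviour control), and the receiving MEP recomputes the tag from its own copy of the symmetric key and the stored transmission identification field, accepts on a match and discards otherwise. The transmission identification field, the message kinds and the wire format are constructed for the example, and HMAC-SHA256 over the field stands in for the patent's encrypt-then-hash, since the standard library has no block cipher; both yield a value only a key holder can compute. As described, the tag depends on the key and the stored field alone, so it is identical for every message sent under one key; the example therefore also includes a variant, not part of the patent, that folds the message bytes into the tag so that a tag observed on one message cannot be reused on another.

```python
import hmac

# The transmission identification field every MEP stores (constructed for this example).
TRANSMISSION_ID = b"MEG-7/transmission-id"

# The message kinds the patent protects; other OAM traffic travels without a tag.
TAGGED_TYPES = {b"protection-switching", b"alarm-suppression", b"control"}

def identity_tag(key, field=TRANSMISSION_ID):
    """The patent's tag: the stored field transformed under the symmetric key, then hashed.
    HMAC-SHA256 stands in for encrypt-then-hash (the standard library has no block cipher);
    as in the patent, only a key holder can compute it, and nothing message-specific enters."""
    return hmac.new(key, field, "sha256").digest()

def bound_tag(key, message, field=TRANSMISSION_ID):
    """Hardened variant (not from the patent): the message bytes enter the tag, so a tag
    captured on one message is useless on any other."""
    return hmac.new(key, field + b"\x00" + message, "sha256").digest()

def send(key, msg_type, payload, bind=False):
    """First MEP -> second MEP: attach a tag only to the message kinds listed above."""
    message = msg_type + b":" + payload
    if msg_type not in TAGGED_TYPES:
        return message, None
    return message, (bound_tag(key, message) if bind else identity_tag(key))

def receive(key, message, tag, bind=False):
    """Second MEP: recompute the tag from its own key; accept on match, discard otherwise."""
    msg_type = message.split(b":", 1)[0]
    if msg_type not in TAGGED_TYPES:
        return "accept"                      # untagged kind: the patent adds no check here
    expected = bound_tag(key, message) if bind else identity_tag(key)
    if tag is not None and hmac.compare_digest(tag, expected):
        return "accept"
    return "discard"                         # wrong key, missing tag, or a sender without the key
```

With the patent's tag, `receive` rejects a message from a sender holding a different key or none, which is the check the text describes; because the tag is constant under a key, the same `tag` value also satisfies the check on any other tagged message, whereas the `bind=True` variant ties each tag to one message.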
In a third aspect, the present application provides an identity registration apparatus, which is applied to an MIAP, where the MIAP and a plurality of MEPs are located in a network maintenance area, and the apparatus includes: the first receiving module is used for acquiring the equipment information and the public key of the first MEP; wherein the first MEP is one of the plurality of MEPs; the first processing module is used for verifying the validity of the identity of the first MEP based on the equipment information of the first MEP; the first storage module is used for storing the equipment information and the public key of the first MEP after the verification is passed; the first sending module is configured to send first encryption information to the first MEP, where the first encryption information includes a symmetric key encrypted by a public key of the first MEP; the first receiving module is further configured to receive feedback information from the first MEP; the first processing module is further configured to mark the first MEP as an MEP that is successfully registered when it is determined that the first MEP successfully receives the symmetric key according to the feedback information; wherein the symmetric key is used for the first MEP to communicate with other MEPs in the plurality of MEPs.
Optionally, the first sending module is further configured to send first notification information in a multicast manner among the MEPs, where the first notification information is used to indicate that the MEP that receives the first notification information returns its own device information and public key to the MIAP; the first receiving module is further configured to receive device information and a public key of the first MEP from the first MEP.
Optionally, among the plurality of MEPs a higher-level MEP sends messages to MEPs of the same or a lower level; the MIAP receives messages from MEPs of every level; when the MIAP replies to a MEP's message, the reply carries that MEP's level; and when the MIAP sends the first notification information, it carries the highest level among the MEPs.
Optionally, the first processing module is further configured to display device information of the first MEP in a human-computer interaction interface; if the first verification information is received, the identity of the first MEP is confirmed to be legal; or, judging whether the equipment information of the first MEP meets a preset rule; and if so, confirming that the identity of the first MEP is legal.
Optionally, the first receiving module is further configured to receive feedback information from the first MEP, where the feedback information carries a first hash value, and the first hash value is obtained by performing hash calculation on the symmetric key by the first MEP; the first processing module is further configured to compare the first hash value with a second hash value, where the second hash value is obtained by performing hash calculation on the symmetric key by the MIAP; and if the first hash value is consistent with the second hash value, confirming that the first MEP successfully receives the symmetric key.
Optionally, if the first hash value is inconsistent with the second hash value, the first sending module is further configured to send the first encryption information to the first MEP again; and when the first encryption information sent to the first MEP reaches a preset number, stopping sending the first encryption information to the first MEP, wherein the first processing module is further used for marking the first MEP as an MEP failing in registration.
Optionally, the first processing module is further configured to periodically update the symmetric key according to a preset time interval; the first sending module is further configured to send the updated symmetric key to all registered MEPs in the multiple MEPs.
Optionally, the first receiving module is further configured to receive a logout instruction, where the logout instruction is used to instruct to logout the first MEP; and deleting the equipment information and the public key of the first MEP.
In a fourth aspect, the present application provides an identity registration apparatus applied to a first MEP, where a MIAP and a plurality of MEPs are located in a network maintenance area and the first MEP is one of them. The apparatus includes: a second sending module configured to send the first MEP's device information and public key to the MIAP so that the MIAP can verify the validity of the first MEP's identity from that device information; a second receiving module configured to receive first encryption information, which the MIAP sends to the first MEP after confirming that it passed verification and which comprises a symmetric key encrypted under the first MEP's public key; and the second sending module is further configured to send feedback information to the MIAP so that, when the MIAP determines from the feedback that the first MEP has received the symmetric key, the first MEP is marked as successfully registered. The symmetric key is used by the first MEP to communicate with the other MEPs of the plurality.
Optionally, the second receiving module is further configured to receive first notification information from the MIAP, where the first notification information is used to indicate that the MEP that receives the first notification information returns its own device information and public key to the MIAP.
Optionally, a higher-level MEP of the plurality of MEPs sends a message to a same-level or lower-level MEP.
Optionally, the apparatus further includes a second processing module, configured to decrypt the first encrypted information through a private key of the first MEP to obtain the symmetric key; performing hash calculation on the symmetric key to obtain a first hash value; the second sending module is further configured to send feedback information to the MIAP, where the feedback information carries the first hash value.
Optionally, the second receiving module is further configured to periodically receive an updated symmetric key from the MIAP according to a preset time interval, and the second storing module is configured to update the symmetric key stored in the first MEP based on the updated symmetric key.
Optionally, each MEP in the multiple MEPs stores a transmission identification field; the second processing module is further configured to encrypt the transmission identification field through the symmetric key, and perform hash calculation on the encrypted field to obtain a third hash value; the second sending module is further configured to send the third hash value and the first transmission information to a second MEP when sending the first transmission information to the second MEP, so that the second MEP verifies the validity of the identity of the first MEP according to the third hash value.
Optionally, each MEP in the multiple MEPs stores a transmission identification field; the second receiving module is further configured to receive second transmission information and a fourth hash value from a third MEP; the second processing module is further configured to encrypt the transmission identification field through the symmetric key, and perform hash calculation on the encrypted field to obtain a fifth hash value; if the fourth hash value is consistent with the fifth hash value, confirming that the identity of the third MEP is legal, and receiving the second transmission information; and if the fourth hash value is inconsistent with the fifth hash value, confirming that the identity of the third MEP is illegal, and discarding the second transmission information.
Optionally, the first transmission information is: information for protection switching, or information for fault signal suppression, or information for controlling the behavior of the second MEP.
Optionally, the second transmission information is: information for protection switching, or information for fault signal suppression, or information for controlling the first MEP behavior.
In a fifth aspect, the present application provides a system for identity registration, the system comprising the apparatus described in the third aspect and the apparatus described in the fourth aspect.
In a sixth aspect, the present application provides an electronic device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the at least one processor causes the apparatus to perform the method of any one of the first aspect, any one of the optional implementations of the first aspect, and any one of the optional implementations of the second aspect or the second aspect by executing the instructions stored by the memory.
In a seventh aspect, a computer-readable storage medium is provided for storing instructions that, when executed, cause the method of any one of the first aspect, any one of the optional implementations of the first aspect, and any one of the optional implementations of the second aspect or the second aspect to be implemented.
The technical effects or advantages of one or more of the technical solutions provided in the third, fourth, fifth, sixth and seventh aspects of the embodiments of the present application may be correspondingly explained by the technical effects or advantages of one or more of the corresponding technical solutions provided in the first and second aspects.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1a is a schematic diagram of a topology of a network to which an embodiment of the present invention is applicable;
fig. 1b is a schematic diagram of another network topology to which an embodiment of the present application is applicable;
fig. 2 is a flowchart of a method for identity registration according to an embodiment of the present application;
fig. 3 is a flowchart of a method by which a MIAP verifies the validity of the identity of a first MEP according to an embodiment of the present application;
fig. 4 is a flowchart of another method for verifying the validity of the identity of a first MEP according to an embodiment of the present application;
fig. 5 is a schematic diagram of a possible message format according to an embodiment of the present application;
fig. 6 is a schematic diagram of another possible message format according to an embodiment of the present application;
fig. 7 is a schematic diagram of a possible TLV format provided by an embodiment of the present application;
fig. 8 is a schematic diagram of another possible TLV format provided by an embodiment of the present application;
fig. 9 is a schematic structural diagram of an identity registration apparatus according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of another identity registration apparatus provided in an embodiment of the present application;
fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions of the present application are described in detail below with reference to the drawings and specific embodiments, and it should be understood that the specific features in the embodiments and examples of the present application are detailed descriptions of the technical solutions of the present application, and are not limitations of the technical solutions of the present application, and the technical features in the embodiments and examples of the present application may be combined with each other without conflict.
It should be understood that the terms first, second, etc. in the description of the embodiments of the present application are used for distinguishing between the descriptions and not for indicating or implying relative importance or order. In the description of the embodiments of the present application, "a plurality" means two or more.
The term "and/or" in the embodiment of the present application is only one kind of association relationship describing an associated object, and means that three kinds of relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
In order to facilitate understanding of the scheme of the embodiment of the present application, a possible application scenario of the embodiment of the present application is described below.
Referring to fig. 1a, a schematic diagram of a network topology to which the embodiments of the present application apply, the figure shows the topology of one network maintenance area containing four MEPs: MEP001, MEP002, MEP003 and MEP004. Any two MEPs may communicate with each other by wire or wirelessly. Ethernet OAM is deployed on each MEP, and the scheme of the embodiments is realised by each MEP running Ethernet OAM. Fig. 1a is only an example; in practice a network maintenance area may contain more or fewer MEPs, and the application is not limited in this respect.
In the method provided by the embodiments of the present application, a network maintenance area may further include a Maintenance Identity Authentication node (MIAP) that provides registration for the MEPs in the area, namely the MIAP in fig. 1a.
Referring to fig. 2, a flowchart of a registration method provided in an embodiment of the present application may be applied to the scenario shown in fig. 1a, where the method specifically includes:
step S201: the first MEP sends the equipment information and the public key of the first MEP to the MIAP, and the MIAP acquires the equipment information and the public key of the first MEP.
Where the first MEP is any other MEP in the same network maintenance area that is capable of communicating with the MIAP. For example, the first MEP is MEP001 or MEP002 as shown in fig. 1 a.
It should be understood that the same network maintenance area may also contain a second MEP, a third MEP, a fifth MEP, and so on; these MEPs can perform the same functions as the first MEP in this solution, and the solution may be applied at the same time to all other MEPs that belong to the same network maintenance area as the MIAP, which is not limited in the present application. For example, in step S201 the MIAP may acquire the device information and public key of the first MEP, of the second or third MEP, or of all other MEPs in the network maintenance area (the first, second and third MEPs) at once.
Optionally, when the MIAP acquires the device information and the public key of the first MEP, the MIAP may send the first notification information to the multiple MEPs in the network maintenance area where the MIAP is located in a multicast manner, where a destination address of the multicast corresponds to all MEPs in the network maintenance area where the MIAP is located; the first notification information is used to instruct the MEP receiving the first notification information to return the device information and the public key of the MEP to the MIAP.
Of course, the MIAP may also adopt other transmission manners, for example, unicast the first notification message to each other MEP through a preset address list, or transmit the first notification message in a broadcast manner, and so on.
When the first MEP receives the first notification information from the MIAP, it returns its own device information and public key to the MIAP in response, and keeps the private key corresponding to that public key. The public key may belong to an asymmetric key pair generated by the first MEP in response to the first notification information after receiving it, or may have been generated in advance by the first MEP and stored on it; this is not limited in the present application.
By the method, the MIAP directly acquires the equipment information and the public key of other MEPs, and can quickly finish information collection of other MEPs in the same network maintenance area.
Alternatively, different MEPs in a network maintenance area may have different levels.
Further, an MEP at a high level may send a message to an MEP at a low level or to an MEP at the same level.
For the MIAP, the MIAP can receive messages from MEPs of all levels in the same network maintenance area, which is equivalent to the MIAP being at the lowest level in that area. However, when the MIAP sends the first notification information, the level of that message is set equal to the highest MEP level in the network maintenance area, so that every MEP in the area can receive it. And when the MIAP receives a message from another MEP and sends a corresponding message back to it, the level of that message is set equal to the level of that MEP.
For example, referring to fig. 1b, in another possible network topology structure diagram provided by the present application, in the scenario shown in fig. 1b, all MEPs in a network maintenance area are assigned with different levels, for example, the level of a first MEP and a second MEP is level 1, and the level of a third MEP and a fourth MEP is level 3. Depending on the ranking of the MEPs, the MEPs may be divided into different MEG. It should be understood that the number and the levels of the MEPs in fig. 1b are only examples, in actual production life, there may be a greater number or a smaller number of levels (i.e., MEG) in a network maintenance area, and there may also be a greater number or a smaller number of MEPs in an MEG, and the present application is not limited thereto.
For example, in fig. 1b, when the MIAP sends the first notification information, the level of the first notification information is level 3, so that it is ensured that all of the first, second, third, and fourth MEPs can receive the first notification information. And when the MIAP needs to return feedback information to the first MEP after receiving the message sent by the first MEP, the level of the feedback information is the same as that of the first MEP.
In this way, different MEPs are placed at different levels and a message sent by an MEP is received only at the intended level, which improves the efficiency of network communication. A message sent by the MIAP can be received by all MEPs in the same MEG, and the MIAP can receive the messages sent by all MEPs in the same MEG.
Step S202: and the MIAP verifies the validity of the identity of the first MEP based on the acquired equipment information of the first MEP.
In one possible embodiment, the MIAP is only responsible for collecting the device information and public key of the first MEP, and the verification of the validity of the MEP identity is done by the network administrator.
Specifically, after the MIAP collects the device information of the first MEP, the device information of the first MEP is displayed in a human-computer interaction interface, and a network manager judges whether the identity of the first MEP is legal. If the network administrator determines that the identity of the first MEP is legal, a first instruction is input to indicate that the identity of the first MEP is legal; if the network administrator determines that the identity of the first MEP is not legal, a second instruction is input to indicate that the identity of the first MEP is illegal. Optionally, the operation of inputting the instruction may be completed on the human-computer interaction interface, or may be completed on other interfaces.
Illustratively, the MIAP displays the collected device information of the first MEP on a display device, and the network administrator decides whether the identity of the first MEP is legal according to that information, such as the manufacturer of the device, its Media Access Control (MAC) address and its MEP number. For example, the network administrator knows the device information of all legitimate devices in the network maintenance area, and can therefore compare the collected device information of the first MEP with the device information of all legitimate MEPs in the area to determine whether the first MEP is legal. If it is, the administrator inputs an instruction so that the MIAP receives a verification message indicating that the identity of the first MEP is legal.
In the method, the validity of the identity of the first MEP is verified in a manual auditing mode, so that the accuracy in identity verification is improved.
In another possible implementation, the MIAP directly checks the validity of the identity of the first MEP by determining whether the collected device information of the first MEP meets a preset rule.
Specifically, referring to fig. 3, a flowchart of a method for verifying the validity of the identity of the first MEP by the MIAP is provided in the embodiment of the present application, and the method includes the following specific steps:
s301: the MIAP receives device information of the first MEP.
S302: the MIAP judges whether the equipment information accords with a preset rule or not according to the received equipment information of the first MEP; if yes, go to step S303a, otherwise go to step S303 b.
The preset rule may be an audit rule pre-stored in the MIAP, for example, the preset rule may be a MAC address white list, and when the MAC address of the first MEP is in the white list in the device information of the first MEP received by the MIAP, the MIAP determines that the device information of the first MEP meets the preset rule, that is, the identity of the first MEP is legal. Or, the preset rule may also be an MEP white list established according to an MEP number in the device information or information of a manufacturer.
S303 a: the MIAP stores the device information for the first MEP in a database.
S303 b: the MIAP discards the device information of the first MEP.
Through the mode, the MIAP directly judges whether the identity information of the first MEP is legal or not according to the preset rule, and the efficiency of checking the identity of the first MEP is improved.
Optionally, referring to fig. 4, before executing step S303b, the MIAP may further take the following actions on a first MEP that does not meet the preset rule:
s401: judging whether the first MEP is an MEP in a blacklist or not according to the equipment information of the first MEP; if so, step S303b is executed directly, and if not, step S402 is executed.
The blacklist includes device information of a part of malicious MEPs, and the blacklist can be input to the MIAP in advance by a network manager or can be obtained by recording of the MIAP.
S402: and displaying the equipment information of the first MEP to a network manager through a man-machine interaction interface.
S403: receiving a verification message and judging the received verification message; if the received verification message is the first verification message, go to step S303 a; if the received authentication message is the second authentication message, step S404 is executed.
S404: the device information of the first MEP is saved in a blacklist.
After the recording is completed, step S303b may be performed.
In this way, the method combines the advantages of direct rule checking and manual auditing: the MIAP audits the identities of other MEPs directly, identities that meet the preset rule are recognised as legal immediately, and identities that do not meet it are judged further and passed on to manual auditing, which preserves the accuracy of the identity audit while improving its efficiency. Moreover, the device information of an MEP that fails the audit is stored in the blacklist, which simplifies later audits and further improves their efficiency.
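The following Go program is an added illustration of the combined audit flow of fig. 3 and fig. 4; it is not part of the patent text and not code of the applicant. It assumes the preset rule is a MAC address whitelist, that the blacklist is keyed by MAC address as well, and that the administrator's first/second verification message (S403) is modelled by a callback; the DeviceInfo field names and the sample MEPs are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// DeviceInfo is what an MEP returns in response to the first notification.
// The page lists manufacturer, MAC address and MEP number; field names are assumptions.
type DeviceInfo struct {
	Vendor string
	MAC    string
	MEPID  uint16
}

// Decision is the outcome of the MIAP's identity check for one MEP.
type Decision int

const (
	Accept          Decision = iota // S303a: store device information in the database
	Discard                         // S303b: discard device information
	DiscardAndBlock                 // S404 then S303b: record in blacklist, then discard
)

// ReviewFunc models the administrator's verdict (S402/S403): true stands for the
// first verification message (legal), false for the second (illegal).
type ReviewFunc func(DeviceInfo) bool

// MIAP holds the preset rule (a MAC whitelist), the blacklist and the database of accepted MEPs.
type MIAP struct {
	whitelist map[string]bool
	blacklist map[string]bool
	database  map[string]DeviceInfo
	review    ReviewFunc
}

func normMAC(mac string) string { return strings.ToLower(strings.TrimSpace(mac)) }

// NewMIAP builds an MIAP from an administrator-supplied whitelist and blacklist.
func NewMIAP(whitelist, blacklist []string, review ReviewFunc) *MIAP {
	m := &MIAP{
		whitelist: map[string]bool{},
		blacklist: map[string]bool{},
		database:  map[string]DeviceInfo{},
		review:    review,
	}
	for _, mac := range whitelist {
		m.whitelist[normMAC(mac)] = true
	}
	for _, mac := range blacklist {
		m.blacklist[normMAC(mac)] = true
	}
	return m
}

// Verify runs the flow: S302 preset rule -> S401 blacklist -> S402/S403 manual review -> S404.
func (m *MIAP) Verify(d DeviceInfo) Decision {
	mac := normMAC(d.MAC)
	if m.whitelist[mac] { // S302: device information meets the preset rule
		m.database[mac] = d
		return Accept
	}
	if m.blacklist[mac] { // S401: known malicious MEP, discarded without review
		return Discard
	}
	if m.review != nil && m.review(d) { // S402/S403: administrator says legal
		m.database[mac] = d
		return Accept
	}
	m.blacklist[mac] = true // S404: remember the rejected MEP
	return DiscardAndBlock
}

// Registered reports whether an MEP's device information is in the database.
func (m *MIAP) Registered(mac string) bool {
	_, ok := m.database[normMAC(mac)]
	return ok
}

// Blacklisted reports whether an MEP is on the blacklist.
func (m *MIAP) Blacklisted(mac string) bool { return m.blacklist[normMAC(mac)] }

func main() {
	m := NewMIAP([]string{"00:11:22:33:44:01"}, nil, func(d DeviceInfo) bool { return d.Vendor == "VendorA" })
	for _, d := range []DeviceInfo{
		{"VendorA", "00:11:22:33:44:01", 1}, // constructed sample: whitelisted
		{"VendorB", "00:11:22:33:44:02", 2}, // constructed sample: rejected by review
	} {
		fmt.Printf("MEP%03d -> decision %d\n", d.MEPID, m.Verify(d))
	}
}
```

Note that the blacklist is consulted before the administrator is asked, so an MEP rejected once is dropped silently on later attempts. A MAC address is chosen by the device that sends it, so the whitelist only establishes that the claimed identity is an expected one; what later binds the registration to this particular device is the public key stored alongside the device information, since only the holder of the matching private key can recover the symmetric key in step S204.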
S203: the MIAP saves the device information and the public key of the first MEP once the verification has passed.
Optionally, the device information and the public key may also be stored in other forms of data sets, such as in a file or in a table or in some documents.
S204: the MIAP generates a symmetric key and encrypts the symmetric key with the public key of the first MEP.
S205: the MIAP sends first encryption information to the first MEP, wherein the first encryption information comprises an encrypted symmetric key; the first MEP receives first encryption information.
S206: the first MEP responds to the first encryption information and sends feedback information to the MIAP; the MIAP receives the feedback information.
Optionally, after receiving the first encryption information, the first MEP sends feedback information to the MIAP by the following method: firstly, a first MEP decrypts first encryption information through a private key of the first MEP to obtain a symmetric key generated by an MIAP; secondly, the first MEP performs hash calculation on the symmetric key to obtain a first hash value; and finally, the first MEP sends feedback information to the MIAP, wherein the feedback information comprises a first hash value. Optionally, the first hash Value may be included in the feedback information in the form of a Type Length Value (TLV).
S207: the MIAP judges whether the first MEP successfully receives the symmetric key or not according to the feedback information; if it is determined that the first MEP is successfully received, step S208a is performed; if it is determined that the first MEP is not successfully received, step S208b is performed.
Optionally, the MIAP determines whether the first MEP successfully receives the symmetric key by:
First, the MIAP obtains a second hash value, in either of two ways: after receiving the feedback information, the MIAP performs the hash calculation on the symmetric key directly to obtain the second hash value; or the MIAP reads it from the database, where the hash value was stored when the MIAP generated the symmetric key and hashed it at that time.
Secondly, the MIAP compares the first hash value with the second hash value, and if the first hash value and the second hash value are consistent, the first MEP is confirmed to successfully acquire the symmetric key; and if the two are determined to be inconsistent, confirming that the first MEP fails to acquire the symmetric key.
By the method, the MIAP judges whether the first MEP successfully obtains the symmetric key or not through the Hash value, and the reliability of the scheme is improved.
S208 a: the MIAP marks the first MEP as a MEP with successful registration.
The successfully registered identifier may be stored in the database separately, or may be associated with the device information of the first MEP, which is not limited in this application.
S208 b: the MIAP marks the first MEP as a registration-failed MEP.
In this method, within a network maintenance area the MIAP verifies the identities of the other MEPs (such as the first MEP), which makes up for the lack of MEP identity authentication in Ethernet OAM. The MIAP sends the symmetric key used for communication to the MEPs that pass verification, which gives the communication between MEPs in the network maintenance area a basis for authentication and improves its security. An MEP that successfully receives the key is marked as successfully registered, completing its registration. In this way, identity authentication and registration of MEPs are added to Ethernet OAM, the management of MEPs is improved, and the security level of Ethernet OAM is raised.
Optionally, after the MIAP determines that the first hash value is inconsistent with the second hash value, before executing step S208b, the MIAP may further send the first encryption information to the first MEP again for a preset number of times, where the preset number of times may be set according to an actual requirement, for example, may be set to 3 times; if the first hash value and the second hash value are not consistent after the predetermined number of times, step S208b is executed again.
In this way, the first encryption information is resent to an MEP whose hash value is inconsistent, which improves the fault tolerance of the scheme; sending stops once the preset number of times is reached, so that resources are not wasted; and an MEP that cannot successfully receive the symmetric key is marked as having failed registration, so that the MIAP can distinguish successfully registered MEPs from failed ones.
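The exchange of steps S204 to S208, including the resend loop just described, as an added Go example that is not part of the patent and not the applicant's code. The choices of RSA-2048 with OAEP/SHA-256 for the first encryption information, a 256-bit symmetric key, SHA-256 for the first and second hash values and three resends are assumptions; the page fixes none of them. The MEP type carries a test hook that corrupts the decrypted key on its first receptions so that the resend path can be exercised.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Parameters are assumptions for this example.
const (
	symKeyLen   = 32   // 256-bit symmetric key
	rsaBits     = 2048 // MEP key pair size
	maxAttempts = 3    // preset number of sends, the value the page gives as an example
)

// MEP is the registering device: it keeps the private key matching the public key sent in S201.
type MEP struct {
	priv       *rsa.PrivateKey
	symKey     []byte
	corruptFor int // test hook: corrupt the decrypted key on the first n receptions
	received   int
}

func NewMEP(corruptFor int) (*MEP, error) {
	k, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return nil, err
	}
	return &MEP{priv: k, corruptFor: corruptFor}, nil
}

func (m *MEP) PublicKey() *rsa.PublicKey { return &m.priv.PublicKey }
func (m *MEP) SymKey() []byte            { return m.symKey }

// Receive is S205/S206 on the MEP side: decrypt the first encryption information with the
// private key, hash the symmetric key and return the first hash value as feedback information.
func (m *MEP) Receive(firstEncInfo []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, m.priv, firstEncInfo, nil)
	if err != nil {
		return nil, err
	}
	m.received++
	if m.received <= m.corruptFor {
		key[0] ^= 0xff // simulated fault, so the hashes will not match
	}
	m.symKey = key
	h := sha256.Sum256(key)
	return h[:], nil
}

// MIAP generates the symmetric key once (S204) and keeps its hash as the second hash value.
type MIAP struct {
	symKey  []byte
	keyHash []byte
	status  map[string]string
}

func NewMIAP() (*MIAP, error) {
	key := make([]byte, symKeyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	h := sha256.Sum256(key)
	return &MIAP{symKey: key, keyHash: h[:], status: map[string]string{}}, nil
}

func (a *MIAP) SymKey() []byte             { return a.symKey }
func (a *MIAP) Status(mepID string) string { return a.status[mepID] }

// Register runs S204 to S208 for one verified MEP. deliver stands for sending the first
// encryption information and receiving the feedback; it is repeated up to maxAttempts times.
func (a *MIAP) Register(mepID string, pub *rsa.PublicKey, deliver func([]byte) ([]byte, error)) (bool, error) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, a.symKey, nil) // S204
		if err != nil {
			return false, err
		}
		firstHash, err := deliver(enc) // S205/S206
		if err != nil {
			return false, err
		}
		if hmac.Equal(firstHash, a.keyHash) { // S207: constant-time comparison of the two hashes
			a.status[mepID] = "registered" // S208a
			return true, nil
		}
	}
	a.status[mepID] = "registration failed" // S208b, after the preset number of sends
	return false, nil
}

func main() {
	miap, _ := NewMIAP()
	mep, _ := NewMEP(0)
	ok, err := miap.Register("MEP001", mep.PublicKey(), mep.Receive)
	fmt.Println("MEP001 registered:", ok, err, "status:", miap.Status("MEP001"))
}
```

The feedback is a hash of the key itself, so it confirms that the MEP recovered exactly the key the MIAP generated; with a key of 256 random bits the hash gives an observer no practical way to recover the key. Comparing with hmac.Equal rather than bytes.Equal keeps the comparison time independent of where the hashes differ.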
Optionally, the communication between MEPs may add authentication information in the network maintenance area where registration is completed.
Specifically, the communication between the registered first MEP and the registered second and third MEPs will be described as an example.
When the first MEP sends the first transmission information to the second MEP, firstly, the first MEP needs to encrypt the transmission identification field through the symmetric key, and then perform hash calculation on the encrypted information to obtain a third hash value. Wherein, the transmission identification field is common information held by all MEPs in the same network maintenance area. Secondly, the first MEP sends the third hash value to the second MEP together with the first transmission information.
By the method, the first MEP can prove the legality of the identity of the first MEP to the second MEP through the third hash value.
When the first MEP receives the second transmission information and the fourth hash value sent by the third MEP, the first MEP must first determine whether the identity of the third MEP is legal according to the fourth hash value. Specifically, the first MEP encrypts the transmission identification field with the symmetric key, performs the hash calculation on the encrypted information to obtain a fifth hash value, and compares the fifth hash value with the fourth hash value; if they are consistent, the identity of the third MEP is determined to be legal and the second transmission information is accepted; if they are not consistent, the identity of the third MEP is determined to be illegal and the second transmission information is discarded.
By the method, the first MEP can confirm whether the identity of the MEP of the opposite end is legal or not through the fourth hash value, and different methods are adopted for different identities, so that the communication safety between the MEPs is improved.
Optionally, the first transmission information and the second transmission information may be information for protection switching, or information for fault signal suppression, or information for controlling an opposite end MEP behavior.
Through the mode, the first MEP only adds the hash value in the important information, so that the communication resources among the MEPs are saved and the communication performance is optimized on the premise of ensuring the communication safety.
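Both directions of the inter-MEP check described above, as an added Go example that is not part of the patent and not the applicant's code. The page does not name the cipher or hash, so AES (one block, deterministic) and SHA-256 are assumed, and the 16-byte transmission identification field is a constructed value. The BoundTag function goes beyond the page: it shows the HMAC a practitioner would use instead if the tag is meant to cover the payload as well.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// The transmission identification field is common information held by every MEP in the area.
// The page gives no value; this constructed one is 16 bytes so it fills exactly one AES block.
var transmissionID = []byte("MEG-ID-FIELD-001")

// ErrIllegalPeer is returned when the received hash does not match: the message is discarded.
var ErrIllegalPeer = errors.New("peer MEP identity illegal: hash mismatch, message discarded")

// IdentityTag computes the third (or fifth) hash value as the page describes: encrypt the
// transmission identification field with the symmetric key, then hash the ciphertext.
func IdentityTag(symKey []byte) ([]byte, error) {
	block, err := aes.NewCipher(symKey) // symKey must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	ct := make([]byte, aes.BlockSize)
	block.Encrypt(ct, transmissionID)
	h := sha256.Sum256(ct)
	return h[:], nil
}

// Message is the transmission information together with its hash value (TLV type 66).
type Message struct {
	Payload []byte
	Tag     []byte
}

// Send is the sender side (first MEP to second MEP).
func Send(symKey, payload []byte) (Message, error) {
	tag, err := IdentityTag(symKey)
	if err != nil {
		return Message{}, err
	}
	return Message{Payload: payload, Tag: tag}, nil
}

// Receive is the receiver side: recompute the hash, compare in constant time, accept or discard.
func Receive(symKey []byte, msg Message) ([]byte, error) {
	expect, err := IdentityTag(symKey)
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(expect, msg.Tag) {
		return nil, ErrIllegalPeer
	}
	return msg.Payload, nil
}

// BoundTag is not from the page: an HMAC over the identification field and the payload,
// so that the tag changes per message and a modified payload is rejected.
func BoundTag(symKey, payload []byte) []byte {
	mac := hmac.New(sha256.New, symKey)
	mac.Write(transmissionID)
	mac.Write(payload)
	return mac.Sum(nil)
}

func main() {
	key := make([]byte, 32) // constructed all-zero key, for illustration only
	msg, _ := Send(key, []byte("APS: request protection switch"))
	_, err := Receive(key, msg)
	fmt.Println("same key accepted:", err == nil)
	otherKey := make([]byte, 32)
	otherKey[0] = 1
	_, err = Receive(otherKey, msg)
	fmt.Println("other key accepted:", err == nil)
}
```

Because the tag as described depends only on the symmetric key and the fixed identification field, it is the same for every message an MEP sends and does not cover the transmission information itself: it proves that the sender holds the current key, which is what the page claims, but not that the payload arrived unmodified. The periodic key update of the MIAP limits how long any one tag value stays valid.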
Optionally, the MIAP updates the symmetric key periodically according to a preset time interval and sends the updated symmetric key to all registered MEPs in its network maintenance area. The preset time interval may be set according to actual needs, for example once an hour or once every half hour. The process of sending the updated symmetric key may follow the process by which the MIAP sends and confirms the symmetric key to the first MEP, and is not repeated here.
In this way, the MIAP periodically updates the symmetric key, which can effectively avoid the risk of possible disclosure caused by long-term use of the same symmetric key. Meanwhile, the MIAP only updates the symmetric key to the registered MEP, so that the MEP with unknown identity can be prevented from acquiring the symmetric key to invade the communication between the MEPs in the MEG, and the security level of the Ethernet OAM is improved.
Alternatively, when the MIAP receives a deregistration indication indicating that the first MEP is to be deregistered, the MIAP may respond in one of the following ways.
In the first mode, the MIAP deletes the device information and the public key of the first MEP from the database.
In the second mode, the MIAP deletes the device information and the public key of the first MEP from the database, sends notification information to the first MEP informing it that it has been deleted, and at the same time stops sending updated symmetric keys to the first MEP.
In the third mode, the MIAP deletes the device information and the public key of the first MEP from the database, stops sending updated symmetric keys to the first MEP, and immediately updates the symmetric key within the MEG.
In this way, a network administrator can deregister any MEP in the network maintenance area through the MIAP and so manage all MEPs in the area; when the administrator discovers a malicious MEP, it can be dealt with in time, which raises the security level of Ethernet OAM. Note that in the first two modes the deregistered MEP keeps the symmetric key it already holds until the next periodic update, so only the third mode excludes it from MEG communication immediately.
Optionally, the communication information between any two MEPs in the present application may be carried in a message.
Specifically, the message type may be called Identity Check (IC) or any other name, which is not limited in the present application. Its operation type (OpCode) value may be set to 60 so that it does not collide with the OpCode values already in use.
As shown in table 1, the specific IC type messages can be classified into the following types according to functions:
TABLE 1
(Table 1 is provided only as an image and is not reproduced here; it lists the five IC message types described below: ICM request, ICR response, ICSM request, ICSR response and ICD revocation.)
The above five message types correspond to the messages sent by the MIAP and the other MEPs described earlier. For example, the ICM request of category 001 corresponds to the first notification information sent by the MIAP; the ICSM request of category 003 corresponds to the first encryption information sent by the MIAP; and the ICSR response of category 004 corresponds to the feedback information sent by the first MEP.
The types of messages are described above, and the information that may be contained in the messages is described below.
Referring to table 2, the kinds of TLVs that may be contained in the IC type message are shown:
TABLE 2
TLV type   TLV name                TLV interpretation
64         Device information      Private information of the device, identifying each device
65         Key information         Public key information returned by other MEPs to the MIAP
66         Hash value information  Hash value obtained from the hash calculation
In the following, information that each type of message may contain in an IC type message is described:
1) ICM request
Such a message may not contain the TLV information in 64, 65, 66 described above. Exemplarily, fig. 5 is a schematic diagram of a format of such a packet, where the packet includes 2-bit MEL information, 4-bit version information, 10-bit OpCode information, 8-bit tag information, 8-bit TLV offset information, 8-bit IC type information, and 8-bit final TLV information.
2) ICR response
Such a message may contain the TLV information of type 64 and/or 65 above. Fig. 6 is a schematic diagram of the format of such a packet, which contains 2-bit MEL information, 4-bit version information, 10-bit OpCode information, 8-bit tag information, 8-bit TLV offset information, 8-bit IC type information, a 16-bit MEP-ID, 48-byte MEG-ID information, TLV information of variable length and a fixed-length 8-bit end TLV.
The TLV information with indefinite length can be in the following formats:
when the type of the TLV is 64, i.e. the device information, for example, see fig. 7, which is a schematic diagram of a format of such TLV information, the TLV includes 8 bits of type information, 16 bits of length information, and 32 bits of device information.
When the type of the TLV is 65 or 66, for example, referring to fig. 8, a format diagram of such TLV information is shown, where the TLV includes 8 bits of type information, 16 bits of length information, and non-fixed-length public key information or hash value information.
3) ICSM request
The format of such a message may be similar to that of the ICR response, differing only in the TLV carried: the TLV type carried by the ICSM request is 65. For example, the format of this message type may be as shown in fig. 6.
4) ICSR response
The format of such a packet may be similar to that of the ICR response, differing only in the TLV carried: the TLV type carried by the ICSR response is 66. For example, the format of this packet type may be as shown in fig. 6.
5) ICD revocation
Such a message may not contain TLV information of type 64, 65 or 66; its format may be as shown in fig. 7, where the message contains 2-bit MEL information, 4-bit version information, 10-bit OpCode information, 8-bit tag information, 8-bit TLV offset information, 8-bit IC type information, a 16-bit MEP-ID, 48-byte MEG-ID information, and 8-bit end TLV information.
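An encoder and a bounds-checked parser for the ICR response laid out above, as an added Go example that is not part of the patent and not the applicant's code. It follows the bit layout as the page states it (2-bit MEL, 4-bit version, 10-bit OpCode); note that the standard CFM PDU header of IEEE 802.1ag and ITU-T Y.1731 uses a 3-bit MD level, a 5-bit version and an 8-bit OpCode, so a parser for real CFM traffic would split the first two bytes differently. The category number of the ICR response, the end TLV type 0, and the convention that the TLV offset counts bytes from the end of the offset field to the first TLV are assumptions; the sample MEG-ID and TLV values are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// OpCode 60, IC types 001/003/004 and TLV types 64..66 are from the page;
// ICTypeICR and TLVEnd are assumptions.
const (
	OpCodeIC      = 60
	ICTypeICM     = 1
	ICTypeICR     = 2 // assumption: ICR response between categories 001 and 003
	ICTypeICSM    = 3
	ICTypeICSR    = 4
	TLVDeviceInfo = 64
	TLVKeyInfo    = 65
	TLVHashValue  = 66
	TLVEnd        = 0 // assumption: end TLV type 0, as in standard CFM
	megIDLen      = 48
)

// Header is the common part as the page describes it.
type Header struct {
	MEL, Version             uint8  // 2 bits and 4 bits
	OpCode                   uint16 // 10 bits
	Flags, TLVOffset, ICType uint8  // 8 bits each
}

type TLV struct {
	Type  uint8
	Value []byte // length is carried in a 16-bit field
}

// ICR is an ICR response: header, 16-bit MEP-ID, 48-byte MEG-ID, TLVs, end TLV.
type ICR struct {
	Hdr   Header
	MEPID uint16
	MEGID [megIDLen]byte
	TLVs  []TLV
}

// Marshal serialises an ICR response; the TLV offset is always IC type + MEP-ID + MEG-ID.
func (r ICR) Marshal() []byte {
	w := uint16(r.Hdr.MEL&3)<<14 | uint16(r.Hdr.Version&0xF)<<10 | r.Hdr.OpCode&0x3FF
	b := []byte{byte(w >> 8), byte(w), r.Hdr.Flags, 1 + 2 + megIDLen, r.Hdr.ICType}
	b = append(b, byte(r.MEPID>>8), byte(r.MEPID))
	b = append(b, r.MEGID[:]...)
	for _, t := range r.TLVs {
		b = append(b, t.Type, byte(len(t.Value)>>8), byte(len(t.Value)))
		b = append(b, t.Value...)
	}
	return append(b, TLVEnd)
}

// ParseICR decodes an ICR response, checking every length before it is used as an index.
func ParseICR(b []byte) (ICR, error) {
	var r ICR
	if len(b) < 5 {
		return r, errors.New("short header")
	}
	w := binary.BigEndian.Uint16(b[0:2])
	r.Hdr = Header{MEL: uint8(w >> 14), Version: uint8(w>>10) & 0xF, OpCode: w & 0x3FF,
		Flags: b[2], TLVOffset: b[3], ICType: b[4]}
	if r.Hdr.OpCode != OpCodeIC {
		return r, fmt.Errorf("OpCode %d is not an IC message", r.Hdr.OpCode)
	}
	if r.Hdr.ICType != ICTypeICR {
		return r, fmt.Errorf("IC type %d is not an ICR response", r.Hdr.ICType)
	}
	first := 4 + int(r.Hdr.TLVOffset) // first TLV, counted from the end of the offset field
	if first != 5+2+megIDLen || len(b) < first {
		return r, errors.New("TLV offset inconsistent with ICR layout")
	}
	r.MEPID = binary.BigEndian.Uint16(b[5:7])
	copy(r.MEGID[:], b[7:7+megIDLen])
	for p := first; ; {
		if p >= len(b) {
			return r, errors.New("missing end TLV")
		}
		typ := b[p]
		p++
		if typ == TLVEnd {
			return r, nil
		}
		if p+2 > len(b) {
			return r, errors.New("truncated TLV length")
		}
		n := int(binary.BigEndian.Uint16(b[p : p+2]))
		p += 2
		if p+n > len(b) {
			return r, errors.New("TLV length runs past end of PDU")
		}
		if typ == TLVDeviceInfo && n != 4 {
			return r, errors.New("device information TLV must carry 32 bits")
		}
		r.TLVs = append(r.TLVs, TLV{Type: typ, Value: append([]byte(nil), b[p:p+n]...)})
		p += n
	}
}

func main() {
	r := ICR{Hdr: Header{MEL: 3, OpCode: OpCodeIC, ICType: ICTypeICR}, MEPID: 1}
	copy(r.MEGID[:], "MEG-EXAMPLE") // constructed MEG-ID
	r.TLVs = []TLV{{TLVDeviceInfo, []byte{0x00, 0x11, 0x22, 0x33}}, {TLVKeyInfo, []byte("constructed-public-key-bytes")}}
	pdu := r.Marshal()
	back, err := ParseICR(pdu)
	fmt.Printf("%d bytes, MEP-ID %d, %d TLVs, err=%v\n", len(pdu), back.MEPID, len(back.TLVs), err)
}
```

The length checks matter because these PDUs arrive from any device on the maintenance area's segment before the sender has been verified: the parser must reject a TLV length that runs past the frame, a missing end TLV, and an unexpected OpCode or IC type rather than index past the buffer.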
The method provided by the embodiment of the application is introduced above, and the device provided by the embodiment of the application is introduced below.
Referring to fig. 9, the present application provides an apparatus for identity registration, which may be the above MIAP or a chip or an integrated circuit in the MIAP device, and includes modules/units/technical means for performing the method performed by the MIAP device in the above method embodiments.
Illustratively, the apparatus 900 may include:
a first receiving module 901, configured to obtain device information and a public key of a first MEP; wherein the MIAP and the first MEP belong to the same MEG;
a first processing module 902, configured to verify validity of an identity of the first MEP based on the device information of the first MEP;
a first storage module 903, configured to store the device information and the public key of the first MEP after the verification passes;
a first sending module 904, configured to send first encryption information to the first MEP, where the first encryption information includes a symmetric key encrypted by a public key of the first MEP;
the first receiving module 901 is further configured to receive feedback information from the first MEP;
the first processing module 902 is further configured to mark the first MEP as an MEP successfully registered when it is determined that the first MEP successfully receives the symmetric key according to the feedback information; wherein the symmetric key is used for the first MEP to communicate with other MEPs in the MEG.
Referring to fig. 10, the present application provides an apparatus for identity registration, which may be the first MEP as described above or a chip or an integrated circuit in the first MEP device, and includes a module/unit/technical means for executing the method executed by the first MEP device in the above method embodiment.
Illustratively, the apparatus 1000 may comprise:
a second sending module 1001, configured to send the device information and the public key of the first MEP to an MIAP, so that the MIAP verifies the validity of the identity of the first MEP based on the device information of the first MEP; wherein the MIAP and the first MEP belong to the same MEG;
a second receiving module 1002, configured to receive first encryption information, where the first encryption information is sent by the MIAP to a first MEP after the MIAP confirms that the first MEP passes verification, and the first encryption information includes a symmetric key encrypted by a public key of the first MEP;
the second sending module 1001 is further configured to send feedback information to the MIAP, so that when the MIAP determines that the first MEP successfully receives the symmetric key according to the feedback information, the first MEP is marked as an MEP that is successfully registered; wherein the symmetric key is used for the first MEP to communicate with other MEPs in the MEG.
As a possible product form of the above apparatus, the embodiment of the present application further provides an identity registration system, which includes the apparatus 900 shown in fig. 9 and the apparatus 1000 shown in fig. 10.
It should be understood that all relevant contents of each step related to the above method embodiments may be referred to the functional description of the corresponding functional module, and are not described herein again.
Referring to fig. 11, as a possible product form of the apparatus, an embodiment of the present application further provides an electronic device 1100, including:
at least one processor 111; and a communication interface 113 communicatively coupled to the at least one processor 111; the at least one processor 111, by executing the instructions stored by the memory 112, causes the electronic device 1100 to perform the method steps performed by any of the above-described method embodiments via the communication interface 113.
Optionally, the memory 112 is located outside the electronic device 1100.
Optionally, the electronic device 1100 includes the memory 112, the memory 112 is connected to the at least one processor 111, and the memory 112 stores instructions executable by the at least one processor 111. Fig. 11 shows in dashed lines that the memory 112 is optional for the electronic device 1100.
The processor 111 and the memory 112 may be coupled by an interface circuit, or may be integrated together, which is not limited herein.
The specific connection medium between the processor 111, the memory 112 and the communication interface 113 is not limited in the embodiments of the present application. In the embodiment of the present application, the processor 111, the memory 112, and the communication interface 113 are connected by the bus 114 in fig. 11, the bus is represented by a thick line in fig. 11, and the connection manner between other components is merely schematic for illustration and is not limited thereto. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 11, but this is not intended to represent only one bus or type of bus.
It should be understood that the processors mentioned in the embodiments of the present application may be implemented by hardware or may be implemented by software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory.
The processor may be, for example, a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
It will be appreciated that the memory referred to in the embodiments of the application may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The non-volatile Memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash Memory. Volatile Memory can be Random Access Memory (RAM), which acts as external cache Memory. By way of example, but not limitation, many forms of RAM are available, such as Static random access memory (Static RAM, SRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic random access memory (Synchronous DRAM, SDRAM), Double Data rate Synchronous Dynamic random access memory (DDR SDRAM), Enhanced Synchronous SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DR RAM).
It should be noted that when the processor is a general-purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, the memory (memory module) may be integrated into the processor.
It should be noted that the memory described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
As another possible product form, the present application further provides a computer-readable storage medium for storing instructions that, when executed, cause a computer to perform the method steps performed by any one of the above-mentioned method examples.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (18)

1. An identity registration method, applied to a maintenance identity authentication node (MIAP), where the MIAP and a plurality of maintenance entity group end points (MEPs) are located in the same network maintenance area, the method comprising:
the MIAP acquires the equipment information and the public key of the first MEP; wherein the first MEP is one of the plurality of MEPs;
the MIAP verifies the validity of the identity of the first MEP based on the equipment information of the first MEP;
after the verification is passed, the MIAP saves the equipment information and the public key of the first MEP;
the MIAP sends first encryption information to the first MEP, wherein the first encryption information comprises a symmetric key encrypted by a public key of the first MEP;
the MIAP receives feedback information from the first MEP; the MIAP marks the first MEP as an MEP which is successfully registered when the MIAP determines that the first MEP successfully receives the symmetric key according to the feedback information;
wherein the symmetric key is used for the first MEP to communicate with other MEPs in the plurality of MEPs.
2. The method of claim 1, wherein the MIAP obtaining the device information and the public key of the first MEP comprises:
the MIAP sends first notification information in a multicast mode in the MEPs, wherein the first notification information is used for indicating the MEP receiving the first notification information to return own equipment information and a public key to the MIAP;
the MIAP receives device information and a public key of the first MEP from the first MEP.
3. The method of claim 2, wherein a higher-level MEP of the plurality of MEPs sends messages to MEPs of the same or a lower level;
the MIAP receives the messages of MEPs of all levels among the plurality of MEPs;
when the MIAP sends information in response to a message from an MEP, the level of the information sent by the MIAP is equal to the level of that MEP;
when the MIAP sends the first notification information, the level of the first notification information is the same as the highest level among the plurality of MEPs.
4. The method of claim 1, wherein the MIAP verifying the validity of the identity of the first MEP based on the device information of the first MEP comprises:
the MIAP displays the equipment information of the first MEP in a man-machine interaction interface, and if first verification information (an operator's confirmation) is received, confirms that the identity of the first MEP is legitimate; or,
the MIAP judges whether the equipment information of the first MEP meets a preset rule, and if so, confirms that the identity of the first MEP is legitimate.
5. The method of any one of claims 1-4, wherein the MIAP receiving feedback information from the first MEP comprises:
the MIAP receives feedback information from the first MEP, wherein the feedback information carries a first hash value, and the first hash value is obtained by performing hash calculation on the symmetric key by the first MEP;
the determining, by the MIAP according to the feedback information, that the first MEP successfully receives the symmetric key includes:
the MIAP compares the first hash value with a second hash value, wherein the second hash value is obtained by carrying out hash calculation on the symmetric key by the MIAP;
if the first hash value is consistent with the second hash value, the MIAP confirms that the first MEP successfully receives the symmetric key.
6. The method of claim 5, wherein the method further comprises:
if the first hash value is inconsistent with the second hash value, the MIAP sends the first encryption information to the first MEP again;
and when the MIAP has sent the first encryption information to the first MEP a preset number of times, the MIAP stops sending the first encryption information to the first MEP and marks the first MEP as an MEP whose registration failed.
7. The method of any one of claims 1-4, further comprising:
the MIAP periodically updates the symmetric key at a preset time interval and sends the updated symmetric key to all registered MEPs among the plurality of MEPs.
8. The method of any one of claims 1-4, further comprising:
the MIAP receives a logout instruction, wherein the logout instruction is used for instructing to logout the first MEP;
the MIAP deletes the device information and the public key of the first MEP.
9. An identity registration method, applied to a first MEP, where a MIAP and a plurality of MEPs are located in the same network maintenance area and the first MEP is one of the plurality of MEPs, the method comprising:
the first MEP sends the equipment information and the public key of the first MEP to the MIAP so that the MIAP can verify the validity of the identity of the first MEP based on the equipment information of the first MEP;
the first MEP receives first encryption information, wherein the first encryption information is sent to the first MEP by the MIAP after the first MEP is confirmed to pass verification, and the first encryption information comprises a symmetric key encrypted by a public key of the first MEP;
the first MEP sends feedback information to the MIAP, so that when the MIAP determines that the first MEP successfully receives the symmetric key according to the feedback information, the first MEP is marked as an MEP with successful registration;
wherein the symmetric key is used for the first MEP to communicate with other MEPs in the plurality of MEPs.
10. The method of claim 9, wherein prior to the first MEP sending the device information and public key of the first MEP to the MIAP, the method further comprises:
the first MEP receives first notification information from the MIAP, wherein the first notification information is used for indicating the MEP receiving the first notification information to return own equipment information and a public key to the MIAP.
11. The method of claim 10, wherein a higher level MEP in the plurality of MEPs sends a message to a same level or a lower level MEP.
12. The method of any one of claims 9-11, wherein the first MEP sends feedback information to the MIAP, comprising:
the first MEP decrypts the first encrypted information through a private key of the first MEP to obtain the symmetric key;
the first MEP performs hash calculation on the symmetric key to obtain a first hash value;
and the first MEP sends feedback information to the MIAP, wherein the feedback information carries the first hash value.
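The registration exchange of claims 1 to 12, with both sides in one runnable program. This is an added example written for this page, not code from the patent or from Ruijie Networks. The claims fix the message flow but not the algorithms, encodings or transport, so everything else is an assumption: RSA-2048 with OAEP for the first encryption information, a 32-byte symmetric key, SHA-256 for the first and second hash values, an in-memory method call in place of the Ethernet OAM multicast and unicast messages (the MD levels of claim 3 are omitted), and an `Approve` callback standing in for either branch of claim 4 (operator confirmation or preset rule). All type, field and function names (`MEP`, `MIAP`, `Enroll`, `Feedback`, `deliver`, `Register`, `Rotate`) and the device information strings are invented for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// MEP is one maintenance end point (the "first MEP" of claims 9 to 12). Names assumed.
type MEP struct {
	Info string          // device information the MIAP checks (claim 4)
	Pub  *rsa.PublicKey  // public key presented at enrolment
	priv *rsa.PrivateKey // never leaves the MEP
	Key  []byte          // symmetric key received from the MIAP, nil until registered
}
func NewMEP(info string) *MEP {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // RSA-2048 assumed
	if err != nil {
		panic(err)
	}
	return &MEP{Info: info, Pub: &k.PublicKey, priv: k}
}

// Enroll answers the MIAP notification with device info and public key (claims 2, 9, 10).
func (e *MEP) Enroll() (string, *rsa.PublicKey) { return e.Info, e.Pub }
// Feedback decrypts first_encryption_information (RSA-OAEP assumed) with the private key,
// keeps the symmetric key and returns SHA-256(key) for the MIAP to compare (claims 5, 12).
func (e *MEP) Feedback(encKey []byte) ([]byte, error) {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, e.priv, encKey, nil)
	if err != nil {
		return nil, err // a MEP that presented a public key it does not own ends here
	}
	e.Key = k
	return hash(k), nil
}
func hash(b []byte) []byte { s := sha256.Sum256(b); return s[:] }
// MIAP is the maintenance identity authentication node of claims 1 to 7.
type MIAP struct {
	Approve    func(info string) bool    // claim 4: operator confirmation or preset rule
	MaxSends   int                       // claim 6: preset number of key deliveries
	Key        []byte                    // current group key (32 bytes assumed)
	Stored     map[string]*rsa.PublicKey // claim 1: kept once identity verification passes
	Registered map[string]bool           // true once registered, false once marked failed
}
func NewMIAP(approve func(string) bool, maxSends int) *MIAP {
	return &MIAP{Approve: approve, MaxSends: maxSends, Key: newKey(),
		Stored: map[string]*rsa.PublicKey{}, Registered: map[string]bool{}}
}
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// deliver sends the key encrypted under pub and checks the fed-back hash against its own (claim 5).
func (m *MIAP) deliver(e *MEP, pub *rsa.PublicKey) bool {
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m.Key, nil)
	if err != nil {
		return false
	}
	fb, err := e.Feedback(enc)
	return err == nil && subtle.ConstantTimeCompare(fb, hash(m.Key)) == 1
}

// Register runs claims 1 to 6 for one MEP, resending the key up to MaxSends times.
func (m *MIAP) Register(e *MEP) error {
	info, pub := e.Enroll()
	if !m.Approve(info) {
		return fmt.Errorf("identity rejected: %s", info)
	}
	m.Stored[info] = pub
	for i := 0; i < m.MaxSends; i++ {
		if m.deliver(e, pub) {
			m.Registered[info] = true
			return nil
		}
	}
	m.Registered[info] = false // claim 6: marked as an MEP whose registration failed
	return fmt.Errorf("registration failed after %d sends: %s", m.MaxSends, info)
}

// Rotate replaces the symmetric key and redelivers it to every registered MEP (claim 7).
func (m *MIAP) Rotate(meps []*MEP) {
	m.Key = newKey()
	for _, e := range meps {
		if m.Registered[e.Info] {
			m.deliver(e, m.Stored[e.Info])
		}
	}
}

func main() {
	m := NewMIAP(func(s string) bool { return len(s) > 3 && s[:3] == "RG-" }, 3)
	fmt.Println("registered:", m.Register(NewMEP("RG-mep-01")) == nil) // constructed device info
}
```

Two failure paths are worth running. A MEP whose device information fails the rule is rejected before any key material is sent (claim 4). A MEP that enrols with a public key whose private key it does not hold cannot decrypt the first encryption information, never obtains the symmetric key, feeds back nothing useful and is marked failed after `MaxSends` attempts (claims 5 and 6); the hash comparison is what turns the feedback into a proof of possession of the presented key. Rotation (claim 7) reuses the stored public keys and reaches only MEPs whose registration succeeded.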
13. The method of claim 9, wherein each MEP in the plurality of MEPs holds a transmission identification field;
the method further comprises:
the first MEP encrypts the transmission identification field through the symmetric key, and performs hash calculation on the encrypted field to obtain a third hash value;
and when the first MEP sends first transmission information to a second MEP, the third hash value and the first transmission information are simultaneously sent to the second MEP, so that the second MEP verifies the validity of the identity of the first MEP according to the third hash value.
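Claim 13 as runnable code: the sending MEP's third hash value and the receiving MEP's check. This is an added example, not the patent's or Ruijie's code. The claim says only that the transmission identification field is encrypted with the symmetric key and the result hashed; the cipher (AES-256 over one 16-byte block), the hash (SHA-256), the 32-byte `GroupKey` and the contents of `TxField` are constructed assumptions, and `Tag` and `Verify` are invented names.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// GroupKey stands for the symmetric key a registered MEP received from the MIAP.
// Constructed for this example; 32 bytes, so AES-256 is assumed.
var GroupKey = []byte("0123456789abcdef0123456789abcdef")

// TxField is the transmission identification field of claim 13, constructed here as
// one 16-byte block. The page names neither the cipher nor the mode.
var TxField = [16]byte{'m', 'e', 'p', '-', '0', '1', '-', 'l', 'v', 'l', '-', '7', '-', 't', 'x', '0'}

// Tag computes the "third hash value": SHA-256 over the field encrypted with the key.
// A MEP without a key (not yet registered, or deregistered) cannot produce one.
func Tag(key []byte, field [16]byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	enc := make([]byte, aes.BlockSize)
	blk.Encrypt(enc, field[:])
	sum := sha256.Sum256(enc)
	return sum[:], nil
}

// Verify is the receiving MEP's check: recompute with its own copy of the key and
// compare in constant time, so a mismatch leaks nothing about the expected value.
func Verify(key []byte, field [16]byte, got []byte) bool {
	want, err := Tag(key, field)
	return err == nil && subtle.ConstantTimeCompare(want, got) == 1
}

func main() {
	tag, _ := Tag(GroupKey, TxField)
	fmt.Println("tag sent with first_transmission_information:", hex.EncodeToString(tag))
	fmt.Println("peer with the same key accepts:", Verify(GroupKey, TxField, tag))
	fmt.Println("peer with no key accepts:", Verify(nil, TxField, tag))
}
```

Because the value depends only on the key and the field, every message sent under one group key carries the same tag; what the receiving MEP learns is that the sender holds the current key distributed by the MIAP, which is the membership check claim 13 describes. Binding the tag to the message contents or to a counter is outside what the claim specifies.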
14. An apparatus for identity registration, applied to a MIAP, the MIAP being co-located with a plurality of MEPs in a network maintenance area, the apparatus comprising:
the first receiving module is used for acquiring the equipment information and the public key of the first MEP; wherein the first MEP is one of the plurality of MEPs;
a first processing module, configured to verify validity of an identity of the first MEP based on the device information of the first MEP;
the first storage module is used for storing the equipment information and the public key of the first MEP after the verification is passed;
a first sending module, configured to send first encryption information to the first MEP, where the first encryption information includes a symmetric key encrypted by a public key of the first MEP;
the first receiving module is further configured to receive feedback information from the first MEP;
the first processing module is further configured to mark the first MEP as an MEP that is successfully registered when it is determined that the first MEP successfully receives the symmetric key according to the feedback information; wherein the symmetric key is used for the first MEP to communicate with other MEPs in the plurality of MEPs.
15. An apparatus for identity registration, applied to a first MEP, where a MIAP and a plurality of MEPs are located in the same network maintenance area and the first MEP is one of the plurality of MEPs, the apparatus comprising:
a second sending module, configured to send the device information and the public key of the first MEP to the MIAP, so that the MIAP verifies the validity of the identity of the first MEP based on the device information of the first MEP;
a second receiving module, configured to receive first encryption information, where the first encryption information is sent by the MIAP to the first MEP after confirming that the first MEP passes verification, and the first encryption information includes a symmetric key encrypted by a public key of the first MEP;
the second sending module is further configured to send feedback information to the MIAP, so that when the MIAP determines that the first MEP successfully receives the symmetric key according to the feedback information, the first MEP is marked as an MEP that is successfully registered;
wherein the symmetric key is used for the first MEP to communicate with other MEPs in the plurality of MEPs.
16. A system for identity registration, comprising: the apparatus of claim 14 and the apparatus of claim 15.
17. An electronic device, comprising:
at least one processor; and a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor, by executing the instructions stored in the memory, causes the electronic device to perform the method of any one of claims 1-8 and 9-13.
18. A computer-readable storage medium for storing instructions that, when executed, cause the method of any of claims 1-8 and 9-13 to be implemented.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111638194.4A CN114338431B (en) 2021-12-29 2021-12-29 Identity registration method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111638194.4A CN114338431B (en) 2021-12-29 2021-12-29 Identity registration method, device and system

Publications (2)

Publication Number Publication Date
CN114338431A true CN114338431A (en) 2022-04-12
CN114338431B CN114338431B (en) 2024-08-20

Family

ID=81017474

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111638194.4A Active CN114338431B (en) 2021-12-29 2021-12-29 Identity registration method, device and system

Country Status (1)

Country Link
CN (1) CN114338431B (en)

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060007867A1 (en) * 2004-07-08 2006-01-12 Alcatel Domain configuration in an ethernet OAM network having multiple levels
US20080019363A1 (en) * 2006-07-24 2008-01-24 Nec Corporation Operation and administration system
US20090323636A1 (en) * 2006-08-03 2009-12-31 Aidan Dillon Roaming gateway
CN101873298A (en) * 2009-04-21 2010-10-27 华为软件技术有限公司 Registration method, terminal, server and system
US20120331136A1 (en) * 2010-03-31 2012-12-27 Nec Corporation Communication device, communication system, setting method, setting program, and setting circuit
JP2013128203A (en) * 2011-12-19 2013-06-27 Nec Commun Syst Ltd Communication system, communication control method, communication apparatus, communication apparatus control method, and communication apparatus control program
CN106230784A (en) * 2016-07-20 2016-12-14 杭州华三通信技术有限公司 Device authentication method and device
CN107508672A (en) * 2017-09-07 2017-12-22 浙江神州量子网络科技有限公司 Key synchronization method, key synchronization device and key synchronization system based on a symmetric key pool
CN111049794A (en) * 2019-10-14 2020-04-21 中国平安财产保险股份有限公司 Page reverse crawling method and device, storage medium and gateway equipment
US20200169880A1 (en) * 2018-11-23 2020-05-28 Industrial Technology Research Institute Network service system and network service method
CN111541677A (en) * 2020-04-17 2020-08-14 中国科学院上海微系统与信息技术研究所 Safe hybrid encryption method based on narrowband Internet of things
CN111835752A (en) * 2020-07-09 2020-10-27 国网山西省电力公司信息通信分公司 Lightweight authentication method based on equipment identity and gateway
CN113473420A (en) * 2021-07-02 2021-10-01 南京大学 Scientific research data privacy protection enhancement method and system oriented to wireless network environment
CN113709115A (en) * 2021-08-10 2021-11-26 亚信科技(成都)有限公司 Authentication method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
周彦伟, 杨波, 张文政: "Secure and efficient controllable anonymous roaming authentication protocol for heterogeneous wireless networks" (安全高效的异构无线网络可控匿名漫游认证协议), 软件学报 (Journal of Software), no. 02, 15 February 2016 (2016-02-15) *

Also Published As

Publication number Publication date
CN114338431B (en) 2024-08-20

Similar Documents

Publication Publication Date Title
US10231107B2 (en) Resource subscription processing method and device
US9894166B2 (en) Registration method and system for common service entity
CN109688186B (en) Data interaction method, device, equipment and readable storage medium
US20190166042A1 (en) Method for data transmitting, centralized controller, forwarding plane device and communication apparatus
US20140207929A1 (en) Management apparatus and management method
EP3206422A1 (en) Method and device for creating subscription resource
EP3598333B1 (en) Electronic device update management
CN104301141A (en) Method, device and system for storing configuration information
CN107959930A (en) Terminal access method, device, Lora servers and Lora terminals
CN112653699B (en) BFD authentication method and device and electronic equipment
CN114338431B (en) Identity registration method, device and system
US20210195418A1 (en) A technique for authenticating data transmitted over a cellular network
CN106685914A (en) Information authentication method, server and client
CN112242976A (en) Identity authentication method and device
CN107566473A (en) Electric power secondary system equipment check method
CN112583606B (en) Security verification method, server, terminal and storage medium
CN111030859B (en) Configuration method and device for port convergence
CN112887178A (en) Terminal network access method, device, equipment and storage medium of LoRaWAN server
CN112398820A (en) Data management method and device
CN114338777B (en) Escape control method and device
US12096214B2 (en) Establishing a backup connectivity between a sensor and a management system
CN116633698B (en) Data transmission method, apparatus, computer device, storage medium, and program product
CN115529590B (en) Method and device for acquiring capability open information and communication equipment
CN106685987B (en) Security authentication method and device for cascade network
CN117061160A (en) Equipment registration method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant