CN114553507B - Security authentication method, device, equipment and machine-readable storage medium - Google Patents

Publication number
CN114553507B
Authority
CN
China
Prior art keywords
ike
proposal
certificate
response node
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210126625.7A
Other languages
Chinese (zh)
Other versions
CN114553507A (en)
Inventor
李园园
姜腾飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd
Priority to CN202210126625.7A
Publication of CN114553507A
Application granted
Publication of CN114553507B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure provides a security authentication method, apparatus, device, and machine-readable storage medium. The method comprises: sending a preconfigured IKE security proposal group to a response node; receiving an associated response node certificate sent by the response node; and, according to the response node certificate, mutually verifying identities with the response node by using the associated local certificate. With this technical scheme, when a node device establishes a secure communication channel with other node devices in the same network, at least two alternative IKE security proposals are provided, so the secure communication channel is established more reliably: when more than one IKE security proposal can be used to establish the channel, a change to one IKE security proposal and/or its corresponding digital certificate no longer disconnects the IPsec tunnel, and secure communication channels can be established with different node devices using different IKE security proposals, which reduces networking complexity.

Description

Security authentication method, device, equipment and machine-readable storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a security authentication method, apparatus, device, and machine-readable storage medium.
Background
The IKE (Internet Key Exchange) protocol uses the language of ISAKMP (Internet Security Association and Key Management Protocol) to define the key exchange process. It is also the identity authentication mechanism by which the two communicating parties confirm each other's identities.
Digital signature authentication: both parties use digital certificates issued by a CA to prove their identity to the peer. Digital signature authentication is more secure and is often used in "center-branch" networking environments. For example, when IKE negotiation in a "center-branch" network uses pre-shared key authentication, the center side may need to configure one pre-shared key for each branch, which becomes complex when there are many branches, whereas digital signature authentication needs only one PKI domain.
IPsec (IP Security) is a Layer 3 tunnel encryption protocol defined by the IETF. It provides high-quality, cryptography-based security assurance for data transmitted over the Internet and is a traditional security technology for implementing Layer 3 VPNs (Virtual Private Networks). IPsec protects user data transmitted between specific communicating parties, for example two security gateways, by establishing a "tunnel" between them, commonly referred to as an IPsec tunnel.
IPsec is not a single protocol. It provides a complete security architecture for network data at the IP layer, including the security protocols AH (Authentication Header) and ESP (Encapsulating Security Payload), IKE (Internet Key Exchange), and algorithms for network authentication and encryption, among others. The SA (Security Association) is the basis and the essence of IPsec. IPsec provides secure communication between two endpoints, which are referred to as IPsec peers. An SA is an agreement between IPsec peers on certain elements, such as the security protocol used (AH, ESP, or a combination of both), the encapsulation mode of protocol messages (transport mode or tunnel mode), the authentication algorithm (HMAC-MD5, HMAC-SHA1 or SM3), the encryption algorithm (DES, 3DES, AES or SM), the shared key that protects data in a particular flow, and the lifetime of the key. Establishing an IPsec tunnel for communication requires two phases of negotiation: the phase-one IKE SA and the phase-two IPsec SA. When an IPsec VPN tunnel is negotiated, the phase-two IPsec SA negotiation can be initiated only after the phase-one IKE SA negotiation is completed.
In the networking process, the networking negotiation always establishes the same communication tunnel, which fixes the overall networking configuration, makes the configuration complicated, and leaves the networking insufficiently flexible.
Disclosure of Invention
In view of the above, the present disclosure provides a security authentication method, a security authentication device, an electronic device, and a machine-readable storage medium, so as to alleviate the above technical problems.
The technical scheme is as follows:
The present disclosure provides a security authentication method applied to a node device of a network, the method comprising: sending a preconfigured IKE security proposal group to a response node, the IKE security proposal group comprising at least two different IKE security proposals; receiving an associated response node certificate sent by the response node, wherein the response node certificate is a digital certificate that the response node, in response to the IKE security proposal group, matches according to a target IKE security proposal after matching that target IKE security proposal among the IKE security proposals of the group; and, according to the response node certificate, mutually verifying identities with the response node by using the associated local certificate.
As a technical solution, mutually verifying identities with the response node by using the associated local certificate according to the response node certificate includes: parsing the response node certificate, looking up, among the pre-stored local certificates, a local certificate that matches the response node certificate, and sending that local certificate and the corresponding key generation information to the response node, so that the response node completes the mutual identity verification; the local certificates are associated with one IKE security proposal in the IKE security proposal group.
As a technical solution, receiving the associated response node certificate sent by the response node includes: the response node, in response to the IKE security proposal group, matches each IKE security proposal of the group one by one against the IKE security proposals preconfigured locally on the response node; when at least two matching IKE security proposals are found, the IKE security proposal with the higher priority is selected as the target IKE security proposal; and the response node certificate is the digital certificate matched according to that target IKE security proposal.
As a technical solution, a negotiation failure message sent by the response node is received, the negotiation failure message being a feedback message that the response node sends when, in response to the IKE security proposal group, it fails to match a target IKE security proposal among the IKE security proposals of the group, or, after matching a target IKE security proposal, fails to match a digital certificate according to that target IKE security proposal; and the security authentication flow is stopped according to the negotiation failure message.
The present disclosure also provides a security authentication device applied to a node device of a network, the device including: a sending module, configured to send a preconfigured IKE security proposal group to a response node, the IKE security proposal group including at least two different IKE security proposals; a receiving module, configured to receive an associated response node certificate sent by the response node, wherein the response node certificate is a digital certificate that the response node, in response to the IKE security proposal group, matches according to a target IKE security proposal after matching that target IKE security proposal among the IKE security proposals of the group; and a processing module, configured to mutually verify identities with the response node by using the associated local certificate according to the response node certificate.
As a technical solution, mutually verifying identities with the response node by using the associated local certificate according to the response node certificate includes: parsing the response node certificate, looking up, among the pre-stored local certificates, a local certificate that matches the response node certificate, and sending that local certificate and the corresponding key generation information to the response node, so that the response node completes the mutual identity verification; the local certificates are associated with one IKE security proposal in the IKE security proposal group.
As a technical solution, receiving the associated response node certificate sent by the response node includes: the response node, in response to the IKE security proposal group, matches each IKE security proposal of the group one by one against the IKE security proposals preconfigured locally on the response node; when at least two matching IKE security proposals are found, the IKE security proposal with the higher priority is selected as the target IKE security proposal; and the response node certificate is the digital certificate matched according to that target IKE security proposal.
As a technical solution, the receiving module is further configured to receive a negotiation failure message sent by the response node, the negotiation failure message being a feedback message that the response node sends when, in response to the IKE security proposal group, it fails to match a target IKE security proposal among the IKE security proposals of the group, or, after matching a target IKE security proposal, fails to match a digital certificate according to that target IKE security proposal; and the processing module is further configured to stop the security authentication flow according to the negotiation failure message.
The present disclosure also provides an electronic device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor executing the machine-executable instructions to implement the aforementioned security authentication method.
The present disclosure also provides a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the aforementioned security authentication method.
The technical scheme provided by the disclosure at least brings the following beneficial effects:
When the node device establishes a secure communication channel with other node devices in the same network, at least two alternative IKE security proposals are provided, so the secure communication channel is established more reliably: when more than one IKE security proposal is provided, a change to one IKE security proposal and/or its corresponding digital certificate no longer disconnects the IPsec tunnel, and secure communication channels can be established with different node devices using different IKE security proposals, which reduces networking complexity.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings that are required to be used in the embodiments of the present disclosure or the description of the prior art will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments described in the present disclosure, and other drawings may also be obtained according to these drawings of the embodiments of the present disclosure to those skilled in the art.
FIG. 1 is a flow chart of a security authentication method in one embodiment of the present disclosure;
FIG. 2 is a flow chart of a security authentication method in one embodiment of the present disclosure;
FIG. 3 is a hardware block diagram of an electronic device in one embodiment of the present disclosure;
FIG. 4 is a flow chart in one embodiment of the present disclosure.
Detailed Description
The terminology used in the embodiments of the disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to any or all possible combinations including one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the embodiments of the present disclosure to describe various information, the information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present disclosure. Furthermore, depending on the context, the word "if" as used herein may be interpreted as "when", "upon", or "in response to a determination".
In the first phase of IKE SA negotiation, the sender first sends an IKE security proposal. After receiving it, the responder looks for a matching IKE security proposal. If none can be matched, the negotiation fails; if one is matched, the responder sends the confirmed IKE security proposal and a certificate. Digital certificate negotiation includes two authentication methods: digital signatures and digital envelopes.
1. In digital signature authentication, both communicating parties use a CA certificate to verify the validity of digital certificates. With a CA certificate, each party has its own public key (transmitted over the network) and private key (held by itself). The sender hashes the original message and encrypts the hash result with its private key, producing a digital signature. The receiver decrypts the digital signature with the sender's public key, hashes the received message with the same hash algorithm, and checks whether the result is the same as the hash value recovered from the sender's signature. If they are the same, authentication passes; otherwise, authentication fails.
2. Digital envelope authentication. Its basic principle is to encrypt a symmetric key asymmetrically (that is, with both a public key and a private key) and then send the encrypted symmetric key to the other party, much like a letter in real life. In real life, the law ensures that only the addressee may read the contents of a letter; the digital envelope uses cryptography to ensure that only the specified receiver can read the confidential content. In a digital envelope, the sender digitally signs the message to be sent by using a symmetric key (which the sender must randomly generate in advance), encrypts the symmetric key with the receiver's public key (this part is called the digital envelope), and then sends the encrypted symmetric key together with the digitally signed message to the receiver. On receipt, the receiver first opens the digital envelope with its own private key to obtain the sender's symmetric key, then uses the symmetric key to decrypt the digitally signed message and verifies whether the sender's digital signature is correct. If it is correct, authentication passes; otherwise, authentication fails.
In the networking process, the networking negotiation always establishes the same communication tunnel, which fixes the overall networking configuration, makes the configuration complicated, and leaves the networking insufficiently flexible.
Take center networking as an example (3 branch nodes corresponding to 1 center node). If the IKE authentication mode of the center node is configured as the SM2 digital envelope mode with a national encryption certificate, the IKE authentication mode of all 3 branch nodes must also be the SM2 digital envelope mode with a national encryption certificate; otherwise, establishment fails. This makes networking inflexible.
Once the center node changes its IKE authentication mode and certificate type and a branch node does not change its IKE configuration, the IPsec networking fails to be established, which causes great inconvenience in practical use.
The security authentication method, device, electronic equipment and machine-readable storage medium of the present disclosure can alleviate the above technical problems.
The specific technical scheme is as follows.
In one embodiment, the present disclosure provides a security authentication method applied to a node device of a network, the method including: sending a preconfigured IKE security proposal group to a response node, the IKE security proposal group comprising at least two different IKE security proposals; receiving an associated response node certificate sent by the response node, wherein the response node certificate is a digital certificate that the response node, in response to the IKE security proposal group, matches according to a target IKE security proposal after matching that target IKE security proposal among the IKE security proposals of the group; and, according to the response node certificate, mutually verifying identities with the response node by using the associated local certificate.
Specifically, as shown in FIG. 1, the method comprises the following steps:
Step S11, sending a preconfigured IKE security proposal group to the response node.
The IKE security proposal group comprises at least two different IKE security proposals.
Step S12, receiving the associated response node certificate sent by the response node.
The response node certificate is a digital certificate that the response node, in response to the IKE security proposal group, matches according to a target IKE security proposal after matching that target IKE security proposal among the IKE security proposals of the group.
Step S13, according to the response node certificate, mutually verifying identities with the response node by using the associated local certificate.
When the node device establishes a secure communication channel with other node devices in the same network, at least two alternative IKE security proposals are provided, so the secure communication channel is established more reliably: when more than one IKE security proposal is provided, a change to one IKE security proposal and/or its corresponding digital certificate no longer disconnects the IPsec tunnel, and secure communication channels can be established with different node devices using different IKE security proposals, which reduces networking complexity.
In one embodiment, mutually verifying identities with the response node by using the associated local certificate according to the response node certificate includes: parsing the response node certificate, looking up, among the pre-stored local certificates, a local certificate that matches the response node certificate, and sending that local certificate and the corresponding key generation information to the response node, so that the response node completes the mutual identity verification; the local certificates are associated with one IKE security proposal in the IKE security proposal group.
In one embodiment, receiving the associated response node certificate sent by the response node includes: the response node, in response to the IKE security proposal group, matches each IKE security proposal of the group one by one against the IKE security proposals preconfigured locally on the response node; when at least two matching IKE security proposals are found, the IKE security proposal with the higher priority is selected as the target IKE security proposal; and the response node certificate is the digital certificate matched according to that target IKE security proposal.
In one embodiment, a negotiation failure message sent by the response node is received, the negotiation failure message being a feedback message that the response node sends when, in response to the IKE security proposal group, it fails to match a target IKE security proposal among the IKE security proposals of the group, or, after matching a target IKE security proposal, fails to match a digital certificate according to that target IKE security proposal; and the security authentication flow is stopped according to the negotiation failure message.
In one embodiment, as shown in FIG. 4, the sender (the node device) sends to the responder (the response node) an IKE security proposal group containing the multiple IKE security proposals it is configured with. The responder is also configured with multiple IKE security proposals. After receiving the group, it checks one by one whether each received IKE security proposal is present in its own IKE configuration. If a corresponding IKE security proposal exists (if two or more are matched successfully, the one with the higher priority prevails), it proceeds to the next step; if none exists, the IKE negotiation fails. The responder then checks the certificates in its own IKE configuration and judges whether certificates of the type and number corresponding to the confirmed IKE security proposal exist. If so, the responder sends the confirmed IKE security proposal and the corresponding certificate (if several corresponding certificates exist, the certificate configured in advance prevails); if not, the IKE negotiation fails. After receiving the certificate, the sender judges whether it can be matched against the certificates in the sender's own IKE configuration. If it can, the sender sends key generation information and its own matching certificate; if it cannot, the sender feeds back a matching-failure message and the responder reselects another matching certificate. Once the digital certificates are determined, the two parties exchange key generation information and keys and mutually verify identities.
In one embodiment, if the responder matches two digital certificates associated with the corresponding IKE security proposal, the responder sends these digital certificates to the sender; after receiving them, the sender matches them against each of its local digital certificates and finds a digital certificate that can be matched. Once the digital certificates are determined, the two parties exchange key generation information and keys and mutually verify identities.
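The FIG. 4 flow can be modelled in a few dozen lines. The following is an added example, not code from the patent or from any H3C product: the `Proposal` and `Cert` fields, the "lower number = higher priority" convention, and the certificate matching rule (same certificate type and same issuing CA) are assumptions made for illustration, and the node names and CA names are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


class NegotiationFailed(Exception):
    """Models the negotiation failure message that stops the flow."""


@dataclass(frozen=True)
class Proposal:
    name: str
    auth_method: str   # e.g. "rsa-signature", "sm2-envelope"
    encryption: str
    integrity: str
    cert_type: str     # certificate type associated with this proposal
    priority: int = 0  # assumption: responder-local, lower number wins

    def params(self) -> Tuple[str, str, str, str]:
        return (self.auth_method, self.encryption, self.integrity, self.cert_type)


@dataclass(frozen=True)
class Cert:
    subject: str
    cert_type: str
    issuer: str


@dataclass(frozen=True)
class Result:
    proposal: str
    responder_cert: str
    initiator_cert: str
    certs_tried: Tuple[str, ...]


class Responder:
    def __init__(self, proposals: List[Proposal], certs: List[Cert]):
        self.proposals, self.certs = proposals, certs

    def select_proposal(self, offered: List[Proposal]) -> Proposal:
        # Check the offered proposals one by one against the local configuration.
        offered_params = {p.params() for p in offered}
        matches = [p for p in self.proposals if p.params() in offered_params]
        if not matches:
            raise NegotiationFailed("no IKE security proposal in common")
        return min(matches, key=lambda p: p.priority)  # higher priority prevails

    def candidate_certs(self, target: Proposal) -> List[Cert]:
        # Certificates of the type the confirmed proposal needs, in config order.
        certs = [c for c in self.certs if c.cert_type == target.cert_type]
        if not certs:
            raise NegotiationFailed(f"no certificate for proposal {target.name}")
        return certs


class Initiator:
    def __init__(self, proposals: List[Proposal], certs: List[Cert]):
        if len({p.params() for p in proposals}) < 2:
            raise ValueError("proposal group needs at least two different proposals")
        self.proposals, self.certs = proposals, certs

    def match_local_cert(self, peer: Cert) -> Optional[Cert]:
        # Assumed matching rule: same certificate type and same issuing CA.
        for c in self.certs:
            if c.cert_type == peer.cert_type and c.issuer == peer.issuer:
                return c
        return None


def negotiate(initiator: Initiator, responder: Responder) -> Result:
    target = responder.select_proposal(initiator.proposals)
    tried = []
    for peer_cert in responder.candidate_certs(target):
        tried.append(peer_cert.subject)
        local = initiator.match_local_cert(peer_cert)
        if local is not None:
            # Next step in the flow: key generation information is exchanged.
            return Result(target.name, peer_cert.subject, local.subject, tuple(tried))
        # Matching-failure feedback: the responder reselects another certificate.
    raise NegotiationFailed(f"no certificate pair matches for {target.name}")


# Constructed sample configuration: one center node and two branch nodes.
SM2 = Proposal("sm2-envelope", "sm2-envelope", "sm4", "sm3", "sm2", priority=1)
RSA = Proposal("rsa-signature", "rsa-signature", "aes-256", "sha256", "rsa", priority=2)
RSA_OLD = Proposal("rsa-legacy", "rsa-signature", "3des", "sha1", "rsa")

HUB = Responder([SM2, RSA], [Cert("hub-sm2-old", "sm2", "CA-OLD"),
                             Cert("hub-sm2", "sm2", "CA-SM"),
                             Cert("hub-rsa", "rsa", "CA-RSA")])
BRANCH_A = Initiator([RSA, SM2], [Cert("branchA-rsa", "rsa", "CA-RSA"),
                                  Cert("branchA-sm2", "sm2", "CA-SM")])
BRANCH_B = Initiator([RSA, RSA_OLD], [Cert("branchB-rsa", "rsa", "CA-RSA")])

if __name__ == "__main__":
    for name, node in (("A", BRANCH_A), ("B", BRANCH_B)):
        print(name, negotiate(node, HUB))
```

In this model the responder does not fall back to a lower-priority proposal when no certificate pair matches for the selected one; the page does not say whether it should. Because the responder chooses among every proposal both sides have configured, the weakest proposal in each group has to be one the operator is willing to run.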
In one embodiment, the present disclosure also provides a security authentication apparatus, as shown in FIG. 2, applied to a node device of a network, where the apparatus includes: a sending module 21, configured to send a preconfigured IKE security proposal group to the response node, the IKE security proposal group comprising at least two different IKE security proposals; a receiving module 22, configured to receive an associated response node certificate sent by the response node, wherein the response node certificate is a digital certificate that the response node, in response to the IKE security proposal group, matches according to a target IKE security proposal after matching that target IKE security proposal among the IKE security proposals of the group; and a processing module 23, configured to mutually verify identities with the response node by using the associated local certificate according to the response node certificate.
In one embodiment, mutually verifying identities with the response node by using the associated local certificate according to the response node certificate includes: parsing the response node certificate, looking up, among the pre-stored local certificates, a local certificate that matches the response node certificate, and sending that local certificate and the corresponding key generation information to the response node, so that the response node completes the mutual identity verification; the local certificates are associated with one IKE security proposal in the IKE security proposal group.
In one embodiment, receiving the associated response node certificate sent by the response node includes: the response node, in response to the IKE security proposal group, matches each IKE security proposal of the group one by one against the IKE security proposals preconfigured locally on the response node; when at least two matching IKE security proposals are found, the IKE security proposal with the higher priority is selected as the target IKE security proposal; and the response node certificate is the digital certificate matched according to that target IKE security proposal.
In one embodiment, the receiving module is further configured to receive a negotiation failure message sent by the response node, the negotiation failure message being a feedback message that the response node sends when, in response to the IKE security proposal group, it fails to match a target IKE security proposal among the IKE security proposals of the group, or, after matching a target IKE security proposal, fails to match a digital certificate according to that target IKE security proposal; and the processing module is further configured to stop the security authentication flow according to the negotiation failure message.
The device embodiments are the same as or similar to the corresponding method embodiments and are not described in detail herein.
In one embodiment, the present disclosure provides an electronic device including a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor executing the machine-executable instructions to implement the aforementioned security authentication method. At the hardware level, the hardware architecture is shown in Fig. 3.
In one embodiment, the present disclosure provides a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the aforementioned security authentication method.
Here, a machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that may contain or store information, such as executable instructions, data, or the like. For example, a machine-readable storage medium may be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., hard drive), a solid state drive, any type of storage disk (e.g., optical disk, DVD, etc.), or a similar storage medium, or a combination thereof.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units. Of course, when implementing the present disclosure, the functions of the various units may be implemented in the same one or more pieces of software and/or hardware.
It will be apparent to those skilled in the art that embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Moreover, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be appreciated by those skilled in the art that embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (which may include, but are not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The foregoing is merely an embodiment of the present disclosure and is not intended to limit the present disclosure. Various modifications and variations of this disclosure will be apparent to those skilled in the art. Any modifications, equivalent substitutions, improvements, or the like, which are within the spirit and principles of the present disclosure, are intended to be included within the scope of the claims of the present disclosure.

Claims (10)

1. A security authentication method, applied to a node device of a network, the method comprising:
transmitting a preconfigured set of IKE security proposals to a responding node, the set of IKE security proposals comprising at least two different IKE security proposals;
receiving an associated response node certificate sent by the response node, wherein the response node certificate is a digital certificate that the response node matches according to a target IKE security proposal after the response node, in response to the IKE security proposal group, matches that target IKE security proposal among the IKE security proposals of the IKE security proposal group;
and according to the response node certificate, mutually verifying the identity with the response node by using the associated local certificate.
2. The method of claim 1, wherein said mutually authenticating identities with a responding node using an associated local certificate based on said responding node certificate comprises:
analyzing the response node certificate, inquiring a local certificate matched with the response node certificate in each pre-stored local certificate, and sending the local certificate and corresponding key generation information to the response node so as to prompt the response node to complete mutual authentication identity;
the local certificates are associated with one IKE security proposal in the set of IKE security proposals.
3. The method of claim 1, wherein receiving the associated response node certificate sent by the response node, the response node certificate being a digital certificate that the response node matches according to a target IKE security proposal after matching that target IKE security proposal among the IKE security proposals of the IKE security proposal group in response to the IKE security proposal group, comprises:
the response node certificate is a digital certificate which is matched according to the target IKE security proposal, wherein the response node responds to the IKE security proposal group and matches each IKE security proposal of the IKE security proposal group with each IKE security proposal which is locally and pre-configured by the response node one by one, and after at least two matched IKE security proposals are found, the IKE security proposal with high priority is selected as the target IKE security proposal.
4. The method of claim 1, characterized by:
receiving a negotiation failure message sent by the response node, wherein the negotiation failure message is a feedback message that the response node sends, in response to the IKE security proposal group, either after failing to match a target IKE security proposal among the IKE security proposals of the IKE security proposal group, or after matching a target IKE security proposal but failing to match a digital certificate according to that target IKE security proposal;
and stopping the security authentication flow according to the negotiation failure message.
5. A security authentication apparatus, applied to a node device of a network, the apparatus comprising:
a sending module, configured to send a preconfigured IKE security proposal group to a responding node, the IKE security proposal group including at least two different IKE security proposals;
a receiving module, configured to receive an associated response node certificate sent by the response node, wherein the response node certificate is a digital certificate that the response node matches according to a target IKE security proposal after the response node, in response to the IKE security proposal group, matches that target IKE security proposal among the IKE security proposals of the IKE security proposal group;
and a processing module, configured to mutually verify identity with the response node by using the associated local certificate according to the response node certificate.
6. The apparatus of claim 5, wherein said mutually authenticating identities with a responding node using an associated local certificate based on said responding node certificate comprises:
analyzing the response node certificate, inquiring a local certificate matched with the response node certificate in each pre-stored local certificate, and sending the local certificate and corresponding key generation information to the response node so as to prompt the response node to complete mutual authentication identity;
the local certificates are associated with one IKE security proposal in the set of IKE security proposals.
7. The apparatus of claim 5, wherein receiving the associated response node certificate sent by the response node, the response node certificate being a digital certificate that the response node matches according to a target IKE security proposal after matching that target IKE security proposal among the IKE security proposals of the IKE security proposal group in response to the IKE security proposal group, comprises:
the response node certificate is a digital certificate which is matched according to the target IKE security proposal, wherein the response node responds to the IKE security proposal group and matches each IKE security proposal of the IKE security proposal group with each IKE security proposal which is locally and pre-configured by the response node one by one, and after at least two matched IKE security proposals are found, the IKE security proposal with high priority is selected as the target IKE security proposal.
8. The apparatus of claim 5, wherein:
the receiving module is further configured to receive a negotiation failure message sent by the response node, wherein the negotiation failure message is a feedback message that the response node sends, in response to the IKE security proposal group, either after failing to match a target IKE security proposal among the IKE security proposals of the IKE security proposal group, or after matching a target IKE security proposal but failing to match a digital certificate according to that target IKE security proposal;
and the processing module is further configured to stop the security authentication flow according to the negotiation failure message.
9. An electronic device, comprising: a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor to perform the method of any one of claims 1-4.
10. A machine-readable storage medium storing machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the method of any one of claims 1-4.
CN202210126625.7A 2022-02-10 2022-02-10 Security authentication method, device, equipment and machine-readable storage medium Active CN114553507B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210126625.7A CN114553507B (en) 2022-02-10 2022-02-10 Security authentication method, device, equipment and machine-readable storage medium

Publications (2)

Publication Number Publication Date
CN114553507A CN114553507A (en) 2022-05-27
CN114553507B true CN114553507B (en) 2024-02-09

Family

ID=81672779

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210126625.7A Active CN114553507B (en) 2022-02-10 2022-02-10 Security authentication method, device, equipment and machine-readable storage medium

Country Status (1)

Country Link
CN (1) CN114553507B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110086798A (en) * 2019-04-23 2019-08-02 北京奇安信科技有限公司 A kind of method and device communicated based on common virtual interface
CN110120907A (en) * 2019-04-25 2019-08-13 北京奇安信科技有限公司 A kind of communication means and device of the IPSec vpn tunneling based on proposal group
CN111130775A (en) * 2019-12-27 2020-05-08 广东电网有限责任公司电力科学研究院 Key negotiation method, device and equipment
CN111294212A (en) * 2020-05-12 2020-06-16 广东纬德信息科技股份有限公司 Security gateway key negotiation method based on power distribution
CN113747434A (en) * 2021-10-15 2021-12-03 湖南麒麟信安科技股份有限公司 IPSec-based mobile communication secure communication method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9350708B2 (en) * 2010-06-01 2016-05-24 Good Technology Corporation System and method for providing secured access to services

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Analysis of the IPSec key exchange standard; R. Perlman; Proceedings Tenth IEEE International Workshop on Enabling Technologies; full text *
S. Fluhrer; D. McGrew; P. Kampanakis; Cisco Systems. Postquantum Preshared Keys for IKEv2, draft-fluhrer-qr-ikev2-04. IETF. 2017, full text. *
IKEv2 authentication design supporting ECC digital certificates; 陆洁茹; 苏兵; Computer Engineering and Applications (No. 02); full text *

Also Published As

Publication number Publication date
CN114553507A (en) 2022-05-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant