CN114844716A - Digital signature message processing method, device, equipment and computer medium - Google Patents


Info

Publication number
CN114844716A
Authority
CN
China
Prior art keywords
digital signature
host
message
equipment
signature message
Prior art date
Legal status
Granted
Application number
CN202210576995.0A
Other languages
Chinese (zh)
Other versions
CN114844716B (en
Inventor
刘思聪
杨立辉
蔡超
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information


Abstract

The application provides a method, a device, equipment and a computer medium for processing a digital signature message, wherein the method comprises the following steps: receiving a digital signature message forwarded by access equipment and a destination address thereof; storing the digital signature message, the equipment information of the access equipment and the user identification information of the first host connected with the access equipment, and sending the digital signature message to a second host based on the destination address; and if a negotiation verification request of a digital signature message sent by a second host is received, sending the digital signature message and the user identification information to the access equipment based on the equipment information, so that the access equipment performs counterfeit message detection on the first host sending the digital signature message based on the user identification information. The method and the device can efficiently identify the forged digital signature message without introducing an authoritative certification CA mechanism, effectively improve the safety and reliability of a network system, and reduce the operation cost of the whole service.

Description

Digital signature message processing method, device, equipment and computer medium
Technical Field
The present application relates to the field of computer information transmission and security, and in particular, to a method, an apparatus, a device, and a computer medium for processing a digital signature packet.
Background
A digital signature is both a cryptographic mechanism and a proof mechanism for network information transmission: it is a digital string that can be generated only by the sender of the information or message and cannot be forged by others, and it therefore serves as effective proof of the authenticity of the information or message that the sender transmits.
However, the difficulty with digital signature algorithms is ensuring that a message was really signed by sender A. A digital signature is produced by the owner of a private key, and only the owner knows what that private key is. If a third party generates a digital signature with a private key and sends it to receiver B over the Internet, B cannot judge whether the digital signature was produced by sender A; that is, the digital signature itself cannot guarantee that it was generated with the real sender's private key, so the message receiver cannot identify a forged digital signature message.
Disclosure of Invention
In view of the above problems, the present application provides a method, an apparatus, a device, and a computer medium for processing a digital signature packet, so as to solve the problem that a message receiver cannot identify a forged digital signature packet because it cannot confirm that a digital signature was generated with the real sender's private key rather than by a third party.
In order to achieve the above purpose, the present application provides the following technical solutions:
In a first aspect, the present application provides a method for processing a digital signature packet, where the method is applied to a forwarding device, and the method includes:
receiving a digital signature message and a destination address thereof forwarded by access equipment, wherein the digital signature message and the destination address thereof are received by the access equipment from a first host connected with the access equipment and forwarded to the forwarding equipment, and the digital signature message carries a public key, a file and a digital signature;
storing the digital signature message, the equipment information of the access equipment and the user identification information of the first host connected with the access equipment, and sending the digital signature message to a second host based on the destination address;
and if a negotiation verification request of a digital signature message sent by a second host is received, sending the digital signature message and the user identification information to the access equipment based on the equipment information, so that the access equipment performs counterfeit message detection on the first host sending the digital signature message based on the user identification information.
In one embodiment, the digital signature message negotiation validation request is issued by the second host to the forwarding device upon identification of a different digital signature.
In one embodiment, after receiving a digital signature message forwarded by an access device and before storing the digital signature message, device information of the access device, and user identification information of a first host connected to the access device, the method further includes:
identifying, based on the destination address, whether the second host that is to receive the digital signature message is a host connected to the forwarding device itself; if so, executing the step of storing the digital signature message, the equipment information of the access equipment and the user identification information of the first host connected with the access equipment.
In one embodiment, the digitally signed message is forwarded after the access device receives the digitally signed message from a first host to which it is connected and writes a first label of the access device in a first specific field of the digitally signed message.
In one embodiment, after receiving a digital signature message forwarded by an access device and before storing the digital signature message, device information of the access device, and user identification information of a first host connected to the access device, the method further includes:
if the digital signature message does not carry the second label of the forwarding device itself, writing the second label of the forwarding device into a second specific field of the digital signature message.
In a second aspect, the present application provides another digital signature packet processing method, which is applied to an access device, and the method includes:
receiving a digital signature message and a destination address thereof sent by a first host connected with the access device itself, wherein the digital signature message carries a public key, a file and a digital signature;
forwarding the digital signature message to forwarding equipment based on the destination address so that the forwarding equipment stores the digital signature message, equipment information of the access equipment and user identification information of a first host connected with the access equipment, sends the digital signature message to a second host based on the destination address, and sends the digital signature message to the access equipment based on the equipment information and the user identification information when a negotiation verification request of the digital signature message sent by the second host is received;
and performing counterfeit message detection on the first host that sent the digital signature message based on the user identification information.
In one embodiment, the digital signature message negotiation validation request is issued by the second host to the forwarding device upon identification of a different digital signature.
In one embodiment, after receiving a digitally signed packet sent by a first host connected to the access device itself and before forwarding the digitally signed packet to the forwarding device based on the destination address, the method further includes:
writing a first label of the access device in a first specific field of the digitally signed packet.
In one embodiment, performing counterfeit message detection on the first host sending out the digitally signed message based on the user identification information includes:
and judging whether the session between the first host and the second host exists in the historical session record of the first host, if so, judging that the first host sending the digital signature message is a valid host, and the digital signature message is a valid message.
In one embodiment, performing counterfeit message detection on the first host sending out the digitally signed message based on the user identification information includes:
sending a counterfeit message of another service to the first host, and judging whether the first host, after receiving the counterfeit message, processes it using other user identification information; if so, judging that the first host sending the digital signature message is a valid host and that the digital signature message is a valid message.
In a third aspect, the present application provides a digital signature packet processing apparatus, applied to a forwarding device, including:
the first receiving module is configured to receive a digital signature message and a destination address thereof forwarded by an access device, wherein the digital signature message and the destination address thereof are received by the access device from a first host connected with the access device and forwarded to the forwarding device, and the digital signature message carries a public key, a file and a digital signature;
the storage module is configured to store the digital signature message, the device information of the access device and the user identification information of the first host connected with the access device, and send the digital signature message to the second host based on the destination address;
and the sending and detection module is configured to send the digital signature message and the user identification information to the access equipment based on the equipment information if a digital signature message negotiation verification request sent by a second host is received, so that the access equipment carries out forged message detection on the first host sending the digital signature message based on the user identification information.
In a fourth aspect, the present application provides a digital signature packet processing apparatus, which is applied to an access device, and the apparatus includes:
the second receiving module is configured to receive a digital signature message and a destination address thereof sent by a first host connected with the access device itself, wherein the digital signature message carries a public key, a file and a digital signature;
a forwarding module configured to forward the digitally signed packet to a forwarding device based on the destination address, so that the forwarding device stores the digitally signed packet, device information of the access device, and user identification information of the first host connected to the access device, sends the digitally signed packet to a second host based on the destination address, and sends the digitally signed packet and the user identification information to the access device based on the device information when a negotiation verification request for the digitally signed packet sent by the second host is received;
and the detection module is configured to perform counterfeit message detection on the first host sending the digital signature message based on the user identification information.
In a fifth aspect, a forwarding device is provided, which includes: a processor and a memory;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory, so that the forwarding device executes the digital signature message processing method.
In a sixth aspect, an access device is provided, which includes: a processor and a memory;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory, so that the access device executes the other digital signature message processing method.
In a seventh aspect, a computer-readable storage medium is provided, in which computer-executable instructions are stored, and when executed by a processor, the computer-executable instructions are used to implement the first digital signature message processing method or the second digital signature message processing method.
According to the digital signature message processing method, apparatus, device and computer medium provided by the application, a negotiation decision mechanism of the intermediate devices, namely the access device and the forwarding device, is used when a digital signature message is transmitted between a sender and a receiver. The access device and the forwarding device access and forward the digital signature message, record and store the digital signature message, the device information of the corresponding access device and the user identification information of the first host connected to that access device, and use the detection function of the intermediate devices to detect forged digital signature messages. Forged digital signature messages can thus be efficiently identified without introducing an authoritative CA certification mechanism, so that the safety and reliability of the network system are effectively improved and the operation cost of the whole service is reduced.
Drawings
Fig. 1 is a schematic diagram of a network architecture for digital signature message transmission in the related art;
Fig. 2 is a schematic diagram of a network architecture for digital signature message transmission with counterfeit messages in the related art;
Fig. 3 is a schematic diagram of a possible network architecture according to an embodiment of the present application;
Fig. 4 is a schematic flowchart of a digital signature message processing method according to an embodiment of the present application;
Fig. 5 is a schematic flowchart of another digital signature message processing method according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a digital signature message processing apparatus according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of another digital signature message processing apparatus according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a forwarding device according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of an access device according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a digital signature message processing system according to an embodiment of the present application.
Detailed Description
To facilitate understanding of embodiments of the present application, the digital signature mechanism is explained first. A digital signature can be compared to a person signing his or her name on a document. When the signature is made on paper, we can verify (for example, by the handwriting) that it actually came from that person's hand. But how can we verify that a digital signature on a document was really made by the person who claims to have signed it? The digital signature mechanism solves this problem. With reference to Fig. 1, the specific mechanism is as follows:
1) Assume that communication is between A (the sender) and B (the receiver).
2) A generates a public key and a private key according to the RSA encryption algorithm.
3) A carries out a hash operation on the file to be transmitted to obtain a file hash value H.
4) A encrypts the hash value of the file with the private key to obtain a digital signature S.
5) A sends the public key, the file and the digital signature to B through the Internet.
6) After receiving the information, B starts to verify whether the digital signature was produced by A, with the following specific steps.
7) B decrypts S with the public key to obtain a file hash value G (this is a characteristic of the RSA encryption algorithm, namely that decryption can be completed with the public key).
8) B carries out a hash operation on the received file to obtain G'.
9) B compares G with G'; if G equals G', the conclusion is that the signature is established, otherwise the conclusion is negative.
The above are the overall steps of the digital signature. The process can ensure that the file is not tampered with while being transmitted through the Internet: if the file is tampered with, its hash value changes, so G = G' cannot be obtained.
The above process involves two important concepts, the RSA encryption algorithm and the hash algorithm. RSA is an asymmetric encryption algorithm whose encryption and decryption processes can be performed in both directions. Specifically, the encrypting party produces a pair consisting of a public key and a private key, encrypts the file with the private key, and at the same time discloses the public key. The characteristics of RSA ensure that the decrypting party can decrypt the encrypted file with only the public key information, without obtaining the private key information of the encrypting party. The hash is a one-way algorithm (an open algorithm); the common Message-Digest Algorithm 5 (MD5) is one hash algorithm. A hash algorithm can process any kind of file and produce a number of fixed length. This number corresponds to the file, but the source file cannot be recovered from it.
The difficulty with digital signature algorithms is that it is hard to ensure that a document was signed by A, because a digital signature can only be produced by the owner of the private key, and what the private key is, only the owner himself knows. If a third person generates a digital signature with his own private key and sends it to B through the Internet, B cannot judge whether the digital signature was produced by A or not, as shown in Fig. 2.
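The nine steps above and the Fig. 2 forgery, as an added example that is not part of the patent: Go's standard-library RSA (PKCS#1 v1.5 over SHA-256) stands in for "encrypt the hash with the private key", and the key size, the sample file and the function names are assumptions of this example. It shows that steps 7 to 9 alone accept a signature made by a third party with its own key pair, and that only a binding between A's identity and A's public key rejects it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is what A sends to B in Fig. 1: public key, file and digital signature.
type SignedMessage struct {
	PublicKey *rsa.PublicKey
	File      []byte
	Signature []byte
}

// Sign is steps 3 and 4: hash the file and sign the hash with the private key
// (RSA PKCS#1 v1.5 with a SHA-256 digest stands in for "encrypt with the private key").
func Sign(priv *rsa.PrivateKey, file []byte) (SignedMessage, error) {
	h := sha256.Sum256(file)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{PublicKey: &priv.PublicKey, File: file, Signature: sig}, nil
}

// Verify is steps 7 to 9 exactly as B performs them: recover G from S with the
// public key carried in the message, compute G' over the received file, compare.
// B trusts whatever public key the message carries; that is the gap of Fig. 2.
func Verify(m SignedMessage) bool {
	h := sha256.Sum256(m.File)
	return rsa.VerifyPKCS1v15(m.PublicKey, crypto.SHA256, h[:], m.Signature) == nil
}

// VerifyBound is the check B can only make with some binding between A's identity
// and A's public key (a CA certificate in the related art, the negotiation
// mechanism in this application): the carried key must be the key known to be A's.
func VerifyBound(m SignedMessage, knownKeyOfA *rsa.PublicKey) bool {
	return m.PublicKey.Equal(knownKeyOfA) && Verify(m)
}

// Outcome records the four checks of the scenario.
type Outcome struct {
	GenuineVerifies     bool // A's own message passes steps 7 to 9
	TamperedVerifies    bool // the same message after the file was altered in transit
	ForgedVerifies      bool // Fig. 2: a third party signs the file with its own key
	ForgedVerifiesBound bool // the forged message checked against A's known key
}

// RunScenario builds the Fig. 1 exchange and the Fig. 2 forgery on a constructed file.
func RunScenario() (Outcome, error) {
	var out Outcome
	keyA, err := rsa.GenerateKey(rand.Reader, 2048) // step 2: A's key pair
	if err != nil {
		return out, err
	}
	keyThird, err := rsa.GenerateKey(rand.Reader, 2048) // the third party's own key pair
	if err != nil {
		return out, err
	}
	file := []byte("constructed sample file: pay 100 units to account 42")

	genuine, err := Sign(keyA, file) // step 5: A sends public key, file and S
	if err != nil {
		return out, err
	}
	out.GenuineVerifies = Verify(genuine) // true

	tampered := genuine
	tampered.File = []byte("constructed sample file: pay 900 units to account 42")
	out.TamperedVerifies = Verify(tampered) // false: G != G'

	// The impostor never sees A's private key. It sends ITS public key, the
	// file and a signature made with ITS private key, claiming to be A.
	forged, err := Sign(keyThird, file)
	if err != nil {
		return out, err
	}
	out.ForgedVerifies = Verify(forged)                            // true: B cannot tell
	out.ForgedVerifiesBound = VerifyBound(forged, &keyA.PublicKey) // false
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```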
Since the public key and the private key are always produced in pairs, the owner of a certain private key is also the generator of the corresponding public key, and since the public key cannot be spoofed (because it is always published on the Internet), it is only necessary to prove that the public key was generated by A. In order to ensure the authenticity of the digital signature, the method generally adopted in the related art is the digital certificate, in which a digital certificate is issued to A by a digital Certificate Authority (CA): A submits personal information and public key information to the CA, and the CA issues a certificate to A. The certificate records the personal information of A and A's public key, and A then puts the certificate on the Internet. Thus B can determine whether the public key belongs to A.
The disadvantages of this mechanism are that 1) it relies heavily on the digital certificate authority, and if the CA is in error, serious consequences can follow; and 2) it brings high operating costs, since the communicating parties pay a high service fee for obtaining the signed certificate even when network communication is normal, and the operating cost of the mechanism grows higher and higher as the number of users increases.
In view of this, an embodiment of the present application provides a digital signature packet processing scheme that employs a negotiation decision mechanism of a forwarding device: when a digital signature packet is transmitted between a sender and a receiver, the packet is accessed and forwarded by an access device and the forwarding device, the forwarding process is recorded, and packets with forged digital signatures are detected by the negotiation and judgment functions of the access device and the forwarding device. The scheme can help a communication network to make effective use of digital signatures without introducing an authoritative CA certification mechanism, reduce the success rate of forged digital signature messages, effectively improve the safety and reliability of the network system, and reduce the operating cost of the whole service.
In order to make the objects, technical solutions and advantages of the present application clearer, the technical solutions in the embodiments of the present application will be described in more detail below with reference to the accompanying drawings in the embodiments of the present application. In the drawings, the same or similar reference numerals denote the same or similar components or components having the same or similar functions throughout. The described embodiments are a subset of the embodiments in the present application and not all embodiments in the present application. The embodiments described below with reference to the drawings are exemplary and intended to be used for explaining the present application and should not be construed as limiting the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Fig. 3 is a diagram of a possible network architecture provided in an embodiment of the present application. As shown in Fig. 3, it includes a first access device X, a second access device Z, and a forwarding device Y, where the first access device X, the second access device Z, and the forwarding device Y may be connected to each other through a wired or wireless network. For example, the data transmission links between the first access device X, the second access device Z, and the forwarding device Y may further include other communication devices. The first access device X is connected to host A, the second access device Z is connected to host C, and the forwarding device is connected to host B; host A and host C each correspond to a message sender, and host B corresponds to the message receiver.
The first access device X, the second access device Z, and the forwarding device Y are terminal devices capable of receiving and forwarding a digital signature packet, and may include, but are not limited to, a computer, a smart phone, a tablet computer, an electronic book reader, an MP3 (Moving Picture Experts Group Audio Layer 3) player, an MP4 (Moving Picture Experts Group Audio Layer 4) player, a portable computer, a vehicle-mounted computer, a wearable device, a desktop computer, a set-top box, a smart television, and the like.
Optionally, in other examples, the number of the access devices may be more or less, and this is not limited in this embodiment of the application.
A host refers to the main body of a computer apart from its input and output devices, that is, the control box (chassis) that houses the mainboard and other main components. It typically includes a CPU, memory, motherboard, hard disk, optical drive, power supply, chassis, heat dissipation system, and other input/output controllers and interfaces. In this embodiment, a host refers to a terminal device that transmits and receives information.
The above scenario diagram of the present application has been briefly described. The following takes the access device X and the forwarding device Y of Fig. 1 as an example to describe in detail the digital signature message processing method provided in the embodiment of the present application.
Referring to fig. 4, fig. 4 is a schematic flowchart of a digital signature packet processing method provided in this embodiment, and is applied to a forwarding device Y, where the method includes steps S401 to S403.
Step S401, receiving a digital signature message and a destination address thereof forwarded by an access device, wherein the digital signature message and the destination address thereof are received by the access device from a first host connected with the access device and forwarded to the forwarding device, and the digital signature message carries a public key, a file and a digital signature.
It is to be understood that the digitally signed message is a message used to verify the identity of the information transmitting party by means of a digital signature; the type, content and so on of the message are not particularly limited.
In this embodiment, the first host is host A and the second host is host B. Instead of the direct message transmission between host A and host B used in the prior art, when host A needs to transmit a digital signature message to host B, the intermediate devices, that is, the access device X and the forwarding device Y, are used to forward the digital signature message. Specifically, host A first sends the digital signature message, including a public key, a file, and a digital signature, to the access device X, and sets the destination address of the message to the address of host B. After receiving the message, the access device X recognizes that the message is a digital signature message and then enters the subsequent message forwarding step.
Step S402, storing the digital signature message, the equipment information of the access equipment and the user identification information of the first host connected with the access equipment, and sending the digital signature message to the second host based on the destination address.
In this embodiment, after receiving the digital signature message, the forwarding device records and stores the digital signature message information, the device information of the access device X, and the user identification (ID) information of host A, and forwards the digital signature message to host B.
It should be noted that the forwarding device Y of this embodiment serves as the last hop of the digital signature packet in the network. In some embodiments, if the receiver host B is not a host to which the forwarding device Y is connected, the forwarding device Y continues to forward the digital signature packet to the forwarding device of the next hop until the packet reaches the forwarding device connected to host B. In that case the digital signature packet, the device information of the access device and the user identification information of the first host connected to the access device may be stored only by the forwarding device of the last hop or of any other hop, or the forwarding device of each hop may store the above information; this is not limited in this embodiment.
Step S403, if a negotiation verification request of a digital signature packet sent by a second host is received, sending the digital signature packet and the user identification information to the access device based on the device information, so that the access device performs counterfeit packet detection on the first host sending the digital signature packet based on the user identification information.
Wherein the digital signature message negotiation verification request is sent by the second host to the forwarding device when a different digital signature is identified.
Specifically, if host B receives only one piece of digital signature information within a specific time range, this indicates that the message is a digital signature sent by host A (assuming that host A is the real identity), and the sending process of the digital signature is finished. If host B receives more than one piece of digital signature information within the specific time range, it is judged that a counterfeiter of the digital signature exists in the network. At this time, host B sends a digital signature message negotiation verification request message to the forwarding device Y. It will be appreciated that the specific time range may be set according to the actual application, such as the time period for message transmission between A and B.
After receiving the negotiation verification request for the digital signature message from host B, the forwarding device Y sends the digital signature message and the user identification information to the corresponding access device X (and, if the device information of an access device Z is stored, to the access device Z at the same time) based on the stored device information, so that the access device X (and the access device Z) performs forged message detection on the first host sending the digital signature message based on the user identification information.
Further, the counterfeit message detection process may be as follows: after receiving the message, the access device X (and the access device Z) each initiate a check of host A (or of host C connected to the access device Z), and may at the same time start a negotiation process with each other (between the access device X and the access device Z). Taking the checking procedure of X as an example: the access device X may check the previous session records of host A, and if it is determined that a session has taken place between A and B, A is determined to be a valid host; or the access device X may initiate a dummy packet of another service to host A, and if host A uses another user ID (often its real user ID), host A is determined to be a valid host. Through the above methods the access device X and the access device Z can each identify the real user, that is, A is the real user. As an optimization, the access device X and the access device Z initiate a negotiation interaction message, and the access device Z lists the address of host C in a blacklist, so that subsequent forging of messages by host C is prevented.
In the above process, the authenticity authentication of the digital signature message can be realized only by using the negotiation interaction between the access device and the forwarding device, without introducing an authoritative authentication CA mechanism in the related technology, thereby effectively helping the communication network to effectively utilize the digital signature, reducing the success rate of the message forged by the digital signature, improving the safety and reliability of the network system, and reducing the operation cost of the whole service.
In one embodiment, after receiving a digital signature message forwarded by an access device (step S401), and before storing the digital signature message, device information of the access device, and user identification information of a first host connected to the access device (step S402), the method further includes the following steps:
based on the destination address, identifying whether the second host that is to receive the digital signature message is a host connected to the forwarding device itself, and if so, executing the step of storing the digital signature message, the device information of the access device and the user identification information of the first host connected to the access device.
In this embodiment, considering that forwarding device Y may serve as an intermediate router in the transmission network and that a host connected to it need not be the receiver, in order to avoid storing and forwarding useless information, forwarding device Y stores and sends the information only when it identifies that the receiving device is a host connected to itself; that is, the subsequent steps are performed only when forwarding device Y is the last hop of the digital signature message transmission.
In one implementation, in order to record the network devices passed through during transmission of the digital signature message and thereby facilitate detection of counterfeit messages, the digital signature message of this embodiment is forwarded after the access device receives the digital signature from the first host connected to it and writes the first tag of the access device into a first specific field of the digital signature message.
It should be noted that "first tag" and "second tag" serve only to distinguish different tag information and have no other meaning. The first tag of the access device may be the egress IP address and MAC address of the access device; correspondingly, the second tag of the forwarding device may be the egress IP address and MAC address of the forwarding device.
Further, forwarding device Y also writes its own tag information into the digital signature message to record the network devices through which the digital signature message passes. Specifically, after receiving the digital signature message forwarded by the access device (step S401), and before storing the digital signature message, the device information of the access device and the user identification information of the first host connected to the access device (step S402), the method further includes the following step:
if the digital signature message does not carry the second tag of the forwarding device itself, writing the second tag of the forwarding device into a second specific field of the digital signature message.
In some embodiments, access device X or another forwarding device may already have written forwarding device Y's tag information into the digital signature message, in which case forwarding device Y need not write its tag information again.
Referring to fig. 5, fig. 5 is a schematic flow chart of another digital signature message processing method provided in the embodiment of the present application, and the method is applied to an access device X, where the method includes steps S501 to S503.
Step S501, receiving a digital signature message and a destination address thereof sent by a first host connected with self equipment, wherein the digital signature message carries a public key, a file and a digital signature;
step S502, forwarding the digital signature packet to a forwarding device based on the destination address, so that the forwarding device stores the digital signature packet, the device information of the access device and the user identification information of the first host connected thereto, sends the digital signature packet to the second host based on the destination address, and sends the digital signature packet to the access device based on the device information and the user identification information when receiving a negotiation verification request of the digital signature packet sent by the second host;
Step S503, performing counterfeit message detection on the first host that sent the digital signature message based on the user identification information.
In one embodiment, the digital signature message negotiation validation request is issued by the second host to the forwarding device upon identification of a different digital signature.
In one embodiment, after receiving a digitally signed packet sent by a first host connected to the self device and before forwarding the digitally signed packet to the forwarding device based on the destination address, the method further includes:
and writing a first label of the self equipment in a first specific field of the digital signature message.
In one embodiment, counterfeit messages are determined by checking historical sessions. Specifically, performing counterfeit message detection on the first host that sent the digital signature message based on the user identification information (step S503) includes the following step:
judging whether a session between the first host and the second host exists in the historical session records of the first host; if so, judging that the first host that sent the digital signature message is a valid host and that the digital signature message is a valid message.
In one embodiment, the host identity is identified by sending a dummy message. Specifically, performing counterfeit message detection on the first host that sent the digital signature message based on the user identification information (step S503) includes the following step:
sending a dummy message of another service to the first host, and judging whether the first host, after receiving the dummy message, processes it using other user identification information; if so, judging that the first host that sent the digital signature message is a valid host and that the digital signature message is a valid message.
It should be noted that the principle of the above steps has been described in detail in the above embodiments, and the details of the embodiments are not repeated.
In an exemplary embodiment, with reference to the network architecture diagram of fig. 3, the flow of the digital signature message processing method provided by the present application is as follows:
1) A sends a public key, a file and a digital signature to access device X, setting the destination address of the message to the address of B;
2) X identifies the digital signature message, writes its own tag into the message and forwards it; the tag content is the egress IP address and MAC address of the device;
3) each forwarding device on the forwarding path identifies the message; when it sees its own tag information already present in the specific field, it does not write its tag again;
4) when forwarding device Y identifies that the destination address of the message is a host connected to Y itself, it can conclude that it is the last hop of the message in the network;
5) Y records the digital signature message information, the access device X and the address information of sender A's user ID, and forwards the message to B;
6) if B receives only one digital signature within a specific time range, the message is judged to be the digital signature sent by A and the sending process of the digital signature is finished;
7) if B receives more than one digital signature within the specific time range, it judges that a counterfeiter targeting the digital signature exists in the network, and sends a negotiation request message for the digital signature message to Y;
8) at this point Y has recorded different public key information for the same user ID (the user ID of A) together with the corresponding access device information, i.e. A_ID: X and A_ID: Z. Y sends the related messages and the address information of X and Z to X and Z respectively;
9) after receiving the messages, X and Z initiate checks of hosts A and C respectively and start a negotiation process with each other (between X and Z). The check can take two forms; taking X's check as an example: first, access device X inspects the previous session records of host A, and if a session is found to have taken place between A and B, A is determined to be a valid host; second, access device X sends host A a dummy message of another service, and if host A answers using another user ID (often its real user ID), host A is determined to be a valid host. By these methods X and Z can each identify the real user, namely A;
10) X and Z exchange negotiation messages, and Z places the address of host C on a blacklist, eliminating subsequent forgery of messages by C.
Through this process the success rate of messages forged under a digital signature can be effectively reduced without introducing an authoritative certification authority, the reliability of the network system is improved, and the operating cost of the service as a whole is reduced.
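The ten-step flow above as an added simulation (example code written for this page, not the patent's own implementation): the legitimate host A and a forger C both send a message under A's user ID to B, A signing with its own key and C with a different key of its own. Signature creation and verification are a hash-based stand-in for a real signature scheme, chosen only so that each (public key, file, signature) triple verifies against the key that accompanies it; the tag strings, the 5-second window, the session history held by X and Z, and the way each host answers the probe of another service are constructed assumptions.

```python
"""Simulation of the CA-less forgery detection flow above (hosts A/B/C, access
devices X/Z, last-hop forwarding device Y). Added example; signature scheme is a stand-in."""
from __future__ import annotations
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = 5.0  # B's "specific time range" (assumed value)

def toy_sign(pubkey: bytes, file: bytes) -> bytes:
    # Stand-in for a real signature: whoever picks the key can produce a triple
    # that verifies against that same key, so B cannot tell A from a forger alone.
    return hashlib.sha256(b"sig|" + pubkey + b"|" + file).digest()

def toy_verify(pubkey: bytes, file: bytes, sig: bytes) -> bool:
    return toy_sign(pubkey, file) == sig

@dataclass
class SignedMessage:
    user_id: str          # self-asserted sender identity; no CA vouches for it
    src_host: str
    dst_host: str
    pubkey: bytes
    file: bytes
    signature: bytes
    ts: float
    first_tag: str = ""   # access-device egress IP/MAC (first specific field)
    second_tag: str = ""  # forwarding-device egress IP/MAC (second specific field)

class AccessDevice:
    def __init__(self, tag: str, sessions: dict[str, set[str]],
                 probe_ids: dict[str, Optional[str]]) -> None:
        self.tag = tag
        self.sessions = sessions    # host -> peers seen in historical sessions
        self.probe_ids = probe_ids  # host -> ID it answers another service's probe with (constructed)
        self.blacklist: set[str] = set()

    def forward(self, msg: SignedMessage, fwd: ForwardingDevice) -> None:
        if not msg.first_tag:       # step 2: write own tag, then forward
            msg.first_tag = self.tag
        fwd.receive(msg, self)

    def detect_forgery(self, msg: SignedMessage) -> bool:
        """Step 9: True if the sending host is judged valid."""
        if msg.dst_host in self.sessions.get(msg.src_host, set()):
            return True             # check 1: a prior session with B is on record
        reply = self.probe_ids.get(msg.src_host)  # check 2: dummy message of another service
        return reply is not None and reply != msg.user_id  # answers under another (real) ID

class ForwardingDevice:
    def __init__(self, tag: str, hosts: set[str]) -> None:
        self.tag, self.hosts = tag, hosts
        self.records: dict[str, list[tuple[AccessDevice, SignedMessage]]] = defaultdict(list)
        self.inbox: dict[str, list[SignedMessage]] = defaultdict(list)  # delivered to hosts

    def receive(self, msg: SignedMessage, access: AccessDevice) -> None:
        if not msg.second_tag:      # step 3: tag only if not already tagged
            msg.second_tag = self.tag
        if msg.dst_host in self.hosts:  # steps 4-5: last hop stores, then delivers
            self.records[msg.user_id].append((access, msg))
            self.inbox[msg.dst_host].append(msg)

    def negotiate(self, user_id: str) -> dict[str, bool]:
        """Steps 8-10: return each stored message to its access device; the device
        whose host fails the check blacklists that host."""
        verdicts: dict[str, bool] = {}
        for access, msg in self.records[user_id]:
            verdicts[msg.src_host] = access.detect_forgery(msg)
            if not verdicts[msg.src_host]:
                access.blacklist.add(msg.src_host)
        return verdicts

def receiver_check(fwd: ForwardingDevice, host: str, now: float) -> set[str]:
    """Steps 6-7 at B: every message verifies under its own key, so B can only
    notice one user ID arriving with more than one distinct signature inside the
    window. Returns the user IDs that need negotiation."""
    seen: dict[str, set[bytes]] = defaultdict(set)
    for m in fwd.inbox[host]:
        if now - m.ts <= WINDOW_SECONDS and toy_verify(m.pubkey, m.file, m.signature):
            seen[m.user_id].add(m.signature)
    return {uid for uid, sigs in seen.items() if len(sigs) > 1}

def run_scenario(with_forger: bool = True) -> dict:
    """Constructed scenario: A sends to B; with_forger adds C sending under A's
    user ID but with C's own key (steps 1-10)."""
    X = AccessDevice("10.0.1.1/aa:aa:aa:aa:aa:aa", {"A": {"B"}}, {"A": "alice-real"})
    Z = AccessDevice("10.0.2.1/bb:bb:bb:bb:bb:bb", {"C": set()}, {"C": None})
    Y = ForwardingDevice("10.0.9.1/cc:cc:cc:cc:cc:cc", hosts={"B"})
    doc, t0 = b"contract-v3.pdf", 1000.0
    senders = [("A", X, b"pk-A", 0.0)] + ([("C", Z, b"pk-C", 1.0)] if with_forger else [])
    for src, access, key, dt in senders:
        access.forward(SignedMessage("user-A", src, "B", key, doc, toy_sign(key, doc), t0 + dt), Y)
    disputed = receiver_check(Y, "B", now=t0 + 2.0)          # steps 6-7
    verdicts = {uid: Y.negotiate(uid) for uid in disputed}   # steps 8-10
    return {"disputed": disputed, "verdicts": verdicts,
            "blacklists": {"X": set(X.blacklist), "Z": set(Z.blacklist)},
            "tags": [(m.first_tag, m.second_tag) for m in Y.inbox["B"]]}
```

`run_scenario(with_forger=False)` exercises step 6, where B sees a single signature and no negotiation is started; the default exercises steps 7 to 10, ending with C on Z's blacklist while A, which has a prior session with B on record at X, is judged valid. Both messages carry X's or Z's tag in the first field and Y's tag in the second, as steps 2 to 4 describe.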
The embodiment of the present application further provides a digital signature message processing apparatus, as shown in fig. 6, which is applied to a forwarding device and includes a first receiving module 61, a storage module 62 and a sending detection module 63, wherein:
a first receiving module 61, configured to receive a digital signature packet and a destination address thereof forwarded by an access device, where the digital signature packet and the destination address thereof are received by the access device from a first host connected to the access device and forwarded to the forwarding device, and the digital signature packet carries a public key, a file, and a digital signature;
a storage module 62 configured to store the digital signature packet, the device information of the access device, and the user identification information of the first host connected thereto, and send the digital signature packet to the second host based on the destination address;
and a sending detection module 63, configured to send the digital signature packet and the user identification information to the access device based on the device information if a negotiation verification request of the digital signature packet sent by the second host is received, so that the access device performs counterfeit packet detection on the first host sending the digital signature packet based on the user identification information.
In one embodiment, the digital signature message negotiation validation request is issued by the second host to the forwarding device upon identification of a different digital signature.
In one embodiment, the apparatus further comprises:
an identification module, configured to identify, based on the destination address, whether the second host that is to receive the digital signature message is a host connected to the forwarding device itself;
the storage module 62 is further configured to store the digital signature message, the device information of the access device and the user identification information of the first host connected to the access device when the identification module identifies that the second host is a host connected to the forwarding device itself.
In one embodiment, the digitally signed message is forwarded after the access device receives a digital signature from a first host to which the access device is connected and writes a first label of the access device in a first specific field of the digitally signed message.
In one embodiment, the apparatus further comprises:
and the first writing module is configured to write the second label of the self device into the second specific field of the digital signature message if the digital signature message does not carry the second label of the self device.
The embodiment of the present application correspondingly provides a digital signature packet processing apparatus, which is applied to an access device, as shown in fig. 7, the apparatus includes a second receiving module 71, a forwarding module 72, and a detecting module 73, wherein,
a second receiving module 71, configured to receive a digital signature message and a destination address thereof sent by a first host connected to a device of the second receiving module, where the digital signature message carries a public key, a file, and a digital signature;
a forwarding module 72 configured to forward the digitally signed packet to a forwarding device based on the destination address, so that the forwarding device stores the digitally signed packet, the device information of the access device, and the user identification information of the first host connected to the access device, and sends the digitally signed packet to the second host based on the destination address, and sends the digitally signed packet to the access device based on the device information and the user identification information when receiving a negotiation verification request of the digitally signed packet sent by the second host;
and the detection module 73 is configured to detect a forged message of the first host sending the digital signature message based on the user identification information.
In one embodiment, the digital signature message negotiation validation request is sent by the second host to the forwarding device when a different digital signature is identified.
In one embodiment, the apparatus further comprises:
and the second writing module is set to write the first label of the self equipment in the first specific field of the digital signature message.
In an embodiment, the detecting module 73 is specifically configured to determine whether a session between the first host and the second host exists in the historical session record of the first host, and if so, determine that the first host sending the digital signature message is a valid host, and the digital signature message is a valid message.
In an embodiment, the detecting module 73 is specifically configured to send a counterfeit message of another service to the first host, determine whether the first host processes the counterfeit message by using other user identification information after receiving the counterfeit message, and if so, determine that the first host sending the digital signature message is a valid host, and the digital signature message is a valid message.
Correspondingly, an embodiment of the present application further provides a forwarding device, as shown in fig. 8, including: a processor 81 and a memory 82;
the memory 82 stores computer-executable instructions;
the processor 81 executes computer-executable instructions stored in the memory 82, so that the forwarding device executes the digital signature message processing method.
Correspondingly, an access device is further provided in an embodiment of the present application, as shown in fig. 9, including: a processor 91 and a memory 92;
the memory 92 stores computer-executable instructions;
the processor 91 executes the computer-executable instructions stored in the memory 92 to cause the access device to perform the other digital signature message processing method, i.e. the one applied to the access device.
The present application also provides a digital signature packet processing system, as shown in fig. 10, the system includes an access device 100, a first host 200, a forwarding device 300 and a second host 400, where the access device is electrically connected to the first host and the forwarding device, and the forwarding device is electrically connected to the access device and the second host.
The embodiment of the present application correspondingly provides a computer-readable storage medium, where a computer-executable instruction is stored in the computer-readable storage medium, and the computer-executable instruction is used to implement the digital signature message processing method or the other digital signature message processing method when being executed by a processor.
Those of ordinary skill in the art will understand that all or some of the steps of the methods disclosed above, and the functional modules/units of the systems and devices, may be implemented as software, firmware, hardware or suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned above does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor or microprocessor, as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media).
The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as is well known to those skilled in the art.
In the description of the embodiments of the present application, the term "and/or" merely represents an association relationship between the associated objects and means that three relationships may exist; for example, A and/or B may represent: A alone, A and B together, or B alone. Additionally, the term "at least one" means any one of a plurality of items or any combination of at least two of them; for example, "at least one of A, B and C" may mean any one or more elements selected from the group consisting of A, B and C.
In the description of the embodiments of the present application, the terms "first," "second," "third," "fourth," and the like (if any) are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (15)

1. A method for processing a digital signature message is applied to forwarding equipment, and the method comprises the following steps:
receiving a digital signature message and a destination address thereof forwarded by access equipment, wherein the digital signature message and the destination address thereof are received by the access equipment from a first host connected with the access equipment and forwarded to the forwarding equipment, and the digital signature message carries a public key, a file and a digital signature;
storing the digital signature message, the equipment information of the access equipment and the user identification information of the first host connected with the access equipment, and sending the digital signature message to a second host based on the destination address;
and if a negotiation verification request of a digital signature message sent by a second host is received, sending the digital signature message and the user identification information to the access equipment based on the equipment information, so that the access equipment performs counterfeit message detection on the first host sending the digital signature message based on the user identification information.
2. The method of claim 1, wherein the digitally signed message negotiation validation request is issued by the second host to the forwarding device upon identification of a different digital signature.
3. The method of claim 1, after receiving a digitally signed message forwarded by an access device and before storing the digitally signed message, device information of the access device and user identification information of a first host connected thereto, further comprising:
and identifying whether a second host to receive the digital signature message is a host connected with the own equipment or not based on the destination address, if so, executing the step of storing the digital signature message, the equipment information of the access equipment and the user identification information of the first host connected with the access equipment.
4. The method of claim 1, wherein the digitally signed message is forwarded after the access device receives a digital signature from a first host to which the access device is connected and writes a first tag of the access device in a first specific field of the digitally signed message.
5. The method according to claim 1 or 4, after receiving the digitally signed message forwarded by the access device and before storing the digitally signed message, the device information of the access device and the user identification information of the first host connected thereto, further comprising:
and if the digital signature message does not carry the second label of the self equipment, writing the second label of the self equipment into a second specific field of the digital signature message.
6. A method for processing a digital signature message is applied to an access device, and the method comprises the following steps:
receiving a digital signature message and a destination address thereof sent by a first host connected with self equipment, wherein the digital signature message carries a public key, a file and a digital signature;
forwarding the digital signature message to forwarding equipment based on the destination address so that the forwarding equipment stores the digital signature message, equipment information of the access equipment and user identification information of a first host connected with the access equipment, sends the digital signature message to a second host based on the destination address, and sends the digital signature message to the access equipment based on the equipment information and the user identification information when a negotiation verification request of the digital signature message sent by the second host is received;
and detecting forged messages of the first host sending the digital signature messages based on the user identification information.
7. The method of claim 6, wherein the digitally signed message negotiation validation request is issued by the second host to the forwarding device upon identification of a different digital signature.
8. The method according to claim 6, wherein after receiving the digitally signed packet sent by the first host connected to the self device and before forwarding the digitally signed packet to the forwarding device based on the destination address, the method further comprises:
and writing a first label of the self equipment in a first specific field of the digital signature message.
9. The method of claim 6, wherein detecting counterfeit messages from the first host sending the digitally signed message based on the user identification information comprises:
and judging whether the session between the first host and the second host exists in the historical session record of the first host, if so, judging that the first host sending the digital signature message is a valid host, and the digital signature message is a valid message.
10. The method of claim 6, wherein detecting counterfeit messages from the first host sending the digitally signed message based on the user identification information comprises:
sending the counterfeit messages of other services to the first host, judging whether the first host processes the counterfeit messages by adopting other user identification information after receiving the counterfeit messages, if so, judging that the first host sending the digital signature messages is a valid host, and the digital signature messages are valid messages.
11. A digital signature message processing device is applied to forwarding equipment and comprises:
the first receiving module is configured to receive a digital signature message and a destination address thereof forwarded by an access device, wherein the digital signature message and the destination address thereof are received by the access device from a first host connected with the access device and forwarded to the forwarding device, and the digital signature message carries a public key, a file and a digital signature;
the storage module is configured to store the digital signature message, the device information of the access device and the user identification information of the first host connected with the access device, and send the digital signature message to the second host based on the destination address;
and the sending detection module is set to send the digital signature message and the user identification information to the access equipment based on the equipment information if a digital signature message negotiation verification request sent by a second host is received, so that the access equipment performs counterfeit message detection on a first host sending the digital signature message based on the user identification information.
12. A digital signature packet processing apparatus, applied to an access device, the apparatus comprising:
the second receiving module is configured to receive a digital signature message and its destination address sent by a first host connected to the access device itself, wherein the digital signature message carries a public key, a file and a digital signature;
a forwarding module configured to forward the digital signature message to a forwarding device based on the destination address, so that the forwarding device stores the digital signature message, device information of the access device and user identification information of the first host connected to the access device, sends the digital signature message to a second host based on the destination address, and sends the digital signature message to the access device based on the device information and the user identification information when a negotiation verification request of the digital signature message sent by the second host is received;
and the detection module is used for detecting forged messages of the first host sending the digital signature messages on the basis of the user identification information.
13. A forwarding device, comprising: a processor and a memory;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored by the memory to cause the forwarding device to perform the method of digitally signed message processing of any of claims 1-5.
14. An access device, comprising: a processor and a memory;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory to cause the access device to perform the method of digitally signed message processing according to any of claims 6 to 10.
15. A computer-readable storage medium having computer-executable instructions stored thereon which, when executed by a processor, implement the digital signature message processing method according to any one of claims 1 to 5 or the digital signature message processing method according to any one of claims 6 to 10.
Application CN202210576995.0A, priority date 2022-05-25, filing date 2022-05-25: Digital signature message processing method, device, equipment and computer medium. Legal status: Active; granted as CN114844716B (en).


Publications (2)

Publication Number Publication Date
CN114844716A true CN114844716A (en) 2022-08-02
CN114844716B CN114844716B (en) 2023-07-25

Family

ID=82571941

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210576995.0A Active CN114844716B (en) 2022-05-25 2022-05-25 Digital signature message processing method, device, equipment and computer medium

Country Status (1)

Country Link
CN (1) CN114844716B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115361142A (en) * 2022-08-22 2022-11-18 中国联合网络通信集团有限公司 Digital signature processing method, device, equipment and storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0869637A2 (en) * 1997-04-02 1998-10-07 Arcanvs Digital certification system
US20030217165A1 (en) * 2002-05-17 2003-11-20 Microsoft Corporation End-to-end authentication of session initiation protocol messages using certificates
US20050102499A1 (en) * 2003-09-25 2005-05-12 Masayuki Kosuga Apparatus for proving original document of electronic mail
US20070168657A1 (en) * 2004-04-08 2007-07-19 International Business Machines Corporation Method and system for linking certificates to signed files
US7373512B1 (en) * 2000-03-27 2008-05-13 Entrust Limited Method and apparatus for providing information security to prevent digital signature forgery
CN111064573A (en) * 2018-10-16 2020-04-24 金联汇通信息技术有限公司 Digital certificate generation method, authentication method and electronic equipment
CN111130803A (en) * 2019-12-26 2020-05-08 信安神州科技(广州)有限公司 Method, system and device for digital signature
CN111431724A (en) * 2020-03-27 2020-07-17 微梦创科网络科技(中国)有限公司 Data transmission method and device and electronic equipment
CN113904809A (en) * 2021-09-08 2022-01-07 北京世纪互联宽带数据中心有限公司 Communication method, communication device, electronic equipment and storage medium
CN114520726A (en) * 2022-03-21 2022-05-20 中国工商银行股份有限公司 Processing method and device based on block chain data, processor and electronic equipment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
尚青为;魏更宇;: "Research on Identification of Pseudo Base Station Spam SMS Based on Digital Signatures", 软件, no. 12 *
辛海华;: "Discussion on an Implementation Scheme for a PKI-Based Digital Signature System", 科技信息(科学教研), no. 34 *

Also Published As

Publication number Publication date
CN114844716B (en) 2023-07-25

Similar Documents

Publication Publication Date Title
CN105050081B (en) Method, device and system for connecting network access device to wireless network access point
US7953391B2 (en) Method for inclusive authentication and management of service provider, terminal and user identity module, and system and terminal device using the method
US6678270B1 (en) Packet interception system including arrangement facilitating authentication of intercepted packets
US8555069B2 (en) Fast-reconnection of negotiable authentication network clients
CN107948736A (en) A kind of audio and video preservation of evidence method and system
CN106357396A (en) Digital signature method, digital signature system and quantum key card
CN111314274A (en) Vehicle-mounted terminal and center platform bidirectional authentication method and system
KR20190031989A (en) System and method for processing electronic contracts based on blockchain
US10237072B2 (en) Signatures for near field communications
US8850208B1 (en) Certificate crosschecking by multiple certificate authorities
CN107483419A (en) Method, apparatus, system, server and the computer-readable recording medium of server authentication access terminal
CN101399666A (en) Safety control method and system for digital certificate of file
WO2007003078A1 (en) A method for implementing encryption and the device thereof
RU2009136564A (en) SYSTEM AND METHOD FOR ATTACHING A SUBSCRIPTION COMPUTER SYSTEM TO AN INTERNET SERVICE PROVIDER
WO2012072001A1 (en) Safe method for card issuing, card issuing device and system
CN114900304B (en) Digital signature method and apparatus, electronic device, and computer-readable storage medium
US11804961B1 (en) Secure video content transmission over a computer network
CN112055019B (en) Method for establishing communication channel and user terminal
CN109754226B (en) Data management method, device and storage medium
CN110300287A (en) A kind of public safety video monitoring networking camera access authentication method
CN110690969B (en) Method and system for achieving bidirectional SSL/TLS authentication through multiparty cooperation
KR101253683B1 (en) Digital Signing System and Method Using Chained Hash
CN109391473B (en) Electronic signature method, device and storage medium
CN114844716B (en) Digital signature message processing method, device, equipment and computer medium
US20200145220A1 (en) Verification system, verification method and non-transitory computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant