CN115175177B - Message transmission method and device - Google Patents

Message transmission method and device

Info

Publication number: CN115175177B
Authority: CN (China)
Prior art keywords: message, port number, source port, rule, specific field
Legal status: Active
Application number: CN202210688107.4A
Other languages: Chinese (zh)
Other versions: CN115175177A
Inventors: 黄诚, 曾亮, 刘旭
Current assignee: Fiberhome Telecommunication Technologies Co Ltd
Original assignee: Fiberhome Telecommunication Technologies Co Ltd
Events: application filed by Fiberhome Telecommunication Technologies Co Ltd; priority to CN202210688107.4A; publication of CN115175177A; application granted; publication of CN115175177B; status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
Abstract

The application relates to a message transmission method and device, wherein the method comprises the following steps: before negotiating a master-slave relationship, the two ends encrypt specific field groups, construct negotiation messages for interaction, and determine the correct port number of the opposite end; when a PTP message is sent, the specific field group is encrypted to form encryption information, which is stored in reserved bytes and sent together with the message; after receiving the PTP message, the opposite end decrypts the encryption information and judges according to a preset rule whether it is legal; if so, the PTP message is processed, and if not, the PTP message is discarded. Attack messages are thus effectively identified.

Description

Message transmission method and device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for transmitting a message.
Background
Currently, in mobile communication between 4G and 5G base stations, 1588 time synchronization technology (standardized in IEEE 1588-2008) is used to achieve time synchronization between network elements. The 1588 time synchronization technique mainly comprises: selecting the best time source (by comparing the clock quality parameters carried in Announce messages) and deciding the port state, calculating the time offset, and adjusting the time.
When an illegal PTP message attacks a running time synchronization network, if the attack message is an Announce message carrying a better data set, the BMC algorithm switches the slave port of the device to the port receiving the attack message, and a series of abnormal alarms are generated; after the slave port has been switched, the attacker continues to send event-type attack messages (Sync, Delay-Resp) carrying erroneous timestamps, and the 1588 performance can jump greatly because of the incorrect timestamps (the size of the jump is determined by the timestamp information carried in the attack messages).
Disclosure of Invention
The embodiment of the invention provides a message transmission method and device for effectively identifying an attack message.
In one aspect, an embodiment of the present invention provides a method for transmitting a message, which is characterized in that the method includes the steps of:
Before negotiating a master-slave relationship, the two ends encrypt specific field groups, construct negotiation messages for interaction, and determine the correct port number of the opposite end;
When a PTP message is sent, the specific field group is encrypted to form encryption information, which is stored in reserved bytes and sent together with the message;
After receiving the PTP message, the opposite end decrypts the encryption information and judges according to a preset rule whether it is legal; if so, the PTP message is processed, and if not, the PTP message is discarded.
In some embodiments, the two ends constructing negotiation messages for interaction after encrypting the specific field group, and determining the correct opposite end port number, includes the steps of:
Respectively sending out first confirmation messages from the two ends, wherein the first confirmation messages carry a specific field group used for storing the message sequence number extracted from the message header;
After receiving the first confirmation message, one end extracts the source port number of the received message from the message, fills it into the specific field group of the message to form a second confirmation message, and sends the second confirmation message back to the opposite end;
The opposite end extracts the source port number from the specific field group of the second confirmation message and compares it with its local port number; if they are consistent, the opposite end determines that the source port number is correct, and if they are inconsistent, the opposite end judges the message illegal and discards it.
In some embodiments, before extracting the source port number of the received message from the message, the method further includes the steps of:
The opposite end extracts the message sequence number from the specific field group of the first confirmation message and compares it with the message sequence number in the message header; if they are the same, the interaction continues, and if they are not the same, the opposite end judges the message illegal and discards it.
In some embodiments, before comparing the extracted sequence number with the sequence number in the message header, the method further includes:
judging whether the message sequence numbers are continuous; if so, the interaction continues, and if not, the message is judged illegal and discarded.
In some embodiments, the step of encrypting the specific field set to form the encrypted information and storing the encrypted information in the reserved byte to be transmitted together includes the steps of:
Filling the encryption information obtained by encrypting the message sequence number and source port number extracted from the message into a reserved field or another available field, and then sending the message back to the opposite end.
In some embodiments, the preset rule includes:
a first rule for judging whether or not the message sequence numbers decrypted from the encrypted information are continuous;
a second rule for judging whether the message sequence number decrypted from the encrypted information is the same as the message sequence number in the message header;
a third rule for judging whether or not the source port number decrypted from the encrypted information coincides with the local port number.
In some embodiments, the decrypting the encrypted information and determining whether the encrypted information is a legal message according to a preset rule includes:
judging the first rule, if yes, continuing to judge the second rule, otherwise judging that the message is illegal;
judging the second rule, if yes, continuing to judge the third rule, otherwise judging that the message is illegal;
judging the third rule; if yes, judging that the message is legal, otherwise judging that the message is illegal.
On the other hand, the embodiment of the invention also provides a message transmission device, which is characterized by comprising:
the first negotiation module is used for establishing a negotiation message for interaction after encrypting the specific field group at two ends before negotiating the master-slave relationship, and determining the correct port number of the opposite end;
A second negotiation module for:
When a PTP message is sent, encrypting the specific field group to form encryption information, and storing the encryption information in reserved bytes to be sent together with the message;
After receiving the PTP message, the opposite end decrypts the encryption information and judges according to a preset rule whether it is legal; if so, the PTP message is processed, and if not, the PTP message is discarded.
In some embodiments, the first negotiation module is further configured to:
Respectively send out first confirmation messages from the two ends, wherein the first confirmation messages carry a specific field group used for storing the message sequence number extracted from the message header;
After receiving the first confirmation message, one end extracts the source port number of the received message from the message, fills it into the specific field group of the message to form a second confirmation message, and sends the second confirmation message back to the opposite end;
The opposite end extracts the source port number from the specific field group of the second confirmation message and compares it with its local port number; if they are consistent, the opposite end determines that the source port number is correct, and if they are inconsistent, the opposite end judges the message illegal and discards it.
In some embodiments, the second negotiation module is further configured to:
Filling the encryption information obtained by encrypting the message sequence number and source port number extracted from the message into a reserved field or another available field, and then sending the message back to the opposite end;
the preset rule comprises the following steps:
a first rule for judging whether or not the message sequence numbers decrypted from the encrypted information are continuous;
a second rule for judging whether the message sequence number decrypted from the encrypted information is the same as the message sequence number in the message header;
a third rule for judging whether or not the source port number decrypted from the encrypted information coincides with the local port number.
The technical scheme provided by the invention has the beneficial effects that:
The embodiments of the invention provide a message transmission method and device which obtain the correct opposite port ID (identity) by adding a negotiation stage before ordinary master-slave negotiation, so that PTP attack messages can be effectively identified and erroneous switching and time jumps of the equipment are prevented.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a message transmission method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a packet attack scenario provided in an embodiment of the present invention;
Fig. 3 is a schematic diagram of a header format and a field provided in an embodiment of the present invention;
Fig. 4 is a schematic diagram of an encryption field according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a negotiation stage flow provided in an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a message transmission device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, an embodiment of the present invention provides a message transmission method, which includes the steps of:
S100, before negotiating a master-slave relationship, the two ends encrypt specific field groups, construct negotiation messages for interaction, and determine the correct port number of the opposite end;
S200, when a PTP message is sent, encrypting the specific field group to form encryption information and storing the encryption information in reserved bytes to be sent together with the message;
S300, after receiving the PTP message, decrypting the encryption information and judging according to a preset rule whether the PTP message is legal; if so, processing the PTP message, and if not, discarding the PTP message.
It should be noted that the messages referred to in the embodiments of the present invention include 1588 protocol messages; the 1588 protocol messages include Announce, Sync, Delay-Req, Delay-Resp, Follow-Up, Pdelay-Req, Pdelay-Resp, Pdelay-Resp-Follow-Up and Signaling messages. Message interaction in E2E mode (direct mode, End-to-End mode) generally uses only the five messages Announce, Sync, Delay-Req, Delay-Resp and Follow-Up, and in P2P (Peer-to-Peer) mode the five messages Announce, Sync, Pdelay-Req, Pdelay-Resp and Pdelay-Resp-Follow-Up; a 1588 attack message (illegal message) is a message of these same types that carries wrong information to achieve its purpose. In general, PTP synchronization (master-slave relationship negotiation) is performed between two devices connected through a port: port a of device A is connected to port b of device B, device A is upstream and device B is downstream, and device B adjusts its own time to be consistent with that of device A through PTP message interaction, where port a is the master, port b is the slave, and each device has only one slave port. Devices A and B decide whose port is master and whose is slave according to the BMC algorithm of the IEEE 1588 standard by sending Announce messages to each other; the Announce message carries the device's data set, such as clock id, priority1, clock class, priority2, and so on. After master and slave are determined, the master port sends only Announce, Sync and Delay-Resp messages, and the slave port sends only Delay-Req messages.
It can be understood that when the devices at both ends start communicating, the newly added negotiation stage is first carried out with general messages (such as Signaling messages), and the master-slave negotiation is performed afterwards; once negotiation is complete it need not be repeated, except that if the general message is lost both the general-message negotiation and the master-slave negotiation must be carried out again, and if an Announce message is lost the master-slave negotiation must be carried out again.
Related art for preventing PTP message attacks mainly guards against modification of the timestamps of event messages (Sync, Delay-Req, Delay-Resp, etc.) and against delay attacks. If an attacker captures a message from the normal path and then injects it directly from another port, the message is identified as normal, and when the PortID (port number) of the attacked port is smaller than the PortID of the current synchronization path, the synchronization path is switched. This situation is not prevented by the related art. Before conventional master-slave negotiation, the embodiment of the invention adds a negotiation stage which, through the interaction of encrypted messages, determines whether the correct opposite port number is present, so as to identify attack messages. Message attacks (mainly Announce message attacks) on other ports (ports other than the slave port of the device) can thus be prevented, so that synchronization path switching is prevented.
In some embodiments, S100 comprises the steps of:
S110, respectively sending out first confirmation messages at the two ends, wherein the first confirmation messages carry a specific field group for storing the message sequence number extracted from the message header;
S120, after receiving the first confirmation message, one end extracts the source port number of the received message from the message, fills it into the specific field group of the message to form a second confirmation message, and sends the second confirmation message back to the opposite end;
S130, the opposite end extracts the source port number from the specific field group of the second confirmation message and compares it with its local port number; if they are consistent, the opposite end determines that the source port number is correct, and if they are inconsistent, the opposite end judges the message illegal and discards it.
As shown in fig. 3, the content of the message sequence number field may be filled into the 4-byte reserved field of the PTP header format to form the first confirmation message. In S120, the opposite port number (PortID) field is the last 2 bytes of sourcePortIdentity, which is the source port ID of the message; its value is unique for each port of the same device. The content of the opposite port number field can also be filled into the 4-byte reserved field (SequenceID is 2 bytes and the port ID is 2 bytes; the four bytes are filled into the 4-byte reserved field after encryption).
In this embodiment, successful negotiation means that the correct opposite port number has been determined through the interaction of the negotiation messages. If an attacker intercepts a normal encrypted message and tampers with some of its data, the encrypted part, being unmodified, would still be identified as normal; the port number is therefore chosen as the encrypted object, and because the port number obtained through encryption and decryption is unique within the interaction, the attack message can be effectively identified.
In some embodiments, in S120, before extracting the source port number of the sending message from the message, the method further includes the steps of:
The opposite end extracts the message sequence number from the specific field group of the first confirmation message and compares it with the message sequence number in the message header; if they are the same, the interaction continues, and if they are not, the opposite end judges the message illegal and discards it.
In this embodiment, if the decrypted message sequence number is inconsistent with the header, the message is judged illegal and directly discarded. The negotiation stage can then be ended early without entering the subsequent step of confirming the opposite end port number, which further improves negotiation efficiency.
In some embodiments, before comparing the extracted message sequence number with the message sequence number in the message header, the method further comprises: judging whether the message sequence numbers are continuous; if so, the interaction continues, and if not, the message is judged illegal and discarded.
In this embodiment, it is considered that if the attack message is not forged carefully enough, its message sequence number may be a fixed value or discontinuous. Attack messages are thus preliminarily filtered by judging whether the message sequence numbers are continuous before the subsequent flow is carried out, which reduces the workload.
In this embodiment, S200 includes the steps of:
Filling the encryption information obtained by encrypting the message sequence number and source port number extracted from the message into a reserved field or another available field, and then sending the message back to the opposite end.
In this embodiment, the preset rule includes:
a first rule for judging whether or not the message sequence numbers decrypted from the encrypted information are continuous;
a second rule for judging whether the message sequence number decrypted from the encrypted information is the same as the message sequence number in the message header;
a third rule for judging whether or not the source port number decrypted from the encrypted information coincides with the local port number.
In some embodiments, the step S300 of decrypting the encrypted information and determining whether the encrypted information is a legal message according to a preset rule includes:
S310, judging the first rule; if yes, continuing to judge the second rule, otherwise judging that the message is illegal;
S320, judging the second rule; if yes, continuing to judge the third rule, otherwise judging that the message is illegal;
S330, judging the third rule; if yes, judging that the message is legal, otherwise judging that the message is illegal.
In a specific embodiment, for the packet attack scenario shown in fig. 2, the device first stores a dictionary of passwords, and the content to be encrypted includes: flag, sequenceId and portID. As shown in the PTP header of fig. 3, sequenceId is the message sequence number, occupies 2 bytes, increments continuously, and wraps around to 0 after the two bytes overflow; portID is the last 2 bytes of sourcePortIdentity. For Signaling messages, the encrypted fields are shown in fig. 4.
Before negotiating the master-slave relationship, a negotiation stage is newly added, and the correct opposite port number is obtained through the interaction of Signaling messages. In the encrypted fields of the Signaling message, flag represents the negotiation stage value, the encrypted field sequenceId is the value obtained by encrypting the sequenceId in the message header, and the encrypted field PortID is the value obtained by encrypting the opposite end port number; the encrypted fields total 5 bytes and are filled into the 1-byte reserved field and the 4-byte reserved field of the PTP message header respectively. In the negotiation, flag written as 1 indicates that the devices at both ends have just started negotiating; flag written as 2 indicates that the port number sent by the opposite end has been received and that the opposite end port number has been encrypted and filled into the reserved field; flag written as 3 indicates that the negotiation of the devices at both ends has succeeded and both have obtained the correct opposite port ID. If no message from the opposite end has been received, PortID is filled with 0.
The Signaling messages of the newly added negotiation stage can be divided into three types:
Type 1: SequenceId is encrypted, and flag is written as 1;
Type 2: SequenceId and PortId are encrypted, and flag is written as 2;
Type 3: SequenceId and PortId are encrypted, and flag is written as 3.
In the newly added negotiation stage, attack messages and legal messages are distinguished by judging the following three rules:
Rule I: whether the sequenceId in the PTP message header is continuous; if not, the message is judged to be an attack message;
Rule II: whether the decrypted sequenceId is consistent with the sequenceId in the PTP message header; if not, the message is judged to be an attack message;
Rule III: whether the decrypted PortID is consistent with the PortID of the port that received the message; if not, the message is judged to be an attack message.
The flow of the newly added negotiation stage is shown in fig. 5:
S1, the two ends send type 1 messages to each other;
S2, after receiving the Signaling message sent by the opposite end, judging Rule I and Rule II; if both are met, extracting the PortID from the message header and entering S3; otherwise, discarding the message and returning to S1;
S3, writing 2 into the flag field, encrypting the flag together with sequenceId and PortID, filling them into the reserved fields, and sending a new Signaling message;
S4, after receiving the new Signaling message, decrypting the encrypted fields with the dictionary and judging Rule I, Rule II and Rule III; if all three are met, writing 3 into the flag when the Signaling message is sent again; otherwise, discarding the message and returning to S1;
S5, when the ports engaged in the message interaction each receive a Signaling message with flag set to 3, the negotiation has succeeded; at this point both parties have obtained the correct opposite PortID, and the Signaling message of S4 continues to be sent.
In addition, if a correct Signaling message of the expected type is not received for a long time, reception is considered to have timed out, and sending of type 1 messages is restarted.
It can be understood that, in this embodiment, considering that in actual deployment the fiber may be replaced, the port may go link-down, or messages may be lost, the Signaling message of S4 continues to be sent in S5, so that the device can recognize these scenarios and know that renegotiation is needed.
In this embodiment, fields with uniqueness (port number) and variation (message sequence number) are selected for encryption. The newly added negotiation stage is similar to a three-way handshake and uses three types of Signaling messages; devices A and B keep sending Signaling messages to each other, and the negotiation succeeds only when both are sending Signaling messages of type 3. The correct opposite port number can thus be effectively determined.
In some embodiments, the encrypted fields may also be transmitted by adding a message TLV and placing the encrypted fields in the TLV.
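The header layout of fig. 3, the five encrypted bytes of fig. 4, Rules I to III and the S1 to S5 handshake above, as an added example written for this page and not the patent's own code: a Python simulation of two ports negotiating, followed by the attack cases the description names (a replayed message, a header whose sequenceId was rewritten, and a genuine message injected at another port of the same device). The keyed XOR keystream, the pre-shared key PSK, the clockIdentity value and all function and class names are assumptions; the patent does not specify how its "dictionary of passwords" encrypts the fields.

```python
import hmac
import hashlib
import struct

HDR_LEN = 34                 # IEEE 1588-2008 common header length in bytes
SIGNALING_TYPE = 0xC         # messageType value for Signaling messages
# Common-header offsets (IEEE 1588-2008 Table 18): 1-byte reserved, 4-byte reserved,
# last 2 bytes of sourcePortIdentity (bytes 20..29), sequenceId
OFF_RESERVED1, OFF_RESERVED4, OFF_SRC_PORT_NUMBER, OFF_SEQUENCE_ID = 5, 16, 28, 30
PSK = b"constructed-demo-key"  # assumption: stands in for the patent's "dictionary of passwords"

def keystream(key):
    # Assumed stand-in for the dictionary: 5 keyed bytes XORed over (flag, sequenceId, PortID)
    return hmac.new(key, b"ptp-negotiation-fields", hashlib.sha256).digest()[:5]

def build_signaling(seq_id, src_port, flag, peer_port, key=PSK):
    """Common header with the encrypted 5-byte tuple in the 1-byte and 4-byte reserved fields."""
    hdr = bytearray(HDR_LEN)
    hdr[0], hdr[1], hdr[32] = SIGNALING_TYPE, 2, 0x05   # messageType, versionPTP, controlField
    struct.pack_into(">H", hdr, 2, HDR_LEN)             # messageLength (header only here)
    hdr[20:28] = bytes.fromhex("0011223344556677")      # constructed clockIdentity
    struct.pack_into(">H", hdr, OFF_SRC_PORT_NUMBER, src_port)
    struct.pack_into(">H", hdr, OFF_SEQUENCE_ID, seq_id)
    plain = struct.pack(">BHH", flag, seq_id, peer_port)   # flag(1) sequenceId(2) PortID(2)
    enc = bytes(p ^ k for p, k in zip(plain, keystream(key)))
    hdr[OFF_RESERVED1] = enc[0]
    hdr[OFF_RESERVED4:OFF_RESERVED4 + 4] = enc[1:]
    return bytes(hdr)

def decrypt_fields(raw, key=PSK):
    """Return (header sequenceId, flag, decrypted sequenceId, decrypted PortID)."""
    hdr_seq = struct.unpack_from(">H", raw, OFF_SEQUENCE_ID)[0]
    enc = bytes([raw[OFF_RESERVED1]]) + raw[OFF_RESERVED4:OFF_RESERVED4 + 4]
    plain = bytes(c ^ k for c, k in zip(enc, keystream(key)))
    flag, seq_id, port_id = struct.unpack(">BHH", plain)
    return hdr_seq, flag, seq_id, port_id

def validate(raw, last_seq, local_port, key=PSK, check_port=True):
    """Apply Rules I-III in order; return 'ok' or the name of the first rule that fails."""
    hdr_seq, _flag, seq_id, port_id = decrypt_fields(raw, key)
    if last_seq is not None and hdr_seq != (last_seq + 1) & 0xFFFF:
        return "rule1"      # Rule I: header sequenceId not continuous (16-bit wrap allowed)
    if seq_id != hdr_seq:
        return "rule2"      # Rule II: decrypted sequenceId differs from the header value
    if check_port and port_id != local_port:
        return "rule3"      # Rule III: decrypted PortID is not this receiving port
    return "ok"

class Port:
    """One PTP port running the added negotiation stage (S1..S5)."""
    def __init__(self, port_number, key=PSK):
        self.port_number, self.key = port_number, key
        self.flag = 1                  # type of Signaling message sent next (S1)
        self.peer_port = 0             # PortID filled with 0 until learned from the peer
        self.tx_seq, self.last_rx_seq = 0, None
        self.negotiated = False

    def send(self):
        raw = build_signaling(self.tx_seq, self.port_number, self.flag, self.peer_port, self.key)
        self.tx_seq = (self.tx_seq + 1) & 0xFFFF
        return raw

    def receive(self, raw):
        hdr_seq, rx_flag, _, _ = decrypt_fields(raw, self.key)
        # S2 checks Rules I and II on a type 1 message; S4 checks all three
        verdict = validate(raw, self.last_rx_seq, self.port_number, self.key, rx_flag >= 2)
        if verdict != "ok":
            self.flag, self.peer_port, self.negotiated = 1, 0, False   # discard, back to S1
            return verdict
        self.last_rx_seq = hdr_seq
        self.peer_port = struct.unpack_from(">H", raw, OFF_SRC_PORT_NUMBER)[0]
        self.flag = 2 if rx_flag == 1 else 3     # S3 answers type 1 with 2; S4 answers with 3
        self.negotiated = rx_flag == 3           # S5: a received flag 3 means success
        return verdict

def run_handshake(a, b, max_rounds=10):
    # Exchange Signaling messages until both ports have received flag 3
    for rnd in range(1, max_rounds + 1):
        b.receive(a.send())
        a.receive(b.send())
        if a.negotiated and b.negotiated:
            return rnd
    return None

def demo():
    a, b = Port(1), Port(2)
    rounds = run_handshake(a, b)
    genuine = b.send()                         # flag 3, PortID 1, meant for port 1
    accepted = a.receive(genuine)
    replay = a.receive(genuine)                # same sequenceId delivered again -> Rule I
    forged = bytearray(genuine)                # header sequenceId bumped, reserved bytes untouched
    struct.pack_into(">H", forged, OFF_SEQUENCE_ID, (a.last_rx_seq + 1) & 0xFFFF)
    forged_seq = a.receive(bytes(forged))      # decrypted sequenceId no longer matches -> Rule II
    other_port = Port(3).receive(genuine)      # page's scenario: injected at another port -> Rule III
    return {"rounds": rounds, "accepted": accepted, "replay": replay,
            "forged_seq": forged_seq, "other_port": other_port}
```

Calling demo() returns the number of exchange rounds (2, matching the three-way-handshake comparison above) and the rule that rejects each attack case. Two details worth noting: Rule I uses a 16-bit wrap, which the text's "wraps around to 0" requires, and Rule III is only applied once the received flag is 2 or 3, because a type 1 message carries PortID 0. The five reserved bytes hold no authentication tag, so the scheme is only as strong as the keyed transform chosen for the dictionary; a fixed XOR mask like the stand-in here is for illustration and not a recommendation.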
As shown in fig. 6, an embodiment of the present invention further provides a message transmission device, which includes:
the first negotiation module is used for establishing a negotiation message for interaction after encrypting the specific field group at two ends before negotiating the master-slave relationship, and determining the correct port number of the opposite end;
A second negotiation module for:
When a PTP message is sent, encrypting the specific field group to form encryption information, and storing the encryption information in reserved bytes to be sent together with the message;
After receiving the PTP message, the opposite end decrypts the encryption information and judges according to a preset rule whether it is legal; if so, the PTP message is processed, and if not, the PTP message is discarded.
In some embodiments, the first negotiation module is further to:
Respectively send out first confirmation messages from the two ends, wherein the first confirmation messages carry a specific field group used for storing the message sequence number extracted from the message header;
After receiving the first confirmation message, one end extracts the source port number of the received message from the message, fills it into the specific field group of the message to form a second confirmation message, and sends the second confirmation message back to the opposite end;
The opposite end extracts the source port number from the specific field group of the second confirmation message and compares it with its local port number; if they are consistent, the opposite end determines that the source port number is correct, and if they are inconsistent, the opposite end judges the message illegal and discards it.
In some embodiments, the second negotiation module is further to:
Filling the encryption information obtained by encrypting the message sequence number and source port number extracted from the message into a reserved field or another available field, and then sending the message back to the opposite end;
the preset rule comprises the following steps:
a first rule for judging whether or not the message sequence numbers decrypted from the encrypted information are continuous;
a second rule for judging whether the message sequence number decrypted from the encrypted information is the same as the message sequence number in the message header;
a third rule for judging whether or not the source port number decrypted from the encrypted information coincides with the local port number.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer-readable storage media, which may include computer-readable storage media (or non-transitory media) and communication media (or transitory media).
The foregoing is merely a specific implementation of the embodiment of the present invention, but the protection scope of the embodiment of the present invention is not limited thereto, and any person skilled in the art may easily think of various equivalent modifications or substitutions within the technical scope of the embodiment of the present invention, and these modifications or substitutions should be covered in the protection scope of the embodiment of the present invention. Therefore, the protection scope of the embodiments of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. A method for transmitting messages, comprising the steps of:
before negotiating the master-slave relationship, the two ends encrypt a specific field group, construct negotiation messages for interaction, and determine the correct port number of the opposite end;
when a PTP message is sent, encrypting the specific field group to form encryption information, and storing the encryption information in reserved bytes so that it is sent together with the message;
after receiving the PTP message, the opposite terminal decrypts the encryption information and judges, according to a preset rule, whether the encryption information is legal; if so, the PTP message is processed, and if not, the PTP message is discarded;
wherein the two ends encrypting the specific field group, constructing negotiation messages for interaction, and determining the correct port number of the opposite end comprises the following steps:
sending a first confirmation message from each of the two ends, the first confirmation message carrying a specific field group that stores the message sequence number extracted from the message header;
after receiving the first confirmation message, one end extracts from it the source port number of the sent message, fills the source port number into the specific field group of the message to form a second confirmation message, and sends the second confirmation message back to the opposite end;
the opposite terminal extracts the source port number from the specific field group of the second confirmation message and compares it with the local port number; if the two are consistent, the opposite terminal determines that the source port number is correct, and if they are inconsistent, the opposite terminal determines that the source port number is illegal and discards the message.
2. The method for transmitting a message according to claim 1, further comprising, before extracting the source port number of the sent message from the message:
the opposite terminal extracts the message sequence number from the specific field group of the first confirmation message and compares it with the message sequence number in the message header; if the two are the same, the interaction continues, and if they are not the same, the opposite terminal judges the message illegal and discards it.
3. The method for transmitting a message according to claim 2, further comprising, before comparing the message sequence number with the message sequence number in the header:
judging whether the message sequence numbers are continuous; if so, the interaction continues, and if not, the message is judged illegal and discarded.
4. The method for transmitting a message as claimed in claim 1, wherein encrypting the specific field group to form the encryption information and storing the encryption information in the reserved bytes for transmission comprises:
filling the encryption information, obtained by encrypting the message sequence number and the source port number extracted from the message, into a reserved field or other available field, and then sending it back to the opposite end.
5. The method for transmitting a message as claimed in claim 4, wherein the preset rule comprises:
a first rule for judging whether or not the message sequence numbers decrypted from the encrypted information are continuous;
a second rule for judging whether the message sequence number decrypted from the encrypted information is the same as the message sequence number in the message header;
And a third rule for judging whether or not the source port number decrypted from the encrypted information coincides with the local port number.
6. The method for transmitting a message as claimed in claim 5, wherein decrypting the encryption information and judging, according to the preset rule, whether the encryption information is legal comprises:
judging the first rule; if it is satisfied, continuing to judge the second rule, otherwise judging the message illegal;
judging the second rule; if it is satisfied, continuing to judge the third rule, otherwise judging the message illegal;
judging the third rule; if it is satisfied, judging the message legal, otherwise judging the message illegal.
7. A message transmission device, comprising:
a first negotiation module, configured to have the two ends encrypt the specific field group and construct negotiation messages for interaction before negotiating the master-slave relationship, and to determine the correct port number of the opposite end;
a second negotiation module, configured to:
when a PTP message is sent, encrypt the specific field group to form encryption information, and store the encryption information in reserved bytes so that it is sent together with the message;
after the PTP message is received, have the opposite terminal decrypt the encryption information and judge, according to a preset rule, whether the encryption information is legal; if so, the PTP message is processed, and if not, the PTP message is discarded;
wherein the first negotiation module is further configured to:
send a first confirmation message from each of the two ends, the first confirmation message carrying a specific field group that stores the message sequence number extracted from the message header;
after the first confirmation message is received, have one end extract from it the source port number of the sent message, fill the source port number into the specific field group of the message to form a second confirmation message, and send the second confirmation message back to the opposite end;
have the opposite terminal extract the source port number from the specific field group of the second confirmation message and compare it with the local port number; if the two are consistent, the source port number is determined to be correct, and if they are inconsistent, the source port number is determined to be illegal and the message is discarded.
8. The message transmission device of claim 7, wherein the second negotiation module is further configured to:
fill the encryption information, obtained by encrypting the message sequence number and the source port number extracted from the message, into a reserved field or other available field, and then send it back to the opposite end;
and the preset rule comprises:
a first rule for judging whether or not the message sequence numbers decrypted from the encrypted information are continuous;
a second rule for judging whether the message sequence number decrypted from the encrypted information is the same as the message sequence number in the message header;
And a third rule for judging whether or not the source port number decrypted from the encrypted information coincides with the local port number.
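The receiver-side check of claims 5 and 6 (rules 1 to 3 applied in order, first failure decides), as an added Python example that is not code from the patent. The patent names no cipher, so the example assumes an HMAC-SHA256 keystream plus an HMAC tag checked before any rule runs (any authenticated encryption would do), a constructed shared key, and 16-bit sequence number and port fields.

```python
import hashlib
import hmac
import struct

# Constructed shared key; how the two ends obtain it is outside the page's scope.
KEY = b"constructed-shared-key-for-example"

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Assumed keystream: the first n bytes of HMAC-SHA256(key, nonce)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()[:n]

def encrypt_fields(key: bytes, seq: int, src_port: int, nonce: bytes) -> bytes:
    """Sender side: encrypt the specific field group (16-bit sequence number,
    16-bit source port) and append a tag, so tampering is caught before any rule
    runs. Returns the bytes placed in the reserved field: nonce || ct || tag."""
    plain = struct.pack("!HH", seq, src_port)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, 4)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:8]
    return nonce + ct + tag

def decrypt_fields(key: bytes, blob: bytes):
    """Verify the tag, then recover (seq, src_port); None if the blob is bad."""
    if len(blob) != 20:
        return None
    nonce, ct, tag = blob[:8], blob[8:12], blob[12:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, 4)))
    return struct.unpack("!HH", plain)

def validate(key: bytes, header_seq: int, reserved: bytes, local_port: int, last_seq):
    """Receiver side: apply rules 1, 2 and 3 in order; the first failure decides.
    last_seq is the sequence number of the previously accepted message (None at
    the start of a session). Returns (legal, reason)."""
    fields = decrypt_fields(key, reserved)
    if fields is None:
        return False, "bad tag"
    seq, src_port = fields
    if last_seq is not None and seq != (last_seq + 1) & 0xFFFF:  # rule 1: continuous
        return False, "rule 1"
    if seq != header_seq:                                           # rule 2: equals header
        return False, "rule 2"
    if src_port != local_port:                                      # rule 3: equals local port
        return False, "rule 3"
    return True, "legal"
```

The tag check is the practitioner's addition: without it, bytes forged in the reserved field would be decrypted and fed to the three rules, which only compare values and cannot by themselves tell a genuine field group from a fabricated one.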
CN202210688107.4A 2022-06-16 2022-06-16 Message transmission method and device Active CN115175177B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210688107.4A CN115175177B (en) 2022-06-16 2022-06-16 Message transmission method and device

Publications (2)

Publication Number Publication Date
CN115175177A CN115175177A (en) 2022-10-11
CN115175177B true CN115175177B (en) 2024-04-16


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant