CN115361136A - Verification method and device, equipment and computer readable storage medium - Google Patents


Info

Publication number: CN115361136A
Application number: CN202210925231.8A
Authority: CN (China)
Prior art keywords: authentication code, hash operation, message authentication, srv, operation message
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 王海燚, 衡心, 樊宁, 李韡晨, 沈军
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd; priority to CN202210925231.8A; publication CN115361136A

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L 9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L 9/3236 ... using cryptographic hash functions
                            • H04L 9/3242 ... involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
                            • H04L 9/3239 ... involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
                    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                            • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these

Abstract

The embodiments of the application disclose a verification method, a verification device, verification equipment and a computer-readable storage medium. The method comprises: receiving an SRv6 message sent by a single packet authorization data packet agent; generating a third hash operation message authentication code according to the SRv6 message; and verifying the SRv6 message according to the third hash operation message authentication code and the second hash operation message authentication code. By obtaining the second hash operation message authentication code from the routing header of the SRv6 message, the routing node and the SDP controller in the SDP model each generate the corresponding current hash operation message authentication code according to the SRv6 message, and the routing node verifies the message according to the current hash operation message authentication code and the second hash operation message authentication code, so that whether the SRv6 message has been tampered with during transmission can be accurately determined.

Description

Verification method and device, equipment and computer readable storage medium
Technical Field
The present application relates to the field of communications, and in particular, to a verification method, apparatus, device, and computer-readable storage medium.
Background
SDP (Software Defined Perimeter) is a new-generation network security model; the SDP model is generally combined with SPA (Single Packet Authorization) technology to hide services. SPA is a lightweight security protocol that verifies the identity of a device or user before allowing access to the network where the associated system components, such as controllers or gateways, are located.
The SDP model comprises an SDP controller, an SDP client and the like. The SDP client, as the sender of the SPA data packet, sends access request data and provides identity verification information to the SDP controller, which reduces the attack surface of the SDP model. However, the SDP controller still runs the risk of opening an access port to a malicious attacker, and the security of data transmission is difficult to guarantee.
Disclosure of Invention
In order to solve the above technical problems, embodiments of the present application respectively provide a verification method, a verification device, verification equipment and a computer-readable storage medium, which verify an SRv6 message according to the relevant hash operation message authentication codes, so as to accurately determine whether the SRv6 message has been tampered with.
Other features and advantages of the present application will be apparent from the following detailed description, or may be learned by practice of the application.
According to an aspect of the embodiments of the present application, there is provided a verification method applied to a routing node, including: receiving an SRv6 message sent by a single packet authorization data packet agent, where the routing header of the SRv6 message comprises a first hash operation message authentication code and a second hash operation message authentication code, the first hash operation message authentication code being calculated according to a first shared key and the second hash operation message authentication code being calculated according to the first hash operation message authentication code and a second shared key; generating a third hash operation message authentication code according to the SRv6 message; and verifying the SRv6 message according to the third hash operation message authentication code and the second hash operation message authentication code.
According to an aspect of the embodiments of the present application, there is provided another verification method applied to a software-defined boundary controller, including: receiving an SRv6 message sent by a routing node, where the routing header of the SRv6 message includes a first hash operation message authentication code calculated according to a first shared key, and the SRv6 message includes payload data, the payload data being the data other than the first hash operation message authentication code in the single packet authorization data packet; determining a fourth hash operation message authentication code according to the payload data; and verifying the SRv6 message according to the fourth hash operation message authentication code and the first hash operation message authentication code.
According to an aspect of the embodiments of the present application, there is provided another verification method applied to a single packet authorization data packet agent, including: receiving a single packet authorization data packet sent by the sender of the single packet authorization data packet; acquiring a first hash operation message authentication code from the single packet authorization data packet, and calculating a second hash operation message authentication code according to the first hash operation message authentication code and a second shared key, the first hash operation message authentication code having been calculated according to a first shared key; generating an initial message according to the single packet authorization data packet, and inserting the first hash operation message authentication code and the second hash operation message authentication code into the routing header of the initial message to obtain an SRv6 message; and sending the SRv6 message to a routing node, so that the routing node generates a third hash operation message authentication code according to the SRv6 message and verifies the SRv6 message according to the third hash operation message authentication code and the second hash operation message authentication code.
According to an aspect of the embodiments of the present application, there is provided a verification apparatus applied to a routing node, including: a first receiving module configured to receive an SRv6 message sent by a single packet authorization data packet agent, where the routing header of the SRv6 message comprises a first hash operation message authentication code and a second hash operation message authentication code, the first hash operation message authentication code being calculated according to a first shared key and the second hash operation message authentication code being calculated according to the first hash operation message authentication code and a second shared key; a first generation module configured to generate a third hash operation message authentication code according to the SRv6 message; and a first verification module configured to verify the SRv6 message according to the third hash operation message authentication code and the second hash operation message authentication code.
In another embodiment, the SRv6 message includes an address corresponding to the sender of the single packet authorization data packet, and the first generation module comprises: a first obtaining unit configured to obtain the second shared key, which is a key shared by the single packet authorization data packet agent and the routing node; and a first calculation unit configured to calculate the third hash operation message authentication code according to the address of the sender, the data contained in the routing header, and the second shared key.
In another embodiment, the first verification module comprises: a first matching unit configured to match the third hash operation message authentication code with the second hash operation message authentication code to obtain a matching result; a first verification unit configured to verify the SRv6 message according to the matching result; a first verification success unit configured to determine that the SRv6 message passes verification if the matching result indicates that the matching succeeded; and a first verification failure unit configured to determine that the SRv6 message fails verification if the matching result indicates that the matching failed.
According to an aspect of the embodiments of the present application, there is provided another verification apparatus applied to a software-defined boundary controller, including: a second receiving module configured to receive an SRv6 message sent by a routing node, where the routing header of the SRv6 message includes a first hash operation message authentication code calculated according to a first shared key, and the SRv6 message includes payload data, the payload data being the data other than the first hash operation message authentication code in the single packet authorization data packet; a second generation module configured to determine a fourth hash operation message authentication code from the payload data; and a second verification module configured to verify the SRv6 message according to the fourth hash operation message authentication code and the first hash operation message authentication code.
In another embodiment, the second generation module comprises: a second obtaining unit configured to obtain the first shared key used in calculating the first hash operation message authentication code; and a second calculation unit configured to calculate the fourth hash operation message authentication code according to the payload data and the first shared key.
In another embodiment, the second verification module comprises: a second matching unit configured to match the fourth hash operation message authentication code with the first hash operation message authentication code to obtain a matching result; a second verification unit configured to verify the SRv6 message according to the matching result; a second verification success unit configured to determine that the SRv6 message passes verification if the matching result indicates that the matching succeeded; and a second verification failure unit configured to determine that the SRv6 message fails verification if the matching result indicates that the matching failed.
According to an aspect of the embodiments of the present application, there is provided another verification apparatus applied to a single packet authorization data packet agent, including: a third receiving module configured to receive a single packet authorization data packet sent by the sender of the single packet authorization data packet; an acquisition module configured to acquire a first hash operation message authentication code from the single packet authorization data packet and to calculate a second hash operation message authentication code according to the first hash operation message authentication code and a second shared key, the first hash operation message authentication code having been calculated according to a first shared key; a message generation module configured to generate an initial message according to the single packet authorization data packet and to insert the first hash operation message authentication code and the second hash operation message authentication code into the routing header of the initial message to obtain an SRv6 message; and a sending module configured to send the SRv6 message to a routing node, so that the routing node generates a third hash operation message authentication code according to the SRv6 message and verifies the SRv6 message according to the third hash operation message authentication code and the second hash operation message authentication code.
According to an aspect of an embodiment of the present application, there is provided an electronic device including a controller and a memory for storing one or more programs that, when executed by the controller, perform the verification method described above.
According to an aspect of the embodiments of the present application, there is also provided a computer-readable storage medium having stored thereon computer-readable instructions which, when executed by a processor of a computer, cause the computer to execute the above-mentioned verification method.
According to an aspect of an embodiment of the present application, there is also provided a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. The processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, so that the computer device executes the verification method.
In the technical solution provided by the embodiments of the application, the second hash operation message authentication code is obtained from the routing header of the SRv6 message; the routing node and the SDP controller in the SDP model each generate the corresponding current hash operation message authentication code according to the SRv6 message, and the routing node verifies the message according to the current hash operation message authentication code and the second hash operation message authentication code. Moreover, during transmission of the SRv6 message each routing node forwards the message only after its own verification has passed, so whether the SRv6 message has been tampered with or replaced in transit can be accurately determined, and the software-defined boundary controller can verify both the SRv6 message and the single packet authorization data packet. In addition, an SRv6 message contains various data; for a tampered message to pass verification, the authentication of the corresponding node could only be passed by tampering with that data as well, which increases the difficulty of tampering and therefore improves the security of the SRv6 message in transit.
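The three parties and two keys described in the summary above, as an added worked example (not code from the patent or from China Telecom): the SDP client computes the first HMAC over the SPA payload with the first shared key K1; the SPA agent computes the second HMAC with the second shared key K2 and places both in the SRH; a routing node recomputes the third HMAC and matches it against the second; the controller recomputes the fourth HMAC over the payload and matches it against the first. The key values, addresses and payload are constructed, SHA-256 as the HMAC hash and the byte encoding of the SRH fields are assumptions (the patent names RFC 2104 and the fields but not the hash or layout), and including the first HMAC in the data covered by the second HMAC is an assumption that reconciles the two ways the page describes the second HMAC. A single routing node is modelled; the multi-node case repeats the node step.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample keys; the patent gives no key material. Real deployments
# provision these out of band.
K1 = b"first-shared-key: sdp-client <-> sdp-controller"
K2 = b"second-shared-key: spa-agent <-> routing-nodes"
CLIENT_ADDR = "2001:db8::1"                               # constructed SDP client address
PATH = ["2001:db8::11", "2001:db8::12", "2001:db8::13"]  # constructed preset transmission path


def mac(key: bytes, data: bytes) -> bytes:
    """RFC 2104 HMAC; SHA-256 is an assumption, the page names no hash function."""
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass
class SpaPacket:
    payload: bytes   # the SPA packet minus the first HMAC ("payload data" in the page)
    hmac1: bytes     # first HMAC, computed by the SDP client with K1


@dataclass
class Srv6Packet:
    src: str            # IPv6 source address = SDP client address
    dst: str            # rewritten by each routing node
    last_entry: int     # SRH Last Entry
    flags: int          # SRH Flags
    segment_list: list  # SRH Segment List (preset complete path)
    hmac1: bytes        # carried in the HMAC TLV
    hmac2: bytes        # carried in the HMAC TLV
    payload: bytes


def srh_auth_input(src, last_entry, flags, segment_list, hmac1) -> bytes:
    """Assumed canonical encoding of the fields the page lists (source address,
    Last Entry, Flags, Segment List) plus the first HMAC. A real encoding would
    length-prefix the variable parts; '|' joining is enough for this example."""
    parts = [src.encode(), str(last_entry).encode(), str(flags).encode()]
    parts += [seg.encode() for seg in segment_list]
    parts.append(hmac1)
    return b"|".join(parts)


def sdp_client_build_spa(payload: bytes) -> SpaPacket:
    return SpaPacket(payload=payload, hmac1=mac(K1, payload))


def spa_agent_build_srv6(spa: SpaPacket) -> Srv6Packet:
    """SPA agent as SRv6 source node: extract HMAC1, derive HMAC2 with K2, build SRH."""
    segment_list = list(reversed(PATH))   # SRH stores segments in reverse order
    last_entry = len(segment_list) - 1
    flags = 0
    hmac2 = mac(K2, srh_auth_input(CLIENT_ADDR, last_entry, flags, segment_list, spa.hmac1))
    return Srv6Packet(CLIENT_ADDR, PATH[0], last_entry, flags, segment_list, spa.hmac1, hmac2, spa.payload)


def routing_node_verify(pkt: Srv6Packet) -> bool:
    """Routing node: third HMAC from the SRH fields and K2, matched against the second."""
    hmac3 = mac(K2, srh_auth_input(pkt.src, pkt.last_entry, pkt.flags, pkt.segment_list, pkt.hmac1))
    return hmac.compare_digest(hmac3, pkt.hmac2)   # constant-time match


def sdp_controller_verify(pkt: Srv6Packet) -> bool:
    """Controller: fourth HMAC over the payload with K1, matched against the first."""
    return hmac.compare_digest(mac(K1, pkt.payload), pkt.hmac1)


def deliver(pkt: Srv6Packet, tamper=None) -> tuple:
    """Agent -> routing node -> controller. `tamper` optionally modifies the packet
    in transit before the node sees it. Returns (node_accepted, controller_accepted)."""
    if tamper:
        tamper(pkt)
    if not routing_node_verify(pkt):
        return False, False          # dropped at the node; never reaches the controller
    pkt.dst = "controller"           # node forwards only after its verification passes
    return True, sdp_controller_verify(pkt)


def fresh_packet() -> Srv6Packet:
    return spa_agent_build_srv6(sdp_client_build_spa(b"access-request:user=alice"))


def run_honest() -> tuple:
    return deliver(fresh_packet())


def run_path_tampered() -> tuple:
    def reroute(p):                  # path edited in transit without K2
        p.segment_list.insert(0, "2001:db8::bad")
        p.last_entry += 1
    return deliver(fresh_packet(), reroute)


def run_payload_tampered() -> tuple:
    def swap_payload(p):             # payload edited; HMAC2 does not cover it, HMAC1 does
        p.payload = b"access-request:user=admin"
    return deliver(fresh_packet(), swap_payload)


def run_hmac1_forged() -> tuple:
    def forge(p):                    # new payload with an HMAC1 made under the wrong key
        p.payload = b"access-request:user=admin"
        p.hmac1 = mac(b"wrong-key", p.payload)
    return deliver(fresh_packet(), forge)


if __name__ == "__main__":
    print(run_honest(), run_path_tampered(), run_payload_tampered(), run_hmac1_forged())
```

The four runs show where each layer catches what: a path edit fails at the routing node (K2 layer), a payload edit passes the node but fails at the controller (K1 layer), and a replaced first HMAC fails already at the node because, under this example's encoding, the first HMAC is inside the data the second HMAC covers.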
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application. It is obvious that the drawings in the following description are only some embodiments of the application, and that for a person skilled in the art, other drawings can be derived from them without inventive effort. In the drawings:
FIG. 1 is a flow chart illustrating a verification method according to an exemplary embodiment of the present application;
FIG. 2 is a flow chart of another verification method based on the embodiment shown in FIG. 1;
FIG. 3 is a flow chart of another verification method based on the embodiment shown in FIG. 1;
FIG. 4 is a diagram of an implementation environment of the verification method shown in any one of the embodiments of FIGS. 1-3;
FIG. 5 is a flow chart of another verification method according to another exemplary embodiment of the present application;
FIG. 6 is a flow chart of another verification method based on the embodiment shown in FIG. 5;
FIG. 7 is a flow chart of another verification method based on the embodiment shown in FIG. 5;
FIG. 8 is a diagram of an implementation environment of the verification method shown in any one of FIGS. 5-7;
FIG. 9 is a flow chart of another verification method according to another exemplary embodiment of the present application;
FIG. 10 is a diagram of an implementation environment of the verification method shown in the embodiment of FIG. 9;
FIG. 11 is a schematic diagram of a verification device according to an exemplary embodiment of the present application;
FIG. 12 is a schematic diagram of another verification device according to another exemplary embodiment of the present application;
FIG. 13 is a schematic diagram of another verification device according to another exemplary embodiment of the present application;
FIG. 14 is a schematic diagram illustrating a computer system of an electronic device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the application, as detailed in the appended claims.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flowcharts shown in the figures are illustrative only and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
Reference to "a plurality" in this application means two or more. "And/or" describes the association relationship of the associated objects and means that three relationships are possible; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
Referring first to FIG. 1, FIG. 1 is a flowchart illustrating a verification method according to an exemplary embodiment of the present application. As shown in FIG. 1, the method is applied to a routing node and includes at least S110 to S130, described in detail as follows:
S110: receiving an SRv6 message sent by a single packet authorization data packet agent; the routing header of the SRv6 message includes a first hash operation message authentication code and a second hash operation message authentication code, the first hash operation message authentication code being calculated according to the first shared key and the second hash operation message authentication code being calculated according to the first hash operation message authentication code and the second shared key.
The single packet authorization data packet agent, namely the SPAAgent, receives the single packet authorization data packet sent by the SDP client (the sender of the single packet authorization data packet in this application). As the source node of SRv6, it disassembles the single packet authorization data packet, extracts the first hash operation message authentication code, calculates the second hash operation message authentication code according to the first hash operation message authentication code and the second shared key, and thereby generates a complete HMAC TLV (Hash-based Message Authentication Code Type-Length-Value, the tag-length-value carrying the keyed hash operation message authentication codes). It inserts the HMAC TLV into the SRH (Segment Routing Header) of an initial message, so that the SRH comprises the first hash operation message authentication code and the second hash operation message authentication code as well as the preset complete transmission path, and generates the SRv6 message with the address of the SDP client as the IPv6 source address; the routing header of the SRv6 message therefore comprises the first hash operation message authentication code. The first hash operation message authentication code is calculated according to the first shared key; in this embodiment it is calculated by the sender of the single packet authorization data packet using the first shared key.
The first shared key is a key shared by the SDP client and the SDP controller, that is, by the sender of the single packet authorization data packet and the software-defined boundary controller in this application; the two parties can each calculate the corresponding hash operation message authentication code using the first shared key.
The second hash operation message authentication code is calculated by the single packet authorization data packet agent, as the source node of SRv6, according to the first hash operation message authentication code and the second shared key; the complete HMAC TLV is generated from it and added to the SRH, and the SRv6 message is generated. The SRH thus comprises both the first hash operation message authentication code and the second hash operation message authentication code.
The second shared key is a key shared by the single packet authorization data packet agent and the routing nodes; each of them can use the second shared key together with the relevant data to generate the corresponding hash operation message authentication code.
The routing node in this embodiment may be an initial routing node, which directly receives the SRv6 message sent by the single packet authorization data packet agent; an intermediate routing node, which receives the SRv6 message sent by the previous routing node and can send it to the next routing node; or a last routing node, which receives the SRv6 message sent by the previous routing node and can send it to the transit node. For example, after receiving the SRv6 message sent by the single packet authorization data packet agent, the initial routing node verifies the SRv6 message; after the verification passes, it modifies the destination address of the SRv6 message to the address of the next intermediate routing node and sends the message to that intermediate routing node, so that the intermediate routing node in turn verifies the SRv6 message and determines, according to the verification result, whether to send the SRv6 message on to the next routing node.
S120: generating a third hash operation message authentication code according to the SRv6 message.
After the routing node receives the SRv6 message, it can calculate a third hash operation message authentication code from the relevant data in the SRv6 message, and the third hash operation message authentication code can then be compared with the second hash operation message authentication code to judge whether the two are the same.
S130: verifying the SRv6 message according to the third hash operation message authentication code and the second hash operation message authentication code.
The third hash operation message authentication code is compared with the second hash operation message authentication code, and the SRv6 message is verified according to the comparison result; that is, the comparison result of the third hash operation message authentication code and the second hash operation message authentication code is the basis for judging whether the SRv6 message passes verification.
In this embodiment, the routing node obtains the second hash operation message authentication code from the routing header of the SRv6 message, generates the third hash operation message authentication code according to the SRv6 message, verifies the message according to the second hash operation message authentication code and the third hash operation message authentication code, determines whether the SRv6 message passes verification, and can thereby accurately determine whether the SRv6 message has been tampered with or replaced in transit. In addition, during transmission of the SRv6 message each routing node forwards the message only after its own verification has passed, so tampering or replacement in transit can be accurately determined. Furthermore, an SRv6 message contains various data; for a tampered message to pass verification, the authentication of the corresponding node could only be passed by tampering with that data as well, which increases the difficulty of tampering and therefore improves the security of the SRv6 message in transit.
Referring to FIG. 2, FIG. 2 is a flow chart of another verification method based on the embodiment shown in FIG. 1. The SRv6 message includes an address corresponding to the sender of the single packet authorization data packet, and S120 shown in FIG. 1 includes at least S210 to S240, described in detail as follows:
S210: acquiring a second shared key, the second shared key being a key shared by the single packet authorization data packet agent and the routing node.
The routing node in this embodiment may be an initial routing node, that is, a routing node that directly receives the SRv6 message sent by the single packet authorization data packet agent; an intermediate routing node, which receives the SRv6 message sent by the previous routing node and can send it to the next routing node; or a last routing node, which receives the SRv6 message sent by the previous routing node and can send it to the transit node.
The second shared key is a key shared by the single packet authorization data packet agent and the routing nodes on the transmission path, and each of them uses the second shared key to calculate the corresponding hash operation message authentication code.
S220: calculating a third hash operation message authentication code according to the address of the sender, the data contained in the routing header and the second shared key.
The address of the sender is the IPv6 source address, i.e. the address of the SDP client.
The data contained in the routing header is the relevant data in the SRH, such as the Last Entry, the Flags, and all addresses in the Segment List of the SRH.
Illustratively, the routing node calculates the third hash operation message authentication code using the method defined in RFC 2104 from the IPv6 source address, the Last Entry, the Flags and all addresses in the Segment List of the SRH, and the second shared key.
This embodiment further illustrates how the routing node verifies the SRv6 message. The routing node obtains the second shared key shared among the routing nodes and calculates the third hash operation message authentication code from the address of the sender, the data contained in the routing header of the SRv6 message and the second shared key. Because the second shared key is shared only by the single packet authorization data packet agent and each routing node, other nodes cannot obtain the second shared key and therefore cannot calculate the third hash operation message authentication code, so an SRv6 message whose path has been tampered with cannot pass verification. This achieves the effect of verifying the identity of the routing node and guarantees the security of the data transmission process.
Referring to fig. 3, fig. 3 is a flowchart of another verification method based on the embodiment shown in fig. 1. The method further includes steps S310 to S340 within S130 shown in fig. 1, described in detail below:
S310: Match the third HMAC against the second HMAC to obtain a matching result.
The matching result indicates either a successful match or a failed match, depending on whether the third HMAC matches the second HMAC.
S320: Verify the SRv6 packet according to the matching result.
The matching result corresponds to the verification result of the SRv6 packet; that is, the result of matching the third HMAC against the second HMAC determines whether the SRv6 packet is verified.
S330: If the matching result indicates that the match succeeded, determine that the SRv6 packet passes verification.
Illustratively, if the second HMAC is asdf&6 and the third HMAC is asdf&6, the two are identical, the match succeeds, and it is determined that the data in the SRv6 packet has not been tampered with and the packet passes verification.
S340: If the matching result indicates that the match failed, determine that the SRv6 packet fails verification.
Illustratively, if the second HMAC is asdf&6 and the third HMAC is agfhfd&8, the two differ, the match fails, and it is determined that the data in the SRv6 packet may have been tampered with, or that the SRv6 packet did not come from the SPA Agent (the single-packet authorization packet agent of this application); the SRv6 packet therefore fails verification.
This embodiment further illustrates how to verify the SRv6 packet using the third HMAC and the second HMAC. Whether the SRv6 packet passes verification is determined by the result of matching the third HMAC against the second HMAC, which prevents the SRv6 packet from being maliciously tampered with or replaced in transit and thereby improves the security of the SRv6 packet during transmission.
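The routing-node check of S220 and S310 to S340 in working form, as an added example that is not part of the patent: the third HMAC is computed per RFC 2104 over the IPv6 source address, Last Entry, Flags and Segment List with the second shared key and matched against the second HMAC carried in the HMAC TLV. The byte layout of the authenticated fields, the SHA-256 hash, the keys and the addresses are assumptions constructed for the example; the patent fixes none of them.

```python
import hashlib
import hmac
import ipaddress


def sid(addr: str) -> bytes:
    """Pack an IPv6 address or SID into its 128-bit (16-byte) value."""
    return ipaddress.IPv6Address(addr).packed


def path_bytes(src_addr: str, last_entry: int, flags: int, segment_list: list) -> bytes:
    """Concatenate the fields the text says are authenticated: the IPv6 source
    address, Last Entry, Flags and every address in the Segment List.
    The byte layout is an assumption for this example, not the patent's."""
    return sid(src_addr) + bytes([last_entry & 0xFF, flags & 0xFF]) + b"".join(segment_list)


def path_hmac(shared_key_2: bytes, src_addr: str, last_entry: int, flags: int,
              segment_list: list) -> bytes:
    """RFC 2104 HMAC over the path data, keyed with the second shared key.
    SHA-256 is assumed as the underlying hash."""
    return hmac.new(shared_key_2, path_bytes(src_addr, last_entry, flags, segment_list),
                    hashlib.sha256).digest()


def routing_node_verify(shared_key_2: bytes, src_addr: str, last_entry: int, flags: int,
                        segment_list: list, hmac2_from_tlv: bytes) -> bool:
    """S220 and S310-S340: recompute the third HMAC from the received packet and
    match it against the second HMAC from the HMAC TLV. compare_digest keeps
    the comparison constant-time so the match itself leaks nothing."""
    hmac3 = path_hmac(shared_key_2, src_addr, last_entry, flags, segment_list)
    return hmac.compare_digest(hmac3, hmac2_from_tlv)


def demo() -> dict:
    """Constructed packet: a 128-bit HMAC1 as Segment List[0] followed by the
    three path SIDs of fig. 10 (all addresses and keys are made up)."""
    k2 = b"constructed-second-shared-key"           # shared by SPA agent and routing nodes
    src = "2001:db8::100"                            # SDP client address = IPv6 source
    hmac1 = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed HMAC1
    segs = [sid("::") [:0] + hmac1, sid("2001:db8::600"), sid("2001:db8:400::1"), sid("2001:db8:300::1")]
    last_entry, flags = len(segs) - 1, 0

    # SPA agent side: HMAC2 over the same fields, carried in the HMAC TLV.
    hmac2 = path_hmac(k2, src, last_entry, flags, segs)

    # Routing node side: an untouched packet verifies.
    genuine = routing_node_verify(k2, src, last_entry, flags, segs, hmac2)

    # A packet whose path was altered in transit (Segment List[2] replaced) fails.
    altered = list(segs)
    altered[2] = sid("2001:db8::dead")
    rerouted = routing_node_verify(k2, src, last_entry, flags, altered, hmac2)

    # A node that does not hold the second shared key cannot produce a matching HMAC3.
    wrong_key = routing_node_verify(b"some-other-key", src, last_entry, flags, segs, hmac2)

    return {"genuine": genuine, "rerouted": rerouted, "wrong_key": wrong_key}
```

Note that the second HMAC itself sits in the HMAC TLV and is not among the authenticated fields, which is why the agent and the routing node can compute over exactly the same bytes.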
Referring to fig. 4, fig. 4 is an implementation environment diagram of the verification method according to any of the embodiments shown in fig. 1 to fig. 3. The environment comprises an SDP client 100, a single-packet authorization packet agent 200, an initial routing node 300, a last routing node 400, a transit node 500 and an SDP controller 600; a server 700 is located in the initial routing node 300.
The server 700 receives an SRv6 packet sent by the single-packet authorization packet agent 200. The routing header of the SRv6 packet carries a first HMAC and a second HMAC; the first HMAC is computed with the first shared key, and the second HMAC is computed from the first HMAC and the second shared key. The server 700 generates a third HMAC from the SRv6 packet and verifies the SRv6 packet using the third HMAC and the second HMAC.
Specifically, the server 700 receives the SRv6 packet and performs HMAC verification; it then executes the End action, writes the address of the next node, namely the last routing node 400, in the form of a SID (Security Identifiers) into the destination address of the outer IPv6 header, and forwards the verified SRv6 packet to the next routing node.
The server 700 may also be located in the last routing node 400 and execute the above method: it receives the SRv6 packet already verified by the initial routing node 300, generates a third HMAC from the SRv6 packet, and verifies the SRv6 packet using the third HMAC and the second HMAC.
In addition, there may be one or more intermediate routing nodes between the initial routing node 300 and the last routing node 400, and the server 700 may be located in any intermediate routing node to perform the above method.
The transit node 500 in this application is an ordinary IPv6 node that does not participate in SRv6 processing; it looks up the IPv6 routing table by longest match and forwards the SRv6 packet from the last routing node 400 to the SDP controller as an ordinary packet. Note that the SRH is preserved only when the SRv6 packet is forwarded by the transit node 500: if an SRv6 packet were sent to the SDP controller 600 directly from any routing node that receives and processes SRv6, the SRH would be stripped, and the SDP controller 600 could not verify the packet correctly.
The server 700 in this embodiment and the following embodiments may be an independent physical server, a server cluster or distributed system formed by multiple physical servers (where the servers may form a blockchain and the server is a node on that blockchain), or a cloud server providing basic cloud computing services such as cloud service, cloud database, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), big data and artificial intelligence platforms; this is not limited here.
Fig. 5 is a flowchart of another verification method according to another exemplary embodiment of the present application. The method is applied to a software-defined perimeter (SDP) controller and includes steps S510 to S530, described in detail below:
S510: Receive the SRv6 packet sent by the routing node. The routing header of the SRv6 packet carries a first HMAC computed with the first shared key, and the SRv6 packet carries payload data, which is the data of the single-packet authorization packet other than the first HMAC.
Specifically, the last routing node sends the SRv6 packet to the transit node. The transit node is an ordinary IPv6 node that cannot recognize the SRH, so it follows the ordinary IPv6 processing flow, looks up the IPv6 routing table by the longest-match rule, and forwards the packet to the SDP controller, i.e. the software-defined perimeter controller of this embodiment.
The software-defined perimeter controller receives the SRv6 packet sent by the routing node and forwarded by the transit node. The routing header of the SRv6 packet carries a first HMAC, which in this embodiment is computed by the sender of the single-packet authorization packet using the first shared key shared between that sender and the software-defined perimeter controller.
The payload data, i.e. the payload, is the data of the single-packet authorization packet other than the first HMAC, obtained after the single-packet authorization packet agent disassembles the single-packet authorization packet.
S520: Determine a fourth HMAC from the payload data.
The software-defined perimeter controller receives the SRv6 packet, extracts the payload from it, and computes a fourth HMAC from the payload data.
S530: Verify the SRv6 packet using the fourth HMAC and the first HMAC.
The software-defined perimeter controller receives the SRv6 packet, extracts the last segment of the SRv6 packet, namely the first HMAC in this embodiment, compares the first HMAC with the fourth HMAC, and verifies the SRv6 packet according to the comparison result; that is, the comparison of the first HMAC with the fourth HMAC is the basis for judging whether the SRv6 packet passes verification.
In this embodiment, the software-defined perimeter controller acts as the executing end: it obtains the first HMAC from the routing header of the SRv6 packet, generates a fourth HMAC from the payload data of the SRv6 packet, verifies the packet using the first HMAC and the fourth HMAC, and judges whether the SRv6 packet passes verification. During transmission of the SRv6 packet, each routing node forwards the packet only after its own verification passes, so the SRv6 packet received by the software-defined perimeter controller has already been authenticated by several routing nodes and the security of the whole transmission process is high; by verifying the SRv6 packet, the software-defined perimeter controller also verifies the single-packet authorization packet. In addition, because the SRv6 packet carries several kinds of data, anyone attempting to tamper with the packet and still pass verification would have to alter several pieces of data to pass the authentication of the corresponding nodes, which increases the difficulty of tampering and thereby improves the security of the SRv6 packet in transit.
Fig. 6 is a flowchart of another verification method based on the embodiment shown in fig. 5. The method includes steps S610 to S620 within S520 shown in fig. 5, described in detail below:
S610: Obtain the first shared key used when computing the first HMAC.
The first shared key is shared between the sender of the single-packet authorization packet and the software-defined perimeter controller, and differs from the second shared key shared between the single-packet authorization packet agent and the routing nodes; that is, only the sender of the single-packet authorization packet and the software-defined perimeter controller can compute the corresponding HMAC using the first shared key.
S620: Compute a fourth HMAC from the payload data and the first shared key.
The software-defined perimeter controller computes the fourth HMAC from the payload data and the first shared key using a preset algorithm.
This embodiment illustrates how the fourth HMAC is obtained: the software-defined perimeter controller computes it from the payload data and the first shared key. Since the payload data is the data of the single-packet authorization packet other than the first HMAC, i.e. the payload data comes from the single-packet authorization packet, the subsequent verification of the SRv6 packet using the first HMAC and the fourth HMAC also verifies the single-packet authorization packet itself.
Fig. 7 is a flowchart of another verification method based on the embodiment shown in fig. 5. The method includes steps S710 to S740 within S530 shown in fig. 5, described in detail below:
S710: Match the fourth HMAC against the first HMAC to obtain a matching result.
The matching result indicates either a successful match or a failed match, depending on whether the fourth HMAC matches the first HMAC.
S720: Verify the SRv6 packet according to the matching result.
The matching result corresponds to the verification result of the SRv6 packet; that is, the result of matching the fourth HMAC against the first HMAC determines whether the SRv6 packet is verified.
S730: If the matching result indicates that the match succeeded, determine that the SRv6 packet passes verification.
Illustratively, if the fourth HMAC is identical to the first HMAC and the match succeeds, it is determined that the data in the SRv6 packet has not been tampered with and the packet passes verification, and hence that the single-packet authorization packet was not maliciously tampered with or replaced in transit.
S740: If the matching result indicates that the match failed, determine that the SRv6 packet fails verification.
Illustratively, if the fourth HMAC differs from the first HMAC and the match fails, it is determined that the SRv6 packet fails verification: the data in the SRv6 packet may have been tampered with, or the SRv6 packet did not come from the single-packet authorization packet agent, or the single-packet authorization packet itself was tampered with or replaced; that is, identity authentication of the sender of the single-packet authorization packet fails.
This embodiment further illustrates how to verify the SRv6 packet using the fourth HMAC and the first HMAC. Whether the SRv6 packet passes verification is determined by the result of matching the fourth HMAC against the first HMAC, which verifies the single-packet authorization packet, prevents it from being maliciously tampered with or replaced in transit, and improves the security of the data transmission process.
Referring to fig. 8, fig. 8 is an implementation environment diagram of the verification method according to any of the embodiments shown in fig. 5 to 7. The environment comprises an SDP client 100, a single-packet authorization packet agent 200, an initial routing node 300, a last routing node 400, a transit node 500 and an SDP controller 600; a server 700 is located in the SDP controller 600 and executes the verification method of any of the embodiments shown in fig. 5 to 7.
The server 700 in the SDP controller 600 receives the SRv6 packet forwarded by the transit node 500, extracts the first HMAC from Segment List[0] of the SRH according to the preset rule, computes the fourth HMAC from the first shared key and the information carried in the packet payload, and compares the two; if they are identical, verification passes and the predetermined authorization operations of the subsequent SDP flow are executed.
Specifically, the server 700 in the SDP controller 600 receives the SRv6 packet forwarded by the transit node 500 and extracts the content of Segment List[0], i.e. the value HMAC1 of the first HMAC. Using the relevant information in the payload, such as the ID of the SDP client 100, it retrieves the stored first shared key shared with the SDP client 100 and, combining that key with the SPA-related information carried in the payload, computes the value HMAC2 of the fourth HMAC according to the preset algorithm. If HMAC1 equals HMAC2, the server 700 in the SDP controller 600 confirms that the SPA packet is valid and that the corresponding SDP client 100 passes verification, and then executes the predetermined authorization operations and other operations of the subsequent SDP flow.
Fig. 9 is a flowchart of another verification method according to another exemplary embodiment of the present application. The method is applied to the single-packet authorization packet agent and includes steps S910 to S940, described in detail below:
S910: Receive the single-packet authorization packet sent by the sender of the single-packet authorization packet.
The executing end of this embodiment is the single-packet authorization packet agent, namely the SPA Agent.
The SPA Agent receives the SPA packet sent by the SDP client.
S920: Obtain the first HMAC from the single-packet authorization packet, and compute a second HMAC from the first HMAC and the second shared key; the first HMAC is computed with the first shared key.
The first HMAC is computed by the SDP client using the first shared key. The first shared key is shared between the SDP client and the SDP controller, i.e. between the sender of the single-packet authorization packet and the software-defined perimeter controller in this application, and both parties can compute the corresponding HMAC using the first shared key.
The second HMAC is computed by the single-packet authorization packet agent, acting as the SRv6 source node, from the first HMAC and the second shared key, so that a complete HMAC TLV is generated; the HMAC TLV is added to the SRH, producing the SRv6 packet. The SRH thus contains the first HMAC and the second HMAC.
The second shared key is shared between the single-packet authorization packet agent and the routing nodes; each party can use the second shared key together with the relevant data to generate the corresponding HMAC.
S930: Generate an initial packet from the single-packet authorization packet, and insert the first HMAC and the second HMAC into the routing header of the initial packet to obtain the SRv6 packet.
Acting as the SRv6 source node, the SPA Agent extracts the first HMAC from the single-packet authorization packet according to the preset format of that packet, computes the second HMAC from the first HMAC and the second shared key, inserts the first HMAC and the second HMAC into the SRH in SID form, uses the address of the SDP client as the IPv6 source address, and generates the SRv6 packet, so that the routing header of the SRv6 packet contains the first HMAC.
S940: Send the SRv6 packet to the routing node, so that the routing node generates a third HMAC from the SRv6 packet and verifies the SRv6 packet using the third HMAC and the second HMAC.
The routing node in this embodiment is specifically the initial routing node among the routing nodes, that is, the routing node that directly receives the SRv6 packet sent by the single-packet authorization packet agent.
The initial routing node receives the SRv6 packet sent by the single-packet authorization packet agent, generates a third HMAC from the SRv6 packet, and verifies the SRv6 packet using the third HMAC and the second HMAC.
In this embodiment, the single-packet authorization packet agent acts as the executing end: it obtains the second HMAC on the basis of the single-packet authorization packet and inserts it into the routing header of the initial packet generated from the single-packet authorization packet to obtain the SRv6 packet, so that a routing node later in the transmission path generates a third HMAC from the SRv6 packet and verifies the SRv6 packet using the third HMAC and the second HMAC. This accurately determines whether the SRv6 packet has been tampered with or replaced in transit and ensures the security of the data transmission process.
Referring to fig. 10, fig. 10 is an implementation environment diagram of the verification method of the embodiment shown in fig. 9. The environment comprises an SDP client 100, a single-packet authorization packet agent 200, an initial routing node 300, a last routing node 400, a transit node 500 and an SDP controller 600; a server 700 is located in the single-packet authorization packet agent 200 and executes the verification method of the embodiment shown in fig. 9.
The server 700 pushes the extracted first HMAC, the address of the SDP controller, the End.X SID of the link from the last routing node 400 to the transit node 500, and the End SID of the link from the initial routing node 300 to the last routing node 400 into the SID sequence in reverse order. Assuming the first HMAC in this embodiment uses the MD5 algorithm, the HMAC is 128 bits long and there are 4 SIDs including the first HMAC; Segments Left is then 3, Segment List[0] is the value HMAC1 of the first HMAC, Segment List[1] is the address of the SDP controller, Segment List[2] is the End.X SID of the link from the last routing node 400 to the transit node 500, and Segment List[3] is the End SID of the link from the initial routing node 300 to the last routing node 400.
Specifically, so as not to hinder normal routing of the packet, the server 700 in the single-packet authorization packet agent 200 must insert the first HMAC into the SRH as the last path. Secondly, depending on the cryptographic algorithm, the computed first HMAC may be longer than one Segment List entry, in which case it must occupy several Segment List entries.
In this embodiment the first HMAC is inserted into the SRH in SID form. Since an SRv6 SID is a 128-bit value, the first HMAC should be n × 128 bits long; for example, if the HMAC uses the SHA256 hash algorithm (or MD5, SHA384, SHA512, SM3, etc.), the HMAC is 256 bits long and can be split into two 128-bit values that serve as Segment List[0] and Segment List[1] respectively. If the HMAC length is not an integer multiple of 128 bits, it is completed with a preset value, for example with the digit 0. If, because of the cryptographic algorithm used, the computed first HMAC is longer than one Segment List entry and must occupy several entries, the Segments Left value in the SRH must be adjusted accordingly, so that the path information is unaffected and the packet can still be routed normally to the transit node.
The single-packet authorization packet agent 200 acts as the source node. The server 700 in it generates an HMAC TLV according to the standard procedure to protect the SRH, uses the remaining data of the original SPA packet other than the first HMAC as the payload, sets the initial Segments Left to 3, i.e. SL = 3 (each subsequent End action decrements SL by 1), uses the IPv6 source address of the SDP client as the source address of the SRv6 packet, and generates the SRv6 packet. It also copies the value of Segment List[3], namely the address of the initial routing node 300, into the destination address field of the outer IPv6 header, looks up the IPv6 routing table, and forwards the SRv6 packet to the initial routing node 300, so that the routing node 300 generates a third HMAC from the SRv6 packet and verifies the SRv6 packet using the third HMAC and the second HMAC.
The SDP controller 600 receives the SRv6 packet sent by the transit node 500. The routing header of the SRv6 packet carries a first HMAC computed with the first shared key, and the SRv6 packet carries payload data, which is the data of the single-packet authorization packet other than the first HMAC. The SDP controller 600 determines a fourth HMAC from the payload data and verifies the SRv6 packet using the fourth HMAC and the first HMAC.
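The SPA agent's SID encoding of fig. 9 and fig. 10 (HMAC1 split into 128-bit SIDs, zero-padded, pushed as the last path, Segments Left adjusted) together with the controller's verification of fig. 5 to 8 (HMAC1 taken from the leading Segment List entries, the fourth HMAC recomputed over the payload with the first shared key, constant-time match), as one added example that is not the patent's code. SHA-256 as the HMAC hash, the key store keyed by SDP client ID, the `id|time|nonce` payload layout and all addresses and keys are assumptions constructed for the example.

```python
import hashlib
import hmac
import ipaddress

SID_BYTES = 16   # an SRv6 SID is a 128-bit value, as the text states

# Constructed key store: first shared key K1 per SDP client ID (not real keys).
KEY_STORE = {b"client-100": b"constructed-first-shared-key-K1"}


def packed(addr: str) -> bytes:
    """IPv6 address / SID text -> 16-byte SID value."""
    return ipaddress.IPv6Address(addr).packed


def hmac_to_sids(mac: bytes) -> list:
    """Split an HMAC into 128-bit SIDs. If its length is not a multiple of
    128 bits it is completed with 0 bytes, as the text prescribes."""
    padded = mac + b"\x00" * ((-len(mac)) % SID_BYTES)
    return [padded[i:i + SID_BYTES] for i in range(0, len(padded), SID_BYTES)]


def sids_to_hmac(sids: list, mac_len: int) -> bytes:
    """Inverse of hmac_to_sids: join the leading SIDs and drop the padding."""
    return b"".join(sids)[:mac_len]


def spa_hmac1(shared_key_1: bytes, payload: bytes) -> bytes:
    """HMAC the SDP client computes over the SPA payload with K1; the controller
    recomputes the same value as the fourth HMAC. SHA-256 is assumed."""
    return hmac.new(shared_key_1, payload, hashlib.sha256).digest()


def agent_build_srh(hmac1: bytes, controller: str, end_x_sid: str, end_sid: str) -> dict:
    """SPA agent side (fig. 9/10): push HMAC1 as the last path, then the
    controller address, the End.X SID and the End SID, in reverse order, and
    set Segments Left to the index of the first hop. When HMAC1 needs more
    than one SID, Last Entry and Segments Left grow with it."""
    segment_list = hmac_to_sids(hmac1) + [packed(controller), packed(end_x_sid), packed(end_sid)]
    last_entry = len(segment_list) - 1
    return {"segment_list": segment_list, "last_entry": last_entry, "segments_left": last_entry}


def controller_verify(srh: dict, payload: bytes) -> bool:
    """SDP controller side (fig. 5-8, S510-S740): take HMAC1 from the leading
    Segment List entries, look up K1 by the client ID in the payload,
    recompute the fourth HMAC and match the two in constant time."""
    mac_len = hashlib.sha256().digest_size
    n_sids = -(-mac_len // SID_BYTES)                   # ceil(mac_len / 16) SIDs hold HMAC1
    hmac1 = sids_to_hmac(srh["segment_list"][:n_sids], mac_len)
    client_id = payload.split(b"|", 1)[0]               # assumed payload layout: id|time|nonce
    key = KEY_STORE.get(client_id)
    if key is None:                                     # unknown client: nothing to verify against
        return False
    return hmac.compare_digest(hmac1, spa_hmac1(key, payload))


def demo() -> dict:
    """End to end on constructed data: a 256-bit HMAC1 occupies two SIDs."""
    payload = b"client-100|1690000000|constructed-nonce"     # SPA packet minus HMAC1
    hmac1 = spa_hmac1(KEY_STORE[b"client-100"], payload)
    srh = agent_build_srh(hmac1, "2001:db8::600", "2001:db8:400::1", "2001:db8:300::1")
    forged = payload.replace(b"constructed-nonce", b"other-nonce")   # payload altered in transit
    return {
        "n_sids": len(srh["segment_list"]),      # 2 HMAC SIDs + 3 path SIDs
        "segments_left": srh["segments_left"],
        "genuine": controller_verify(srh, payload),
        "tampered_payload": controller_verify(srh, forged),
    }
```

With a 256-bit HMAC1 the Segment List has five entries and Segments Left is 4, which is the text's rule that SL must grow when HMAC1 occupies more than one SID; feeding a 128-bit HMAC1 to `agent_build_srh` reproduces the SL = 3 layout of fig. 10, and a 160-bit value is padded with twelve zero bytes into a second SID.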
Another aspect of the present application provides a verification apparatus, as shown in fig. 11, which is a schematic structural diagram of the verification apparatus according to an exemplary embodiment of the present application. The verification apparatus is applied to a routing node and comprises:
a first receiving module 1110, configured to receive an SRv6 packet sent by the single-packet authorization packet agent, where the routing header of the SRv6 packet carries a first HMAC computed with the first shared key and a second HMAC computed from the first HMAC and the second shared key;
a first generating module 1130, configured to generate a third HMAC from the SRv6 packet; and
a first verification module 1150, configured to verify the SRv6 packet using the third HMAC and the second HMAC.
In another embodiment, the SRv6 packet carries the address corresponding to the sender of the single-packet authorization packet, and the first generating module 1130 comprises:
a first obtaining unit, configured to obtain the second shared key, which is shared between the single-packet authorization packet agent and the routing node; and
a first computing unit, configured to compute the third HMAC from the sender's address, the data contained in the routing header, and the second shared key.
In another embodiment, the first verification module 1150 comprises:
a first matching unit, configured to match the third HMAC against the second HMAC to obtain a matching result;
a first verification unit, configured to verify the SRv6 packet according to the matching result;
a first verification-success unit, configured to determine that the SRv6 packet passes verification if the matching result indicates a successful match; and
a first verification-failure unit, configured to determine that the SRv6 packet fails verification if the matching result indicates a failed match.
According to another aspect of the embodiments of the present application, another verification apparatus is provided, as shown in fig. 12, which is a schematic structural diagram of another verification apparatus according to another exemplary embodiment of the present application. The verification apparatus is applied to the software-defined perimeter controller and comprises:
a second receiving module 1210, configured to receive an SRv6 packet sent by a routing node, where the routing header of the SRv6 packet carries a first HMAC computed with the first shared key, and the SRv6 packet carries payload data, which is the data of the single-packet authorization packet other than the first HMAC;
a second generating module 1230, configured to determine a fourth HMAC from the payload data; and
a second verification module 1250, configured to verify the SRv6 packet using the fourth HMAC and the first HMAC.
In another embodiment, the second generating module 1230 comprises:
a second obtaining unit, configured to obtain the first shared key used when computing the first HMAC; and
a second computing unit, configured to compute the fourth HMAC from the payload data and the first shared key.
In another embodiment, the second verification module 1250 comprises:
a second matching unit, configured to match the fourth HMAC against the first HMAC to obtain a matching result;
a second verification unit, configured to verify the SRv6 packet according to the matching result;
a second verification-success unit, configured to determine that the SRv6 packet passes verification if the matching result indicates a successful match; and
a second verification-failure unit, configured to determine that the SRv6 packet fails verification if the matching result indicates a failed match.
According to an aspect of the embodiments of the present application, another verification apparatus is provided, as shown in fig. 13, which is a schematic structural diagram of another verification apparatus according to another exemplary embodiment of the present application. The verification apparatus is applied to a single packet authorization data packet proxy and comprises:
a third receiving module 1310 configured to receive a single packet authorization data packet sent by the sender of the single packet authorization data packet;
an obtaining module 1330 configured to obtain the first hash operation message authentication code from the single packet authorization data packet and to calculate a second hash operation message authentication code from the first hash operation message authentication code and a second shared key; the first hash operation message authentication code is calculated from a first shared key;
a packet generation module 1350 configured to generate an initial packet from the single packet authorization data packet and to insert the first hash operation message authentication code and the second hash operation message authentication code into the routing header of the initial packet, thereby obtaining an SRv6 packet;
a sending module 1370 configured to send the SRv6 packet to a routing node, so that the routing node generates a third hash operation message authentication code from the SRv6 packet and verifies the SRv6 packet according to the third hash operation message authentication code and the second hash operation message authentication code.
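The three verification roles described above (the routing node of claims 1 to 3, the SDP controller of fig. 12 and the proxy of fig. 13) form one chain of two keyed codes: the SPA sender computes the first code over the payload with the first shared key, the proxy computes the second code with the second shared key and puts both in the routing header, the routing node checks the second code, and the controller checks the first. The following is an added example that is not part of the patent or of any implementation by the applicant. It assumes HMAC-SHA256 (the page names no hash function), represents the SRv6 packet as a dict rather than a real segment routing header, and assumes that the data covered by the second code is the sender address together with the routing-header fields including the first code, which is what claim 2 says the routing node recomputes; key values, addresses, segment lists and the SPA payload are all constructed.

```python
import hashlib
import hmac

# Two shared keys, as on the page: K1 is shared by the SPA sender and the
# software-defined perimeter controller, K2 by the SPA proxy and the routing
# node. Both values are constructed for this example.
K1 = b"example-k1-spa-sender-and-sdp-controller"
K2 = b"example-k2-spa-proxy-and-routing-node"
MAC_LEN = 32  # output length of HMAC-SHA256; the page does not fix the hash


def mac(key: bytes, data: bytes) -> bytes:
    """The page's "hash operation message authentication code"; HMAC-SHA256
    is an assumption, the patent names no hash function."""
    return hmac.new(key, data, hashlib.sha256).digest()


def covered_header(sender_addr: bytes, segments: list, hmac1: bytes) -> bytes:
    """Bytes the second code covers: sender address, segment list and HMAC1.
    HMAC2 itself is excluded, otherwise the routing node could not recompute it."""
    return sender_addr + b"".join(segments) + hmac1


# --- SPA sender: packet = payload || HMAC1, HMAC1 = HMAC(K1, payload) ------
def build_spa_packet(payload: bytes, k1: bytes = K1) -> bytes:
    return payload + mac(k1, payload)


# --- SPA proxy (fig. 13, claim 7) -------------------------------------------
def proxy_build_srv6(spa_packet: bytes, sender_addr: bytes,
                     segments: list, k2: bytes = K2) -> dict:
    """Split the SPA packet, derive HMAC2 from HMAC1 with K2 and put both
    codes into the routing header. A dict stands in for the SRv6 packet; a
    real implementation would carry the codes in segment routing header TLVs."""
    payload, hmac1 = spa_packet[:-MAC_LEN], spa_packet[-MAC_LEN:]
    hmac2 = mac(k2, covered_header(sender_addr, segments, hmac1))
    return {
        "sender_addr": sender_addr,
        "routing_header": {"segments": list(segments), "hmac1": hmac1, "hmac2": hmac2},
        "payload": payload,
    }


# --- Routing node (claims 1 to 3) --------------------------------------------
def router_verify(pkt: dict, k2: bytes = K2) -> bool:
    """HMAC3 = HMAC(K2, sender address || routing-header data), accepted only
    if it matches HMAC2; compare_digest avoids a timing side channel."""
    rh = pkt["routing_header"]
    hmac3 = mac(k2, covered_header(pkt["sender_addr"], rh["segments"], rh["hmac1"]))
    return hmac.compare_digest(hmac3, rh["hmac2"])


# --- SDP controller (fig. 12, claims 4 to 6) ---------------------------------
def controller_verify(pkt: dict, k1: bytes = K1) -> bool:
    """HMAC4 = HMAC(K1, payload), compared with HMAC1 from the routing header."""
    hmac4 = mac(k1, pkt["payload"])
    return hmac.compare_digest(hmac4, pkt["routing_header"]["hmac1"])


def run_scenarios() -> dict:
    """One honest packet and three tampered copies; returns, per scenario,
    (accepted by routing node, accepted by controller)."""
    sender = bytes.fromhex("20010db8000000000000000000000001")   # constructed IPv6 source
    segs = [bytes.fromhex("20010db8000000000000000000000101"),
            bytes.fromhex("20010db8000000000000000000000201")]
    payload = b"spa:user=alice;service=ssh;ts=1690000000"       # constructed SPA body
    good = proxy_build_srv6(build_spa_packet(payload), sender, segs)

    # payload altered after the proxy: HMAC2 does not cover it, so only the
    # controller's HMAC1 check catches the change
    payload_tampered = dict(good, payload=payload.replace(b"alice", b"mallory"))
    # segment list reordered: the routing node's HMAC2 check catches it
    path_tampered = dict(good, routing_header=dict(good["routing_header"],
                                                   segments=[segs[1], segs[0]]))
    # HMAC1 replaced by one made under a wrong K1: HMAC2 covers HMAC1, so the
    # routing node already drops it before the controller is reached
    forged = build_spa_packet(payload, b"not-the-real-k1")
    hmac1_tampered = dict(good, routing_header=dict(good["routing_header"],
                                                    hmac1=forged[-MAC_LEN:]))

    return {name: (router_verify(p), controller_verify(p))
            for name, p in (("good", good), ("payload_tampered", payload_tampered),
                            ("path_tampered", path_tampered),
                            ("hmac1_tampered", hmac1_tampered))}


if __name__ == "__main__":
    for name, (at_router, at_controller) in run_scenarios().items():
        print(f"{name:17s} routing node: {'pass' if at_router else 'fail'}  "
              f"controller: {'pass' if at_controller else 'fail'}")
```

Two points the scenarios make visible. The routing node's check only proves that the header was produced by a holder of the second shared key; a payload altered after the proxy passes the routing node and is caught only by the controller, so the two checks are complementary rather than redundant. And, as described on the page, neither code covers a nonce or timestamp, so a captured SRv6 packet replayed within the lifetime of the keys passes both checks; a deployment would bind a counter or timestamp into the SPA payload (which the first code covers) and have the controller reject stale values.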
It should be noted that the verification apparatus provided in the foregoing embodiment and the verification method provided in the foregoing embodiment belong to the same concept, and specific manners of operations executed by each module and unit have been described in detail in the method embodiment, and are not described again here.
Another aspect of the present application also provides an electronic device, comprising: a controller; and a memory for storing one or more programs which, when executed by the controller, cause the controller to perform the method described above.
Referring to fig. 14, fig. 14 is a schematic structural diagram of a computer system of an electronic device according to an exemplary embodiment of the present application, which illustrates a schematic structural diagram of a computer system suitable for implementing the electronic device according to the embodiment of the present application.
It should be noted that the computer system 1400 of the electronic device shown in fig. 14 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 14, the computer system 1400 includes a Central Processing Unit (CPU) 1401, which can perform various appropriate actions and processes, such as executing the method in the above-described embodiment, according to a program stored in a Read-Only Memory (ROM) 1402 or a program loaded from a storage portion 1408 into a Random Access Memory (RAM) 1403. In the RAM 1403, various programs and data necessary for system operation are also stored. The CPU 1401, ROM 1402, and RAM 1403 are connected to each other via a bus 1404. An Input/Output (I/O) interface 1405 is also connected to the bus 1404.
The following components are connected to the I/O interface 1405: an input portion 1406 including a keyboard, a mouse, and the like; an output portion 1407 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage portion 1408 including a hard disk and the like; and a communication section 1409 including a Network interface card such as a LAN (Local Area Network) card, a modem, and the like. The communication section 1409 performs communication processing via a network such as the internet. The driver 1410 is also connected to the I/O interface 1405 as necessary. A removable medium 1411 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1410 as necessary, so that a computer program read out therefrom is installed into the storage section 1408 as necessary.
In particular, according to embodiments of the present application, the processes described above with reference to the flow diagrams may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising a computer program for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 1409 and/or installed from the removable medium 1411. When the computer program is executed by a Central Processing Unit (CPU) 1401, various functions defined in the system of the present application are executed.
It should be noted that the computer readable medium shown in the embodiments of the present application may be a computer readable signal medium or a computer readable storage medium or any combination of the two. The computer readable storage medium may be, for example, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a flash Memory, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with a computer program embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. The computer program embodied on the computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. Each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present application may be implemented by software, or may be implemented by hardware, and the described units may also be disposed in a processor. Wherein the names of the elements do not in some way constitute a limitation on the elements themselves.
Another aspect of the present application also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the authentication method as before. The computer-readable storage medium may be included in the electronic device described in the above embodiment, or may exist separately without being incorporated in the electronic device.
Another aspect of the application also provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device executes the authentication method provided in the above embodiments.
According to an aspect of an embodiment of the present application, there is also provided a computer system including a Central Processing Unit (CPU) that can perform various appropriate actions and processes, such as performing the method in the above-described embodiment, according to a program stored in a Read-Only Memory (ROM) or a program loaded from a storage portion into a Random Access Memory (RAM). In the RAM, various programs and data necessary for system operation are also stored. The CPU, ROM, and RAM are connected to each other via a bus. An Input/Output (I/O) interface is also connected to the bus.
The following components are connected to the I/O interface: an input section including a keyboard, a mouse, and the like; an output section including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section including a hard disk and the like; and a communication section including a Network interface card such as a LAN (Local Area Network) card, a modem, or the like. The communication section performs communication processing via a network such as the internet. The drive is also connected to the I/O interface as needed. A removable medium such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive as necessary, so that a computer program read out therefrom is mounted into the storage section as necessary.
The above description is only a preferred exemplary embodiment of the present application, and is not intended to limit the embodiments of the present application, and those skilled in the art can easily make various changes and modifications according to the main concept and spirit of the present application, so that the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A verification method applied to a routing node, comprising:
receiving an SRv6 packet sent by a single packet authorization data packet proxy; the routing header of the SRv6 packet comprises a first hash operation message authentication code and a second hash operation message authentication code, wherein the first hash operation message authentication code is calculated from a first shared key, and the second hash operation message authentication code is calculated from the first hash operation message authentication code and a second shared key;
generating a third hash operation message authentication code from the SRv6 packet;
and verifying the SRv6 packet according to the third hash operation message authentication code and the second hash operation message authentication code.
2. The method of claim 1, wherein the SRv6 packet includes an address corresponding to the sender of the single packet authorization data packet, and generating the third hash operation message authentication code from the SRv6 packet comprises:
obtaining the second shared key, wherein the second shared key is a key shared by the single packet authorization data packet proxy and the routing node;
and calculating the third hash operation message authentication code from the address of the sender, the data contained in the routing header and the second shared key.
3. The method of claim 1, wherein verifying the SRv6 packet according to the third hash operation message authentication code and the second hash operation message authentication code comprises:
matching the third hash operation message authentication code against the second hash operation message authentication code to obtain a matching result;
verifying the SRv6 packet according to the matching result;
if the matching result indicates that the matching succeeded, determining that the SRv6 packet passes verification;
and if the matching result indicates that the matching failed, determining that the SRv6 packet fails verification.
4. A verification method applied to a software-defined perimeter (SDP) controller, comprising:
receiving an SRv6 packet sent by a routing node; the routing header of the SRv6 packet comprises a first hash operation message authentication code, which is calculated from a first shared key, and the SRv6 packet comprises payload data, which is the data in the single packet authorization data packet other than the first hash operation message authentication code;
determining a fourth hash operation message authentication code from the payload data;
and verifying the SRv6 packet according to the fourth hash operation message authentication code and the first hash operation message authentication code.
5. The method of claim 4, wherein determining the fourth hash operation message authentication code from the payload data comprises:
acquiring the first shared key that was used to calculate the first hash operation message authentication code;
and calculating the fourth hash operation message authentication code from the payload data and the first shared key.
6. The method of claim 4, wherein verifying the SRv6 packet according to the fourth hash operation message authentication code and the first hash operation message authentication code comprises:
matching the fourth hash operation message authentication code against the first hash operation message authentication code to obtain a matching result;
verifying the SRv6 packet according to the matching result;
if the matching result indicates that the matching succeeded, determining that the SRv6 packet passes verification;
and if the matching result indicates that the matching failed, determining that the SRv6 packet fails verification.
7. A verification method applied to a single packet authorization data packet proxy, comprising:
receiving a single packet authorization data packet sent by the sender of the single packet authorization data packet;
obtaining a first hash operation message authentication code from the single packet authorization data packet, and calculating a second hash operation message authentication code from the first hash operation message authentication code and a second shared key; the first hash operation message authentication code is calculated from a first shared key;
generating an initial packet from the single packet authorization data packet, and inserting the first hash operation message authentication code and the second hash operation message authentication code into the routing header of the initial packet to obtain an SRv6 packet;
and sending the SRv6 packet to a routing node, so that the routing node generates a third hash operation message authentication code from the SRv6 packet and verifies the SRv6 packet according to the third hash operation message authentication code and the second hash operation message authentication code.
8. A verification apparatus applied to a routing node, comprising:
a first receiving module configured to receive an SRv6 packet sent by a single packet authorization data packet proxy; the routing header of the SRv6 packet comprises a first hash operation message authentication code and a second hash operation message authentication code, wherein the first hash operation message authentication code is calculated from a first shared key, and the second hash operation message authentication code is calculated from the first hash operation message authentication code and a second shared key;
a first generating module configured to generate a third hash operation message authentication code from the SRv6 packet;
a first verification module configured to verify the SRv6 packet according to the third hash operation message authentication code and the second hash operation message authentication code.
9. An electronic device, comprising:
a controller;
a memory for storing one or more programs which, when executed by the controller, cause the controller to implement the verification method of any one of claims 1 to 7.
10. A computer-readable storage medium having stored thereon computer-readable instructions which, when executed by a processor of a computer, cause the computer to perform the verification method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210925231.8A CN115361136A (en) 2022-08-02 2022-08-02 Verification method and device, equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210925231.8A CN115361136A (en) 2022-08-02 2022-08-02 Verification method and device, equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN115361136A true CN115361136A (en) 2022-11-18

Family

ID=84001300

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210925231.8A Pending CN115361136A (en) 2022-08-02 2022-08-02 Verification method and device, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN115361136A (en)

Similar Documents

Publication Publication Date Title
CN107483509B (en) A kind of auth method, server and readable storage medium storing program for executing
CN111585890B (en) SRv 6-based network path verification method and system
US9118644B2 (en) Method for directing requests to trusted resources
JPH08507416A (en) Method and apparatus for authentication of client-server communication
CN111130798B (en) Request authentication method and related equipment
CN107517194B (en) Return source authentication method and device of content distribution network
CN112491829B (en) MEC platform identity authentication method and device based on 5G core network and blockchain
CN112311779B (en) Data access control method and device applied to block chain system
CN112351117A (en) Domain name management method and device, electronic equipment and storage medium
CN114244530A (en) Resource access method and device, electronic equipment and computer readable storage medium
CN111241492A (en) Product multi-tenant secure credit granting method, system and electronic equipment
CN115189913B (en) Data message transmission method and device
CN112637298B (en) Authentication method and member node
CN114338033A (en) Request processing method, device, equipment and storage medium
CN113821789A (en) Block chain-based user key generation method, device, equipment and medium
CN111404884B (en) Secure communication method, client and non-public server
CN110784318B (en) Group key updating method, device, electronic equipment, storage medium and communication system
CN114428661A (en) Mirror image management method and device
CN112118292A (en) Method, apparatus, network node and storage medium for cross-link communication
CN108055285B (en) Intrusion protection method and device based on OSPF routing protocol
CN115001714B (en) Resource access method and device, electronic equipment and storage medium
CN114172923B (en) Data transmission method, communication system and communication device
CN115361136A (en) Verification method and device, equipment and computer readable storage medium
KR101256114B1 (en) Message authentication code test method and system of many mac testserver
CN112738751B (en) Wireless sensor access authentication method, device and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination