CN116319112B - Message integrity verification method and system - Google Patents
Message integrity verification method and system Download PDFInfo
- Publication number
- CN116319112B CN116319112B CN202310587101.2A CN202310587101A CN116319112B CN 116319112 B CN116319112 B CN 116319112B CN 202310587101 A CN202310587101 A CN 202310587101A CN 116319112 B CN116319112 B CN 116319112B
- Authority
- CN
- China
- Prior art keywords
- strategy
- message
- network
- signature
- sampling
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The invention discloses a message integrity verification method and system, and relates to the technical field of communication transmission. The invention designates a strategy according to the network condition and the service requirement, and the message is cooperatively checked by constructing a hash iteration structure on the terminal and fairly sampling and checking the signature in the network, thereby reducing the calculation cost of the message integrity, improving the message checking efficiency and ensuring the safe transmission of the message.
Description
Technical Field
The invention belongs to the technical field of communication transmission, and particularly relates to a message integrity verification method and system.
Background
The data integrity is such that data is not modified without authorization, i.e., information remains unmodified, uncorrupted, and lost during storage or transmission. The data integrity is to ensure that data stored in a computer system or transmitted over a network is not damaged by illegal hacking or unexpected events, keeping the integrity of the data as a whole. The existing security mechanism usually adopts to verify the signature and message digest at the terminal to check the integrity of the message, but the signature and signature verification of each data packet digest can bring great space-time expenditure, and network performance is reduced.
Disclosure of Invention
In order to solve the above technical problems, the present invention provides a method and a system for checking the integrity of a message.
The first aspect of the invention discloses a message integrity verification method. The method comprises the following steps: step S1, respectively deploying a first verification device in a sending terminal and a receiving terminal of a communication network, and deploying a second verification device in each network element of the communication network; the first verification device comprises a network state sensing module, a hash structure module, a first strategy module and a first checking module; the second verification device comprises a second strategy module and a second checking module; step S2, the sending terminal senses the logic topology and the network state of the communication network for transmitting the target message by utilizing the network state sensing module, and determines a first strategy and a second strategy by utilizing the first strategy module based on the logic topology and the network state; the first strategy is used for hash structure calculation, the hash structure calculation mode and the hash structure storage mode are designated, the second strategy is used for signature verification sampling, the total signature checking rate of the target message is designated, and the first strategy and the second strategy are used as network messages to be sent to a network element and a receiving terminal which are passed through in the process of transmitting the target message; s3, the sending terminal carries out hash calculation and storage on the target message according to the first strategy, carries out sampling signature on the calculated and stored target message according to the second strategy, and sends the target message after sampling signature to the receiving terminal; and S4, the network element which receives the target message carries out sampling signature verification on the target message after sampling signature according to the second strategy, and the receiving terminal which receives the target message carries out hash calculation on the target message which passes through the sampling signature verification according to the first strategy and verifies the hash data carried in the target message. According to the method of the first aspect, in the method, the identifier of the message to be sent is embedded into each segmented data packet, so that the chain computing modules of the network elements and the receiving terminal utilize the mapping algorithm to compute the sequence value according to the identifier of the message to be sent carried in the segmented data packet.
According to the method of the first aspect, in said step S2: the higher the priority of the target message is, the higher the total signature checking rate is; the higher the real-time performance of the target message is, the higher the total signature checking rate is; the total signature check rate includes: and enabling the number of network elements, the sampling signature rate and the sampling signature rate of signature verification in all network elements through which the target message passes.
According to the method of the first aspect, in said step S2: after all network elements through which the target message passes receive the network message, determining whether a signature verification function is started or not according to the number of network elements starting signature verification in the second strategy, the sampling signature rate and the sampling verification rate; and after receiving the target message, the receiving terminal starts a hash calculation and verification function according to the hash structure calculation mode and the hash structure storage mode in the first strategy.
According to the method of the first aspect, in said step S3, sampling the computed and stored target message based on the sampling signature rate in the second policy; and when the size of the target message exceeds the limit threshold of the maximum transmission message, dividing the target message into a plurality of message slices meeting the limit threshold, and establishing an association relationship among the message slices, wherein the association relationship is used for recovering the message slices to the target message at the receiving terminal side.
The second aspect of the invention discloses a message integrity verification system; the system comprises: a first authentication device deployed in a transmitting terminal and a receiving terminal of a communication network, respectively, and a second authentication device deployed in each network element of the communication network; the first verification device comprises a network state sensing module, a hash structure module, a first strategy module and a first checking module; the second verification device comprises a second strategy module and a second checking module; wherein: the sending terminal senses a logic topology and a network state of a communication network for transmitting a target message by using the network state sensing module, and determines a first strategy and a second strategy by using the first strategy module based on the logic topology and the network state; the first strategy is used for hash structure calculation, the hash structure calculation mode and the hash structure storage mode are designated, the second strategy is used for signature verification sampling, the total signature checking rate of the target message is designated, and the first strategy and the second strategy are used as network messages to be sent to a network element and a receiving terminal which are passed through in the process of transmitting the target message; the sending terminal carries out hash calculation and storage on the target message according to the first strategy, carries out sampling signature on the calculated and stored target message according to the second strategy, and sends the target message after sampling signature to the receiving terminal; and the network element receiving the target message carries out sampling signature verification on the target message after sampling signature according to the second strategy, and the receiving terminal receiving the target message carries out hash calculation on the target message passing through the sampling signature verification according to the first strategy and verifies the hash data carried in the target message.
According to the system of the second aspect, the higher the priority of the target message is, the higher the total signature checking rate is; the higher the real-time performance of the target message is, the higher the total signature checking rate is; the total signature check rate includes: and enabling the number of network elements, the sampling signature rate and the sampling signature rate of signature verification in all network elements through which the target message passes.
According to the system of the second aspect, after all network elements through which the target message passes receive the network message, determining whether a signature verification function is started or not according to the number of network elements starting signature verification in the second policy, the sampling signature rate and the sampling signature verification rate; and after receiving the target message, the receiving terminal starts a hash calculation and verification function according to the hash structure calculation mode and the hash structure storage mode in the first strategy.
According to the system of the second aspect, sampling the computed and stored target message based on the sampling signature rate in the second policy; and when the size of the target message exceeds the limit threshold of the maximum transmission message, dividing the target message into a plurality of message slices meeting the limit threshold, and establishing an association relationship among the message slices, wherein the association relationship is used for recovering the message slices to the target message at the receiving terminal side.
A third aspect of the invention discloses an electronic device. The electronic device comprises a memory and a processor, the memory storing a computer program, the processor implementing the steps in a method for verifying the integrity of a message according to any one of the first aspects of the disclosure when executing the computer program.
A fourth aspect of the invention discloses a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of a method for verifying the integrity of a message according to any one of the first aspects of the disclosure.
In summary, the technical scheme provided by the invention constructs a message integrity checking scheme in a network communication environment, and according to the network condition and the service demand appointed strategy, the message is cooperatively checked by constructing a hash iteration structure on the end and fairly sampling and checking the signature in the network, thereby realizing the purposes of reducing the calculation overhead of the message integrity, improving the message checking efficiency and guaranteeing the safe transmission of the message.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings which are required in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are some embodiments of the invention and that other drawings may be obtained from these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a diagram illustrating message integrity checking according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The first aspect of the invention discloses a message integrity verification method. The method comprises the following steps: step S1, respectively deploying a first verification device in a sending terminal and a receiving terminal of a communication network, and deploying a second verification device in each network element of the communication network; the first verification device comprises a network state sensing module, a hash structure module, a first strategy module and a first checking module; the second verification device comprises a second strategy module and a second checking module; step S2, the sending terminal senses the logic topology and the network state of the communication network for transmitting the target message by utilizing the network state sensing module, and determines a first strategy and a second strategy by utilizing the first strategy module based on the logic topology and the network state; the first strategy is used for hash structure calculation, the hash structure calculation mode and the hash structure storage mode are designated, the second strategy is used for signature verification sampling, the total signature checking rate of the target message is designated, and the first strategy and the second strategy are used as network messages to be sent to a network element and a receiving terminal which are passed through in the process of transmitting the target message; s3, the sending terminal carries out hash calculation and storage on the target message according to the first strategy, carries out sampling signature on the calculated and stored target message according to the second strategy, and sends the target message after sampling signature to the receiving terminal; and S4, the network element which receives the target message carries out sampling signature verification on the target message after sampling signature according to the second strategy, and the receiving terminal which receives the target message carries out hash calculation on the target message which passes through the sampling signature verification according to the first strategy and verifies the hash data carried in the target message. According to the method of the first aspect, in the method, the identifier of the message to be sent is embedded into each segmented data packet, so that the chain computing modules of the network elements and the receiving terminal utilize the mapping algorithm to compute the sequence value according to the identifier of the message to be sent carried in the segmented data packet.
According to the method of the first aspect, in said step S2: the higher the priority of the target message is, the higher the total signature checking rate is; the higher the real-time performance of the target message is, the higher the total signature checking rate is; the total signature check rate includes: and enabling the number of network elements, the sampling signature rate and the sampling signature rate of signature verification in all network elements through which the target message passes.
According to the method of the first aspect, in said step S2: after all network elements through which the target message passes receive the network message, determining whether a signature verification function is started or not according to the number of network elements starting signature verification in the second strategy, the sampling signature rate and the sampling verification rate; and after receiving the target message, the receiving terminal starts a hash calculation and verification function according to the hash structure calculation mode and the hash structure storage mode in the first strategy.
According to the method of the first aspect, in said step S3, sampling the computed and stored target message based on the sampling signature rate in the second policy; and when the size of the target message exceeds the limit threshold of the maximum transmission message, dividing the target message into a plurality of message slices meeting the limit threshold, and establishing an association relationship among the message slices, wherein the association relationship is used for recovering the message slices to the target message at the receiving terminal side.
The message is a data unit exchanged and transmitted in the network, namely, a data block to be sent by a station at one time, contains complete data information to be sent, and has inconsistent length and unlimited and variable length. The network is a computer network, which is a computer system for realizing resource sharing and information transmission under the management and coordination of a network operating system, network management software and a network communication protocol by connecting a plurality of computers with different geographic positions and external equipment thereof through communication lines, wherein a network state sensing module, a sampling module and a computing module are deployed in each equipment of the network, a strategy designating module and a strategy issuing module are deployed in the network, and strategies are shared between each computer and the equipment. The first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling are operated together between the computers and the devices. The integrity is that the data is not modified, corrupted, and lost during transmission.
In the method, a network state sensing module is called for each network computer and equipment to acquire network topology and network state information between communication targets, and the network topology information and the network state information are transmitted to a strategy designating module in the network. And a strategy designating module in the network designates strategies according to the message service type and the network state in the network, wherein the strategies comprise a first calculation strategy for hash structure calculation and a second calculation strategy for signature verification sampling, and the strategy issuing module is called to issue the first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling to all computers and equipment between communication targets. The network computer and the device call the sampling module and the computing module to execute the first computing strategy for hash structure computation issued by the strategy issuing module for the network computer and the device, the first computing strategy is used for computing hash structures, and the second computing strategy is used for executing sampling signature or sampling signature verification in the network.
The communication target is a computer which finally arrives when the computer sends a network message, the network topology is a logic topology, the virtual topology is a virtual layout of network equipment, the data is transmitted between the equipment through a network, the data is irrelevant to the physical connection of the equipment, and the network topology information is acquired through message analysis. The network state information comprises basic information such as bandwidth, packet loss rate, MTU (Maximum Transmission Unit ) and the like which are sensed by a port and analyzed by a message.
The policy making module calculates a first calculation policy designated for hash structure calculation and a second calculation policy for signature verification sampling according to the message service type and network state information sent by the computer, wherein the message service type calculation aspect comprises common message service without fragmentation and large message service with fragmentation, and the service priority and the computer priority are weighted on the common message service without fragmentation, namely, the policy is adjusted to be larger for the service requiring high-speed transmission or high-security guarantee or the computer with high security and priority. The network state information calculation aspect is weighted according to the link state information, namely whether a transmission link has the properties of high-speed transmission, idle or difficult packet loss and the like is judged, calculation is finally carried out according to a formula, and the results respectively correspond to the first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling. The first calculation strategy for hash structure calculation comprises a single Bao Haxi strategy, an iterative hash strategy (a Wen Haxi chain, a Wen Haxi tree and the like), and the security and space-time overhead are gradually increased, the second calculation strategy for signature verification sampling comprises a designated device sampling verification rate and a designated verification device, the policy verification rate is finally reached, and the policy verification rate is a result obtained after the verification device quantity is started and the designated device sampling verification rate is calculated. The strategy assignment module transmits the strategy to the strategy issuing module, and the strategy issuing module issues the first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling to computers and devices in the network for later sampling and calculation.
And the sampling module deploys a size flow discriminator based on a Bloom Filter, and samples and signs or tests the network traffic according to the policy signature verification rate according to a second calculation policy for signature verification sampling issued by the issuing module. The flow is a series of data packets sent to a designated unicast address, anycast address or multicast address by a sending end, and the sending end marks the data packets as a flow; the sampling refers to the extraction of a portion of a sample unit from the whole sample to be studied, the basic requirement being to ensure that the extracted sample unit is sufficiently representative of the whole sample; the sampling probability is the proportion of the sampling sample in the total sample, the sampling probability can be set statically in advance or can be set subsequently, if the sampling probability is a transmitting end, the function can be converted into a sampling signature, and the subsequent computing equipment only verifies the data packet with the signature. The signature is a method that a sender generates a message digest from a message text by using a hash function, and then encrypts the digest by using a private key of the sender, and the hash function is a method that a small digital fingerprint is created from any data, so that the message or the data is compressed into the digest, the data quantity is reduced, and the format of the data is fixed. The Bloom Filter is a Bloom Filter consisting of a very long binary vector (bit vector) and a series of random mapping functions, which can be used to retrieve whether an element is in a set. The flow, the Bloom Filter size flow distinguishing counter is a calculation and distribution device deployed based on the method. The Bloom Filter large flow Filter in the Bloom Filter large flow distinguishing counter judges whether the packet belongs to the arrived large flow or not through the flow identification of the arrived packet, if so, the packet is mapped into the large flow counter through the hash address; if not, the packet is mapped into the small stream counter by content addressing. In the small flow counter, whether the counter value reaches the large flow threshold value is judged, so that whether the small flow counter value is replaced into the large flow counter is determined. The flow grouping is a part of the flow, and can carry out sampling waiting subsequent signature for the state to be sent before entering the large and small flow distinguishing counter, and can also carry out sampling waiting subsequent signature verification or inspection for the received state. The calculation module is used for calculating and checking hash information and signature information of the message.
FIG. 1 is a diagram illustrating message integrity checking according to an embodiment of the present invention; as shown in fig. 1, the message is a data unit exchanged and transmitted in the network, that is, a data block to be sent by a station at one time, and includes complete data information to be sent, which is very inconsistent in length, and is unlimited and variable in length. The network is a computer network, which is a computer system for realizing resource sharing and information transmission under the management and coordination of a network operating system, network management software and a network communication protocol by connecting a plurality of computers with different geographic positions and external equipment thereof through communication lines, wherein a network state sensing module, a sampling module and a computing module are deployed in each equipment of the network, a strategy designating module and a strategy issuing module are deployed in the network, and strategies are shared between each computer and the equipment. The first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling are operated together between the computers and the devices. The integrity is that the data is not modified, corrupted, and lost during transmission.
And for each network computer and equipment, a network state sensing module is called, network topology and network state information between communication targets are acquired, and the network topology information and the network state information are transmitted to a strategy designating module in the network. And a strategy designating module in the network designates strategies according to the message service type and the network state in the network, wherein the strategies comprise a first calculation strategy for hash structure calculation and a second calculation strategy for signature verification sampling, and the strategy issuing module is called to issue the first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling to all computers and equipment between communication targets. The network computer and the device call the sampling module and the computing module to execute the first computing strategy for hash structure computation issued by the strategy issuing module for the network computer and the device, the first computing strategy is used for computing hash structures, and the second computing strategy is used for executing sampling signature or sampling signature verification in the network.
Specifically, a network state sensing module, a strategy designating module, a strategy issuing module, a sampling module and a calculating module are arranged in a network system. The network state sensing module is used for acquiring network topology and network state information between communication targets and transmitting the network topology information and the network state information to the strategy designating module in the network; the strategy appointing module appoints a strategy according to the message service type in the network and the network state, wherein the strategy comprises a first calculation strategy for hash structure calculation and a second calculation strategy for signature verification sampling; invoking the strategy issuing module to issue the first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling to all computers and equipment between communication targets; the sampling module deploys a size flow discriminator based on a Bloom Filter, and samples and signs or tests the network traffic according to a second calculation strategy for signature and signature test sampling issued by the issuing module; the calculation module is used for calculating and checking hash information and signature information of the message. And a hash structure most suitable for the message service type is determined through a strategy, a representative flow individual is extracted for signature verification, the message integrity calculation cost is reduced, the message checking efficiency is improved, and the safe transmission of the message is ensured.
And for each network computer and equipment, a network state sensing module is called, network topology and network state information between communication targets are acquired, and the network topology information and the network state information are transmitted to a strategy designating module in the network.
In some embodiments, the network state sensing module performs active device inspection on the designated network based on network protocols such as ICMP, ARP, SNMP to obtain all active devices, then obtains basic information of the devices through SNMP, determines the types of the devices according to the basic information, obtains detailed information of corresponding devices according to the types of the devices, and finally senses topology information between destination communication hosts; judging that the connection relation of each switch is found in the topology of the link layer according to a cdp neighbor table, a port ifIndex and a port corresponding table of the switch and a self-learning table; and the routing topology relation of the related equipment can be obtained according to the returned routing path at all equipment nodes of the routing layer TraceRoute.
Specifically, the communication target is a computer which finally arrives by sending a network message by the computer, the network topology is a logic topology, the virtual layout of network equipment is realized, the data is transmitted between the equipment through a network, the data is irrelevant to the physical connection of the equipment, and the network topology information is acquired through message analysis.
In some embodiments, network status information such as bandwidth, packet loss rate, etc. is obtained through port sensing or tool packet grabbing, and link MTU information is obtained through probe messages such as PMTUD (Path MTU Discovery) protocol and ICMP messages, etc. And transmitting the network topology information and the network information to a strategy designating module in the network.
Specifically, the network state information includes bandwidth, packet loss rate, MTU (Maximum Transmission Unit ) and other basic information that are analyzed through port awareness and message.
And a strategy designating module in the network designates strategies according to the message service type and the network state in the network, wherein the strategies comprise a first calculation strategy for hash structure calculation and a second calculation strategy for signature verification sampling, and the strategy issuing module is called to issue the first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling to all computers and equipment between communication targets.
In some embodiments, an IP datagram will be fragmented for transmission when it exceeds the MTU of the frame, i.e., the datagram is a large message. And the strategy assignment module in the network evaluates whether the message service is vulnerable to attack and packet loss on the target link through combining the network topology information and the network state information by a weighting formula, and evaluates whether the message service is a high-priority or high-real-time service according to the computer priority weighting. And evaluating that the large message service is easy to attack, the real-time requirement is not high, the priority of the target computer or the source computer is not high, and a strategy is distributed for the large message service. The first calculation strategy for hash structure calculation is defined as a Wen Haxi tree, the total strategy verification rate of the second calculation strategy for signature verification sampling is determined to be 50%, namely, the number of verification devices is started and the verification rate of the designated device sampling is required to be 50% after calculation. The sampling signature is a sampling signature, or the sampling signature or the combination of several elements of the sampling specified signature verification device.
Specifically, the policy making module calculates a first calculation policy designated for hash structure calculation and a second calculation policy for signature verification sampling according to the message service type and network state information sent by the computer, wherein the message service type calculation aspect comprises a common message service without fragmentation and a large message service with fragmentation, and the service priority and the computer priority are weighted on the common message service without fragmentation, namely, the policy is adjusted to be larger for the service requiring high-speed transmission or high-security guarantee or the computer with high security and priority. The network state information calculation aspect is weighted according to the link state information, namely whether a transmission link has the properties of high-speed transmission, idle or difficult packet loss and the like is judged, calculation is finally carried out according to a formula, and the results respectively correspond to the first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling. The first calculation strategy for hash structure calculation comprises a single Bao Haxi strategy, an iterative hash strategy (a Wen Haxi chain, a Wen Haxi tree and the like), and the security and space-time overhead are gradually increased, the second calculation strategy for signature verification sampling comprises a designated device sampling verification rate and a designated verification device, the policy verification rate is finally reached, and the policy verification rate is a result obtained after the verification device quantity is started and the designated device sampling verification rate is calculated.
In some embodiments, the policy issuing module issues a first calculation policy for hash structure calculation to the corresponding computer, and issues a second calculation policy for signature verification sampling to the corresponding computer and the device.
Specifically, the designated module transmits the policy to the policy issuing module, and the policy issuing module issues the first calculation policy for hash structure calculation and the second calculation policy for signature verification sampling to computers and devices in the network for later sampling and calculation.
The network computer and the device call the sampling module and the computing module to execute the first computing strategy for hash structure computation issued by the strategy issuing module for the network computer and the device, the first computing strategy is used for computing hash structures, and the second computing strategy is used for executing sampling signature or sampling signature verification in the network.
In some embodiments, the sampling module is configured to calculate the sampling probability or to receive the sampling probability for sampling, wherein a Bloom Filter based size flow divider sets the large flow threshold and the sampling probability. Sampling in the examples refers to the extraction of a portion of the sample unit from the total sample to be studied. The essential requirement is to ensure that the extracted sample units are sufficiently representative of the total sample. Further, the sampling probability of the whole flow can be set, and the larger the flow size is, the smaller the flow sampling rate is.
Specifically, the sampling module deploys a size flow discriminator based on a Bloom Filter, and samples and signs or tests the network traffic according to the policy signature testing rate according to a second calculation policy for signature testing sampling issued by the issuing module. The flow is a series of data packets sent to a designated unicast address, anycast address or multicast address by a sending end, and the sending end marks the data packets as a flow; the sampling refers to the extraction of a portion of a sample unit from the whole sample to be studied, the basic requirement being to ensure that the extracted sample unit is sufficiently representative of the whole sample; the sampling probability is the proportion of the sampling sample in the total sample, the sampling probability can be set statically in advance or can be set subsequently, if the sampling probability is a transmitting end, the function can be converted into a sampling signature, and the subsequent computing equipment only verifies the data packet with the signature. The signature generates a message digest from the message text for the sender using a hash function, and then encrypts the digest with its own private key. The Bloom Filter is a Bloom Filter consisting of a very long binary vector (bit vector) and a series of random mapping functions, which can be used to retrieve whether an element is in a set. The flow, the Bloom Filter size flow distinguishing counter is a calculation and distribution device deployed based on the method. The Bloom Filter large flow Filter in the Bloom Filter large flow distinguishing counter judges whether the packet belongs to the arrived large flow or not through the flow identification of the arrived packet, if so, the packet is mapped into the large flow counter through the hash address; if not, the packet is mapped into the small stream counter by content addressing. In the small flow counter, whether the counter value reaches the large flow threshold value is judged, so that whether the small flow counter value is replaced into the large flow counter is determined. The flow grouping is a part of the flow, and can carry out sampling waiting subsequent signature for the state to be sent before entering the large and small flow distinguishing counter, and can also carry out sampling waiting subsequent signature verification or inspection for the received state. The calculation module is used for calculating and checking hash information and signature information of the message.
In some embodiments, the big message m is divided into n small messages (n is greater than or equal to 1) when the big message m is transmitted by the sending end, the data packets are numbered according to the sequence, and a hash function is used for calculating each message to obtain a hash value. The message Wen Haxi tree is constructed, and the bottom leaf node stores the hash value of each data packet after slicing. The two adjacent hash values are combined into a character string, and then the hash of the character string is continuously operated to form a sub-hash. The two sub-hashes continue to be combined and calculated and stored to a node at a higher layer, the hash tree node value is stored in the packet head of the message data packet, and the analogy is traversed until a root node value is left. The receiving end reads the root node value of the transmitting end message Wen Haxi from the data packet, compares whether the results at the two ends are consistent or not to authenticate the large message, and if so, indicates that the message sequence is not tampered in the transmission process, and has good integrity. If the node values are inconsistent layer-by-layer two-percent, the fault data packet is positioned, and a packet loss or retransmission mechanism is started.
Specifically, the hash function is a method for creating a small digital fingerprint from any data, compressing a message or data into a digest, making the amount of data smaller, and fixing the format of the data.
DETAILED DESCRIPTION OF EMBODIMENT (S) OF INVENTION
And a first step, deploying a message integrity checking system. The message integrity checking system consists of two devices, namely a checking terminal and a checking network element.
The inspection terminal is deployed in a terminal, and the terminal includes various devices supporting session or processing with a computer, such as a computer, a mobile device (mobile phone, notebook, tablet, POS, vehicle-mounted computer, etc.), a device capable of initiating or performing communication, etc. (virtual reality device, unmanned device, sensor, etc.). Besides the original functional modules of the terminal equipment, the checking terminal increment deployment network state sensing module, the hash structure module, the strategy module and the checking module; besides the original basic functions of the terminal equipment, the checking terminal supports the functions of network link and network state sensing, policy decision, issuing and receiving, hash iteration structure calculation and verification, digital signature sampling signature and verification and the like.
The inspection network element is deployed on the network element, and the network element equipment comprises the minimum unit which can be monitored or managed in various network management, such as a hub, a router, a switch, a gateway and the like or intelligent equipment which extends on basic functions and the like. In addition to the original functional modules of the network element equipment, a network element increment deployment strategy module and a checking module are checked; besides the original basic functions of the network element equipment, the functions of decision, issuing and receiving of the supporting strategy of the network element, fair sampling verification of the digital signature and the like are checked.
And secondly, initializing a message integrity checking system.
2.1 starting the checking terminal, analyzing the message information before the message is sent, and sensing the logic topology and the network state (bandwidth, packet loss rate, MTU, etc.) of the network link to be transmitted by the message. If the message is analyzed, determining the high priority (real-time or security) of the message or the high priority (real-time or security) of the transmission user, and jumping to the step 2.5.
And 2.2, transmitting the network logic topology information and the network state to an inspection terminal, and calculating a first strategy for hash structure calculation and a second strategy for signature verification sampling by the inspection terminal according to a formula. The first strategy designates a hash structure calculation mode and a storage mode, the second strategy designates a message total signature checking rate, the starting number of the network element is verified, and the total operation result of the sampling signature rate and the sampling signature checking rate is the message total signature checking rate.
And 2.3, the checking terminal transmits the first strategy for hash structure calculation and the second strategy for signature verification sampling to network element equipment and the terminal in the transmission network in the form of network messages, and the step 2.5 is skipped.
And 2.4, the checking terminal directly determines a first strategy for hash structure calculation and a second strategy for signature verification sampling according to high priority requirements, and issues the strategies to network element equipment and the terminal in a transmission network in the form of network messages.
2.5 according to the second strategy for signature verification sampling, the network element equipment in the transmission network receives the network message carrying the strategy information, then starts the checking function to be determined as checking network elements, and except the network element equipment at the key node, the checking network elements start the result obtained by calculating the total signature checking rate of the second strategy.
And 2.6, according to a first strategy used for hash structure calculation, determining a hash structure after the checking terminal receiving the message receives the network message carrying strategy information, and preparing for hash calculation and verification.
And thirdly, the checking terminal processes the message to be sent.
3.1, carrying out hash calculation on the message according to a first strategy for hash structure calculation, and jumping to the step 3.4. If the transmitted message is larger than the MTU limit, the step is skipped to step 3.2 for the large message needing to be fragmented.
And 3.2, the checking terminal segments the large message to be sent according to the MTU of the link, and prevents secondary segmentation on the link.
3.3, the checking terminal calculates a hash structure (a Wen Haxi chain, a Wen Haxi tree, etc.) of the segmented message according to the first strategy, constructs a stronger hash association relation for each segment, distributes the stronger hash association relation to each segment message for the checking of a receiving terminal, and jumps to step 3.5.
And 3.4, carrying out signature calculation on the message which is subjected to hash calculation and stored according to a second strategy for signature verification sampling, calculating a sampling signature rate according to a strategy-specified total check rate, and carrying out sampling signature on the message (if the sampling signature rate is 100%, the message is all the signatures).
And 3.5, packaging all signed messages and sending the packaged messages to a network.
Fourth, the checking network element samples and checks the message, and the sampling check rate reaches the policy requirement in the form of fair sampling of the size flow.
And 4.1, checking the network element to sample and check the signature on the transmission message fairly, and if the signature passes the checking, jumping to the step 4.2. If the signature does not pass the check, the message is discarded and error information is transmitted back to the sending end, and the sending end starts a corresponding fault recovery mechanism such as retransmission and the like.
4.2 signature passes inspection by the inspection network element and is forwarded to the next node.
And fifthly, performing signature sampling inspection and integrity inspection on the received message by the inspection terminal.
And 5.1, for the fragment message which needs to be recombined into the large message, jumping to the step 5.4. And for the common message which does not need to be recombined into the large message, firstly, sampling and checking the signature, if the step 5.2 is passed, and if the step 5.4 is not passed.
5.2 checking the message passing the signature checking through a way of calculating the hash and carrying the hash, if the message passes the step 5.3, the message does not pass the step 5.4.
And 5.3, transmitting the message passing the integrity check to an upper layer, and jumping to the step six.
And 5.4, if the message does not pass the check, discarding the message and transmitting error information back to the transmitting end, and starting a corresponding fault recovery mechanism such as retransmission and the like by the transmitting end.
And 5.5, sampling and checking labels of all the fragmented messages, if the fragmented messages pass the step 5.6, and if the fragmented messages do not pass the step 5.8.
And 5.6, according to a second strategy, carrying out hash structure operation on the segmented message, and comparing the result with hash information carried in the message, if the step 5.7 is passed, and if the step 5.9 is not passed.
And 5.7, after the message received by the receiving end is recombined, transmitting the message to an upper layer, and jumping to the step six.
And 5.8, if the signature does not pass the check, discarding the message and transmitting error information back to the transmitting end, and starting a corresponding fault recovery mechanism such as retransmission and the like by the transmitting end.
5.9 if the integrity does not pass the check, locating the fault data packet by a search mode, and transmitting error information back to the transmitting end, wherein the transmitting end starts a corresponding fault recovery mechanism such as retransmission and the like.
And sixthly, completing one-time message integrity check.
The invention can achieve the following technical effects:
the invention adopts the message integrity checking method and the system to assign the strategy according to the network condition and the service requirement in the communication network, and the message is cooperatively checked by combining the on-end checking of the hash iteration structure and the fair sampling and signature checking in the network, thereby reducing the calculation cost of the message integrity, improving the message checking efficiency and ensuring the safe transmission of the message.
The second aspect of the invention discloses a message integrity verification system; the system comprises: a first authentication device deployed in a transmitting terminal and a receiving terminal of a communication network, respectively, and a second authentication device deployed in each network element of the communication network; the first verification device comprises a network state sensing module, a hash structure module, a first strategy module and a first checking module; the second verification device comprises a second strategy module and a second checking module; wherein: the sending terminal senses a logic topology and a network state of a communication network for transmitting a target message by using the network state sensing module, and determines a first strategy and a second strategy by using the first strategy module based on the logic topology and the network state; the first strategy is used for hash structure calculation, the hash structure calculation mode and the hash structure storage mode are designated, the second strategy is used for signature verification sampling, the total signature checking rate of the target message is designated, and the first strategy and the second strategy are used as network messages to be sent to a network element and a receiving terminal which are passed through in the process of transmitting the target message; the sending terminal carries out hash calculation and storage on the target message according to the first strategy, carries out sampling signature on the calculated and stored target message according to the second strategy, and sends the target message after sampling signature to the receiving terminal; and the network element receiving the target message carries out sampling signature verification on the target message after sampling signature according to the second strategy, and the receiving terminal receiving the target message carries out hash calculation on the target message passing through the sampling signature verification according to the first strategy and verifies the hash data carried in the target message.
According to the system of the second aspect, the higher the priority of the target message is, the higher the total signature checking rate is; the higher the real-time performance of the target message is, the higher the total signature checking rate is; the total signature check rate includes: and enabling the number of network elements, the sampling signature rate and the sampling signature rate of signature verification in all network elements through which the target message passes.
According to the system of the second aspect, after all network elements through which the target message passes receive the network message, determining whether a signature verification function is started or not according to the number of network elements starting signature verification in the second policy, the sampling signature rate and the sampling signature verification rate; and after receiving the target message, the receiving terminal starts a hash calculation and verification function according to the hash structure calculation mode and the hash structure storage mode in the first strategy.
According to the system of the second aspect, sampling the computed and stored target message based on the sampling signature rate in the second policy; and when the size of the target message exceeds the limit threshold of the maximum transmission message, dividing the target message into a plurality of message slices meeting the limit threshold, and establishing an association relationship among the message slices, wherein the association relationship is used for recovering the message slices to the target message at the receiving terminal side.
The message is a data unit exchanged and transmitted in the network, namely, a data block to be sent by a station at one time, contains complete data information to be sent, and has inconsistent length and unlimited and variable length. The network is a computer network, which is a computer system for realizing resource sharing and information transmission under the management and coordination of a network operating system, network management software and a network communication protocol by connecting a plurality of computers with different geographic positions and external equipment thereof through communication lines, wherein a network state sensing module, a sampling module and a computing module are deployed in each equipment of the network, a strategy designating module and a strategy issuing module are deployed in the network, and strategies are shared between each computer and the equipment. The first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling are operated together between the computers and the devices. The integrity is that the data is not modified, corrupted, and lost during transmission.
And for each network computer and equipment, a network state sensing module is called, network topology and network state information between communication targets are acquired, and the network topology information and the network state information are transmitted to a strategy designating module in the network. And a strategy designating module in the network designates strategies according to the message service type and the network state in the network, wherein the strategies comprise a first calculation strategy for hash structure calculation and a second calculation strategy for signature verification sampling, and the strategy issuing module is called to issue the first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling to all computers and equipment between communication targets. The network computer and the device call the sampling module and the computing module to execute the first computing strategy for hash structure computation issued by the strategy issuing module for the network computer and the device, the first computing strategy is used for computing hash structures, and the second computing strategy is used for executing sampling signature or sampling signature verification in the network.
The communication target is a computer which finally arrives when the computer sends a network message, the network topology is a logic topology, the virtual topology is a virtual layout of network equipment, the data is transmitted between the equipment through a network, the data is irrelevant to the physical connection of the equipment, and the network topology information is acquired through message analysis. The network state information comprises basic information such as bandwidth, packet loss rate, MTU (Maximum Transmission Unit ) and the like which are sensed by a port and analyzed by a message.
The policy making module calculates a first calculation policy designated for hash structure calculation and a second calculation policy for signature verification sampling according to the message service type and network state information sent by the computer, wherein the message service type calculation aspect comprises common message service without fragmentation and large message service with fragmentation, and the service priority and the computer priority are weighted on the common message service without fragmentation, namely, the policy is adjusted to be larger for the service requiring high-speed transmission or high-security guarantee or the computer with high security and priority. The network state information calculation aspect is weighted according to the link state information, namely whether a transmission link has the properties of high-speed transmission, idle or difficult packet loss and the like is judged, calculation is finally carried out according to a formula, and the results respectively correspond to the first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling. The first calculation strategy for hash structure calculation comprises a single Bao Haxi strategy, an iterative hash strategy (a Wen Haxi chain, a Wen Haxi tree and the like), and the security and space-time overhead are gradually increased, the second calculation strategy for signature verification sampling comprises a designated device sampling verification rate and a designated verification device, the policy verification rate is finally reached, and the policy verification rate is a result obtained after the verification device quantity is started and the designated device sampling verification rate is calculated. The strategy assignment module transmits the strategy to the strategy issuing module, and the strategy issuing module issues the first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling to computers and devices in the network for later sampling and calculation.
And the sampling module deploys a size flow discriminator based on a Bloom Filter, and samples and signs or tests the network traffic according to the policy signature verification rate according to a second calculation policy for signature verification sampling issued by the issuing module. The flow is a series of data packets sent to a designated unicast address, anycast address or multicast address by a sending end, and the sending end marks the data packets as a flow; the sampling refers to the extraction of a portion of a sample unit from the whole sample to be studied, the basic requirement being to ensure that the extracted sample unit is sufficiently representative of the whole sample; the sampling probability is the proportion of the sampling sample in the total sample, the sampling probability can be set statically in advance or can be set subsequently, if the sampling probability is a transmitting end, the function can be converted into a sampling signature, and the subsequent computing equipment only verifies the data packet with the signature. The signature is a method that a sender generates a message digest from a message text by using a hash function, and then encrypts the digest by using a private key of the sender, and the hash function is a method that a small digital fingerprint is created from any data, so that the message or the data is compressed into the digest, the data quantity is reduced, and the format of the data is fixed. The Bloom Filter is a Bloom Filter consisting of a very long binary vector (bit vector) and a series of random mapping functions, which can be used to retrieve whether an element is in a set. The flow, the Bloom Filter size flow distinguishing counter is a calculation and distribution device deployed based on the method. The Bloom Filter large flow Filter in the Bloom Filter large flow distinguishing counter judges whether the packet belongs to the arrived large flow or not through the flow identification of the arrived packet, if so, the packet is mapped into the large flow counter through the hash address; if not, the packet is mapped into the small stream counter by content addressing. In the small flow counter, whether the counter value reaches the large flow threshold value is judged, so that whether the small flow counter value is replaced into the large flow counter is determined. The flow grouping is a part of the flow, and can carry out sampling waiting subsequent signature for the state to be sent before entering the large and small flow distinguishing counter, and can also carry out sampling waiting subsequent signature verification or inspection for the received state. The calculation module is used for calculating and checking hash information and signature information of the message.
The message is a data unit exchanged and transmitted in the network, namely, a data block to be sent by a station at one time, contains complete data information to be sent, and has inconsistent length and unlimited and variable length. The network is a computer network, which is a computer system for realizing resource sharing and information transmission under the management and coordination of a network operating system, network management software and a network communication protocol by connecting a plurality of computers with different geographic positions and external equipment thereof through communication lines, wherein a network state sensing module, a sampling module and a computing module are deployed in each equipment of the network, a strategy designating module and a strategy issuing module are deployed in the network, and strategies are shared between each computer and the equipment. The first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling are operated together between the computers and the devices. The integrity is that the data is not modified, corrupted, and lost during transmission.
And for each network computer and equipment, a network state sensing module is called, network topology and network state information between communication targets are acquired, and the network topology information and the network state information are transmitted to a strategy designating module in the network. And a strategy designating module in the network designates strategies according to the message service type and the network state in the network, wherein the strategies comprise a first calculation strategy for hash structure calculation and a second calculation strategy for signature verification sampling, and the strategy issuing module is called to issue the first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling to all computers and equipment between communication targets. The network computer and the device call the sampling module and the computing module to execute the first computing strategy for hash structure computation issued by the strategy issuing module for the network computer and the device, the first computing strategy is used for computing hash structures, and the second computing strategy is used for executing sampling signature or sampling signature verification in the network.
The communication target is a computer which finally arrives when the computer sends a network message, the network topology is a logic topology, the virtual topology is a virtual layout of network equipment, the data is transmitted between the equipment through a network, the data is irrelevant to the physical connection of the equipment, and the network topology information is acquired through message analysis. The network state information comprises basic information such as bandwidth, packet loss rate, MTU (Maximum Transmission Unit ) and the like which are sensed by a port and analyzed by a message.
The policy making module calculates a first calculation policy designated for hash structure calculation and a second calculation policy for signature verification sampling according to the message service type and network state information sent by the computer, wherein the message service type calculation aspect comprises common message service without fragmentation and large message service with fragmentation, and the service priority and the computer priority are weighted on the common message service without fragmentation, namely, the policy is adjusted to be larger for the service requiring high-speed transmission or high-security guarantee or the computer with high security and priority. The network state information calculation aspect is weighted according to the link state information, namely whether a transmission link has the properties of high-speed transmission, idle or difficult packet loss and the like is judged, calculation is finally carried out according to a formula, and the results respectively correspond to the first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling. The first calculation strategy for hash structure calculation comprises a single Bao Haxi strategy, an iterative hash strategy (a Wen Haxi chain, a Wen Haxi tree and the like), and the security and space-time overhead are gradually increased, the second calculation strategy for signature verification sampling comprises a designated device sampling verification rate and a designated verification device, the policy verification rate is finally reached, and the policy verification rate is a result obtained after the verification device quantity is started and the designated device sampling verification rate is calculated. The strategy assignment module transmits the strategy to the strategy issuing module, and the strategy issuing module issues the first calculation strategy for hash structure calculation and the second calculation strategy for signature verification sampling to computers and devices in the network for later sampling and calculation.
And the sampling module deploys a size flow discriminator based on a Bloom Filter, and samples and signs or tests the network traffic according to the policy signature verification rate according to a second calculation policy for signature verification sampling issued by the issuing module. The flow is a series of data packets sent to a designated unicast address, anycast address or multicast address by a sending end, and the sending end marks the data packets as a flow; the sampling refers to the extraction of a portion of a sample unit from the whole sample to be studied, the basic requirement being to ensure that the extracted sample unit is sufficiently representative of the whole sample; the sampling probability is the proportion of the sampling sample in the total sample, the sampling probability can be set statically in advance or can be set subsequently, if the sampling probability is a transmitting end, the function can be converted into a sampling signature, and the subsequent computing equipment only verifies the data packet with the signature. The signature is a method that a sender generates a message digest from a message text by using a hash function, and then encrypts the digest by using a private key of the sender, and the hash function is a method that a small digital fingerprint is created from any data, so that the message or the data is compressed into the digest, the data quantity is reduced, and the format of the data is fixed. The Bloom Filter is a Bloom Filter consisting of a very long binary vector (bit vector) and a series of random mapping functions, which can be used to retrieve whether an element is in a set. The flow, the Bloom Filter size flow distinguishing counter is a calculation and distribution device deployed based on the method. The Bloom Filter large flow Filter in the Bloom Filter large flow distinguishing counter judges whether the packet belongs to the arrived large flow or not through the flow identification of the arrived packet, if so, the packet is mapped into the large flow counter through the hash address; if not, the packet is mapped into the small stream counter by content addressing. In the small flow counter, whether the counter value reaches the large flow threshold value is judged, so that whether the small flow counter value is replaced into the large flow counter is determined. The flow grouping is a part of the flow, and can carry out sampling waiting subsequent signature for the state to be sent before entering the large and small flow distinguishing counter, and can also carry out sampling waiting subsequent signature verification or inspection for the received state. The calculation module is used for calculating and checking hash information and signature information of the message.
A third aspect of the invention discloses an electronic device. The electronic device comprises a memory and a processor, the memory storing a computer program, the processor implementing the steps in a method for verifying the integrity of a message according to any one of the first aspects of the disclosure when executing the computer program.
Fig. 2 is a block diagram of an electronic device according to an embodiment of the present invention, and as shown in fig. 2, the electronic device includes a processor, a memory, a communication interface, a display screen, and an input device connected through a system bus. Wherein the processor of the electronic device is configured to provide computing and control capabilities. The memory of the electronic device includes a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The communication interface of the electronic device is used for conducting wired or wireless communication with an external terminal, and the wireless communication can be achieved through WIFI, an operator network, near Field Communication (NFC) or other technologies. The display screen of the electronic equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the electronic equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the electronic equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in fig. 2 is merely a block diagram of a portion related to the technical solution of the present disclosure, and does not constitute a limitation of the electronic device to which the technical solution of the present disclosure is applied, and that a specific electronic device may include more or less components than those shown in the drawings, or may combine some components, or have different component arrangements.
A fourth aspect of the application discloses a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of a method for verifying the integrity of a message according to any one of the first aspects of the disclosure.
According to the technical scheme provided by the application, a message integrity checking scheme is constructed in a network communication environment, and according to a network condition and a service demand appointed strategy, a hash iteration structure is constructed on an end and a label is checked by fair sampling in a network to cooperatively check a message, so that the purposes of reducing the calculation cost of the message integrity, improving the message checking efficiency and guaranteeing the safe transmission of the message are realized.
Note that the technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be regarded as the scope of the description. The above examples illustrate only a few embodiments of the application, which are described in detail and are not to be construed as limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.
Claims (8)
1. A method for verifying message integrity, the method comprising:
step S1, respectively deploying a first verification device in a sending terminal and a receiving terminal of a communication network, and deploying a second verification device in each network element of the communication network;
the first verification device comprises a network state sensing module, a hash structure module, a first strategy module and a first checking module; the second verification device comprises a second strategy module and a second checking module;
step S2, the sending terminal senses the logic topology and the network state of the communication network for transmitting the target message by utilizing the network state sensing module, and determines a first strategy and a second strategy by utilizing the first strategy module based on the logic topology and the network state;
the first strategy is used for hash structure calculation, the hash structure calculation mode and the hash structure storage mode are designated, the second strategy is used for signature verification sampling, the total signature checking rate of the target message is designated, and the first strategy and the second strategy are used as network messages to be sent to a network element and a receiving terminal which are passed through in the process of transmitting the target message;
S3, the sending terminal carries out hash calculation and storage on the target message according to the first strategy, carries out sampling signature on the calculated and stored target message according to the second strategy, and sends the target message after sampling signature to the receiving terminal;
and S4, the network element which receives the target message carries out sampling signature verification on the target message after sampling signature according to the second strategy, and the receiving terminal which receives the target message carries out hash calculation on the target message which passes through the sampling signature verification according to the first strategy and verifies the hash data carried in the target message.
2. The method for verifying the integrity of a message according to claim 1, wherein in the step S2: the higher the priority of the target message is, the higher the total signature checking rate is; the higher the real-time performance of the target message is, the higher the total signature checking rate is; the total signature check rate includes: and enabling the number of network elements, the sampling signature rate and the sampling signature rate of signature verification in all network elements through which the target message passes.
3. The method for verifying the integrity of a message according to claim 2, wherein in the step S2:
After all network elements through which the target message passes receive the network message, determining whether a signature verification function is started or not according to the number of network elements starting signature verification in the second strategy, the sampling signature rate and the sampling verification rate;
and after receiving the target message, the receiving terminal starts a hash calculation and verification function according to the hash structure calculation mode and the hash structure storage mode in the first strategy.
4. A method of verifying message integrity according to claim 3, wherein in step S3, the computed and stored target message is sample signed based on the sample signature rate in the second policy; and when the size of the target message exceeds the limit threshold of the maximum transmission message, dividing the target message into a plurality of message slices meeting the limit threshold, and establishing an association relationship among the message slices, wherein the association relationship is used for recovering the message slices to the target message at the receiving terminal side.
5. A message integrity verification system, the system comprising: a first authentication device deployed in a transmitting terminal and a receiving terminal of a communication network, respectively, and a second authentication device deployed in each network element of the communication network; the first verification device comprises a network state sensing module, a hash structure module, a first strategy module and a first checking module; the second verification device comprises a second strategy module and a second checking module; wherein:
The sending terminal senses a logic topology and a network state of a communication network for transmitting a target message by using the network state sensing module, and determines a first strategy and a second strategy by using the first strategy module based on the logic topology and the network state;
the first strategy is used for hash structure calculation, the hash structure calculation mode and the hash structure storage mode are designated, the second strategy is used for signature verification sampling, the total signature checking rate of the target message is designated, and the first strategy and the second strategy are used as network messages to be sent to a network element and a receiving terminal which are passed through in the process of transmitting the target message;
the sending terminal carries out hash calculation and storage on the target message according to the first strategy, carries out sampling signature on the calculated and stored target message according to the second strategy, and sends the target message after sampling signature to the receiving terminal;
and the network element receiving the target message carries out sampling signature verification on the target message after sampling signature according to the second strategy, and the receiving terminal receiving the target message carries out hash calculation on the target message passing through the sampling signature verification according to the first strategy and verifies the hash data carried in the target message.
6. The message integrity verification system of claim 5, wherein the higher the priority of the target message, the higher the total signature check rate; the higher the real-time performance of the target message is, the higher the total signature checking rate is; the total signature check rate includes: and enabling the number of network elements, the sampling signature rate and the sampling signature rate of signature verification in all network elements through which the target message passes.
7. The message integrity verification system of claim 6, wherein:
after all network elements through which the target message passes receive the network message, determining whether a signature verification function is started or not according to the number of network elements starting signature verification in the second strategy, the sampling signature rate and the sampling verification rate;
and after receiving the target message, the receiving terminal starts a hash calculation and verification function according to the hash structure calculation mode and the hash structure storage mode in the first strategy.
8. The message integrity verification system of claim 7, wherein the computed and stored target message is sample signed based on the sample signature rate in the second policy; and when the size of the target message exceeds the limit threshold of the maximum transmission message, dividing the target message into a plurality of message slices meeting the limit threshold, and establishing an association relationship among the message slices, wherein the association relationship is used for recovering the message slices to the target message at the receiving terminal side.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310587101.2A CN116319112B (en) | 2023-05-24 | 2023-05-24 | Message integrity verification method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310587101.2A CN116319112B (en) | 2023-05-24 | 2023-05-24 | Message integrity verification method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116319112A CN116319112A (en) | 2023-06-23 |
| CN116319112B true CN116319112B (en) | 2023-09-22 |
Family
ID=86785405
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310587101.2A Active CN116319112B (en) | 2023-05-24 | 2023-05-24 | Message integrity verification method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116319112B (en) |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104038347A (en) * | 2014-06-30 | 2014-09-10 | 西安电子科技大学 | Signature verification method based on Gaussian sampling |
| CN104518880A (en) * | 2014-12-17 | 2015-04-15 | 中国船舶重工集团公司第七0九研究所 | Big data reliability validation method and system based on random sampling detection |
| CN106301789A (en) * | 2016-08-16 | 2017-01-04 | 电子科技大学 | Apply the dynamic verification method of the cloud storage data that linear homomorphism based on lattice signs |
| WO2017198069A1 (en) * | 2016-05-18 | 2017-11-23 | 中兴通讯股份有限公司 | Streaming media file processing method and apparatus |
| CN107592203A (en) * | 2017-09-25 | 2018-01-16 | 深圳技术大学筹备办公室 | A kind of aggregate signature method and its system based on lattice |
| CN113722767A (en) * | 2021-09-03 | 2021-11-30 | 南京南瑞信息通信科技有限公司 | Data integrity verification method, system, storage medium and computing equipment |
| WO2022177759A2 (en) * | 2021-02-04 | 2022-08-25 | Axon Enterprise, Inc. | Payload platform accountability control system |
| CN115529134A (en) * | 2022-05-20 | 2022-12-27 | 曲阜师范大学 | Identity-based proxy blind signature method on lattice |
| CN116074253A (en) * | 2023-03-06 | 2023-05-05 | 中国人民解放军军事科学院系统工程研究院 | Message chained forwarding method and device |
| CN116094731A (en) * | 2021-03-01 | 2023-05-09 | 北京信息科技大学 | Signature authentication method and system based on Wen Haxi chain |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160306373A1 (en) * | 2015-04-16 | 2016-10-20 | Fujitsu Limited | Authenticated down-sampling of time-series data |
-
2023
- 2023-05-24 CN CN202310587101.2A patent/CN116319112B/en active Active
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104038347A (en) * | 2014-06-30 | 2014-09-10 | 西安电子科技大学 | Signature verification method based on Gaussian sampling |
| CN104518880A (en) * | 2014-12-17 | 2015-04-15 | 中国船舶重工集团公司第七0九研究所 | Big data reliability validation method and system based on random sampling detection |
| WO2017198069A1 (en) * | 2016-05-18 | 2017-11-23 | 中兴通讯股份有限公司 | Streaming media file processing method and apparatus |
| CN106301789A (en) * | 2016-08-16 | 2017-01-04 | 电子科技大学 | Apply the dynamic verification method of the cloud storage data that linear homomorphism based on lattice signs |
| CN107592203A (en) * | 2017-09-25 | 2018-01-16 | 深圳技术大学筹备办公室 | A kind of aggregate signature method and its system based on lattice |
| WO2022177759A2 (en) * | 2021-02-04 | 2022-08-25 | Axon Enterprise, Inc. | Payload platform accountability control system |
| CN116094731A (en) * | 2021-03-01 | 2023-05-09 | 北京信息科技大学 | Signature authentication method and system based on Wen Haxi chain |
| CN113722767A (en) * | 2021-09-03 | 2021-11-30 | 南京南瑞信息通信科技有限公司 | Data integrity verification method, system, storage medium and computing equipment |
| CN115529134A (en) * | 2022-05-20 | 2022-12-27 | 曲阜师范大学 | Identity-based proxy blind signature method on lattice |
| CN116074253A (en) * | 2023-03-06 | 2023-05-05 | 中国人民解放军军事科学院系统工程研究院 | Message chained forwarding method and device |
Non-Patent Citations (2)
| Title |
|---|
| DAS模式下基于密文分组索引的完整性验证;杨平平等;《计算机科学与探索》;第426-435页 * |
| Lattice-based Proxy Signature Scheme with Reject Sampling Method;Zoe L. Jiang等;《2017 International Conference on Security, Pattern Analysis, and Cybernetics (SPAC)》;第558-563页 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116319112A (en) | 2023-06-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105122749B (en) | Update the method and system of the dialogue distribution in link aggregation | |
| Jero et al. | Beads: Automated attack discovery in openflow-based sdn systems | |
| US20130205376A1 (en) | System and method for securing distributed exporting models in a network environment | |
| US11240150B2 (en) | Applying attestation to segment routing | |
| CN112929200B (en) | SDN multi-controller oriented anomaly detection method | |
| KR20190065440A (en) | Method and electronic control unit for communication network | |
| WO2015081693A1 (en) | Network sharing user identification method and apparatus | |
| US20190260631A1 (en) | Deployable linear bitwise protocol transfromation | |
| CN111953527B (en) | Network attack recovery system | |
| US11297037B2 (en) | Method and network device for overlay tunnel termination and mirroring spanning datacenters | |
| CN109937563A (en) | Method and electronic monitoring unit for communication network | |
| CN111698110A (en) | Network equipment performance analysis method, system, equipment and computer medium | |
| CN116319112B (en) | Message integrity verification method and system | |
| Hua et al. | FOUM: A flow-ordered consistent update mechanism for software-defined networking in adversarial settings | |
| Koyama et al. | SOME/IP intrusion detection system using real-time and retroactive anomaly detection | |
| US20230051229A1 (en) | Transmission device for transmitting data | |
| CN108683529A (en) | Data accelerate transmission method and device | |
| CN111224934B (en) | Service path verification method for mimicry configuration in mimicry defense | |
| Wang et al. | An efficient scheme for SDN state consistency verification in cloud computing environment | |
| Cisco | Command Reference Master Index Cisco IOS Release 11.3 | |
| Salazar-Chacón et al. | OpenSDN Southbound Traffic Characterization: Proof-of-Concept Virtualized SDN-Infrastructure | |
| Wagener et al. | Towards an estimation of the accuracy of TCP reassembly in network forensics | |
| CN110366170A (en) | A kind of wireless network secure defence method based on software definition safety | |
| US20240146762A1 (en) | Intelligent manipulation of denial-of-service attack traffic | |
| CN114845305B (en) | High-flow 5G slice isolation test method based on marks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |