CN116743453A - DHCPv6 security authentication method - Google Patents


Info

Publication number
CN116743453A
Authority
CN
China
Prior art keywords
dhcpv6
message
field
option
ipv6 host
Prior art date
Legal status
Pending
Application number
CN202310681673.7A
Other languages
Chinese (zh)
Inventor
赵泽钧
袁苇
Current Assignee
Fujian Newland Communication Science Technologies Co ltd
Original Assignee
Fujian Newland Communication Science Technologies Co ltd
Priority date
2023-06-09
Filing date
2023-06-09
Publication date
2023-09-12
Application filed by Fujian Newland Communication Science Technologies Co ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                    • H04L 63/1416 Event detection, e.g. attack signature detection
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
        • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
            • H04L 9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
        • Y02D 30/00 Reducing energy consumption in communication networks

Abstract

The application provides a DHCPv6 security authentication method in the technical field of IPv6, which comprises the following steps: step S10, the DHCPv6 server creates a public key and private key pair and distributes the public key to the IPv6 host through a router advertisement message; step S20, the DHCPv6 server generates a DHCPv6 message, adds an SA option to the DHCPv6 message, signs the DHCPv6 message using the private key and an asymmetric authentication algorithm to obtain signature data, inserts the signature data into the SA option, and then sends the DHCPv6 message to the IPv6 host; step S30, the IPv6 host checks the transaction ID carried by the received DHCPv6 message; step S40, the IPv6 host performs replay attack verification on the DHCPv6 message; step S50, the IPv6 host performs signature verification on the DHCPv6 message using the public key and the asymmetric authentication algorithm, which completes the DHCPv6 security authentication. The advantage of the application is that the security of the DHCPv6 protocol is greatly improved.

Description

DHCPv6 security authentication method
Technical Field
The application relates to the technical field of IPv6, in particular to a DHCPv6 security authentication method.
Background
DHCPv6 is a protocol developed for IPv6 hosts that assigns IP addresses and distributes network configuration information. A DHCPv6 server has two working modes, stateful and stateless: in stateful mode the DHCPv6 server assigns IPv6 addresses and distributes network configuration information, while in stateless mode it only distributes network configuration information. When an IPv6 host joins a new IPv6 network, it sends a router solicitation (RS) message to the router, which returns a router advertisement (RA) message indicating the working mode of the DHCPv6 server, and the IPv6 host configures its IPv6 address according to that mode.
Although the DHCPv6 protocol improves on the DHCP protocol used under IPv4 in some respects, such as simplified headers and authentication, it still faces security challenges, including:
1. DHCPv6 provides no mechanism for verifying the source and integrity of messages sent by the DHCPv6 server, which leaves IPv6 hosts vulnerable to forged messages; 2. the DHCPv6 protocol exposes identification information of the IPv6 host during transmission, which an attacker may use to mount replay attacks.
Therefore, providing a DHCPv6 security authentication method that improves the security of the DHCPv6 protocol is a technical problem that urgently needs to be solved.
Disclosure of Invention
The application aims to solve the technical problem of providing a DHCPv6 security authentication method for improving the security of a DHCPv6 protocol.
The application is realized in the following way: a DHCPv6 security authentication method comprises the following steps:
step S10, the DHCPv6 server creates a pair of public key and private key, and distributes the public key to the IPv6 host through router advertisement information;
step S20, a DHCPv6 server generates a DHCPv6 message, adds an SA option in the DHCPv6 message, signs the DHCPv6 message by using the private key and an asymmetric authentication algorithm to obtain signature data, inserts the signature data into the SA option, and then sends the DHCPv6 message to an IPv6 host;
step S30, the IPv6 host checks the transaction ID carried by the received DHCPv6 message;
step S40, the IPv6 host performs replay attack verification on the DHCPv6 message;
step S50, the IPv6 host performs signature verification on the DHCPv6 message by using the public key and the asymmetric authentication algorithm, so that the DHCPv6 security authentication is completed.
Further, in the step S10, the distributing the public key to the IPv6 host through the router advertisement message specifically includes:
adding a DPK option to the router advertisement message, wherein the DPK option carries a first type field, a first length field, a first reserved field and a key field; and after the public key is written into the key field, distributing the router advertisement message carrying the DPK option to the IPv6 host.
Further, the value of the first type field is set to 253, representing the option type; the value of the first length field is set to 3, representing the length of the DPK option; the value of the first reserved field is set to 0.
Further, in the step S10, the router advertisement message is distributed through a secure neighbor discovery protocol.
Further, in the step S10, the router advertisement message is distributed through RA Guard.
Further, in the step S20, the SA option carries a second type field, a second length field, a protocol type field, an algorithm field, an RD field and a sign field;
the value of the second type field is set to 11, representing the option type; the value of the second length field is set to 79; the value of the protocol type field is set to 4, representing the checking mechanism of DHCPv6; the value of the algorithm field is set to 4 and identifies the asymmetric authentication algorithm; the RD field is an increasing value based on the current time; the sign field stores the signature data.
Further, in the step S20, the asymmetric authentication algorithm is Ed25519 algorithm.
Further, the step S30 specifically includes:
the DHCPv6 server and the IPv6 host each randomly generate a transaction ID according to a preset rule, and the DHCPv6 server adds its transaction ID to the DHCPv6 message;
the IPv6 host judges whether the transaction ID carried by the received DHCPv6 message matches the locally generated transaction ID; if so, the transaction ID check passes and step S40 is entered; if not, the transaction ID check fails and the DHCPv6 message is discarded.
Further, the step S40 specifically includes:
the IPv6 host parses the DHCPv6 message to obtain the SA option it carries and judges whether the value of the RD field in the SA option is greater than the value of the RD field of the previous DHCPv6 message; if so, no replay attack is present and step S50 is entered; if not, a replay attack is present and the DHCPv6 message is discarded.
Further, the step S50 specifically includes:
the IPv6 host parses the DHCPv6 message to obtain the SA option it carries, reads the signature data from the sign field of the SA option, and verifies the signature data using the public key and the asymmetric authentication algorithm; if the signature verification succeeds, DHCPv6 security authentication is completed; if the signature verification fails, the DHCPv6 message is discarded.
The advantages of the application are as follows:
the DHCPv6 server creates a public key and private key pair and distributes the public key to the IPv6 host through a router advertisement message; the DHCPv6 server adds an SA option to the generated DHCPv6 message, signs the DHCPv6 message using the private key and an asymmetric authentication algorithm to obtain signature data, inserts the signature data into the SA option, and then sends the DHCPv6 message to the IPv6 host; the IPv6 host first checks the transaction ID carried by the received DHCPv6 message, then checks for a replay attack, and finally verifies the DHCPv6 message using the public key and the asymmetric authentication algorithm, completing DHCPv6 security authentication. The security authentication thus combines signing and signature verification (based on a public key, a private key and an asymmetric authentication algorithm) with transaction ID verification and replay attack verification into a quadruple security measure, which greatly improves the security of the DHCPv6 protocol.
Drawings
The application will be further described with reference to examples of embodiments with reference to the accompanying drawings.
Fig. 1 is a flowchart of a DHCPv6 security authentication method of the present application.
Detailed Description
The overall idea of the technical scheme in the embodiment of the application is as follows: the security authentication process uses signing and signature verification, which combine a public key, a private key and an asymmetric authentication algorithm, together with transaction ID verification and replay attack verification, forming a quadruple security measure that improves the security of the DHCPv6 protocol.
Referring to fig. 1, a preferred embodiment of a DHCPv6 security authentication method of the present application includes the following steps:
step S10, the DHCPv6 server creates a pair of public key and private key, and distributes the public key to the IPv6 host through router advertisement information;
step S20, a DHCPv6 server generates a DHCPv6 message, adds an SA option in the DHCPv6 message, signs the DHCPv6 message by using the private key and an asymmetric authentication algorithm to obtain signature data, inserts the signature data into the SA option, and then sends the DHCPv6 message to an IPv6 host; the signature data allows the source and integrity of the DHCPv6 message to be verified;
step S30, the IPv6 host checks the transaction ID carried by the received DHCPv6 message;
step S40, the IPv6 host performs replay attack verification on the DHCPv6 message; by performing replay attack verification before signature verification, the DHCPv6 server can be prevented from being paralyzed when a DoS attack occurs;
step S50, the IPv6 host performs signature verification on the DHCPv6 message by using the public key and the asymmetric authentication algorithm, so that the DHCPv6 security authentication is completed. By signing and verifying the signature with the asymmetric authentication algorithm, attacks by a malicious DHCPv6 server can be prevented.
In the step S10, the distributing the public key to the IPv6 host through the router advertisement message specifically includes:
adding a DPK option to the router advertisement message, wherein the DPK option carries a first type field, a first length field, a first reserved field and a key field; and after the public key is written into the key field, distributing the router advertisement message carrying the DPK option to the IPv6 host.
The value of the first type field is set to 253, representing the option type; the value of the first length field is set to 3, representing the length of the DPK option; the value of the first reserved field is set to 0.
In the step S10, the router advertisement message is distributed through a secure neighbor discovery protocol.
In the step S10, the router advertisement message is distributed through RA Guard.
That is, the distribution of the router advertisement message is secured by means of the Secure Neighbor Discovery protocol or RA Guard.
In the step S20, the SA option carries a second type field, a second length field, a protocol type field, an algorithm field, an RD field and a sign field;
the value of the second type field is set to 11, representing the option type; the value of the second length field is set to 79; the value of the protocol type field is set to 4, representing the checking mechanism of DHCPv6; the value of the algorithm field is set to 4 and identifies the asymmetric authentication algorithm; the RD field is an increasing value based on the current time; the sign field stores the signature data.
The application distributes public keys through the DPK option and delivers signature data through the SA option.
In the step S20, the asymmetric authentication algorithm is Ed25519 algorithm.
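The DPK option (step S10) and the SA option (step S20), as described in the Disclosure and again above, are only specified by field names and a few fixed values. The following Go program is an added example, not code from the patent or its assignee, that encodes and parses both options with those values. The byte widths of the fields are assumptions made here: a 1-byte type, 1-byte length and 2-byte reserved field followed by a raw 32-byte Ed25519 public key for the DPK option, and a 2-byte type and 2-byte length followed by 1-byte protocol type, 1-byte algorithm, 8-byte big-endian RD and 64-byte Ed25519 signature for the SA option. With these widths the SA option body is 74 bytes, so the example computes the length field from the body rather than writing the patent's stated value of 79; the DPK length field is written with the patent's value of 3 because the patent does not state its unit. The parsers reject any option whose fixed header values differ from the patent's, which is the check a receiving host should make before it spends any effort on the contents.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Values from the patent text. Field widths below are assumptions for this
// example; the patent names the fields and fixes these values only.
const (
	dpkOptionType = 253 // first type field (router advertisement option)
	dpkOptionLen  = 3   // first length field, written as given by the patent
	dpkReserved   = 0   // first reserved field
	saOptionType  = 11  // second type field (DHCPv6 option)
	saProtoType   = 4   // protocol type field: checking mechanism of DHCPv6
	saAlgorithm   = 4   // algorithm field: asymmetric authentication algorithm
	keyLen        = 32  // Ed25519 public key, raw bytes (assumption)
	sigLen        = 64  // Ed25519 signature
	rdLen         = 8   // RD field as a 64-bit big-endian value (assumption)
	saBodyLen     = 2 + rdLen + sigLen
)

// SAOption holds the parsed fields of an SA option.
type SAOption struct {
	ProtocolType byte
	Algorithm    byte
	RD           uint64
	Sign         [sigLen]byte
}

// EncodeDPKOption builds a DPK option: type(1) | length(1) | reserved(2) | key(32).
func EncodeDPKOption(pub []byte) ([]byte, error) {
	if len(pub) != keyLen {
		return nil, fmt.Errorf("public key must be %d bytes, got %d", keyLen, len(pub))
	}
	b := make([]byte, 0, 4+keyLen)
	b = append(b, dpkOptionType, dpkOptionLen, dpkReserved, dpkReserved)
	return append(b, pub...), nil
}

// ParseDPKOption returns the key field of a DPK option, rejecting any option
// whose type, length or reserved field differs from the patent's fixed values.
func ParseDPKOption(b []byte) ([]byte, error) {
	if len(b) != 4+keyLen {
		return nil, errors.New("DPK option: bad size")
	}
	if b[0] != dpkOptionType || b[1] != dpkOptionLen || b[2] != dpkReserved || b[3] != dpkReserved {
		return nil, errors.New("DPK option: bad header")
	}
	key := make([]byte, keyLen)
	copy(key, b[4:])
	return key, nil
}

// EncodeSAOption builds an SA option:
// type(2) | length(2) | protocol type(1) | algorithm(1) | RD(8) | sign(64).
func EncodeSAOption(rd uint64, sig []byte) ([]byte, error) {
	if len(sig) != sigLen {
		return nil, fmt.Errorf("signature must be %d bytes, got %d", sigLen, len(sig))
	}
	b := make([]byte, 4, 4+saBodyLen)
	binary.BigEndian.PutUint16(b[0:2], saOptionType)
	binary.BigEndian.PutUint16(b[2:4], saBodyLen)
	b = append(b, saProtoType, saAlgorithm)
	var rdBuf [rdLen]byte
	binary.BigEndian.PutUint64(rdBuf[:], rd)
	b = append(b, rdBuf[:]...)
	return append(b, sig...), nil
}

// ParseSAOption checks the header and the protocol type and algorithm values
// before returning the RD and sign fields for the replay and signature checks.
func ParseSAOption(b []byte) (SAOption, error) {
	var sa SAOption
	if len(b) < 4 {
		return sa, errors.New("SA option: truncated header")
	}
	typ := binary.BigEndian.Uint16(b[0:2])
	length := int(binary.BigEndian.Uint16(b[2:4]))
	if typ != saOptionType || length != saBodyLen || len(b) != 4+length {
		return sa, errors.New("SA option: bad type or length")
	}
	sa.ProtocolType, sa.Algorithm = b[4], b[5]
	if sa.ProtocolType != saProtoType || sa.Algorithm != saAlgorithm {
		return sa, errors.New("SA option: unsupported protocol type or algorithm")
	}
	sa.RD = binary.BigEndian.Uint64(b[6 : 6+rdLen])
	copy(sa.Sign[:], b[6+rdLen:])
	return sa, nil
}

func main() {
	pub := make([]byte, keyLen) // constructed placeholder key bytes, not a real key
	for i := range pub {
		pub[i] = byte(i)
	}
	ra, _ := EncodeDPKOption(pub)
	key, err := ParseDPKOption(ra)
	fmt.Printf("DPK option: %d bytes, key recovered: %v, err: %v\n", len(ra), key[31] == 31, err)
}
```

A host that receives a DPK option in an unprotected RA has no way to tell a rogue router's key from the legitimate one, which is why the patent ties step S10 to Secure Neighbor Discovery or RA Guard; the parser above only checks the option's format, not who sent it.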
The step S30 specifically includes:
the DHCPv6 server and the IPv6 host each randomly generate a transaction ID according to a preset rule, and the DHCPv6 server adds its transaction ID to the DHCPv6 message; the transaction ID is defined in RFC 8415 and ties each DHCPv6 message to the request it answers;
the IPv6 host judges whether the transaction ID carried by the received DHCPv6 message matches the locally generated transaction ID; if so, the transaction ID check passes and step S40 is entered; if not, the transaction ID check fails and the DHCPv6 message is discarded.
The step S40 specifically includes:
the IPv6 host parses the DHCPv6 message to obtain the SA option it carries and judges whether the value of the RD field in the SA option is greater than the value of the RD field of the previous DHCPv6 message; if so, no replay attack is present and step S50 is entered; if not, a replay attack is present and the DHCPv6 message is discarded.
The step S50 specifically includes:
the IPv6 host parses the DHCPv6 message to obtain the SA option it carries, reads the signature data from the sign field of the SA option, and verifies the signature data using the public key and the asymmetric authentication algorithm; if the signature verification succeeds, DHCPv6 security authentication is completed; if the signature verification fails, the DHCPv6 message is discarded.
In summary, the advantages of the application are as follows:
the DHCPv6 server creates a public key and private key pair and distributes the public key to the IPv6 host through a router advertisement message; the DHCPv6 server adds an SA option to the generated DHCPv6 message, signs the DHCPv6 message using the private key and an asymmetric authentication algorithm to obtain signature data, inserts the signature data into the SA option, and then sends the DHCPv6 message to the IPv6 host; the IPv6 host first checks the transaction ID carried by the received DHCPv6 message, then checks for a replay attack, and finally verifies the DHCPv6 message using the public key and the asymmetric authentication algorithm, completing DHCPv6 security authentication. The security authentication thus combines signing and signature verification (based on a public key, a private key and an asymmetric authentication algorithm) with transaction ID verification and replay attack verification into a quadruple security measure, which greatly improves the security of the DHCPv6 protocol.
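Steps S20 through S50, as set out in the Disclosure and again above, form one procedure: the server signs with Ed25519 and stamps a time-based RD, and the host checks the transaction ID, then the RD, then the signature. The following Go program is an added example of that procedure, not code from the patent or its assignee, using the Ed25519 implementation in Go's standard library. Several details are assumptions made here because the patent does not state them: the signature covers the transaction ID, the RD and the message options (everything but the sign field itself); the RD is the current time in nanoseconds, bumped by one if two messages fall in the same clock tick so it stays strictly increasing; and the host records a new RD only after the signature has verified, so that a forged or replayed message cannot move the host's replay window. The transaction ID the host expects is passed in as the locally generated value that step S30 compares against.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SignedMessage models the parts of a DHCPv6 message this example needs;
// RD and Sign stand for the RD and sign fields of the SA option.
type SignedMessage struct {
	TransactionID uint32 // 24-bit transaction ID (RFC 8415) carried in the low bits
	Payload       []byte // the remaining DHCPv6 options
	RD            uint64 // SA option RD field: increasing value based on the current time
	Sign          []byte // SA option sign field: Ed25519 signature
}

// signedBytes is the data the signature covers: transaction ID, RD and
// payload, i.e. everything except the sign field (assumption made here).
func signedBytes(m *SignedMessage) []byte {
	b := make([]byte, 12, 12+len(m.Payload))
	binary.BigEndian.PutUint32(b[0:4], m.TransactionID)
	binary.BigEndian.PutUint64(b[4:12], m.RD)
	return append(b, m.Payload...)
}

// Server is the DHCPv6 server side (steps S10 and S20).
type Server struct {
	priv   ed25519.PrivateKey
	lastRD uint64
}

// NewServer creates the key pair; the public key is what the DPK option carries.
func NewServer() (*Server, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Server{priv: priv}, pub, nil
}

// nextRD derives the RD from the clock but never repeats or goes backwards,
// so the host's "greater than last RD" check cannot reject a genuine message.
func (s *Server) nextRD(now time.Time) uint64 {
	rd := uint64(now.UnixNano())
	if rd <= s.lastRD {
		rd = s.lastRD + 1
	}
	s.lastRD = rd
	return rd
}

// Sign builds and signs a message (step S20).
func (s *Server) Sign(txid uint32, payload []byte, now time.Time) *SignedMessage {
	m := &SignedMessage{TransactionID: txid, Payload: payload, RD: s.nextRD(now)}
	m.Sign = ed25519.Sign(s.priv, signedBytes(m))
	return m
}

// Host is the IPv6 host side (steps S30 to S50).
type Host struct {
	pub         ed25519.PublicKey // learned from the DPK option in the RA (step S10)
	pendingTxID uint32            // locally generated transaction ID for the open exchange
	lastRD      uint64            // RD of the last message that passed all checks
}

func NewHost(pub ed25519.PublicKey, txid uint32) *Host {
	return &Host{pub: pub, pendingTxID: txid}
}

var (
	ErrTransactionID = errors.New("transaction ID mismatch: message discarded")
	ErrReplay        = errors.New("RD not greater than last RD: replay, message discarded")
	ErrSignature     = errors.New("signature verification failed: message discarded")
)

// Verify applies the checks in the patent's order: the cheap transaction ID
// and RD comparisons run first, so a flood of replayed or mis-addressed
// messages never reaches the Ed25519 verification.
func (h *Host) Verify(m *SignedMessage) error {
	if m.TransactionID != h.pendingTxID { // step S30
		return ErrTransactionID
	}
	if m.RD <= h.lastRD { // step S40
		return ErrReplay
	}
	if !ed25519.Verify(h.pub, signedBytes(m), m.Sign) { // step S50
		return ErrSignature
	}
	h.lastRD = m.RD // only an authenticated message advances the replay window
	return nil
}

func main() {
	srv, pub, err := NewServer()
	if err != nil {
		panic(err)
	}
	h := NewHost(pub, 0x1a2b3c)
	m := srv.Sign(0x1a2b3c, []byte("constructed DHCPv6 options"), time.Now())
	fmt.Println("fresh message:", h.Verify(m))
	fmt.Println("replayed copy:", h.Verify(m))
}
```

Recording the RD only after a successful signature check matters: if the host updated it on every message that merely carried a larger RD, anyone on the link could send an unsigned message with a far-future RD and cause the host to discard the server's genuine replies for as long as the clock took to catch up.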
While specific embodiments of the application have been described above, it will be appreciated by those skilled in the art that the specific embodiments described are illustrative only and not intended to limit the scope of the application, and that equivalent modifications and variations of the application in light of the spirit of the application will be covered by the claims of the present application.

Claims (10)

1. A DHCPv6 security authentication method is characterized in that: the method comprises the following steps:
step S10, the DHCPv6 server creates a pair of public key and private key, and distributes the public key to the IPv6 host through router advertisement information;
step S20, a DHCPv6 server generates a DHCPv6 message, adds an SA option in the DHCPv6 message, signs the DHCPv6 message by using the private key and an asymmetric authentication algorithm to obtain signature data, inserts the signature data into the SA option, and then sends the DHCPv6 message to an IPv6 host;
step S30, the IPv6 host checks the transaction ID carried by the received DHCPv6 message;
step S40, the IPv6 host performs replay attack verification on the DHCPv6 message;
step S50, the IPv6 host performs signature verification on the DHCPv6 message by using the public key and the asymmetric authentication algorithm, so that the DHCPv6 security authentication is completed.
2. The DHCPv6 security authentication method according to claim 1, wherein: in the step S10, the distributing the public key to the IPv6 host through the router advertisement message specifically includes:
adding a DPK option in a router advertisement message, wherein the DPK option carries a first type field, a first length field, a first reserved field and a key field; and after the public key is written into the key field, distributing the router advertisement message added with the DPK option to the IPv6 host.
3. The DHCPv6 security authentication method according to claim 2, wherein: the value of the first type field is set to 253, representing the option type; the value of the first length field is set to 3, representing the length of the DPK option; the value of the first reserved field is set to 0.
4. The DHCPv6 security authentication method according to claim 1, wherein: in the step S10, the router advertisement message is distributed through a secure neighbor discovery protocol.
5. The DHCPv6 security authentication method according to claim 1, wherein: in the step S10, the router advertisement message is distributed through RA Guard.
6. The DHCPv6 security authentication method according to claim 1, wherein: in the step S20, the SA option carries a second type field, a second length field, a protocol type field, an algorithm field, an RD field and a sign field;
the value of the second type field is set to 11, representing the option type; the value of the second length field is set to 79; the value of the protocol type field is set to 4, representing the checking mechanism of DHCPv6; the value of the algorithm field is set to 4 and identifies the asymmetric authentication algorithm; the RD field is an increasing value based on the current time; the sign field stores the signature data.
7. The DHCPv6 security authentication method according to claim 1, wherein: in the step S20, the asymmetric authentication algorithm is Ed25519 algorithm.
8. The DHCPv6 security authentication method according to claim 1, wherein: the step S30 specifically includes:
the DHCPv6 server and the IPv6 host each randomly generate a transaction ID according to a preset rule, and the DHCPv6 server adds its transaction ID to the DHCPv6 message;
the IPv6 host judges whether the transaction ID carried by the received DHCPv6 message matches the locally generated transaction ID; if so, the transaction ID check passes and step S40 is entered; if not, the transaction ID check fails and the DHCPv6 message is discarded.
9. The DHCPv6 security authentication method according to claim 1, wherein: the step S40 specifically includes:
the IPv6 host parses the DHCPv6 message to obtain the SA option it carries and judges whether the value of the RD field in the SA option is greater than the value of the RD field of the previous DHCPv6 message; if so, no replay attack is present and step S50 is entered; if not, a replay attack is present and the DHCPv6 message is discarded.
10. The DHCPv6 security authentication method according to claim 1, wherein: the step S50 specifically includes:
the IPv6 host parses the DHCPv6 message to obtain the SA option it carries, reads the signature data from the sign field of the SA option, and verifies the signature data using the public key and the asymmetric authentication algorithm; if the signature verification succeeds, DHCPv6 security authentication is completed; if the signature verification fails, the DHCPv6 message is discarded.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310681673.7A CN116743453A (en) 2023-06-09 2023-06-09 DHCPv6 security authentication method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310681673.7A CN116743453A (en) 2023-06-09 2023-06-09 DHCPv6 security authentication method

Publications (1)

Publication Number Publication Date
CN116743453A true CN116743453A (en) 2023-09-12

Family

ID=87916314

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310681673.7A Pending CN116743453A (en) 2023-06-09 2023-06-09 DHCPv6 security authentication method

Country Status (1)

Country Link
CN (1) CN116743453A (en)

Similar Documents

Publication Publication Date Title
KR100651715B1 (en) Method for generating and accepting address automatically in IPv6-based Internet and data structure thereof
US8239549B2 (en) Dynamic host configuration protocol
US8261062B2 (en) Non-cryptographic addressing
US7610487B2 (en) Human input security codes
US8806565B2 (en) Secure network location awareness
US7624264B2 (en) Using time to determine a hash extension
US8418242B2 (en) Method, system, and device for negotiating SA on IPv6 network
US8499146B2 (en) Method and device for preventing network attacks
US9344418B2 (en) Systems and methods for inhibiting attacks with a network
US10333970B2 (en) Front-end protocol for server protection
US8843751B2 (en) IP address delegation
US8566584B2 (en) Method, apparatus, and system for processing dynamic host configuration protocol message
WO2010000171A1 (en) Communication establishing method, system and device
Rafiee et al. SSAS: A simple secure addressing scheme for IPv6 autoconfiguration
US8898737B2 (en) Authentication method for stateless address allocation in IPv6 networks
Aura RFC 3972: Cryptographically generated addresses (CGA)
KR100856918B1 (en) Method for IP address authentication in IPv6 network, and IPv6 network system
CN106453308A (en) Method for preventing ARP cheating
CN116743453A (en) DHCPv6 security authentication method
Su et al. Secure DHCPv6 that uses RSA authentication integrated with self-certified address
JP2007258986A (en) Communication apparatus, communication method, and communication program
Rafiee et al. DNS update extension to IPv6 secure addressing
Huang et al. An improved SEND protocol against DoS attacks in Mobile IPv6 environment
WO2024001645A1 (en) Packet processing method, switching device, terminal, and storage medium
Hammouda et al. An enhanced secure ARP protocol and LAN switch for preveting ARP based attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination