CN116743453A - DHCPv6 security authentication method - Google Patents
- Publication number
- CN116743453A (application CN202310681673.7A)
- Authority
- CN
- China
- Prior art keywords
- dhcpv6
- message
- field
- option
- ipv6 host
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
Abstract
The application provides a DHCPv6 security authentication method in the technical field of IPv6, comprising the following steps: step S10, the DHCPv6 server creates a public/private key pair and distributes the public key to the IPv6 host in a router advertisement message; step S20, the DHCPv6 server generates a DHCPv6 message, adds an SA option to it, signs the message with the private key and an asymmetric authentication algorithm to obtain signature data, inserts the signature data into the SA option, and sends the message to the IPv6 host; step S30, the IPv6 host checks the transaction ID carried by the received DHCPv6 message; step S40, the IPv6 host performs replay-attack verification on the DHCPv6 message; step S50, the IPv6 host verifies the signature on the DHCPv6 message with the public key and the asymmetric authentication algorithm, which completes the DHCPv6 security authentication. The advantage of the application is that the security of the DHCPv6 protocol is greatly improved.
Description
Technical Field
The application relates to the technical field of IPv6, in particular to a DHCPv6 security authentication method.
Background
DHCPv6 was designed for IPv6 hosts as a protocol for assigning IP addresses and distributing network configuration information. A DHCPv6 server has two working modes, stateful and stateless: in stateful mode the server assigns IPv6 addresses and distributes network configuration information, while in stateless mode it only distributes network configuration information. When an IPv6 host joins a new IPv6 network, it sends a router solicitation (RS) message to the router, which returns a router advertisement (RA) message whose flags indicate the working mode of the DHCPv6 server, and the host configures its IPv6 address according to that mode.
Although DHCPv6 improves on DHCP for IPv4 in some respects, such as simplified headers and authentication, it still faces security challenges, including:
1. DHCPv6 provides no mechanism for verifying the source and integrity of messages sent by the DHCPv6 server, so IPv6 hosts are vulnerable to forged messages;
2. DHCPv6 exposes identification information of the IPv6 host in transit, which an attacker can use to mount replay attacks.
How to provide a DHCPv6 security authentication method that improves the security of the DHCPv6 protocol is therefore a technical problem in urgent need of a solution.
Disclosure of Invention
The application aims to solve the technical problem of providing a DHCPv6 security authentication method that improves the security of the DHCPv6 protocol.
The application is realized as follows. A DHCPv6 security authentication method comprises the following steps:
step S10, the DHCPv6 server creates a public/private key pair and distributes the public key to the IPv6 host in a router advertisement message;
step S20, the DHCPv6 server generates a DHCPv6 message, adds an SA option to it, signs the message with the private key and an asymmetric authentication algorithm to obtain signature data, inserts the signature data into the SA option, and sends the message to the IPv6 host;
step S30, the IPv6 host checks the transaction ID carried by the received DHCPv6 message;
step S40, the IPv6 host performs replay-attack verification on the DHCPv6 message;
step S50, the IPv6 host verifies the signature on the DHCPv6 message with the public key and the asymmetric authentication algorithm, which completes the DHCPv6 security authentication.
Further, in step S10, distributing the public key to the IPv6 host in the router advertisement message specifically comprises:
adding a DPK option to the router advertisement message, where the DPK option carries a first type field, a first length field, a first reserved field and a key field; writing the public key into the key field; and then distributing the router advertisement message carrying the DPK option to the IPv6 host.
Further, the value of the first type field is set to 253, identifying the option type; the value of the first length field is set to 3, giving the length of the DPK option; and the value of the first reserved field is set to 0.
Further, in step S10, the router advertisement message is distributed under the Secure Neighbor Discovery (SEND) protocol.
Further, in step S10, the router advertisement message is distributed under RA Guard.
Further, in step S20, the SA option carries a second type field, a second length field, a protocol type field, an algorithm field, an RD field and a sign field;
the value of the second type field is set to 11, identifying the option type; the value of the second length field is set to 79; the value of the protocol type field is set to 4, identifying the DHCPv6 checking mechanism; the value of the algorithm field is set to 4, identifying the asymmetric authentication algorithm; the RD field holds a value that increases with the current time; and the sign field stores the signature data.
Further, in step S20, the asymmetric authentication algorithm is the Ed25519 algorithm.
Further, step S30 specifically comprises:
the DHCPv6 server and the IPv6 host each generate a random transaction ID according to a preset rule, and the DHCPv6 server places its transaction ID in the DHCPv6 message;
the IPv6 host judges whether the transaction ID carried by the received DHCPv6 message matches the locally generated transaction ID; if so, the transaction ID check passes and step S40 is entered; if not, the transaction ID check fails and the DHCPv6 message is discarded.
Further, step S40 specifically comprises:
the IPv6 host parses the DHCPv6 message to obtain the SA option it carries and judges whether the value of the RD field in the SA option is greater than the value of the RD field of the previous DHCPv6 message; if so, there is no replay attack and step S50 is entered; if not, a replay attack is indicated and the DHCPv6 message is discarded.
Further, step S50 specifically comprises:
the IPv6 host parses the DHCPv6 message to obtain the SA option it carries, reads the signature data from the sign field of the SA option, and verifies the signature data with the public key and the asymmetric authentication algorithm; if the signature verification succeeds, the DHCPv6 security authentication is complete; if the signature verification fails, the DHCPv6 message is discarded.
The application has the following advantages:
the DHCPv6 server creates a public/private key pair and distributes the public key to the IPv6 host in a router advertisement message; the DHCPv6 server adds an SA option to the generated DHCPv6 message, signs the message with the private key and an asymmetric authentication algorithm to obtain signature data, inserts the signature data into the SA option, and sends the message to the IPv6 host; the IPv6 host checks the transaction ID carried by the received DHCPv6 message, then checks for a replay attack, and finally verifies the message with the public key and the asymmetric authentication algorithm, completing the DHCPv6 security authentication. The security authentication thus combines signing and signature verification (using a public key, a private key and an asymmetric authentication algorithm) with transaction ID verification and replay-attack verification in a fourfold security measure, and the security of the DHCPv6 protocol is greatly improved.
Drawings
The application will be further described with reference to examples of embodiments with reference to the accompanying drawings.
Fig. 1 is a flowchart of a DHCPv6 security authentication method of the present application.
Detailed Description
The overall idea of the technical scheme in the embodiments of the application is as follows: the security authentication process uses signing and signature verification, combining a public key, a private key and an asymmetric authentication algorithm, together with transaction ID verification and replay-attack verification, as a fourfold security measure that improves the security of the DHCPv6 protocol.
Referring to Fig. 1, a preferred embodiment of the DHCPv6 security authentication method of the application comprises the following steps:
step S10, the DHCPv6 server creates a public/private key pair and distributes the public key to the IPv6 host in a router advertisement message;
step S20, the DHCPv6 server generates a DHCPv6 message, adds an SA option to it, signs the message with the private key and an asymmetric authentication algorithm to obtain signature data, inserts the signature data into the SA option, and sends the message to the IPv6 host; the signature data lets the host verify the source and integrity of the DHCPv6 message;
step S30, the IPv6 host checks the transaction ID carried by the received DHCPv6 message;
step S40, the IPv6 host performs replay-attack verification on the DHCPv6 message; performing replay-attack verification before signature verification spares the verifier the cost of a signature check on replayed messages, so it is not paralyzed when a DoS attack occurs;
step S50, the IPv6 host verifies the signature on the DHCPv6 message with the public key and the asymmetric authentication algorithm, which completes the DHCPv6 security authentication. Signing and verifying with the asymmetric authentication algorithm prevents attacks by a malicious DHCPv6 server.
In step S10, distributing the public key to the IPv6 host in the router advertisement message specifically comprises:
adding a DPK option to the router advertisement message, where the DPK option carries a first type field, a first length field, a first reserved field and a key field; writing the public key into the key field; and then distributing the router advertisement message carrying the DPK option to the IPv6 host.
The value of the first type field is set to 253, identifying the option type; the value of the first length field is set to 3, giving the length of the DPK option; and the value of the first reserved field is set to 0.
In step S10, the router advertisement message is distributed under the Secure Neighbor Discovery (SEND) protocol.
In step S10, the router advertisement message is distributed under RA Guard.
That is, the router advertisement is protected by the security extension of SEND or of RA Guard.
In step S20, the SA option carries a second type field, a second length field, a protocol type field, an algorithm field, an RD field and a sign field;
the value of the second type field is set to 11, identifying the option type; the value of the second length field is set to 79; the value of the protocol type field is set to 4, identifying the DHCPv6 checking mechanism; the value of the algorithm field is set to 4, identifying the asymmetric authentication algorithm; the RD field holds a value that increases with the current time; and the sign field stores the signature data.
The application distributes the public key through the DPK option and delivers the signature data through the SA option.
In step S20, the asymmetric authentication algorithm is the Ed25519 algorithm.
Step S30 specifically comprises:
the DHCPv6 server and the IPv6 host each generate a random transaction ID according to a preset rule, and the DHCPv6 server places its transaction ID in the DHCPv6 message; the transaction ID is defined in RFC 8415 and associates a request with its corresponding DHCPv6 reply message;
the IPv6 host judges whether the transaction ID carried by the received DHCPv6 message matches the locally generated transaction ID; if so, the transaction ID check passes and step S40 is entered; if not, the transaction ID check fails and the DHCPv6 message is discarded.
Step S40 specifically comprises:
the IPv6 host parses the DHCPv6 message to obtain the SA option it carries and judges whether the value of the RD field in the SA option is greater than the value of the RD field of the previous DHCPv6 message; if so, there is no replay attack and step S50 is entered; if not, a replay attack is indicated and the DHCPv6 message is discarded.
Step S50 specifically comprises:
the IPv6 host parses the DHCPv6 message to obtain the SA option it carries, reads the signature data from the sign field of the SA option, and verifies the signature data with the public key and the asymmetric authentication algorithm; if the signature verification succeeds, the DHCPv6 security authentication is complete; if the signature verification fails, the DHCPv6 message is discarded.
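The full exchange of steps S10 to S50 (key distribution in the RA, signing in the server, and the three ordered checks in the host), as an added worked example that is not part of the patent and is not the applicant's code. The patent names the option fields and gives the type codes (DPK type 253, SA option code 11, protocol 4, algorithm 4, Ed25519) but no byte widths, so the widths here are assumptions following ND and DHCPv6 option conventions: a one-byte ND type and a length in 8-octet units for the DPK option, a two-byte code and a two-byte octet length for the SA option, and a 64-bit RD field. Two further assumptions are marked in the code. First, the signature covers the whole DHCPv6 message with the sign field zeroed, the same construction RFC 8415 uses for its own Authentication option (which, incidentally, already holds DHCPv6 option code 11, so a deployment would have to reconcile the SA option with that assignment). Second, because an Ed25519 public key is 32 bytes, the DPK option needs 40 octets and therefore an ND length of 5, not the fixed 3 stated in the claims, which would leave only 22 octets for the reserved and key fields.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Type codes are the patent's; byte widths are assumptions (ND/DHCPv6 option conventions).
const (
	dpkType      = 253           // ND option: 1-byte type, 1-byte length in 8-octet units
	saOptionCode = 11            // DHCPv6 option: 2-byte code, 2-byte length in octets
	saProtocol   = 4             // protocol type field
	saAlgorithm  = 4             // algorithm field (Ed25519)
	saHeaderLen  = 4 + 1 + 1 + 8 // code, length, protocol, algorithm, 64-bit RD
	saDataLen    = saHeaderLen - 4 + ed25519.SignatureSize
)

// buildDPKOption packs the key as Type(1) Length(1) Reserved(6) Key(32): 40 octets,
// so Length = 5. The patent's fixed Length = 3 (24 octets) cannot hold a 32-byte key.
func buildDPKOption(pub ed25519.PublicKey) []byte {
	return append([]byte{dpkType, 5, 0, 0, 0, 0, 0, 0}, pub...)
}

// parseDPKOption is the host side of S10: extract the server key from the RA option.
func parseDPKOption(opt []byte) (ed25519.PublicKey, error) {
	if len(opt) != 40 || opt[0] != dpkType || opt[1] != 5 {
		return nil, errors.New("malformed DPK option")
	}
	return ed25519.PublicKey(opt[8:40]), nil
}

// signMessage is S20: append an SA option to a DHCPv6 message (msg-type, 3-byte transaction-id,
// options) and sign the whole message with the sign field zeroed, as RFC 8415's Authentication option does.
func signMessage(priv ed25519.PrivateKey, msg []byte, rd uint64) []byte {
	sa := make([]byte, 4+saDataLen) // code and length are big-endian 16-bit; both fit in the low byte
	sa[1], sa[3], sa[4], sa[5] = saOptionCode, saDataLen, saProtocol, saAlgorithm
	binary.BigEndian.PutUint64(sa[6:], rd)
	out := append(append([]byte{}, msg...), sa...)
	copy(out[len(out)-ed25519.SignatureSize:], ed25519.Sign(priv, out))
	return out
}

// findSAOption walks the options after the 4-byte header; -1 if no well-formed SA option.
func findSAOption(msg []byte) int {
	for off := 4; off+4 <= len(msg); {
		code, l := binary.BigEndian.Uint16(msg[off:]), int(binary.BigEndian.Uint16(msg[off+2:]))
		if off+4+l > len(msg) {
			return -1
		}
		if code == saOptionCode && l == saDataLen && msg[off+4] == saProtocol && msg[off+5] == saAlgorithm {
			return off
		}
		off += 4 + l
	}
	return -1
}

type Verifier struct {
	Pub    ed25519.PublicKey
	TxID   [3]byte // transaction ID the host generated for this exchange
	LastRD uint64  // RD of the last message that passed every check
}

// Verify runs the checks in the patent's order: transaction ID, replay, signature.
// Cheap checks first, so a flood of bogus messages does not cost an Ed25519 verify each;
// LastRD advances only after the signature verifies, so an unsigned message with a huge RD
// cannot lock out genuine later messages.
func (v *Verifier) Verify(msg []byte) error {
	if len(msg) < 4 || string(msg[1:4]) != string(v.TxID[:]) { // S30
		return errors.New("transaction ID mismatch")
	}
	off := findSAOption(msg)
	if off < 0 {
		return errors.New("missing or malformed SA option")
	}
	rd := binary.BigEndian.Uint64(msg[off+6:])
	if rd <= v.LastRD { // S40
		return errors.New("replay detected")
	}
	sigOff := off + saHeaderLen
	signed := append([]byte{}, msg...)
	copy(signed[sigOff:], make([]byte, ed25519.SignatureSize)) // zero the sign field
	if !ed25519.Verify(v.Pub, signed, msg[sigOff:sigOff+ed25519.SignatureSize]) { // S50
		return errors.New("signature verification failed")
	}
	v.LastRD = rd
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)      // nil reader means crypto/rand
	key, _ := parseDPKOption(buildDPKOption(pub)) // S10: key learned from the RA
	txid := [3]byte{0x12, 0x34, 0x56}
	host := &Verifier{Pub: key, TxID: txid}
	m := signMessage(priv, append([]byte{7}, txid[:]...), uint64(time.Now().Unix())) // REPLY, RD from the clock
	fmt.Println("fresh:", host.Verify(m), "replayed:", host.Verify(m))
}
```

The one design point worth carrying into any implementation of the scheme is the placement of `v.LastRD = rd`: the patent performs the replay check before the signature check, and if the host recorded the RD at that point, any attacker on the link could send an unsigned message with the maximum RD and have every genuine message rejected afterwards. Recording the RD only after a successful signature verification keeps the cheap-check-first ordering without that failure mode. The RA-side protection from claims 4 and 5 (SEND or RA Guard) is still required, since this code trusts whatever key the RA delivers.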
In summary, the application has the following advantages:
the DHCPv6 server creates a public/private key pair and distributes the public key to the IPv6 host in a router advertisement message; the DHCPv6 server adds an SA option to the generated DHCPv6 message, signs the message with the private key and an asymmetric authentication algorithm to obtain signature data, inserts the signature data into the SA option, and sends the message to the IPv6 host; the IPv6 host checks the transaction ID carried by the received DHCPv6 message, then checks for a replay attack, and finally verifies the message with the public key and the asymmetric authentication algorithm, completing the DHCPv6 security authentication. The security authentication thus combines signing and signature verification (using a public key, a private key and an asymmetric authentication algorithm) with transaction ID verification and replay-attack verification in a fourfold security measure, and the security of the DHCPv6 protocol is greatly improved.
While specific embodiments of the application have been described above, it will be appreciated by those skilled in the art that the specific embodiments described are illustrative only and not intended to limit the scope of the application, and that equivalent modifications and variations of the application in light of the spirit of the application will be covered by the claims of the present application.
Claims (10)
1. A DHCPv6 security authentication method, characterized in that the method comprises the following steps:
step S10, the DHCPv6 server creates a public/private key pair and distributes the public key to the IPv6 host in a router advertisement message;
step S20, the DHCPv6 server generates a DHCPv6 message, adds an SA option to it, signs the message with the private key and an asymmetric authentication algorithm to obtain signature data, inserts the signature data into the SA option, and sends the message to the IPv6 host;
step S30, the IPv6 host checks the transaction ID carried by the received DHCPv6 message;
step S40, the IPv6 host performs replay-attack verification on the DHCPv6 message;
step S50, the IPv6 host verifies the signature on the DHCPv6 message with the public key and the asymmetric authentication algorithm, which completes the DHCPv6 security authentication.
2. The DHCPv6 security authentication method according to claim 1, characterized in that in step S10, distributing the public key to the IPv6 host in the router advertisement message specifically comprises:
adding a DPK option to the router advertisement message, where the DPK option carries a first type field, a first length field, a first reserved field and a key field; writing the public key into the key field; and then distributing the router advertisement message carrying the DPK option to the IPv6 host.
3. The DHCPv6 security authentication method according to claim 2, characterized in that the value of the first type field is set to 253, identifying the option type; the value of the first length field is set to 3, giving the length of the DPK option; and the value of the first reserved field is set to 0.
4. The DHCPv6 security authentication method according to claim 1, characterized in that in step S10, the router advertisement message is distributed under the Secure Neighbor Discovery (SEND) protocol.
5. The DHCPv6 security authentication method according to claim 1, characterized in that in step S10, the router advertisement message is distributed under RA Guard.
6. The DHCPv6 security authentication method according to claim 1, characterized in that in step S20, the SA option carries a second type field, a second length field, a protocol type field, an algorithm field, an RD field and a sign field;
the value of the second type field is set to 11, identifying the option type; the value of the second length field is set to 79; the value of the protocol type field is set to 4, identifying the DHCPv6 checking mechanism; the value of the algorithm field is set to 4, identifying the asymmetric authentication algorithm; the RD field holds a value that increases with the current time; and the sign field stores the signature data.
7. The DHCPv6 security authentication method according to claim 1, characterized in that in step S20, the asymmetric authentication algorithm is the Ed25519 algorithm.
8. The DHCPv6 security authentication method according to claim 1, characterized in that step S30 specifically comprises:
the DHCPv6 server and the IPv6 host each generate a random transaction ID according to a preset rule, and the DHCPv6 server places its transaction ID in the DHCPv6 message;
the IPv6 host judges whether the transaction ID carried by the received DHCPv6 message matches the locally generated transaction ID; if so, the transaction ID check passes and step S40 is entered; if not, the transaction ID check fails and the DHCPv6 message is discarded.
9. The DHCPv6 security authentication method according to claim 1, characterized in that step S40 specifically comprises:
the IPv6 host parses the DHCPv6 message to obtain the SA option it carries and judges whether the value of the RD field in the SA option is greater than the value of the RD field of the previous DHCPv6 message; if so, there is no replay attack and step S50 is entered; if not, a replay attack is indicated and the DHCPv6 message is discarded.
10. The DHCPv6 security authentication method according to claim 1, characterized in that step S50 specifically comprises:
the IPv6 host parses the DHCPv6 message to obtain the SA option it carries, reads the signature data from the sign field of the SA option, and verifies the signature data with the public key and the asymmetric authentication algorithm; if the signature verification succeeds, the DHCPv6 security authentication is complete; if the signature verification fails, the DHCPv6 message is discarded.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310681673.7A CN116743453A (en) | 2023-06-09 | 2023-06-09 | DHCPv6 security authentication method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310681673.7A CN116743453A (en) | 2023-06-09 | 2023-06-09 | DHCPv6 security authentication method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116743453A true CN116743453A (en) | 2023-09-12 |
Family
ID=87916314
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310681673.7A Pending CN116743453A (en) | 2023-06-09 | 2023-06-09 | DHCPv6 security authentication method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116743453A (en) |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR100651715B1 (en) | Method for generating and accepting address automatically in IPv6-based Internet and data structure thereof | |
US8239549B2 (en) | Dynamic host configuration protocol | |
US8261062B2 (en) | Non-cryptographic addressing | |
US7610487B2 (en) | Human input security codes | |
US8806565B2 (en) | Secure network location awareness | |
US7624264B2 (en) | Using time to determine a hash extension | |
US8418242B2 (en) | Method, system, and device for negotiating SA on IPv6 network | |
US8499146B2 (en) | Method and device for preventing network attacks | |
US9344418B2 (en) | Systems and methods for inhibiting attacks with a network | |
US10333970B2 (en) | Front-end protocol for server protection | |
US8843751B2 (en) | IP address delegation | |
US8566584B2 (en) | Method, apparatus, and system for processing dynamic host configuration protocol message | |
WO2010000171A1 (en) | Communication establishing method, system and device | |
Rafiee et al. | SSAS: A simple secure addressing scheme for IPv6 autoconfiguration | |
US8898737B2 (en) | Authentication method for stateless address allocation in IPv6 networks | |
Aura | RFC 3972: Cryptographically generated addresses (CGA) | |
KR100856918B1 (en) | Method for IP address authentication in IPv6 network, and IPv6 network system | |
CN106453308A (en) | Method for preventing ARP cheating | |
CN116743453A (en) | DHCPv6 security authentication method | |
Su et al. | Secure DHCPv6 that uses RSA authentication integrated with self-certified address | |
JP2007258986A (en) | Communication apparatus, communication method, and communication program | |
Rafiee et al. | DNS update extension to IPv6 secure addressing | |
Huang et al. | An improved SEND protocol against DoS attacks in Mobile IPv6 environment | |
WO2024001645A1 (en) | Packet processing method, switching device, terminal, and storage medium | |
Hammouda et al. | An enhanced secure ARP protocol and LAN switch for preventing ARP based attacks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||