CN117155656A - Networking communication method, device, equipment and storage medium

Info

Publication number: CN117155656A
Authority: CN (China)
Prior art keywords: gateway, data, authentication, equipment, verification
Legal status: Pending
Application number: CN202311118550.9A
Other languages: Chinese (zh)
Inventor: 聂勋坦
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd
Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/0869: Network architectures or network communication protocols for network security; authentication of entities; achieving mutual authentication
    • H04L12/66: Data switching networks; arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L63/0442: Network security; confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0823: Network security; authentication of entities using certificates
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving digital signatures
    • H04L9/40: Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a networking communication method, device, equipment and storage medium in the technical field of communications. The method is applied to a management device in a networking communication system that further comprises a first gateway device and at least one second gateway device, where the first gateway device is the gateway device to be verified and the second gateway device is a gateway device that has already passed bidirectional identity authentication with the management device. The method comprises the following steps: when the first gateway device has the authority to join the networking communication system, performing bidirectional identity authentication on the first gateway device; and when the first gateway device passes the bidirectional identity authentication with the management device, sending a target key and a target encryption mode to the first gateway device, so that the first gateway device communicates with the second gateway device based on the target key and the target encryption mode. The application is used to realize tunnel-free networking communication.

Description

Networking communication method, device, equipment and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a networking communication method, device, equipment, and storage medium.
Background
With the rapid development of enterprises, enterprises have more and more branches, and building a secure enterprise network has become an important issue for their development. The prior art generally implements full-interconnection networking (i.e., all devices in the network can communicate with each other) or half-interconnection networking (i.e., only some devices in the network can communicate with each other) by encrypting traffic in IP security (IPSec) tunnels. An IPSec tunnel is a point-to-point structure: communication between any two devices in the network does not pass through other devices, so a large number of tunnels has to be constructed.
However, constructing a large number of tunnels consumes a large amount of network performance resources and makes the network difficult to maintain. At the same time, the large number of tunnels in the network makes it unstable.
Disclosure of Invention
The application provides a networking communication method, device, equipment and storage medium, which at least solve the problems of the prior art that constructing a large number of tunnels consumes a large amount of network performance resources, makes the network difficult to maintain and makes it unstable. The technical scheme of the application is as follows:
In a first aspect, a networking communication method is provided, which is applied to a management device in a networking communication system, where the networking communication system further includes a first gateway device and at least one second gateway device, the first gateway device is a gateway device to be verified, and the second gateway device is a gateway device that has passed bidirectional identity authentication with the management device; the method comprises the following steps: when the first gateway device has the authority to join the networking communication system, performing bidirectional identity authentication on the first gateway device; and when the first gateway device passes the bidirectional identity authentication with the management device, sending a target key and a target encryption mode to the first gateway device, so that the first gateway device communicates with the second gateway device based on the target key and the target encryption mode.
In one possible embodiment, the method further comprises: receiving a verification request message sent by the first gateway device; the verification request message includes a first digital certificate and a first gateway device identifier corresponding to the first gateway device; the first digital certificate includes a first public key corresponding to the first gateway device and a first digital signature, the first digital signature being obtained by the authentication authority encrypting the first public key; verifying the signature of the first digital certificate with the public key of the authentication authority to obtain a first signature verification result; and, when the first signature verification result is a pass, judging from the first gateway device identifier and a preset list whether the first gateway device has the authority to join the networking communication system, where the preset list stores the gateway device identifiers that have the authority to join the networking communication system.
In one possible implementation manner, performing bidirectional identity authentication on the first gateway device when it has the authority to join the networking communication system includes: sending a first verification message to the first gateway device when the first gateway device has the authority to join the networking communication system; the first verification message includes a second digital certificate corresponding to the management device and first encrypted verification data; the second digital certificate includes a second public key corresponding to the management device and a second digital signature, the second digital signature being obtained by the authentication authority encrypting the second public key; the first encrypted verification data is obtained by encrypting first verification data with the first public key, and the first verification data includes a first random number and the first moment at which the first random number was generated; receiving a second verification message sent by the first gateway device; the second verification message includes second encrypted verification data, which is obtained by encrypting second verification data with the second public key, and the second verification data includes a second random number, a third random number and the second moment at which the third random number was generated; in response to the second verification message, judging whether the second random number is the same as the first random number and whether the difference between the second moment and the first moment is within a preset range; sending a third verification message to the first gateway device when the second random number is the same as the first random number and the difference between the second moment and the first moment is within the preset range; the third verification message includes third encrypted verification data, which is obtained by encrypting third verification data with the first public key, and the third verification data includes a fourth random number and the third moment at which the third verification data was generated; and, in response to the verification-passed message sent by the first gateway device, determining that the bidirectional identity authentication between the first gateway device and the management device has passed.
In one possible embodiment, the method further comprises: generating, based on a first encryption algorithm, the second public key and a second private key corresponding to the second public key.
In one possible implementation manner, before sending the target key and the target encryption mode to the first gateway device, the method further includes: determining the target encryption mode based on a second encryption algorithm; generating a fifth random number and determining the target key from the fifth random number and a derivation function conforming to the target encryption mode; processing the target encryption mode and the target key with a third encryption algorithm to obtain a data digest; processing the data digest with the second private key to obtain first encrypted data; and processing the target encryption mode, the target key and the first encrypted data with the first public key to obtain second encrypted data. Sending the target key and the target encryption mode to the first gateway device then comprises sending the second encrypted data to the first gateway device.
In one possible implementation manner, sending the second encrypted data to the first gateway device includes sending the second encrypted data to the first gateway device over an encrypted channel.
In one possible embodiment, the method further comprises periodically updating the target encryption mode and the target key.
In a second aspect, a networking communication method is provided, which is applied to a first gateway device in a networking communication system, where the networking communication system further includes a management device and at least one second gateway device, the first gateway device is a gateway device to be verified, and the second gateway device is a gateway device that has passed bidirectional identity authentication with the management device; the method comprises the following steps: receiving a target key and a target encryption mode sent by the management device; encrypting a data packet based on the target key and the target encryption mode to obtain an encrypted data packet; and sending the encrypted data packet to the second gateway device.
In one possible embodiment, the method further comprises: sending a verification request message to the management device, so that the management device judges from the verification request message whether the first gateway device has the authority to join the networking communication system; the verification request message includes a first digital certificate and a first gateway device identifier corresponding to the first gateway device; the first digital certificate includes a first public key corresponding to the first gateway device and a first digital signature, the first digital signature being obtained by the authentication authority encrypting the first public key.
In a possible implementation manner, when the first gateway device has the authority to join the networking communication system, the method further includes: receiving a first verification message sent by the management device; the first verification message includes a second digital certificate corresponding to the management device and first encrypted verification data; the second digital certificate includes a second public key corresponding to the management device and a second digital signature, the second digital signature being obtained by the authentication authority encrypting the second public key; the first encrypted verification data is obtained by encrypting first verification data with the first public key, and the first verification data includes a first random number and the first moment at which the first random number was generated; verifying the signature of the second digital certificate with the public key of the authentication authority to obtain a second signature verification result; if the second signature verification result is a pass, judging whether the difference between the first moment and the sending moment is within a preset range, the sending moment being the moment at which the verification request message was sent; sending a second verification message to the management device when the difference between the first moment and the sending moment is within the preset range; the second verification message includes second encrypted verification data, which is obtained by encrypting second verification data with the second public key, and the second verification data includes a second random number, a third random number and the second moment at which the third random number was generated; receiving a third verification message sent by the management device; the third verification message includes third encrypted verification data, which is obtained by encrypting third verification data with the first public key, and the third verification data includes a fourth random number and the third moment at which the third verification data was generated; in response to the third verification message, judging whether the fourth random number is the same as the third random number and whether the difference between the third moment and the second moment is within the preset range; and sending a verification-passed message to the first gateway device when the fourth random number is the same as the third random number and the difference between the third moment and the second moment is within the preset range.
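The bidirectional identity authentication exchange of the first and second aspects, with the checks of both the management device and the first gateway device, as an added Go example that is not the patent's code. Assumptions the page does not make: a party's digital certificate is the authentication authority's Ed25519 signature over the PKIX encoding of that party's RSA-2048 public key, verification data is encrypted with RSA-OAEP, random numbers are 16 bytes, moments travel as 8-byte Unix-nanosecond timestamps, and the "preset range" is 30 seconds. The two roles run in one function so that the order of the checks stays visible.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"fmt"
	"time"
)

const MaxSkew = 30 * time.Second // the page's "preset range" on timestamp differences (value assumed)

// Party is one endpoint (management device or gateway). Pub together with CASig is the
// page's "digital certificate": the authentication authority's signature over the public key.
type Party struct {
	Priv  *rsa.PrivateKey
	Pub   *rsa.PublicKey
	CASig []byte
}

// NewParty generates a 2048-bit RSA key pair and has the authority (ca) certify it.
func NewParty(ca ed25519.PrivateKey) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return &Party{Priv: priv, Pub: &priv.PublicKey, CASig: ed25519.Sign(ca, der)}, nil
}

// verifyCert is the receiver's "signature verification" of a peer's certificate.
func verifyCert(caPub ed25519.PublicKey, peer *Party) bool {
	der, _ := x509.MarshalPKIXPublicKey(peer.Pub)
	return ed25519.Verify(caPub, der, peer.CASig)
}

// seal encrypts verification data to the peer's public key (RSA-OAEP, SHA-256); payloads
// here are at most 40 bytes, far below the OAEP limit, so an error would be a bug.
func seal(pub *rsa.PublicKey, parts ...[]byte) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, bytes.Join(parts, nil), nil)
	if err != nil {
		panic(err)
	}
	return ct
}

// receive decrypts "nonce(s) || 8-byte moment", checks that the first nonce echoes echo
// (when non-nil) and that the moment lies within MaxSkew of ref, and returns the nonces.
func receive(priv *rsa.PrivateKey, ct, echo []byte, ref time.Time) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil || len(pt) < 24 {
		return nil, fmt.Errorf("undecryptable or malformed verification data")
	}
	d := time.Unix(0, int64(binary.BigEndian.Uint64(pt[len(pt)-8:]))).Sub(ref)
	if (echo != nil && !bytes.Equal(pt[:16], echo)) || d > MaxSkew || d < -MaxSkew {
		return nil, fmt.Errorf("random number mismatch or moment outside the preset range")
	}
	return pt[:len(pt)-8], nil
}

// moment encodes a timestamp as 8 big-endian bytes of Unix nanoseconds.
func moment(t time.Time) []byte { return binary.BigEndian.AppendUint64(nil, uint64(t.UnixNano())) }

func nonce() []byte {
	n := make([]byte, 16)
	rand.Read(n)
	return n
}

// MutualAuth runs the exchange in one function so the order of checks stays visible; in a
// deployment each side executes only its own half. allow is the management device's preset list.
func MutualAuth(caPub ed25519.PublicKey, mgmt, gw *Party, gwID string, allow map[string]bool) error {
	// Verification request (gw -> mgmt): first certificate + gateway identifier.
	sendTime := time.Now()
	if !verifyCert(caPub, gw) || !allow[gwID] {
		return fmt.Errorf("gateway %q rejected: bad certificate or not in the preset list", gwID)
	}
	// Message 1 (mgmt -> gw): second certificate + Enc(pk_gw, r1 || t1).
	r1, t1 := nonce(), time.Now()
	msg1 := seal(gw.Pub, r1, moment(t1))
	// Gateway: verify the second certificate and check t1 against its own send time.
	v1, err := receive(gw.Priv, msg1, nil, sendTime)
	if !verifyCert(caPub, mgmt) || err != nil {
		return fmt.Errorf("message 1 rejected by gateway: %v", err)
	}
	// Message 2 (gw -> mgmt): Enc(pk_mgmt, r2 || r3 || t2), r2 being r1 echoed back.
	r3, t2 := nonce(), time.Now()
	msg2 := seal(mgmt.Pub, v1[:16], r3, moment(t2))
	// Management: r2 must equal r1 and t2 must lie within range of t1.
	v2, err := receive(mgmt.Priv, msg2, r1, t1)
	if err != nil || len(v2) != 32 {
		return fmt.Errorf("message 2 rejected by management device: %v", err)
	}
	// Message 3 (mgmt -> gw): Enc(pk_gw, r4 || t3), r4 being r3 echoed back.
	msg3 := seal(gw.Pub, v2[16:], moment(time.Now()))
	// Gateway: r4 must equal r3 and t3 lie within range of t2; then "verification passed".
	if _, err := receive(gw.Priv, msg3, r3, t2); err != nil {
		return fmt.Errorf("message 3 rejected by gateway: %w", err)
	}
	return nil
}
```

Each encrypted message carries a random number echoed from the peer and a fresh moment: the echo ties a reply to the challenge it answers, the time window limits how long a recorded message remains acceptable, and the certificate plus preset-list check runs before any challenge is issued, so an unlisted or uncertified gateway never gets a message 1 to work with.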
In a third aspect, a networking communication apparatus is provided, which is applied to a management device in a networking communication system, where the networking communication system further includes a first gateway device and at least one second gateway device, the first gateway device is a gateway device to be verified, and the second gateway device is a gateway device that has passed bidirectional identity authentication with the management device; the apparatus comprises a processing unit and a sending unit; the processing unit is configured to perform bidirectional identity authentication on the first gateway device when the first gateway device has the authority to join the networking communication system; and the sending unit is configured to send a target key and a target encryption mode to the first gateway device when the first gateway device passes the bidirectional identity authentication with the management device, so that the first gateway device communicates with the second gateway device based on the target key and the target encryption mode.
In one possible implementation manner, the apparatus further includes a receiving unit configured to receive a verification request message sent by the first gateway device; the verification request message includes a first digital certificate and a first gateway device identifier corresponding to the first gateway device; the first digital certificate includes a first public key corresponding to the first gateway device and a first digital signature, the first digital signature being obtained by the authentication authority encrypting the first public key; the processing unit is further configured to verify the signature of the first digital certificate with the public key of the authentication authority to obtain a first signature verification result; the processing unit is further configured to judge, when the first signature verification result is a pass, from the first gateway device identifier and a preset list whether the first gateway device has the authority to join the networking communication system, where the preset list stores the gateway device identifiers that have the authority to join the networking communication system.
In a possible implementation manner, the processing unit is specifically configured to: send a first verification message to the first gateway device when the first gateway device has the authority to join the networking communication system; the first verification message includes a second digital certificate corresponding to the management device and first encrypted verification data; the second digital certificate includes a second public key corresponding to the management device and a second digital signature, the second digital signature being obtained by the authentication authority encrypting the second public key; the first encrypted verification data is obtained by encrypting first verification data with the first public key, and the first verification data includes a first random number and the first moment at which the first random number was generated; receive a second verification message sent by the first gateway device; the second verification message includes second encrypted verification data, which is obtained by encrypting second verification data with the second public key, and the second verification data includes a second random number, a third random number and the second moment at which the third random number was generated; in response to the second verification message, judge whether the second random number is the same as the first random number and whether the difference between the second moment and the first moment is within a preset range; send a third verification message to the first gateway device when the second random number is the same as the first random number and the difference between the second moment and the first moment is within the preset range; the third verification message includes third encrypted verification data, which is obtained by encrypting third verification data with the first public key, and the third verification data includes a fourth random number and the third moment at which the third verification data was generated; and, in response to the verification-passed message sent by the first gateway device, determine that the bidirectional identity authentication between the first gateway device and the management device has passed.
In a possible implementation manner, the apparatus further comprises a generating unit configured to generate, based on a first encryption algorithm, the second public key and a second private key corresponding to the second public key.
In one possible implementation manner, before the target key and the target encryption mode are sent to the first gateway device, the apparatus further includes a determining unit configured to determine the target encryption mode based on a second encryption algorithm; the processing unit is further configured to generate a fifth random number and determine the target key from the fifth random number and a derivation function conforming to the target encryption mode; the processing unit is further configured to process the target encryption mode and the target key with a third encryption algorithm to obtain a data digest; the processing unit is further configured to process the data digest with the second private key to obtain first encrypted data; the processing unit is further configured to process the target encryption mode, the target key and the first encrypted data with the first public key to obtain second encrypted data; and the sending unit is specifically configured to send the second encrypted data to the first gateway device.
In a possible implementation manner, the sending unit is specifically configured to send the second encrypted data to the first gateway device over an encrypted channel.
In a possible implementation manner, the processing unit is further configured to periodically update the target encryption mode and the target key.
In a fourth aspect, a networking communication apparatus is provided, which is applied to a first gateway device in a networking communication system, where the networking communication system further includes a management device and at least one second gateway device, the first gateway device is a gateway device to be verified, and the second gateway device is a gateway device that has passed bidirectional identity authentication with the management device; the apparatus comprises a receiving unit, a processing unit and a sending unit; the receiving unit is configured to receive a target key and a target encryption mode sent by the management device; the processing unit is configured to encrypt a data packet based on the target key and the target encryption mode to obtain an encrypted data packet; and the sending unit is configured to send the encrypted data packet to the second gateway device.
In a possible implementation manner, the sending unit is further configured to send a verification request message to the management device, so that the management device judges from the verification request message whether the first gateway device has the authority to join the networking communication system; the verification request message includes a first digital certificate and a first gateway device identifier corresponding to the first gateway device; the first digital certificate includes a first public key corresponding to the first gateway device and a first digital signature, the first digital signature being obtained by the authentication authority encrypting the first public key.
In a possible implementation manner, when the first gateway device has the authority to join the networking communication system, the receiving unit is further configured to receive a first verification message sent by the management device; the first verification message includes a second digital certificate corresponding to the management device and first encrypted verification data; the second digital certificate includes a second public key corresponding to the management device and a second digital signature, the second digital signature being obtained by the authentication authority encrypting the second public key; the first encrypted verification data is obtained by encrypting first verification data with the first public key, and the first verification data includes a first random number and the first moment at which the first random number was generated; the processing unit is further configured to verify the signature of the second digital certificate with the public key of the authentication authority to obtain a second signature verification result; the processing unit is further configured to judge, when the second signature verification result is a pass, whether the difference between the first moment and the sending moment is within a preset range, the sending moment being the moment at which the verification request message was sent; the sending unit is further configured to send a second verification message to the management device when the difference between the first moment and the sending moment is within the preset range; the second verification message includes second encrypted verification data, which is obtained by encrypting second verification data with the second public key, and the second verification data includes a second random number, a third random number and the second moment at which the third random number was generated; the receiving unit is further configured to receive a third verification message sent by the management device; the third verification message includes third encrypted verification data, which is obtained by encrypting third verification data with the first public key, and the third verification data includes a fourth random number and the third moment at which the third verification data was generated; the processing unit is further configured to judge, in response to the third verification message, whether the fourth random number is the same as the third random number and whether the difference between the third moment and the second moment is within the preset range; and the sending unit is further configured to send a verification-passed message to the first gateway device when the fourth random number is the same as the third random number and the difference between the third moment and the second moment is within the preset range.
In a fifth aspect, there is provided an electronic device comprising: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to execute instructions to implement the method of the first aspect and any of its possible embodiments, or the method of the second aspect and any of its possible embodiments.
In a sixth aspect, a computer readable storage medium is provided which stores instructions that, when executed by a processor of an electronic device, enable the electronic device to perform the method of the first aspect and any of its possible embodiments, or the method of the second aspect and any of its possible embodiments.
In a seventh aspect, a computer program product is provided, the computer program product comprising computer instructions which, when run on an electronic device, cause the electronic device to perform the method of the first aspect and any of the possible embodiments thereof, or the method of the second aspect and any of the possible embodiments thereof.
The technical scheme provided by the application in the first aspect has at least the following beneficial effects. In the prior art, full-interconnection or half-interconnection networking is generally realized by establishing a large number of tunnels, which consumes a large amount of network performance resources, makes the network difficult to maintain and makes it unstable. In the present application, the management device performs bidirectional identity authentication on the first gateway device when the first gateway device has the authority to join the networking communication system. Then, when the first gateway device has passed the bidirectional identity authentication with the management device, the management device sends the target key and the target encryption mode to the first gateway device. The first gateway device encrypts data packets based on the target key and the target encryption mode to obtain encrypted data packets and sends them to the second gateway device, which is a gateway device that has itself passed bidirectional identity authentication with the management device. Communication between the first gateway device and the second gateway device therefore needs no tunnel, so a full-interconnection or half-interconnection networking communication system can be realized without establishing a large number of tunnels as in the prior art; this reduces cost, improves data transmission efficiency, and improves the security of the networking communication system through the target key and the target encryption mode.
It should be noted that, the technical effects caused by any implementation manner of the second aspect to the seventh aspect may refer to the technical effects caused by the corresponding implementation manner in the first aspect, which are not described herein.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and, together with the description, serve to explain the principles of the application; they do not constitute an undue limitation on the application.
FIG. 1 is a network architecture diagram of a networked communication system, shown in accordance with an exemplary embodiment;
FIG. 2 is a flow chart illustrating a method of networking communication, according to an exemplary embodiment;
FIG. 3 is a schematic diagram of an encrypted data packet according to an exemplary embodiment;
FIG. 4 is a flowchart illustrating yet another method of networking communication, according to an example embodiment;
FIG. 5 is a flowchart illustrating yet another method of networking communication, according to an example embodiment;
FIG. 6 is a flowchart illustrating yet another method of networking communication, according to an example embodiment;
FIG. 7 is a flowchart illustrating yet another method of networking communication, according to an example embodiment;
FIG. 8 is a flowchart illustrating yet another method of networking communication, according to an example embodiment;
FIG. 9 is a flowchart illustrating yet another method of networking communication, according to an example embodiment;
FIG. 10 is a flowchart illustrating yet another method of networking communication, according to an example embodiment;
FIG. 11 is a flowchart illustrating yet another method of networking communication, according to an example embodiment;
FIG. 12 is a block diagram of a networking communication device, according to an example embodiment;
FIG. 13 is a block diagram of a networking communication device, according to an exemplary embodiment;
FIG. 14 is a block diagram of an electronic device, according to an example embodiment.
Detailed Description
In order to enable a person skilled in the art to better understand the technical solutions of the present application, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
Before the networking communication method provided by the application is described in detail, an implementation environment (implementation architecture) related to the application is briefly described.
The networking communication method provided by the embodiment of the application can be applied to a networking communication system. Fig. 1 shows a schematic structural diagram of the networking communication system. As shown in fig. 1, the networking communication system 10 includes a first gateway device 11, a management device 12, a second gateway device (fig. 1 exemplarily shows the second gateway device 131 and the second gateway device 132, and in a practical application process, there may be more or fewer second gateway devices, which is not limited in the present application), and a network 14. The first gateway device 11, the management device 12 and the second gateway device are connected through a network 14. The first gateway device 11 is a gateway device to be authenticated, and the second gateway device is a gateway device that has passed the bidirectional identity authentication with the management device 12.
The first gateway device 11 is configured to receive, when the bidirectional identity authentication with the management device 12 is passed, the target key and the target encryption scheme sent by the management device 12. The first gateway device 11 is further configured to encrypt the data packet based on the target key and the target encryption mode, obtain an encrypted data packet, and send the encrypted data packet to the second gateway device.
The management device 12 is configured to perform bidirectional identity authentication on the first gateway device 11 when the first gateway device 11 has the authority to join the networking communication system 10, and, when the first gateway device 11 passes the bidirectional identity authentication with the management device 12, to send the target key and the target encryption mode to the first gateway device 11, so that the first gateway device 11 communicates with the second gateway device based on the target key and the target encryption mode.
In practical applications, the first gateway device 11 has a first cryptographic device built in. The first cryptographic device is configured to generate a first public key corresponding to the first gateway device 11 and a first private key corresponding to the first public key based on a first encryption algorithm (e.g. SM2). The first cryptographic device is further configured to decrypt, based on the first private key, data encrypted using the first public key. The first cryptographic device is further configured to verify the second digital signature based on the public key of the authentication authority. The first cryptographic device is further configured to decrypt, based on the second public key, data encrypted with the second private key, so as to complete signature verification. The first cryptographic device is further configured to encrypt data based on the second public key to obtain encrypted data. The first cryptographic device is further configured to generate random numbers.
In practical applications, the management device 12 has a second cryptographic device built in. The second cryptographic device is configured to generate a second public key corresponding to the management device 12 and a second private key corresponding to the second public key based on the first encryption algorithm (e.g. SM2). The second cryptographic device is further configured to decrypt, based on the second private key, data encrypted using the second public key. The second cryptographic device is further configured to verify the first digital signature based on the public key of the authentication authority. The second cryptographic device is further configured to decrypt, based on the first public key, data encrypted with the first private key, so as to complete signature verification. The second cryptographic device is further configured to encrypt data based on the first public key to obtain encrypted data. The second cryptographic device is further configured to generate random numbers.
For easy understanding, the networking communication method provided by the application is specifically described below with reference to the accompanying drawings.
Fig. 2 is a flow chart illustrating a method of networking communication, according to an exemplary embodiment. The networking communication method can be applied to the management equipment and the first gateway equipment in the networking communication system. As shown in fig. 2, the method comprises the steps of:
S201, the management device performs bidirectional identity authentication on the first gateway device under the condition that the first gateway device has the authority to join the networking communication system.
As a possible implementation, the management device sends a first verification message to the first gateway device when the first gateway device has the authority to join the networking communication system. The first verification message includes: the second digital certificate corresponding to the management device and the first encrypted verification data. The second digital certificate includes: the second public key corresponding to the management device and the second digital signature. The second digital signature is obtained by the authentication authority encrypting the second public key. The first encrypted verification data is data obtained by encrypting the first verification data based on the first public key. The first verification data includes: the first random number and the first time at which the first random number was generated.
In response to the first verification message, the first gateway device performs signature verification on the second digital certificate according to the public key of the authentication authority to obtain a second signature verification result. Then, when the second signature verification result is passed and the difference between the first time and the sending time is within a preset range, the first gateway device sends a second verification message to the management device. The second verification message includes: the second encrypted verification data. The second encrypted verification data is data obtained by encrypting the second verification data based on the second public key. The second verification data includes a second random number, a third random number, and a second time at which the third random number was generated.
Further, in response to the second verification message, the management device determines whether the second random number is the same as the first random number and whether the difference between the second time and the first time is within the preset range. Then, when the second random number is the same as the first random number and the difference between the second time and the first time is within the preset range, the management device sends a third verification message to the first gateway device. The third verification message includes: the third encrypted verification data. The third encrypted verification data is data obtained by encrypting the third verification data based on the first public key. The third verification data includes a fourth random number and a third time at which the third verification data was generated.
Then, in response to the third verification message, the first gateway device determines whether the fourth random number is the same as the third random number and whether the difference between the third time and the second time is within the preset range. When the fourth random number is the same as the third random number and the difference between the third time and the second time is within the preset range, the first gateway device sends a verification passing message to the management device. Then, in response to the verification passing message, the management device determines that the bidirectional identity authentication between the first gateway device and the management device passes.
For a specific implementation of this step, reference may be made to the following description of the embodiments of the present application, which is not described herein in detail.
S202, the management device sends a target key and a target encryption mode to the first gateway device under the condition that the first gateway device passes the mutual identity authentication with the management device.
S203, the first gateway device receives the target key and the target encryption mode sent by the management device.
S204, the first gateway device encrypts the data packet based on the target key and the target encryption mode to obtain an encrypted data packet.
Fig. 3 is a schematic diagram of an encrypted data packet. As shown in fig. 3, the encrypted data packet includes: an original internet protocol (IP) header, an encapsulating security payload (ESP) header, an IP payload, an ESP trailer, and an ESP authentication field. The original IP header includes the original source address and the target IP address; the ESP header and the ESP trailer indicate that the data between them is encrypted data; the IP header and the IP payload are the original data; and the ESP authentication field includes sender information of the encrypted data packet.
In practical applications, the ESP authentication may be ESP Auth.
S205, the first gateway device sends the encrypted data packet to the second gateway device.
It can be appreciated that in the prior art, full-interconnection networking or half-interconnection networking is generally implemented by establishing a large number of tunnels, but establishing a large number of tunnels consumes a large amount of network performance resources, which makes networking maintenance difficult and the network unstable. In the application, the management device performs bidirectional identity authentication on the first gateway device when the first gateway device has the authority to join the networking communication system. Then, when the first gateway device passes the bidirectional identity authentication with the management device, the management device sends the target key and the target encryption mode to the first gateway device. Further, the first gateway device encrypts a data packet based on the target key and the target encryption mode to obtain an encrypted data packet, and sends the encrypted data packet to the second gateway device, which is a gateway device that has passed the bidirectional identity authentication with the management device. Tunnel-free communication between the first gateway device and the second gateway device is thus realized, so that the prior-art approach of establishing a large number of tunnels to realize a full-interconnection or half-interconnection networking communication system can be avoided, cost can be reduced, data transmission efficiency can be improved, and the security of the networking communication system can be improved by means of the target key and the target encryption mode.
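The encrypted data packet layout of Fig. 3 (S204) can be followed in the added example below. It is written for this page in Python and is not code from the application or its applicant. It builds a transport-mode ESP packet of the form original IP header | ESP header | encrypted (IP payload + ESP trailer) | ESP authentication, and on the receiving gateway it checks the ESP authentication field before decrypting anything. Assumptions: the target encryption mode is replaced by a SHA-256 counter-mode keystream (a labelled stand-in, not SM4); the ESP authentication field is modelled as an integrity check value, an HMAC-SHA256 tag truncated to 16 bytes over the ESP header and ciphertext; the encryption and authentication sub-keys are derived from the target key by HMAC with fixed labels (the application specifies no such split); and the addresses, SPI, sequence number and payload are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

ICV_LEN = 16  # bytes of the HMAC-SHA256 tag kept as the ESP authentication field


def derive_subkeys(target_key):
    """Split the target key into an encryption key and an authentication key
    (assumed derivation; the application does not specify one)."""
    return (hmac.new(target_key, b"esp-enc", hashlib.sha256).digest(),
            hmac.new(target_key, b"esp-auth", hashlib.sha256).digest())


def keystream(enc_key, spi, seq, length):
    """Stand-in for the SM4 target encryption mode: SHA-256 in counter mode,
    bound to the packet's SPI and sequence number so no keystream is reused."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + struct.pack(">IIQ", spi, seq, counter)).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_ipv4_header(src, dst, payload_len, proto=50, ttl=64):
    """Original IP header: version/IHL, TOS, total length, id, flags/fragment,
    TTL, protocol (50 = ESP), checksum left zero, source and target address."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def encapsulate(target_key, spi, seq, src, dst, ip_payload, next_header=6):
    """Original IP header | ESP header | encrypted(payload | trailer) | ESP auth."""
    enc_key, auth_key = derive_subkeys(target_key)
    pad_len = (-(len(ip_payload) + 2)) % 4              # ESP pads to a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    esp_header = struct.pack(">II", spi, seq)           # SPI and sequence number
    plaintext = ip_payload + trailer
    ciphertext = xor_bytes(plaintext, keystream(enc_key, spi, seq, len(plaintext)))
    icv = hmac.new(auth_key, esp_header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    body = esp_header + ciphertext + icv
    return build_ipv4_header(src, dst, len(body)) + body


def decapsulate(target_key, packet, ip_header_len=20):
    """Verify the ESP authentication field first; only then decrypt.
    Returns (original IP header, IP payload, next header) or None if tampered."""
    enc_key, auth_key = derive_subkeys(target_key)
    ip_header = packet[:ip_header_len]
    esp_header = packet[ip_header_len:ip_header_len + 8]
    ciphertext = packet[ip_header_len + 8:-ICV_LEN]
    expected = hmac.new(auth_key, esp_header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(packet[-ICV_LEN:], expected):
        return None
    spi, seq = struct.unpack(">II", esp_header)
    plaintext = xor_bytes(ciphertext, keystream(enc_key, spi, seq, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return ip_header, plaintext[:len(plaintext) - pad_len - 2], next_header


# Constructed sample: a target key and one packet from the first to the second gateway
SAMPLE_KEY = bytes(range(16))
SAMPLE_PACKET = encapsulate(SAMPLE_KEY, 0x1000, 1, "10.0.0.1", "10.0.0.2", b"hello gateway")
```

Because the authentication field covers only the ESP header and the encrypted data, the original IP header in front of it is not protected by it; a modified ciphertext byte or a wrong target key makes `decapsulate` return `None` before any plaintext is produced, whereas address checks on the outer header remain the receiving gateway's own policy.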
In some embodiments, in order to determine whether the first gateway device has the authority to join the networking communication system, as shown in fig. 4, the networking communication method provided by the embodiment of the present application further includes:
S301, the first gateway device sends a verification request message to the management device.
Wherein the authentication request message includes: the first digital certificate and the first gateway equipment identifier corresponding to the first gateway equipment. The first digital certificate includes: the first public key and the first digital signature corresponding to the first gateway device. The first digital signature is obtained by encrypting the first public key by the authentication authority.
As one possible implementation, the first gateway device generates a first public key and a first private key corresponding to the first public key based on the first encryption algorithm. The first gateway device then submits the first public key to the authentication authority. The authentication authority encrypts the first public key based on the private key of the authentication authority to obtain the first digital signature, generates the first digital certificate based on the first public key and the first digital signature, and then sends the first digital certificate and the digital certificate of the authentication authority to the first gateway device.
Further, the first gateway device receives the first digital certificate and the digital certificate of the authentication authority, and verifies the validity of the digital certificate of the authentication authority. And then, the first gateway equipment generates a verification request message according to the first digital certificate and the first gateway equipment identifier, and sends the verification request message to the management equipment.
For example, the authentication authority need not be a publicly trusted certification authority; it may also be a certification authority built for the networking communication system.
S302, the management device receives the verification request message sent by the first gateway device.
S303, the management equipment performs signature verification on the first digital certificate according to the public key of the authentication authority to obtain a first signature verification result.
As a possible implementation manner, the management device decrypts the first digital signature according to the public key of the authentication authority, so as to obtain the third public key. And then, the management equipment determines that the first signature verification result passes under the condition that the third public key is the same as the first public key. And the management equipment determines that the first signature verification result is not passed under the condition that the third public key is different from the first public key.
S304, the management device judges whether the first gateway device has the authority to join the networking communication system according to the first gateway device identifier and the preset list under the condition that the first signature verification result is passed.
The preset list stores gateway equipment identifiers with authority to join the networking communication system.
As a possible implementation, when the first signature verification result is passed, the management device checks, according to the first gateway device identifier and the preset list, whether the preset list stores the first gateway device identifier. The management device determines that the first gateway device does not have the authority to join the networking communication system when the first gateway device identifier is not stored in the preset list, and determines that the first gateway device has that authority when the first gateway device identifier is stored in the preset list.
It can be appreciated that, according to the first gateway device identifier and the preset list, it can be quickly determined whether the first gateway device has the authority to join the networking communication system.
In some embodiments, in order to perform two-way identity authentication between the management device and the first gateway device, as shown in fig. 5, S201 may be implemented as follows:
S401, the management device sends a first verification message to the first gateway device under the condition that the first gateway device has the authority to join the networking communication system.
The first verification message includes: the second digital certificate corresponding to the management device and the first encrypted verification data. The second digital certificate includes: the second public key corresponding to the management device and the second digital signature. The second digital signature is obtained by the authentication authority encrypting the second public key. The first encrypted verification data is data obtained by encrypting the first verification data based on the first public key. The first verification data includes: the first random number and the first time at which the first random number was generated.
As one possible implementation, the management device generates the second public key and the second private key corresponding to the second public key based on the first encryption algorithm. The management device then submits the second public key to the authentication authority. The authentication authority encrypts the second public key based on the private key of the authentication authority to obtain the second digital signature, generates the second digital certificate based on the second public key and the second digital signature, and then sends the second digital certificate and the digital certificate of the authentication authority to the management device.
Further, the management device receives the second digital certificate and the digital certificate of the authentication authority, and verifies the validity of the digital certificate of the authentication authority. Then, when the digital certificate of the authentication authority is valid and the first gateway device has the authority to join the networking communication system, the management device generates the first random number and generates the first verification data from the first random number and the first time at which the first random number was generated. Then, the management device encrypts the first verification data based on the first public key to obtain the first encrypted verification data.
Then, the management device generates a first authentication message based on the second digital certificate and the first encrypted authentication data, and transmits the first authentication message to the first gateway device.
Illustratively, taking the first random number r1 and the first time t1 as examples, the first verification data includes r1 and t1, and the first encrypted verification data is f1(r1, t1).
S402, the first gateway device receives a first verification message sent by the management device.
S403, the first gateway device performs signature verification on the second digital certificate according to the public key of the authentication authority to obtain a second signature verification result.
As a possible implementation, the first gateway device decrypts the second digital signature according to the public key of the authentication authority to obtain a fourth public key. Then, the first gateway device determines that the second signature verification result is passed when the fourth public key is the same as the second public key, and determines that the second signature verification result is not passed when the fourth public key is different from the second public key.
S404, the first gateway device judges whether the difference value between the first moment and the sending moment is in a preset range or not under the condition that the second signature verification result is passed.
The sending time is the time of sending the verification request message.
As a possible implementation manner, the first gateway device decrypts the first encrypted verification data based on the first private key, to obtain the first verification data. And then, the first gateway equipment determines the difference value between the first time and the sending time according to the first time and the sending time, and judges whether the difference value between the first time and the sending time is in a preset range or not.
S405, the first gateway device sends a second verification message to the management device when the difference value between the first moment and the sending moment is within a preset range.
Wherein the second authentication message comprises: the second encrypted authentication data. The second encrypted authentication data is data obtained by encrypting the second authentication data based on the second public key. The second verification data includes a second random number, a third random number, and a second time at which the third random number is generated.
As a possible implementation manner, the first gateway device generates the third random number when the difference between the first time and the sending time is within a preset range, and generates the second verification data based on the second random number, the third random number, and the second time when the third random number is generated. And then, the first gateway device encrypts the second verification data based on the second public key to obtain second encrypted verification data, and generates a second verification message based on the second encrypted verification data. Further, the first gateway device sends a second authentication message to the management device.
Illustratively, taking the second random number r2, the third random number r3, and the second time t2 as examples, the second verification data includes r2, r3, and t2, and the second encrypted verification data is f2(r2, r3, t2).
S406, the management device receives the second verification message sent by the first gateway device.
S407, the management device responds to the second verification message to judge whether the second random number is the same as the first random number or not and judge whether the difference value between the second moment and the first moment is in a preset range or not.
As a possible implementation manner, the management device decrypts the second encrypted verification data based on the second private key, to obtain the second verification data. And then, the management equipment determines a difference value between the second moment and the first moment according to the second moment and the first moment, judges whether the difference value between the second moment and the first moment is in a preset range or not, and judges whether the second random number is the same as the first random number or not.
Illustratively, the management device determines whether the second random number r2 is the same as the first random number r1.
S408, the management device sends a third verification message to the first gateway device under the condition that the second random number is the same as the first random number and the difference value between the second moment and the first moment is in a preset range.
The third verification message includes: the third encrypted verification data. The third encrypted verification data is data obtained by encrypting the third verification data based on the first public key. The third verification data includes a fourth random number and a third time at which the third verification data was generated.
As a possible implementation manner, the management device generates the third verification data according to the fourth random number in a case that the second random number is the same as the first random number and a difference value between the second time and the first time is within a preset range. Then, the management device encrypts the third verification data based on the first public key to obtain third encrypted verification data, and generates a third verification message based on the third encrypted verification data. Thereafter, the management device sends a third authentication message to the first gateway device.
S409, the first gateway device receives the third verification message sent by the management device.
S410, the first gateway device responds to the third verification message, judges whether the fourth random number is the same as the third random number, and judges whether the difference value between the third moment and the second moment is in a preset range.
As a possible implementation, the first gateway device decrypts the third encrypted verification data based on the first private key to obtain the third verification data. Then, the first gateway device determines the difference between the third time and the second time, judges whether that difference is within the preset range, and judges whether the fourth random number is the same as the third random number.
S411, the first gateway device sends a verification passing message to the management device under the condition that the fourth random number is the same as the third random number and the difference value between the third moment and the second moment is in the preset range.
S412, the management device receives the verification passing message.
S413, the management device responds to the verification passing message sent by the first gateway device, and determines that the two-way identity authentication of the first gateway device and the management device passes.
It can be appreciated that the security of the networking communication system can be improved through the bidirectional identity authentication.
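The two-way identity authentication of S201 and of S401 to S413, preceded by the join check of S304, can be followed in the added example below. It is written for this page in Python and is not code from the application or its applicant. It drives both sides of the exchange and the three freshness checks: t1 against the sending time of the verification request (S404), r2 and t2 against r1 and t1 (S407), and r4 and t3 against r3 and t2 (S410). Assumptions: SM2 public-key encryption is replaced by a labelled stand-in envelope that only enforces who may open it; the digital-certificate signature checks of S303 and S403 are taken as already passed; the "preset range" is 30 seconds; and the controllable clock exists only so that a stale or mismatched message can be exercised offline.

```python
import secrets
import time

WINDOW_SECONDS = 30.0  # the "preset range" for timestamp differences (assumed value)


class KeyPair:
    """Stand-in for the SM2 key pair of a cryptographic device: the public half is an
    opaque id, and seal()/unseal() only enforce that the holder of the matching private
    half can read a message (simulation only, no real encryption takes place)."""
    def __init__(self):
        self.private = secrets.token_hex(16)
        self.public = "pub-" + secrets.token_hex(4)

def seal(recipient_public, data):
    """'Encrypt with the recipient's public key' (stand-in, not SM2)."""
    return {"to": recipient_public, "data": dict(data)}

def unseal(keypair, envelope):
    """'Decrypt with the private key'; rejects envelopes meant for other devices."""
    if envelope["to"] != keypair.public:
        raise ValueError("envelope is not addressed to this device")
    return envelope["data"]

def within_window(later, earlier, window=WINDOW_SECONDS):
    """The 'difference within a preset range' check of S404, S407 and S410."""
    return abs(later - earlier) <= window


class ManagementDevice:
    def __init__(self, allowlist, clock=time.time):
        self.keys = KeyPair()
        self.allowlist = set(allowlist)  # S304: preset list of authorised gateway ids
        self.clock = clock
        self.pending = {}                # gateway id -> (nonce, time) of the open handshake
        self.authenticated = set()

    def first_verification_message(self, gateway_id, gateway_public):
        """S304 then S401: only an allow-listed gateway receives r1 and t1."""
        if gateway_id not in self.allowlist:
            return None
        r1, t1 = secrets.token_hex(16), self.clock()
        self.pending[gateway_id] = (r1, t1)
        return seal(gateway_public, {"r1": r1, "t1": t1})

    def on_second_verification_message(self, gateway_id, gateway_public, envelope):
        """S407-S408: r2 must echo r1 and t2 must lie within the window of t1;
        the third message then echoes r3 as r4 together with t3."""
        if gateway_id not in self.pending:
            return None
        r1, t1 = self.pending.pop(gateway_id)
        data = unseal(self.keys, envelope)
        if data["r2"] != r1 or not within_window(data["t2"], t1):
            return None
        self.pending[gateway_id] = (data["r3"], data["t2"])
        return seal(gateway_public, {"r4": data["r3"], "t3": self.clock()})

    def on_verification_passed(self, gateway_id):
        """S413: accept a pass message only for a handshake that reached S408."""
        if gateway_id not in self.pending:
            return False
        self.pending.pop(gateway_id)
        self.authenticated.add(gateway_id)
        return True


class GatewayDevice:
    def __init__(self, gateway_id, clock=time.time):
        self.gateway_id = gateway_id
        self.keys = KeyPair()
        self.clock = clock
        self.request_sent_at = None  # the "sending time" compared with t1 in S404
        self.expected = None         # (r3, t2) that the third message must match

    def verification_request(self):
        """S301 (certificate fields omitted; their signature check is assumed to pass)."""
        self.request_sent_at = self.clock()
        return {"gateway_id": self.gateway_id, "public": self.keys.public}

    def on_first_verification_message(self, management_public, envelope):
        """S404-S405: t1 must lie within the window of the request's sending time."""
        data = unseal(self.keys, envelope)
        if not within_window(data["t1"], self.request_sent_at):
            return None
        r3, t2 = secrets.token_hex(16), self.clock()
        self.expected = (r3, t2)
        return seal(management_public, {"r2": data["r1"], "r3": r3, "t2": t2})

    def on_third_verification_message(self, envelope):
        """S410-S411: r4 must echo r3 and t3 must lie within the window of t2."""
        data = unseal(self.keys, envelope)
        r3, t2 = self.expected
        if data["r4"] != r3 or not within_window(data["t3"], t2):
            return None
        return {"gateway_id": self.gateway_id, "result": "verification passed"}


class FakeClock:
    """Controllable clock so that stale messages can be simulated offline."""
    def __init__(self, start):
        self.now = start
    def advance(self, seconds):
        self.now += seconds
    def __call__(self):
        return self.now


def run_handshake(management, gateway, stall=lambda: None):
    """Drives the whole exchange; returns True only if both sides accept.
    `stall` runs between the request and the first message (e.g. a clock jump)."""
    request = gateway.verification_request()
    stall()
    msg1 = management.first_verification_message(request["gateway_id"], request["public"])
    msg2 = msg1 and gateway.on_first_verification_message(management.keys.public, msg1)
    msg3 = msg2 and management.on_second_verification_message(
        request["gateway_id"], request["public"], msg2)
    passed = msg3 and gateway.on_third_verification_message(msg3)
    return bool(passed) and management.on_verification_passed(passed["gateway_id"])
```

Each side keeps only the nonce and time it still has to check against, and the management device accepts the verification passing message of S413 only for a handshake that has reached S408, so a pass message for a gateway with no open handshake, a first message whose t1 is outside the window, or a second message that does not echo r1 all end without the gateway being added to the authenticated set.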
In some embodiments, in order to improve security of the networking communication system, as shown in fig. 6, the networking communication method provided by the embodiment of the present application further includes:
S501, the management device generates a second public key and a second private key corresponding to the second public key based on the first encryption algorithm.
The first encryption algorithm may be SM2, for example.
It can be appreciated that, through the first encryption algorithm, the security of the subsequent bidirectional identity authentication according to the encrypted data can be improved, thereby improving the security of the networking communication system.
In some embodiments, before sending the target key and the target encryption manner to the first gateway device, in order to improve security of the networking communication system, as shown in fig. 7, the networking communication method provided by the embodiment of the present application further includes:
S601, the management device determines a target encryption mode based on a second encryption algorithm.
Illustratively, the second encryption algorithm may be SM4, the target encryption mode may include an encryption bit number, and the encryption bit number may be 128 bits. The number of encryption bits may also be 256 bits.
S602, the management device generates a fifth random number, and determines a target key according to the fifth random number and a derivation function conforming to the target encryption mode.
S603, the management device processes the target encryption mode and the target key based on the third encryption algorithm to obtain a data digest.
The third encryption algorithm may be SM3, for example.
S604, the management device processes the data abstract based on the second private key to obtain first encrypted data.
S605, the management device processes the target encryption mode, the target key and the first encryption data based on the first public key to obtain second encryption data.
S606, the management device sends the second encrypted data to the first gateway device.
It can be appreciated that, by the second encryption algorithm, the security of the subsequent data transmission according to the target key and the target encryption mode can be improved. By means of the third encryption algorithm, message integrity protection can be provided, and therefore safety of the networking communication system is further improved.
In some embodiments, in order to improve the security of the networking communication system, as shown in fig. 8, S606 may be implemented as follows:
S701, the management device sends the second encrypted data to the first gateway device based on an encrypted channel.
Illustratively, the encryption channel may be a transmission control protocol (transmission control protocol, TCP) link, and the encryption channel may also be a user datagram protocol (user Datagram Protocol, UDP) link.
It can be appreciated that the security of the second encrypted data can be improved by sending the second encrypted data through the encrypted channel, and the security of the networking communication system can be further improved.
In some embodiments, in order to improve security of the networking communication system, as shown in fig. 9, the networking communication method provided by the embodiment of the present application further includes:
S801, the management device periodically updates the target encryption mode and the target key.
It can be appreciated that periodically updating the target encryption mode and the target key improves the security of the networking communication system.
The embodiment of the application provides a networking communication method, which is applied to management equipment in a networking communication system, as shown in fig. 10, and comprises the following steps:
S901, the management device performs bidirectional identity authentication on the first gateway device in the case that the first gateway device has the authority to join the networking communication system.
For the specific implementation of this step, reference may be made to the description in S201 above in the embodiment of the present application, and no further description is given here.
And S902, the management device sends the target key and the target encryption mode to the first gateway device under the condition that the first gateway device passes the bidirectional identity authentication with the management device, so that the first gateway device communicates with the second gateway device based on the target key and the target encryption mode.
For the specific implementation of this step, reference may be made to the description in S202 in the above embodiment of the present application, and no further description is given here.
The embodiment of the application provides another networking communication method, which is applied to a first gateway device in a networking communication system, as shown in fig. 11, and comprises the following steps:
S1001, the first gateway device receives a target key and a target encryption mode sent by the management device.
For the specific implementation of this step, reference may be made to the description in S203 in the above embodiment of the present application, and no further description is given here.
S1002, the first gateway device encrypts the data packet based on the target key and the target encryption mode to obtain an encrypted data packet.
For the specific implementation of this step, reference may be made to the description in S204 in the above embodiment of the present application, and no further description is given here.
S1003, the first gateway device sends the encrypted data packet to the second gateway device.
For the specific implementation of this step, reference may be made to the description in S205 in the above embodiment of the present application, and no further description is given here.
The foregoing description of the solution provided by the embodiments of the present application has been mainly presented in terms of a method. To achieve the above functions, the networking communication device or the electronic apparatus includes a hardware structure and/or a software module that performs the respective functions. Those of skill in the art will readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is implemented as hardware or computer software driven hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
According to the method, the networking communication device or the electronic device can be divided into functional modules, for example, the networking communication device or the electronic device can comprise each functional module corresponding to each functional division, or two or more functions can be integrated into one processing module. The integrated modules may be implemented in hardware or in software functional modules. It should be noted that, in the embodiment of the present application, the division of the modules is schematic, which is merely a logic function division, and other division manners may be implemented in actual implementation.
Fig. 12 is a block diagram illustrating a networking communication apparatus 1100 applied to a management device in a networking communication system according to an exemplary embodiment. As shown in fig. 12, the networking communication apparatus 1100 includes a processing unit 1101, a transmitting unit 1102, a receiving unit 1103, a generating unit 1104, and a determining unit 1105.
The processing unit 1101 is configured to perform bidirectional identity authentication on the first gateway device if the first gateway device has a right to join the networking communication system.
The sending unit 1102 is configured to send the target key and the target encryption mode to the first gateway device in the case that the first gateway device passes the bidirectional identity authentication with the management device, so that the first gateway device communicates with the second gateway device based on the target key and the target encryption mode.
Optionally, in order to determine whether the first gateway device has the authority to join the networking communication system, as shown in fig. 12, the receiving unit 1103 provided in the embodiment of the present application is configured to receive the authentication request message sent by the first gateway device. The authentication request message includes: the first digital certificate and the first gateway equipment identifier corresponding to the first gateway equipment. The first digital certificate includes: the first public key and the first digital signature corresponding to the first gateway device. The first digital signature is obtained by encrypting the first public key by the authentication authority.
The processing unit 1101 is further configured to verify the signature of the first digital certificate according to the public key of the authentication authority, so as to obtain a first signature verification result.
The processing unit 1101 is further configured to determine, according to the first gateway device identifier and the preset list, whether the first gateway device has permission to join the networking communication system if the first signature verification result is passed. The preset list stores gateway device identifications having the authority to join the networking communication system.
Optionally, in order to perform bidirectional identity authentication between the management device and the first gateway device, as shown in fig. 12, the processing unit 1101 provided in the embodiment of the present application is specifically configured to:
In the case that the first gateway device has the authority to join the networking communication system, send a first verification message to the first gateway device. The first verification message includes: the second digital certificate corresponding to the management device, and first encrypted verification data. The second digital certificate includes: a second public key and a second digital signature corresponding to the management device. The second digital signature is obtained by encrypting the second public key by the authentication authority. The first encrypted verification data is data obtained by encrypting first verification data based on the first public key. The first verification data includes: a first random number and a first time at which the first random number was generated.
Receive a second verification message sent by the first gateway device. The second verification message includes: second encrypted verification data. The second encrypted verification data is data obtained by encrypting second verification data based on the second public key. The second verification data includes a second random number, a third random number, and a second time at which the third random number was generated.
In response to the second verification message, determine whether the second random number is the same as the first random number, and whether the difference between the second time and the first time is within a preset range.
In the case that the second random number is the same as the first random number and the difference between the second time and the first time is within the preset range, send a third verification message to the first gateway device. The third verification message includes: third encrypted verification data. The third encrypted verification data is data obtained by encrypting third verification data based on the first public key. The third verification data includes a fourth random number and a third time at which the third verification data was generated.
In response to a verification passing message sent by the first gateway device, determine that the bidirectional identity authentication between the first gateway device and the management device has passed.
Optionally, in order to improve security of the networking communication system, as shown in fig. 12, the generating unit 1104 provided in the embodiment of the present application is configured to generate, based on the first encryption algorithm, the second public key and the second private key corresponding to the second public key.
Optionally, before sending the target key and the target encryption mode to the first gateway device, in order to improve security of the networking communication system, as shown in fig. 12, the determining unit 1105 provided in the embodiment of the present application is configured to determine the target encryption mode based on the second encryption algorithm.
The processing unit 1101 is further configured to generate a fifth random number, and determine the target key according to the fifth random number and a derivation function conforming to the target encryption mode.
The processing unit 1101 is further configured to process the target encryption mode and the target key based on the third encryption algorithm, to obtain a data digest.
The processing unit 1101 is further configured to process the data digest based on the second private key, to obtain first encrypted data.
The processing unit 1101 is further configured to process the target encryption mode, the target key, and the first encrypted data based on the first public key, to obtain second encrypted data.
The sending unit 1102 is specifically configured to:
send the second encrypted data to the first gateway device.
Optionally, in order to improve the security of the networking communication system, as shown in fig. 12, the sending unit 1102 provided in the embodiment of the present application is specifically configured to:
send the second encrypted data to the first gateway device over the encrypted channel.
Optionally, in order to improve the security of the networking communication system, as shown in fig. 12, the processing unit 1101 provided in the embodiment of the present application is further configured to:
periodically update the target encryption mode and the target key.
Fig. 13 is a block diagram illustrating a networking communication apparatus 1200 according to an exemplary embodiment, which is applied to a first gateway device in a networking communication system. As shown in fig. 13, the networking communication apparatus 1200 includes a receiving unit 1201, a processing unit 1202, and a transmitting unit 1203.
The receiving unit 1201 is configured to receive the target key and the target encryption mode sent by the management device.
The processing unit 1202 is configured to encrypt the data packet based on the target key and the target encryption mode, to obtain an encrypted data packet.
The sending unit 1203 is configured to send the encrypted data packet to the second gateway device.
Optionally, in order to determine whether the first gateway device has authority to join the networking communication system, as shown in fig. 13, the sending unit 1203 provided in the embodiment of the present application is further configured to:
send a verification request message to the management device, so that the management device determines, according to the verification request message, whether the first gateway device has the authority to join the networking communication system. The verification request message includes: the first digital certificate and the first gateway device identifier corresponding to the first gateway device. The first digital certificate includes: the first public key and the first digital signature corresponding to the first gateway device. The first digital signature is obtained by encrypting the first public key by the authentication authority.
Optionally, in the case that the first gateway device has the authority to join the networking communication system, in order to perform bidirectional identity authentication between the management device and the first gateway device, as shown in fig. 13, the receiving unit 1201 provided in the embodiment of the present application is further configured to receive a first verification message sent by the management device. The first verification message includes: the second digital certificate corresponding to the management device, and first encrypted verification data. The second digital certificate includes: a second public key and a second digital signature corresponding to the management device. The second digital signature is obtained by encrypting the second public key by the authentication authority. The first encrypted verification data is data obtained by encrypting first verification data based on the first public key. The first verification data includes: a first random number and a first time at which the first random number was generated.
The processing unit 1202 is further configured to verify the signature of the second digital certificate according to the public key of the authentication authority, so as to obtain a second signature verification result.
The processing unit 1202 is further configured to determine, if the second signature verification result is passed, whether the difference between the first time and the sending time is within a preset range. The sending time is the time at which the verification request message was sent.
The sending unit 1203 is further configured to send a second verification message to the management device if the difference between the first time and the sending time is within the preset range. The second verification message includes: second encrypted verification data. The second encrypted verification data is data obtained by encrypting second verification data based on the second public key. The second verification data includes a second random number, a third random number, and a second time at which the third random number was generated.
The receiving unit 1201 is further configured to receive a third verification message sent by the management device. The third verification message includes: third encrypted verification data. The third encrypted verification data is data obtained by encrypting third verification data based on the first public key. The third verification data includes a fourth random number and a third time at which the third verification data was generated.
The processing unit 1202 is further configured to determine, in response to the third verification message, whether the fourth random number is the same as the third random number, and whether a difference between the third time and the second time is within a preset range.
The sending unit 1203 is further configured to send a verification passing message to the first gateway device if the fourth random number is the same as the third random number and the difference between the third time and the second time is within a preset range.
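The three-message verification exchange described for the management device (fig. 12) and the first gateway device (fig. 13), as an added Go example that is not code from the patent: each side's checks on the echoed random numbers and on the time differences, with RSA-OAEP standing in for the page's public-key encryption of the verification data. It assumes both certificate sign-checks have already succeeded, so each side holds the other's public key; the 30-second preset range, 16-byte random numbers and 8-byte time field are assumed values.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// MaxSkew is the page's "preset range" for the time-difference checks (assumed value).
const MaxSkew = 30 * time.Second

// sealData builds verification data as 16-byte random numbers || 8-byte unix-nano time and
// encrypts it to the peer's public key (RSA-OAEP stands in for the page's public-key encryption).
func sealData(pub *rsa.PublicKey, t time.Time, nonces ...[]byte) ([]byte, error) {
	pt := append(bytes.Join(nonces, nil), make([]byte, 8)...)
	binary.BigEndian.PutUint64(pt[len(pt)-8:], uint64(t.UnixNano()))
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pt, nil)
}

// openData decrypts verification data and splits it into n random numbers and the time.
func openData(priv *rsa.PrivateKey, ct []byte, n int) ([][]byte, time.Time, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil || len(pt) != 16*n+8 {
		return nil, time.Time{}, errors.New("verification data undecryptable or malformed")
	}
	ns := make([][]byte, n)
	for i := range ns {
		ns[i] = pt[16*i : 16*i+16]
	}
	return ns, time.Unix(0, int64(binary.BigEndian.Uint64(pt[16*n:]))), nil
}

// fresh is the "difference within the preset range" check; nonce makes a 16-byte random number.
func fresh(a, b time.Time) bool { d := a.Sub(b); return d > -MaxSkew && d < MaxSkew }
func nonce() []byte           { n := make([]byte, 16); rand.Read(n); return n }

// Side is one device's view of a session: its private key, the peer public key taken from
// the peer's sign-checked certificate, and the random number and moment it generated itself.
type Side struct {
	priv    *rsa.PrivateKey
	peerPub *rsa.PublicKey
	myNonce []byte
	myTime  time.Time
	sentAt  time.Time // gateway only: when it sent its verification request message
}

// First (management): the first verification message carrying (n1, t1) encrypted to the gateway.
func (m *Side) First() ([]byte, error) {
	m.myNonce, m.myTime = nonce(), time.Now()
	return sealData(m.peerPub, m.myTime, m.myNonce)
}

// Second (gateway): check |t1 - sentAt|, then answer with (n2 = n1, n3, t2) encrypted to management.
func (g *Side) Second(ct []byte) ([]byte, error) {
	ns, t1, err := openData(g.priv, ct, 1)
	if err != nil { return nil, err }
	if !fresh(t1, g.sentAt) { return nil, errors.New("first verification data outside the preset range") }
	g.myNonce, g.myTime = nonce(), time.Now()
	return sealData(g.peerPub, g.myTime, ns[0], g.myNonce)
}

// Third (management): check n2 == n1 and |t2 - t1|, then send (n4 = n3, t3) encrypted to the gateway.
func (m *Side) Third(ct []byte) ([]byte, error) {
	ns, t2, err := openData(m.priv, ct, 2)
	if err != nil { return nil, err }
	if !bytes.Equal(ns[0], m.myNonce) || !fresh(t2, m.myTime) {
		return nil, errors.New("second verification message rejected")
	}
	return sealData(m.peerPub, time.Now(), ns[1])
}

// Pass (gateway): check n4 == n3 and |t3 - t2|; true is the verification passing message.
func (g *Side) Pass(ct []byte) (bool, error) {
	ns, t3, err := openData(g.priv, ct, 1)
	if err != nil { return false, err }
	return bytes.Equal(ns[0], g.myNonce) && fresh(t3, g.myTime), nil
}

// NewSession generates keys for both devices and gives each the other's public key, as if
// both certificates had already passed the sign-check; sentAt is the gateway's request time.
func NewSession(sentAt time.Time) (mgmt, gw *Side) {
	mk, _ := rsa.GenerateKey(rand.Reader, 2048)
	gk, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Side{priv: mk, peerPub: &gk.PublicKey}, &Side{priv: gk, peerPub: &mk.PublicKey, sentAt: sentAt}
}

// RunHandshake drives the exchange; true only when every check on both sides passed.
func RunHandshake(mgmt, gw *Side) (bool, error) {
	ct1, err := mgmt.First()
	if err != nil { return false, err }
	ct2, err := gw.Second(ct1)
	if err != nil { return false, err }
	ct3, err := mgmt.Third(ct2)
	if err != nil { return false, err }
	return gw.Pass(ct3)
}
```

Because each random number is encrypted to one party's public key and must be echoed back, a device that cannot decrypt with the matching private key never produces an acceptable next message, and the time checks bound how long a captured message stays usable.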
Fig. 14 is a block diagram of an electronic device, according to an example embodiment. As shown in fig. 14, electronic device 1300 includes, but is not limited to: a processor 1301, and a memory 1302.
The memory 1302 is used for storing executable instructions of the processor 1301. It is understood that the processor 1301 is configured to execute instructions to implement the networking communication method in the above embodiment.
It should be noted that the electronic device structure shown in fig. 14 does not constitute a limitation on the electronic device; as will be appreciated by those skilled in the art, the electronic device may include more or fewer components than those shown in fig. 14, may combine some components, or may have a different arrangement of components.
Processor 1301 is a control center of the electronic device, connects various parts of the entire electronic device using various interfaces and lines, and performs various functions of the electronic device and processes data by running or executing software programs and/or modules stored in memory 1302, and calling data stored in memory 1302, thereby performing overall monitoring of the electronic device. Processor 1301 may include one or more processing units. Alternatively, processor 1301 may integrate an application processor that primarily handles operating systems, user interfaces, applications, etc., with a modem processor that primarily handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 1301.
The memory 1302 may be used to store software programs as well as various data. The memory 1302 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, application programs required for at least one functional module, and the like (e.g., a processing unit, a transmitting unit, a receiving unit, a generating unit, a determining unit). In addition, memory 1302 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
In an exemplary embodiment, a computer readable storage medium is also provided, e.g., a memory, comprising instructions executable by a processor of an electronic device to implement the networking communication method of the above embodiments.
In actual implementation, the functions of the processing unit 1101, the transmitting unit 1102, the receiving unit 1103, the generating unit 1104, the determining unit 1105, or the receiving unit 1201, the processing unit 1202, and the transmitting unit 1203 may be implemented by the processor 1301 in fig. 14 calling a computer program stored in the memory 1302. For specific implementation, reference may be made to the description of the networking communication method in the foregoing embodiments, and details are not repeated here.
Alternatively, the computer readable storage medium may be a non-transitory computer readable storage medium, for example, a read-only memory (ROM), a random-access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
In an exemplary embodiment, embodiments of the application also provide a computer program product comprising one or more instructions executable by a processor of an electronic device to perform the method of the above-described embodiments.
It should be noted that, when the instructions in the computer readable storage medium or one or more instructions in the computer program product are executed by the processor of the electronic device, the processes of the foregoing method embodiments are implemented, and the technical effects similar to those of the foregoing method can be achieved, so that repetition is avoided, and no further description is provided herein.
From the foregoing description of the embodiments, it will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of functional modules is illustrated, and in practical application, the above-described functional allocation may be implemented by different functional modules according to needs, i.e. the internal structure of the apparatus is divided into different functional modules to implement all or part of the functions described above.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of modules or units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another apparatus, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and the parts shown as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed in a plurality of different places. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a readable storage medium. Based on such understanding, the technical solution of the embodiments of the present application, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a device (which may be a single-chip microcomputer, a chip or the like) or a processor to perform all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, an optical disk, or the like.
The present application is not limited to the above embodiments, and any changes or substitutions within the technical scope of the present application should be covered by the scope of the present application. Therefore, the protection scope of the application is subject to the protection scope of the claims.

Claims (14)

1. A networking communication method, characterized by being applied to a management device in a networking communication system, wherein the networking communication system further comprises a first gateway device and at least one second gateway device, the first gateway device is a gateway device to be verified, and the second gateway device is a gateway device which has passed bidirectional identity authentication with the management device; the method comprises the following steps:
Under the condition that the first gateway equipment has the authority to join the networking communication system, performing bidirectional identity authentication on the first gateway equipment;
and under the condition that the first gateway equipment passes the bidirectional identity authentication with the management equipment, a target key and a target encryption mode are sent to the first gateway equipment, so that the first gateway equipment communicates with the second gateway equipment based on the target key and the target encryption mode.
2. The method according to claim 1, wherein the method further comprises:
receiving an authentication request message sent by the first gateway device; the authentication request message includes: the first digital certificate and the first gateway equipment identifier corresponding to the first gateway equipment; the first digital certificate includes: a first public key and a first digital signature corresponding to the first gateway equipment; the first digital signature is obtained by encrypting the first public key by an authentication authority;
verifying the signature of the first digital certificate according to the public key of the authentication authority to obtain a first signature verification result;
judging whether the first gateway equipment has the authority to join the networking communication system or not according to the first gateway equipment identifier and a preset list under the condition that the first signature verification result is passed; the preset list stores gateway equipment identifiers with authority to join the networking communication system.
3. The method according to claim 2, wherein said performing bidirectional identity authentication on said first gateway device in case said first gateway device has the right to join said networking communication system, comprises:
sending a first verification message to the first gateway device if the first gateway device has the right to join the networking communication system; the first verification message includes: the second digital certificate corresponding to the management device and first encrypted verification data; the second digital certificate includes: the second public key and the second digital signature corresponding to the management device; the second digital signature is obtained by encrypting the second public key by the authentication authority; the first encrypted verification data is data obtained by encrypting the first verification data based on the first public key; the first verification data includes: a first random number, and a first time at which the first random number was generated;
receiving a second verification message sent by the first gateway device; the second authentication message includes: second encrypted authentication data; the second encrypted verification data is data obtained by encrypting the second verification data based on the second public key; the second verification data comprises a second random number, a third random number and a second moment for generating the third random number;
responding to the second verification message, judging whether the second random number is the same as the first random number, and judging whether the difference between the second time and the first time is within a preset range;
transmitting a third authentication message to the first gateway device when the second random number is the same as the first random number and the difference between the second time and the first time is within the preset range; the third authentication message includes: third encrypted authentication data; the third encrypted verification data is encrypted based on the first public key; the third verification data comprises a fourth random number and a third moment of generating the third verification data;
and responding to the verification passing message sent by the first gateway equipment, and determining that the bidirectional identity authentication of the first gateway equipment and the management equipment passes.
4. A method according to claim 3, characterized in that the method further comprises:
the second public key and a second private key corresponding to the second public key are generated based on a first encryption algorithm.
5. The method of claim 4, wherein prior to said sending the target key and target encryption scheme to the first gateway device, the method further comprises:
determining the target encryption mode based on a second encryption algorithm;
generating a fifth random number, and determining the target key according to the fifth random number and a derivation function conforming to the target encryption mode;
processing the target encryption mode and the target key based on a third encryption algorithm to obtain a data digest;
processing the data digest based on the second private key to obtain first encrypted data;
processing the target encryption mode, the target key and the first encrypted data based on the first public key to obtain second encrypted data;
the sending the target key and the target encryption mode to the first gateway device includes:
and sending the second encrypted data to the first gateway device.
6. The method of claim 5, wherein the sending the second encrypted data to the first gateway device comprises:
and sending the second encrypted data to the first gateway device based on an encrypted channel.
7. The method according to any one of claims 1-6, further comprising:
and periodically updating the target encryption mode and the target key.
8. A networking communication method, characterized by being applied to a first gateway device in a networking communication system, wherein the networking communication system further comprises a management device and at least one second gateway device, the first gateway device is a gateway device to be verified, and the second gateway device is a gateway device which has passed bidirectional identity authentication with the management device; the method comprises the following steps:
receiving a target key and a target encryption mode sent by the management equipment;
encrypting the data packet based on the target key and the target encryption mode to obtain an encrypted data packet;
and sending the encrypted data packet to the second gateway device.
9. The method of claim 8, wherein the method further comprises:
sending a verification request message to the management device, so that the management device judges whether the first gateway device has the authority to join the networking communication system according to the verification request message; the authentication request message includes: the first digital certificate and the first gateway equipment identifier corresponding to the first gateway equipment; the first digital certificate includes: a first public key and a first digital signature corresponding to the first gateway equipment; the first digital signature is obtained by encrypting the first public key by an authentication authority.
10. The method according to claim 9, wherein in case the first gateway device has the right to join the networking communication system, the method further comprises:
receiving a first verification message sent by the management device; the first verification message includes: the second digital certificate corresponding to the management device and first encrypted verification data; the second digital certificate includes: the second public key and the second digital signature corresponding to the management device; the second digital signature is obtained by encrypting the second public key by the authentication authority; the first encrypted verification data is data obtained by encrypting the first verification data based on the first public key; the first verification data includes: a first random number, and a first time at which the first random number was generated;
verifying the signature of the second digital certificate according to the public key of the authentication authority to obtain a second signature verification result;
if the second signature verification result is passed, judging whether the difference between the first time and the sending time is within a preset range; the sending time is the time at which the verification request message was sent;
transmitting a second verification message to the management device when the difference between the first time and the sending time is within the preset range; the second verification message includes: second encrypted verification data; the second encrypted verification data is data obtained by encrypting the second verification data based on the second public key; the second verification data comprises a second random number, a third random number, and a second time at which the third random number was generated;
receiving a third verification message sent by the management equipment; the third authentication message includes: third encrypted authentication data; the third encrypted verification data is encrypted based on the first public key; the third verification data comprises a fourth random number and a third moment of generating the third verification data;
responding to the third verification message, judging whether the fourth random number is the same as the third random number, and judging whether the difference value between the third moment and the second moment is within the preset range;
and sending a verification passing message to the first gateway device under the condition that the fourth random number is the same as the third random number and the difference value between the third moment and the second moment is in the preset range.
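The exchange of claims 9 and 10, driven end to end, as an added example in Go that is not code from the patent or the applicant. It assumes RSA-OAEP for the "encrypt based on the public key" steps, an ed25519 authentication authority whose signature over the raw public key stands in for the claims' "digital signature obtained by encrypting the public key", 16-byte random numbers, nanosecond timestamps, and a 30-second preset range; the management device's own checks (that the second random number echoes the first and that the second moment is fresh) mirror the gateway-side checks and are assumed, since the manager-side claims are not on this page. `Party`, `Cert`, `seal`, `open` and `Handshake` are this example's names.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"time"
)

const Window = 30 * time.Second // the claims' "preset range" for timestamp drift (constructed value)

// Cert is the claims' "digital certificate": a public key plus the CA's signature over it.
type Cert struct {
	PubDER []byte // PKCS#1-encoded RSA public key (RSA-OAEP for the parties is an assumption)
	Sig    []byte // ed25519 signature by the authentication authority (also an assumption)
}

type Party struct {
	priv *rsa.PrivateKey
	Cert Cert
}

// NewParty generates an RSA key pair and has the authentication authority sign the public key.
func NewParty(caPriv ed25519.PrivateKey) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der := x509.MarshalPKCS1PublicKey(&priv.PublicKey)
	return &Party{priv: priv, Cert: Cert{PubDER: der, Sig: ed25519.Sign(caPriv, der)}}, nil
}

// VerifyCert is the "signature verification": the key is trusted only if the CA signature checks out.
func VerifyCert(caPub ed25519.PublicKey, c Cert) (*rsa.PublicKey, error) {
	if !ed25519.Verify(caPub, c.PubDER, c.Sig) {
		return nil, errors.New("certificate signature does not verify")
	}
	return x509.ParsePKCS1PublicKey(c.PubDER)
}

// seal encrypts verification data (16-byte random numbers, then an 8-byte timestamp) to a public key.
func seal(pub *rsa.PublicKey, t time.Time, nonces ...[]byte) []byte {
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(t.UnixNano()))
	ct, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, append(bytes.Join(nonces, nil), ts...), nil)
	return ct
}

// open reverses seal and rejects anything that does not match the expected layout.
func open(priv *rsa.PrivateKey, ct []byte, n int) (nonces [][]byte, t time.Time, err error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil || len(pt) != 16*n+8 {
		return nil, t, errors.New("verification data does not decrypt")
	}
	for i := 0; i < n; i++ {
		nonces = append(nonces, pt[16*i:16*i+16])
	}
	return nonces, time.Unix(0, int64(binary.BigEndian.Uint64(pt[16*n:]))), nil
}
func nonce() []byte { n := make([]byte, 16); rand.Read(n); return n }
func fresh(t, ref time.Time) bool { d := t.Sub(ref); return d <= Window && d >= -Window }

// Handshake drives both sides of the claim 9-10 exchange in one function so the message
// flow is visible; mgrSkew offsets the management device's clock to simulate stale data.
func Handshake(caPub ed25519.PublicKey, gw, mgr *Party, mgrSkew time.Duration) error {
	sentAt := time.Now() // 1. gateway sends its certificate; the manager verifies it
	gwPub, err := VerifyCert(caPub, gw.Cert)
	if err != nil {
		return errors.New("manager: " + err.Error())
	}
	r1 := nonce() // 2. manager replies with its certificate and E_gw(r1, t1)
	msg1 := seal(gwPub, time.Now().Add(mgrSkew), r1)
	mgrPub, err := VerifyCert(caPub, mgr.Cert) // 3. gateway verifies the manager's certificate
	if err != nil {
		return errors.New("gateway: " + err.Error())
	}
	n1, t1, err := open(gw.priv, msg1, 1) // ... and checks t1 against its own request time
	if err != nil || !fresh(t1, sentAt) {
		return errors.New("gateway: first verification data stale or invalid")
	}
	r3, t2 := nonce(), time.Now() // ... then answers with E_mgr(r2 = r1, r3, t2)
	msg2 := seal(mgrPub, t2, n1[0], r3)
	// 4. Manager checks r2 == r1 and t2 freshness (the mirror of the gateway-side check,
	//    assumed here for the manager-side claims not shown), then sends E_gw(r4 = r3, t3).
	n2, t2seen, err := open(mgr.priv, msg2, 2)
	if err != nil || !bytes.Equal(n2[0], r1) || !fresh(t2seen, time.Now().Add(mgrSkew)) {
		return errors.New("manager: second verification data rejected")
	}
	msg3 := seal(gwPub, time.Now().Add(mgrSkew), n2[1])
	n3, t3, err := open(gw.priv, msg3, 1) // 5. gateway checks r4 == r3 and t3 against t2
	if err != nil || !bytes.Equal(n3[0], r3) || !fresh(t3, t2) {
		return errors.New("gateway: third verification data rejected")
	}
	return nil // verification passed: the manager may now send the target key and mode
}
```

Two things the claims rely on are visible here: the random numbers are only ever returned inside data encrypted to the other party's certified public key, so a third party that can read the wire cannot answer either challenge, and the timestamp window is checked against the receiver's own clock at the moment it sent the previous message, which is what limits replay of a captured verification message.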
11. A networking communication apparatus, applied to a management device in a networking communication system, wherein the networking communication system further comprises a first gateway device and at least one second gateway device, the first gateway device being a gateway device to be verified and the second gateway device being a gateway device that has passed bidirectional identity authentication with the management device; the apparatus comprises a processing unit and a sending unit;
the processing unit is configured to perform bidirectional identity authentication with the first gateway device in the case that the first gateway device has the authority to join the networking communication system;
the sending unit is configured to send a target key and a target encryption mode to the first gateway device in the case that the first gateway device passes bidirectional identity authentication with the management device, so that the first gateway device communicates with the second gateway device based on the target key and the target encryption mode.
12. A networking communication apparatus, applied to a first gateway device in a networking communication system, wherein the networking communication system further comprises a management device and at least one second gateway device, the first gateway device being a gateway device to be verified and the second gateway device being a gateway device that has passed bidirectional identity authentication with the management device; the apparatus comprises a receiving unit, a processing unit and a sending unit;
the receiving unit is configured to receive a target key and a target encryption mode sent by the management device;
the processing unit is configured to encrypt a data packet based on the target key and the target encryption mode to obtain an encrypted data packet;
the sending unit is configured to send the encrypted data packet to the second gateway device.
13. An electronic device, comprising:
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the method of any of claims 1-7, or 8-10.
14. A computer readable storage medium, characterized in that, when computer-executable instructions stored in the computer readable storage medium are executed by a processor of an electronic device, the electronic device is capable of performing the method of any one of claims 1-7, or 8-10.
CN202311118550.9A 2023-08-31 2023-08-31 Networking communication method, device, equipment and storage medium Pending CN117155656A (en)

Publications (1)

Publication Number Publication Date
CN117155656A true CN117155656A (en) 2023-12-01

Family

ID=88900244
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination