CN117201005B - IPv6 address dynamic coding method based on ZUC encryption and decryption and application method - Google Patents


Publication number
CN117201005B
Authority
CN
China
Prior art keywords
key
ipv6 address
address
decryption
zuc
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311160685.1A
Other languages
Chinese (zh)
Other versions
CN117201005A (en
Inventor
刘永清
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Branch Center National Computer Network And Information Security Management Center
Original Assignee
Jiangsu Branch Center National Computer Network And Information Security Management Center
Application filed by Jiangsu Branch Center National Computer Network And Information Security Management Center
Priority to CN202311160685.1A
Publication of CN117201005A
Application granted
Publication of CN117201005B


Abstract

The invention provides an IPv6 address dynamic coding method based on ZUC encryption and decryption (ZBDA) and an application method thereof. The IPv6 address dynamic coding method based on ZUC encryption comprises: generating a key based on the ZUC algorithm, encrypting a MAC address with the key to obtain an interface identifier, and combining the interface identifier and a network prefix into an IPv6 address; and performing duplicate address detection on the IPv6 address to obtain an IPv6 address without conflict. The IPv6 address dynamic coding method based on ZUC decryption comprises: obtaining the source IPv6 address of a data packet; generating a decryption key store based on the ZUC algorithm; and performing trial decryption of the source IPv6 address with the keys in the key store one by one, and, if decryption succeeds, obtaining the source MAC address and updating the decryption key store. The ZBDA method solves the problem of personal privacy leakage caused by improper IPv6 addressing, meets the requirement of network access control based on IP addresses, encodes and verifies IPv6 addresses quickly, and has certain practical application value.

Description

IPv6 address dynamic coding method based on ZUC encryption and decryption and application method
Technical Field
The invention belongs to the technical field of communication, and particularly relates to an IPv6 address dynamic coding method based on ZUC encryption and decryption and an application method.
Background
As IPv4 addresses are gradually exhausted, IPv6 networks are being deployed at an accelerating pace. According to telecom operators, taking Jiangsu as an example, IPv6 currently accounts for about 15% of traffic in the provincial fixed internet and up to 50% of traffic in the mobile internet.
According to Google statistics, the global IPv6 traffic share has reached 41% [1]. IPv6 addresses are 128 bits long and therefore provide a huge address space, and each IPv6 terminal can be assigned a routable global unicast address. The IPv6 address is divided into two parts, the network prefix (Subnet Prefix) and the interface identifier (IID, Interface Identifier). The network prefix is allocated by a telecom operator, and the interface identifier can be manually configured, randomly generated, or generated from the terminal MAC address using the EUI-64 format defined by IEEE. The interface identifier generated by EUI-64 is unique, so even if the network prefix is rotated by the operator, a terminal that generates its IPv6 address according to EUI-64 can easily be tracked, which brings a risk of personal privacy disclosure [2][3][4].
When a terminal with a statically configured IPv6 address accesses the Internet, the IPv6 address always remains unchanged. When daily internet activities such as internet banking transactions, online shopping, sending and receiving mail, web searching, web browsing, instant messaging and social messaging are all carried out from the same IPv6 address, internet enterprises can easily track an individual's online activity by associating data from multiple parties. Using a fixed IPv6 address for a long time is similar to writing all of a person's information, such as real name, identification card number, mobile phone number and home address, on their clothes in real life, so that everyone knows who the person is. A fixed IPv6 address is in fact equivalent to the identity of the individual and severely threatens the individual's security in cyberspace.
To address privacy disclosure and related problems of static IPv6 addresses, RFC4941 [5] suggests a privacy extension mode: the IID in EUI-64 format is concatenated with a history value (initially a 64-bit random number) and hashed with MD5; the upper 64 bits of the digest become the new IID and the lower 64 bits are stored as the history value for the next IID generation, so that the generated IID changes over time, reducing the risk of being monitored and of information collection. RFC7217 [6] proposes hashing the network prefix Prefix, the network interface net_iface, the network identifier network_id, the address collision count dad_counter and the key secret_key, and taking the lower 64 bits of the digest as the IID; the IID generated by this method is random but remains unchanged within the same network. Odero S. et al. [7] improved the method of RFC7217 by incorporating the optional network_ID parameter into the hash operation, achieving dynamic IID generation by changing the network_ID parameter.
A dynamic IP address can improve network access security, but many information systems on the internet (especially enterprise networks) are accustomed to checking the source IP address of a visitor as a preliminary verification of the visitor's identity, which requires the visitor to use a fixed IP address. The two requirements contradict each other.
Disclosure of Invention
The invention aims to: aiming at the defects of the prior art, the invention provides an IPv6 address dynamic coding method based on ZUC encryption and an application method thereof.
In order to solve the technical problem, in a first aspect, an IPv6 address dynamic encoding method based on ZUC encryption (ZBDA, ZUC-Based Dynamic Addressing) is disclosed, which includes generating a key based on the ZUC (Zu Chongzhi) algorithm and encrypting a MAC address with the key to obtain an interface identifier, where the interface identifier and a network prefix are combined to form an IPv6 address;
and performing duplicate address detection on the IPv6 address to obtain an IPv6 address without conflict.
Further, when a key is generated based on the ZUC algorithm and used to encrypt the MAC address, the encryption keys of the interface identifiers of different terminals in the same local area network are different, and the encryption keys of the same terminal are different when it applies for an IPv6 address in different periods.
Further, generating a key based on the ZUC algorithm and encrypting the MAC address with the key to obtain the interface identifier includes: initializing the ZUC algorithm based on a preset seed key and an initial vector; after the ZUC algorithm is initialized, generating a plurality of key pairs, where the key identifier of each key pair is recorded as KeyID and KeyID increases in the order in which the key pairs are generated; within each key pair, the key generated first is denoted Key0 and the key generated later is denoted Key1; and the interface identifier IID calculation formula is shown in formula (1):
wherein H32 represents taking the upper 32 bits, L16 represents taking the lower 16 bits, ⊕ represents a bitwise exclusive-or operation, and || represents a bit string connector;
formula (1) shows that the high 32 bits of the MAC address are XORed bit by bit with Key0 to generate a high 32-bit value; the low 16 bits of the MAC address are concatenated with the low 16 bits of the key identifier KeyID and then XORed bit by bit with Key1 to generate a low 32-bit value; the two results are concatenated to generate a 64-bit value, namely the interface identifier.
Further, performing duplicate address detection on the IPv6 address to obtain an IPv6 address without conflict includes: performing duplicate address detection on the IPv6 address; if there is an IPv6 address conflict, adding 1 to the key identifier KeyID of the key pair, calculating again according to formula (1) to generate a new IPv6 address, and performing duplicate address detection again, until the generated IPv6 address does not conflict.
In a second aspect, an IPv6 address dynamic encoding method based on ZUC decryption is disclosed, including:
acquiring a source IPv6 address of a data packet;
generating a decryption key library based on a ZUC algorithm;
performing trial decryption of the source IPv6 address with the keys in the key store one by one; if decryption succeeds, obtaining the source MAC address and updating the decryption key store; if all keys in the key store fail to decrypt, directly discarding the data packet.
Further, generating the decryption key store based on the ZUC algorithm includes: recording the number of terminals that transmit data packets as n, n ≥ 1, and the maximum packet loss rate of network transmission as p, 0 ≤ p < 1, and setting the size of the decryption key store as
The ZUC algorithm is initialized based on a preset seed key and an initial vector; after the ZUC algorithm is initialized, K key pairs are generated, where the key identifier of each key pair is recorded as KeyID and KeyID increases in the order in which the key pairs are generated; within each key pair, the key generated first is denoted Key0 and the key generated later is denoted Key1; the K key pairs constitute the decryption key store.
Further, the step of performing trial decryption of the source IPv6 address with the keys in the key store one by one includes: XORing the low 32 bits of the interface identifier IID in the source IPv6 address bit by bit with Key1 of the first key pair in the decryption key store and taking the low 16 bits; if the result is equal to the low 16 bits of that pair's key identifier KeyID, the decryption key is correct, the source MAC address is obtained by decrypting according to formula (2), and the decryption key store is updated;
wherein L32 represents the lower 32 bits;
if the result of the exclusive-or operation is not equal to the low 16 bits of the key identifier KeyID, the key is incorrect, and the matching test is performed with the next key pair until a correct key is found; if no correct key is found after traversing the complete decryption key store, the data packet is directly discarded.
Further, updating the decryption key store includes: deleting the successfully decrypted key from the decryption key store; checking the decryption key store and deleting expired keys, where the expired keys comprise keys whose KeyID differs from the maximum key identifier KeyID by more than K+n; expired keys usually correspond to IPv6 addresses that were encrypted by the sending end but never reached the receiving end; when the decryption key store is updated, deleting some key pairs requires generating the same number of new key pairs at the end of the decryption key store, i.e. the size of the decryption key store is kept unchanged.
In a third aspect, an application method of an IPv6 address dynamic encoding method based on ZUC encryption and decryption is disclosed, applied to communications between a plurality of client sites and server sites respectively,
the client station comprises a DHCPv6 server, and the DHCPv6 server generates an IPv6 address without conflict by using the IPv6 address dynamic coding method based on ZUC encryption; the client site sends a data packet taking the IPv6 address without conflict as a source address to a server site;
the server site receives a data packet sent by the client site, the server site comprises an IPv6 address verification server, the IPv6 address verification server obtains a source MAC address by using the IPv6 address dynamic coding method based on ZUC decryption, and if the obtained source MAC address is the same as a preset MAC address, the source IPv6 address passes verification.
Further, the server site further comprises a traffic cleaning device and an application server, the traffic cleaning device establishes BGP neighbors with the IPv6 address verification server, the IPv6 address verification server informs the traffic cleaning device of the source IPv6 address which passes verification, and the traffic cleaning device directly forwards traffic of the source IPv6 address which passes verification to the application server for processing through a route.
The beneficial effects are that: the application provides an IPv6 address dynamic coding method based on Zu Chongzhi (ZUC) sequence cipher encryption, which takes into account both the risk of personal privacy disclosure and the practice of verifying a visitor's identity by a fixed IP address. At the receiving end, the ZUC algorithm is used to decrypt the interface identifier of the source IPv6 address and obtain the source MAC address of the visitor; if the MAC is the address of a terminal authorized for access, the data packet is released, and otherwise the data packet is refused, so that network security access control is realized.
Drawings
The foregoing and/or other advantages of the invention will become more apparent from the following detailed description of the invention when taken in conjunction with the accompanying drawings and detailed description.
Fig. 1 is a global unicast address structure.
FIG. 2 is an EUI-64 address translation process.
Fig. 3 is a ZUC algorithm encryption process.
Fig. 4 is a schematic flow chart of an IPv6 address dynamic encoding method based on ZUC decryption according to an embodiment of the present application.
Fig. 5 is an IPv6 address encoding time of an IPv6 address dynamic encoding method based on ZUC encryption according to an embodiment of the present application.
Fig. 6 is an application scenario of an application method of an IPv6 address dynamic encoding method based on ZUC encryption and decryption according to an embodiment of the present application.
Detailed Description
Embodiments of the present invention will be described below with reference to the accompanying drawings.
Firstly, the IPv6 address generating method and the ZUC encryption and decryption algorithm are briefly introduced.
IPv6 Address coding
IPv4 addresses are 32 bits in length, and IPv4 address maldistribution causes IPv4 address shortage in many countries including china. IPv6 is also called the next generation internet (IPng), and the length of the IPv6 address is 128 bits, so that the problem of insufficient address space is thoroughly solved. IPv6 addresses are classified into Unicast (Unicast), multicast (Multicast), anycast (Anycast), and Unicast addresses are classified into global Unicast addresses, link local addresses, compatible addresses, and the like. The IPv6 address dynamic coding algorithm provided by the embodiment of the application is only aimed at global unicast addresses.
The global unicast address structure is divided into a network prefix and an interface identifier, and the network prefix is further divided into a global routable prefix and a subnet identifier [8]. The global unicast address structure is shown in fig. 1.
(1) Global routable prefix: the prefix representing the site is assigned to the telecom operator (ISP, internet Service Provider) and other institutions by the internet address assignment institution (IANA, internet Assigned Numbers Authority) and its subordinate institutions. The highest 3 bits of the global routable prefix is 001, i.e., the global unicast address range is 2000::/3. The global routable prefix is a maximum of 48 bits, and consecutive prefixes may be aggregated into shorter prefixes.
(2) A subnet identifier representing a subnet within the site represented by the global routable prefix, the subnet identifier being self-divided by the ISP and assigned to the end user, the global routable prefix and the subnet identifier together forming a 64-bit network prefix.
(3) The interface identifier is used for identifying different interfaces in the subnet, has uniqueness and is fixed to be 64-bit in length. The interface identifier may be manually configured, randomly generated by the terminal, or automatically generated in EUI-64 format.
EUI-64 [9] is an IEEE-defined encoding method that generates an interface identifier by translating the MAC address; the MAC address has only 48 bits, while the interface identifier has 64 bits. In the conversion to EUI-64 format, the 16-bit value FFFE is inserted between the first 24 bits and the last 24 bits of the MAC address, and the value of the U/L bit (bit 1 of the highest byte) of the MAC address is changed from 0 to 1, so that a 64-bit interface identifier is generated, and the interface identifier is globally unique. Fig. 2 illustrates the process of translating a MAC address into an EUI-64 interface identifier.
Given the EUI-64 interface identifier generation method, the MAC address of the terminal can easily be calculated from the EUI-64 interface identifier. The first 24 bits of the MAC address are the organizationally unique identifier (OUI, Organizationally Unique Identifier) [10], and the last 24 bits are a unique extension identifier allocated by the manufacturer, so the brand and type of the IPv6 terminal can be deduced from the EUI-64 interface identifier, which brings a risk of personal privacy disclosure. Therefore, when generating the interface identifier from the MAC address, the MAC address needs to be transformed or encrypted to reduce the privacy risk caused by the IPv6 address.
ZUC cryptographic algorithm
Cryptographic algorithms can be classified into symmetric cryptographic algorithms, public key cryptographic algorithms and cryptographic hash algorithms, and symmetric cryptographic algorithms are further classified into sequence (stream) cipher algorithms and block cipher algorithms [11]. In order to increase encryption and decryption speed and shorten the generation time of IPv6 addresses, the IPv6 address dynamic coding algorithm provided by the embodiment of the application uses the Zu Chongzhi (ZUC) sequence cipher algorithm for encryption and decryption.
The ZUC cipher algorithm is a commercial sequence cipher algorithm issued in China. It has a high security margin and high speed, can be used to protect the confidentiality and integrity of data [12], and became an international standard for 4G mobile communication cryptographic algorithms in 2011. The ZUC key length is 128 bits; a key stream of 32-bit words for data encryption is generated from the 128-bit seed key together with the 128-bit initial vector, and data is encrypted by XORing the plaintext with the key stream.
The ZUC algorithm logic is divided into an upper, a middle and a lower layer. The upper layer is a 16-stage linear feedback shift register (LFSR, Linear Feedback Shift Register), whose output has good random characteristics; the middle layer is bit reorganization (BR, Bit-Reorganization), which extracts 128 bits from the LFSR state to form 3 words (X0, X1, X2) that are supplied to the nonlinear function F and another word (X3) that participates in the key calculation; the lower layer is the nonlinear function F, which realizes a nonlinear mapping. Finally, the output W of the nonlinear function F is XORed with the bit reorganization output to generate the key stream [13]. The working process of the ZUC algorithm can be divided into an initialization stage and a working stage, and the encryption process of the algorithm is shown in fig. 3.
A 32-bit plaintext word is XORed bit by bit with a 32-bit key word to obtain a 32-bit ciphertext word; the next 32-bit key word is then generated and XORed with the next 32-bit plaintext word, and this is repeated until all the plaintext is encrypted. The decryption process of the ZUC algorithm is identical to encryption: the receiving end and the transmitting end share the seed key and the initial vector in advance, so the receiving end can generate a key stream sequence fully consistent with that of the transmitting end, and XORing the ciphertext stream bit by bit with the key stream yields the plaintext stream.
Fixed IP addresses not only present a privacy risk, but also do not meet specific network access requirements, such as port scanning, web crawling, etc. Dynamic IP addresses may increase personal security for network visitors, but do not meet the needs of network access control based on IP addresses. The IPv6 address dynamic coding (ZBDA) method based on Zu Chongzhi (ZUC) sequence cipher encryption and decryption can solve both problems.
The first embodiment of the application discloses an IPv6 address dynamic coding method based on ZUC encryption, which comprises the following steps:
generating a key based on a ZUC algorithm, encrypting the MAC address by using the key to obtain an interface identifier, wherein the interface identifier and a network prefix are combined into an IPv6 address;
and detecting the repeated address of the IPv6 address to obtain the IPv6 address without conflict.
The IPv6 address is composed of a network prefix and an interface identifier, where the network prefix is generally allocated by an operator, and the embodiment is mainly used for generating the interface identifier of IPv6, and the main idea of the method is to encrypt the MAC address by using a ZUC algorithm. The encryption strategy is one-time pad, namely the encryption keys of different terminal interface identifiers in the same local area network are different; the encryption keys of the same terminal are different when applying for the IPv6 address in different periods. ZUC is a sequence cipher algorithm, so the key order of encryption and decryption must be consistent.
The ZUC algorithm generates one 32-bit key at a time and the interface identifier is 64 bits, so two keys are required for each interface identifier encryption, in this embodiment referred to as a pair of keys, labeled with a key identifier (KeyID). Initializing a ZUC algorithm based on a preset seed key and an initial vector; after the ZUC algorithm is initialized, the KeyID of the generated first pair of keys is 0, the KeyID of the second pair of keys is 1, and so on. In the pair of keys, the Key generated first is marked as Key0, the Key generated later is marked as Key1, and an interface identification calculation formula is defined as shown in formula (1).
Wherein the operator convention is as follows:
H32: take the high 32 bits
L32: take the low 32 bits
H16: take the high 16 bits
L16: take the low 16 bits
⊕: bitwise exclusive-or operation
&: bitwise AND operation
||: bit string connector
>> k: right shift by k bits
Formula (1) shows that the high 32 bits of the MAC address are XORed bit by bit with Key0 to generate a high 32-bit value; the low 16 bits of the MAC address are concatenated with the low 16 bits of the key identifier KeyID and then XORed bit by bit with Key1 to generate a low 32-bit value; the two results are concatenated to generate a 64-bit value, namely the interface identifier.
The generated interface identifier and the network prefix are combined into an IPv6 address. This IPv6 address may collide with an existing address; although the probability is very low, duplicate address detection (DAD, Duplicate Address Detection) [14] is needed to confirm whether the IPv6 address is available. If there is an address collision, the KeyID is incremented by 1, a new IPv6 address is calculated according to formula (1), and DAD is performed again, until the generated IPv6 address has no collision.
The following describes the calculation of the IPv6 address, taking as an example a seed key k and an initial vector iv that are both 128 bits of all 0. After the ZUC algorithm is initialized, the first generated key pair is [27BEDE74, 018082DA] and the second generated key pair is [87D4E5B6, 9F18BF66]. If the MAC address of terminal 1 is 0011-2233-4455, then the interface identifier generated according to this embodiment is:
(00112233⊕27BEDE74)||((4455||0000)⊕018082DA)=27AFFC4745D582DA
assuming that the network prefix is 2409:8a20:4a3:38d0::, the generated IPv6 address of the terminal 1 is 2409:8a20:4a3:38d0:27af:fc47:45d5:82da.
If another terminal 2 immediately applies for an IPv6 address, its MAC address is: AABB-CCDD-EEFF, then the interface identifier generated by the terminal is:
(AABBCCDD⊕87D4E5B6)||((EEFF||0001)⊕9F18BF66)=2D6F296B71E7BF67
i.e. the generated IPv6 address of terminal 2 is 2409:8a20:4a3:38d0:2d6f:296b:71e7:bf67.
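The encoding and the DAD retry loop described above can be reproduced in a few lines. This is an added example, not code from the patent: the function names are hypothetical, the key pairs are the keystream words quoted on this page rather than the output of a ZUC implementation, and a Python set stands in for duplicate address detection on the link. The static EUI-64 identifier is computed alongside for contrast.

```python
import ipaddress

# (Key0, Key1) pairs quoted on this page (all-zero seed key and IV); the list
# index is the KeyID. A deployment would draw them from a ZUC keystream.
PAGE_KEY_PAIRS = [
    (0x27BEDE74, 0x018082DA),
    (0x87D4E5B6, 0x9F18BF66),
    (0x32070E0F, 0x39B7B692),
    (0xB4673EDC, 0x3184A48E),
    (0x27636F44, 0x14510D62),
]
PREFIX = "2409:8a20:4a3:38d0::/64"  # network prefix from the page's example


def parse_mac(mac: str) -> int:
    """Accept 0011-2233-4455, 00:11:22:33:44:55 or 001122334455."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def eui64_iid(mac: int) -> int:
    """Static EUI-64 IID: insert FFFE in the middle and flip the U/L bit."""
    iid = ((mac >> 24) << 40) | (0xFFFE << 24) | (mac & 0xFFFFFF)
    return iid ^ (0x02 << 56)


def zbda_iid(mac: int, key_id: int, key0: int, key1: int) -> int:
    """Formula (1) as the text describes it:
    (H32(MAC) xor Key0) || ((L16(MAC) || L16(KeyID)) xor Key1)."""
    high = ((mac >> 16) & 0xFFFFFFFF) ^ key0
    low = (((mac & 0xFFFF) << 16) | (key_id & 0xFFFF)) ^ key1
    return (high << 32) | low


def to_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("the interface identifier fills the low 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def allocate(mac: str, prefix: str, first_key_id: int, in_use: set):
    """Encode with the next unused key pair; on a DAD conflict move on to the
    following KeyID. `in_use` is a stand-in for DAD on the link (assumption).
    Returns (address, KeyID consumed)."""
    key_id = first_key_id
    while True:
        key0, key1 = PAGE_KEY_PAIRS[key_id]  # IndexError once the table runs out
        addr = to_address(prefix, zbda_iid(parse_mac(mac), key_id, key0, key1))
        if addr not in in_use:
            in_use.add(addr)
            return addr, key_id
        key_id += 1


def demo():
    in_use = set()
    t1, k1 = allocate("0011-2233-4455", PREFIX, 0, in_use)
    t2, k2 = allocate("AABB-CCDD-EEFF", PREFIX, k1 + 1, in_use)
    # Constructed collision: mark the KeyID 2 address of a third (made-up) MAC
    # as already taken, so DAD fails once and the encoder uses KeyID 3.
    mac3 = "0200-5E10-0001"
    in_use.add(to_address(PREFIX, zbda_iid(parse_mac(mac3), 2, *PAGE_KEY_PAIRS[2])))
    t3, k3 = allocate(mac3, PREFIX, k2 + 1, in_use)
    return t1, t2, t3, k3


if __name__ == "__main__":
    for item in demo():
        print(item)
    print(to_address(PREFIX, eui64_iid(parse_mac("0011-2233-4455"))))
```
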
The second embodiment of the application discloses an IPv6 address dynamic coding method based on ZUC decryption, which comprises the following steps:
acquiring a source IPv6 address of a data packet;
generating a decryption key library based on a ZUC algorithm;
performing trial decryption of the source IPv6 address with the keys in the key store one by one; if decryption succeeds, obtaining the source MAC address and updating the decryption key store; if all keys in the key store fail to decrypt, directly discarding the data packet.
After a data packet whose source address is an IPv6 address generated by the ZBDA algorithm has been sent, the receiving end needs to decrypt the MAC address from the interface identifier of the source IPv6 address in order to verify the authority of the accessing terminal. ZUC is a sequence cipher algorithm, so the order of received ciphertexts must match that of the transmitting end for decryption to work normally, but the order at the receiving end can differ from that of the transmitting end for the following reasons:
(1) After the IPv6 address is generated, the terminal does not communicate with the receiving end, or the communicated packets are lost, and once the lifetime of the IPv6 address expires the terminal acquires a new IPv6 address.
(2) The generated IPv6 address collides, and a new key pair is needed to regenerate a new IPv6 address.
(3) Data packets arrive out of order because of multipath transmission.
Therefore, decryption cannot strictly follow the key order of the transmitting end, and the decryption key has to be searched for in a key store of a certain range. The IPv6 address dynamic encoding method based on ZUC decryption provided in this embodiment can be summarized as follows: the receiving end generates a decryption key store of a certain size from the seed key and the initial vector pre-shared with the sending end; trial decryption of the received IPv6 address is performed with the keys in the key store one by one; after decryption succeeds, the source MAC address is obtained and the key store is updated; if all the keys in the key store fail to decrypt, the received IPv6 address was not generated by the ZBDA algorithm and the packet is directly discarded.
The IPv6 address verification process is shown in fig. 4, and the detailed steps can be divided into the following 4 steps:
(1) Initializing: the receiving end first generates a key store. If the number of terminals at the sending end is n ≥ 1 and the maximum packet loss rate of network transmission is p, with 0 ≤ p < 1, then the key store size of the receiving end is set as
For example: if the packet loss rate is equal to 50%, the key store size is 2n.
The ZUC algorithm is initialized based on a preset seed key and an initial vector; after the ZUC algorithm is initialized, K key pairs are generated, where the key identifier of each key pair is recorded as KeyID and KeyID increases in the order in which the key pairs are generated; within each key pair, the key generated first is denoted Key0 and the key generated later is denoted Key1; the K key pairs constitute the decryption key store.
(2) Decryption test 1: after a data packet is received, the low 32 bits of the interface identifier IID in the source IPv6 address are XORed bit by bit with Key1 of the first key pair in the key store and the low 16 bits are taken. If the result is equal to the low 16 bits of that pair's key identifier KeyID, the decryption key is correct; the MAC address is then decrypted according to formula (2), the key store is updated as in step (4), and address verification passes.
(3) Decryption test 2: if the result of the exclusive-or operation is not equal to the low 16 bits of the key identifier KeyID, the key is incorrect; the matching test is performed with the next key pair, and steps (2) - (3) are repeated until the correct key is found. If the correct key cannot be found after traversing the complete key store, the IPv6 address was not generated by the ZBDA algorithm, i.e. the access comes from an unauthorized terminal, and the packet is directly discarded.
(4) Updating the key store: because of the "one-time pad" policy, keys that have decrypted successfully are deleted from the key store; the key store is also checked and expired keys are deleted, where the expired keys include keys whose KeyID differs from the maximum key identifier KeyID by more than K+n; such expired keys usually correspond to IPv6 addresses that were encrypted by the sender but never reached the receiver. When the key store is updated, deleting some key pairs requires generating the same number of new key pairs at the end of the key store, i.e. the size of the key store is kept unchanged.
Example:
Assuming that the data packet of terminal 2 arrives before the data packet of terminal 1, the verification process at the receiving end is as follows:
(1) Initialization: let n=2 and the packet loss rate p<0.5; the size of the decryption keystore is then K=4. The key k and the initial vector iv of the receiving end must be the same as those of the transmitting end; this is still the case where both are 128 bits of all zeros. The keystore generated by the receiving end is then {[27BEDE74, 018082DA], [87D4E5B6, 9F18BF66], [32070E0F, 39B7B692], [B4673EDC, 3184A48E]}, and the corresponding KeyIDs are {0, 1, 2, 3}.
(2) After the IPv6 packet of terminal 2 is received, its interface identifier IID is obtained as 2d6f:296b:71e7:bf67. The 1st key pair in the keystore is tested, that is, the calculation uses the key pair with KeyID=0:
(71E7BF67⊕018082DA)&FFFF=3DBD≠0
The KeyID obtained by decryption does not match the current KeyID, so this key is incorrect.
(3) The 2nd key pair is then tested, that is, the calculation uses the key pair with KeyID=1:
(71E7BF67⊕9F18BF66)&FFFF=0001
The KeyID obtained matches the current KeyID, so the decryption key has been found and the MAC address can be decrypted by calculating:
(2D6F296B⊕87D4E5B6)||(((71E7BF67⊕9F18BF66)>>16)&FFFF)=AABBCCDDEEFF
The MAC address of terminal 2 is thus obtained as AABB-CCDD-EEFF.
(4) Updating the keystore: the key pair that decrypted successfully is deleted from the keystore and a new key pair is generated. The keystore is now {[27BEDE74, 018082DA], [32070E0F, 39B7B692], [B4673EDC, 3184A48E], [27636F44, 14510D62]}, and the corresponding KeyIDs are {0, 2, 3, 4}. At this point the minimum KeyID in the keystore is 0 and the maximum KeyID is 4; the difference is 4, which is smaller than 6 (K+n), so there is no expired key in the keystore.
(5) Repeating steps (2)-(4) in the same way, the MAC address of terminal 1 is decrypted as 0011-2233-4455 using the key pair with KeyID=0.
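The receiver-side procedure of steps (1)-(4) and the worked example above, as an added Python example that is not code from the patent. ZUC itself is not implemented here: the keystream is the ten words quoted on the page followed by constructed filler, and the 2001:db8:: prefix and all class and function names are assumptions.

```python
import ipaddress
from itertools import chain, count

MASK16, MASK32, MASK64 = 0xFFFF, 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF

# Keystream words quoted in the page's worked example (zero key, zero IV).
PAGE_WORDS = [0x27BEDE74, 0x018082DA, 0x87D4E5B6, 0x9F18BF66, 0x32070E0F,
              0x39B7B692, 0xB4673EDC, 0x3184A48E, 0x27636F44, 0x14510D62]


def demo_keystream():
    """Page words, then constructed filler. The filler is NOT ZUC output."""
    return chain(PAGE_WORDS, (0xC0DE0000 + i for i in count()))


def encode_iid(mac, key_id, key0, key1):
    """Formula (1) as the page words it: 48-bit MAC -> 64-bit interface ID."""
    high = ((mac >> 16) & MASK32) ^ key0
    low = (((mac & MASK16) << 16) | (key_id & MASK16)) ^ key1
    return (high << 32) | low


class Keystore:
    """Receiver-side window of K one-time key pairs, ordered by KeyID."""

    def __init__(self, keystream, size_k, n_terminals):
        self.keystream, self.size_k, self.n = keystream, size_k, n_terminals
        self.next_id, self.pairs = 0, []
        self.refill()

    def key_ids(self):
        return [key_id for key_id, _, _ in self.pairs]

    def refill(self):
        # New pairs are appended at the end so the store stays at size K.
        while len(self.pairs) < self.size_k:
            key0, key1 = next(self.keystream), next(self.keystream)
            self.pairs.append((self.next_id, key0, key1))
            self.next_id += 1

    def update(self, used_index):
        del self.pairs[used_index]            # a key decrypts one address only
        self.refill()
        while True:                           # drop keys more than K+n behind
            newest = self.pairs[-1][0]
            fresh = [p for p in self.pairs
                     if newest - p[0] <= self.size_k + self.n]
            if len(fresh) == len(self.pairs):
                return
            self.pairs = fresh
            self.refill()

    def decode(self, iid):
        """Return (KeyID, MAC) for the first matching key pair, else None."""
        high, low = (iid >> 32) & MASK32, iid & MASK32
        for index, (key_id, key0, key1) in enumerate(self.pairs):
            plain_low = low ^ key1
            if plain_low & MASK16 == key_id & MASK16:     # decryption test
                mac = ((high ^ key0) << 16) | (plain_low >> 16)
                self.update(index)
                return key_id, mac
        return None


def verify_source(store, source_address, authorized_macs):
    """Decode the source address; accept only a pre-registered MAC."""
    iid = int(ipaddress.IPv6Address(source_address)) & MASK64
    hit = store.decode(iid)
    # The KeyID tag is 16 bits wide, so the MAC allow-list is the second gate.
    if hit is None or hit[1] not in authorized_macs:
        return None                            # caller discards the packet
    return hit[1]


def run_demo():
    prefix = int(ipaddress.IPv6Address("2001:db8::"))   # constructed prefix
    authorized = {0x001122334455, 0xAABBCCDDEEFF}
    terminal1 = ipaddress.IPv6Address(
        prefix | encode_iid(0x001122334455, 0, *PAGE_WORDS[0:2]))
    terminal2 = ipaddress.IPv6Address(
        prefix | encode_iid(0xAABBCCDDEEFF, 1, *PAGE_WORDS[2:4]))
    store = Keystore(demo_keystream(), size_k=4, n_terminals=2)
    results = []
    # Terminal 2 arrives first, then terminal 1, then a constructed address
    # that was not produced by the encoder.
    for address in (terminal2, terminal1, "2001:db8::1234:5678:9abc:def0"):
        mac = verify_source(store, str(address), authorized)
        results.append((str(address), mac, store.key_ids()))
    return results


if __name__ == "__main__":
    for address, mac, key_ids in run_demo():
        verdict = "discard" if mac is None else f"MAC {mac:012X}"
        print(f"{address:40} {verdict:18} keystore KeyIDs {key_ids}")
```

In a deployment the keystream argument would be the output of a real ZUC implementation initialized with the shared seed key and initial vector.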
Experimental analysis
To verify the performance of the ZBDA method, experiments were performed on a notebook computer with a 12-core Intel i5-1240P 1.70GHz CPU, 16GB of memory, the Windows 11 operating system and Python 3.10.11. A Python program was written to compare the performance of EUI-64 [9], RFC4941 [5], RFC7217 [6] and the ZBDA algorithm. EUI-64, RFC4941 and the ZBDA algorithm all encode IPv6 addresses from randomly generated MAC addresses; for the RFC7217 algorithm the values are fixed at Prefix=FE80, network_ID="inet", DAD_counter=0 and secret_key=0 (128 bits), and Net_Iface starts at 0 and is increased by 1 on each conversion. The experiment analysed the following 3 aspects:
(1) Functional verification of the method: the experimental program implements the IPv6 address encoding and address decoding functions of the ZBDA method, which verifies that the method is functionally feasible.
(2) Address collision rate analysis: each of the 4 methods continuously generated 10000 IPv6 addresses and not a single IPv6 address conflict occurred, which verifies that all 4 methods have a low address conflict rate.
(3) Address encoding time comparison: the 4 methods each perform IPv6 address encoding for 10, 100, 1000 and 10000 cycles; duplicate address detection is not performed in this test. The experiments record the running time each of the 4 methods needs to generate the different numbers of IPv6 addresses, as shown in fig. 5. The safer and more complex the algorithm, the longer it takes to generate an IPv6 address.
Of these 4 methods, although the ZBDA method has a relatively long running time, the time required to generate 10000 IPv6 addresses is only 95.7403 milliseconds, which is far less than the time required for duplicate address detection, and thus is fully acceptable in practical applications. On the other hand, in the 4 methods, only the ZBDA algorithm can decrypt the MAC address from the IPv6 address, thereby realizing the privacy protection brought by the dynamic IPv6 address and meeting the network access control requirement based on the IP address.
The third embodiment of the application discloses an application method of the IPv6 address dynamic coding method based on ZUC encryption and decryption, which is applied to communication between a plurality of client sites and a server site, where:
the client site comprises a DHCPv6 server, and the DHCPv6 server generates a conflict-free IPv6 address by using the IPv6 address dynamic coding method based on ZUC encryption; the client site sends a data packet with the conflict-free IPv6 address as its source address to the server site;
the server site receives the data packet sent by the client site. The server site comprises an IPv6 address verification server, which obtains the source MAC address by using the IPv6 address dynamic coding method based on ZUC decryption; if the obtained source MAC address is the same as a preset MAC address, the source IPv6 address passes verification.
The server site also comprises a flow cleaning device and an application server. The flow cleaning device establishes a BGP neighbor relationship with the IPv6 address verification server, the IPv6 address verification server notifies the flow cleaning device of the source IPv6 addresses that have passed verification, and the flow cleaning device forwards the traffic of verified source IPv6 addresses directly, through routing, to the application server for processing.
The ZBDA algorithm has practical application value for protecting personal privacy and improving the security of IPv6 networks. Fig. 6 illustrates one application scenario. Site A has a number of IPv6 network terminals that are continuously engaged in work such as crawling website content on the Internet; to avoid detection by websites and to meet other network security application requirements, these terminals need to change their IPv6 addresses constantly. On the other hand, the network terminals of site A also upload the crawling results to the application server of site B, or download feature data from it, but the server in site B is not open to the Internet public and only allows access by specific authorized hosts. In this scenario, site A is the client site and all of its terminals use the ZBDA algorithm for dynamic IPv6 address coding; site B is the server site and uses a conventional fixed IPv6 address.
Site A and site B pre-share a seed key and an initial vector so that they can cooperatively encrypt and decrypt the terminal MAC addresses, and site A reports the MAC addresses of the terminals in its network to site B in advance. After receiving an IPv6 message, site B decrypts the source MAC address. If the source MAC address belongs to an authorized terminal reported in advance, site B processes the request and responds to the authorized terminal; otherwise site B discards the received data packet.
1 dynamic address addressing scheme
Both the network devices and the terminals of site A run the IPv6 neighbor discovery protocol (ND, Neighbor Discovery for IP Version 6) [14]. The network administrator configures certain rules so that the access router periodically sends router advertisement messages (RA, Router Advertisements) to the all-nodes multicast address FF02::1 of the local link [15]. The M flag (Managed address configuration) and the O flag (Other stateful configuration) in the RA message are set, which informs all terminals within the local link to use the stateful address auto-configuration mechanism [16]. Each terminal applies to the DHCPv6 server for a global unicast address. The DHCPv6 server extracts the MAC address from the terminal's DHCP unique identifier (DUID, DHCP Unique Identifier), generates the interface identifier IID with the ZBDA algorithm proposed in the first embodiment of the present application, and combines it with the network prefix to generate an IPv6 unicast address; if duplicate address detection finds an address conflict, the DHCPv6 server regenerates the IPv6 address. The DHCPv6 server can also set appropriate parameters such as the preferred lifetime (Preferred Lifetime) and the valid lifetime (Valid Lifetime) to meet the corresponding service requirements. The DHCPv6 server pushes the generated dynamic IPv6 address, the DNS server and other network parameters to each terminal, so that all terminals in site A obtain a dynamic IPv6 address containing the encrypted MAC address information, and the terminals periodically apply to the DHCPv6 server to replace it with a new IPv6 address.
2 flow detection and identification scheme
Site B deploys a flow cleaning device at its network boundary. The device establishes a BGP neighbor relationship with the IPv6 address verification server, and the IPv6 address verification server announces the source IPv6 addresses that have passed verification to the flow cleaning device through BGP FlowSpec routes [17]. The flow cleaning device converts the BGP FlowSpec routes into flow control policies at the forwarding layer: traffic from verified source IPv6 addresses is forwarded directly, through routing, to the application server for processing, and traffic from source IPv6 addresses that have not been verified is redirected to the IPv6 address verification server.
The IPv6 address verification server verifies the source IPv6 address of the received traffic according to the IPv6 address dynamic coding method based on ZUC decryption. If the source IPv6 address is found to belong to an unauthorized terminal, the illegal traffic is discarded directly. If the access comes from an authorized terminal, the IPv6 address verification server, on the one hand, reinjects the legitimate access traffic into the flow cleaning device, which forwards it through routing to the application server for processing; on the other hand, it announces the verified legitimate IPv6 address to the flow cleaning device through a BGP FlowSpec route, so that the terminal's next access is not redirected to the address verification server but is forwarded directly by the flow cleaning device to the application server, which improves the speed of traffic identification and verification at site B.
3 multi-party communication scheme
Fig. 6 is a simplified application scenario. In practice, site B is a service site that needs to communicate not only with site A but also with multiple other sites. Suppose there is another site C that is a peer of site A, and all terminals of site C also use the ZBDA algorithm to generate dynamic IPv6 addresses. Site C and site B pre-share another set of seed key and initial vector; after receiving traffic, site B distinguishes by network prefix whether the traffic was sent from site A or site C and then decrypts with the corresponding keystore, so that site B can communicate with site A and site C separately. In this case all terminals of site A and site C have dynamic IPv6 addresses, so terminals of the two sites cannot communicate with each other directly by IPv6 address. Communication between sites that both use the ZBDA algorithm to generate dynamic IPv6 addresses can serve as a direction for further research.
In the gradual migration of the Internet from IPv4 to IPv6, the IPv6 address has a length of 128 bits and is divided into a network prefix and an interface identifier, wherein the network prefix is distributed by a telecom operator, and the interface identifier can be manually configured, randomly generated or generated through an EUI-64 format. The research finds that the static IPv6 address manually configured or generated through the EUI-64 format has network security risk of personal privacy disclosure; while the IPv6 addresses generated randomly improve security, they do not meet the application requirements for network access control based on IP addresses in some scenarios. Therefore, the embodiment of the application provides an IPv6 address dynamic coding (ZBDA) method based on ZUC encryption and decryption, which can solve the problems in both aspects. The ZBDA method is based on ZUC encryption and decryption, has high algorithm security and high IPv6 address coding and address verification speed, and has certain practical application value in network and information security systems.
References:
[1] Google. Google IPv6 statistics[EB/OL]. [2023-05-05]. https://www.google.com/intl/en/ipv6/statistics.html.
[2] S. J. Saidi, O. Gasser, G. Smaragdakis. One bad apple can spoil your IPv6 privacy[J]. ACM SIGCOMM Computer Communication Review, Volume 52 Issue 2, April 2022: 10-19.
[3] Dunlop M, Groat S, Marchany R, et al. IPv6: Now You See Me, Now You Don't[C]. The Tenth International Conference on Networks, 2011: 18-23.
[4] Groat S, Dunlop M, Marchany R, et al. The privacy implications of stateless IPv6 addressing[M]. 2010.
[5] T. Narten, R. Draves, S. Krishnan. Privacy extensions for stateless address autoconfiguration in IPv6[S]. RFC 4941, IETF, 2007. https://www.rfc-editor.org/rfc/pdfrfc/rfc4941.txt.pdf
[6] F. Gont. A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)[S]. RFC 7217, IETF, 2014. https://www.rfc-editor.org/rfc/pdfrfc/rfc7217.txt.pdf
[7] Odero S, Dargahi T, Takruri H. Privacy Enhanced Interface Identifiers in IPv6[J]. IEEE, 2020. DOI: 10.1109/CSNDSP49049.2020.9249512.
[8] IPv6 technology[M]. Beijing: Tsinghua University Press, 2010: 12-16.
[9] R. Hinden, S. Deering. IP Version 6 Addressing Architecture[S]. RFC 4291, IETF, 2006. https://www.rfc-editor.org/rfc/pdfrfc/rfc4291.txt.pdf
[10] Organizationally Unique Identifier[EB/OL]. [2023-05-05]. https://standards-oui.ieee.org/oui/oui.txt.
[11] Huo, Guo Qiquan, Magin. Commercial cryptography application and security assessment[M]. Beijing: Electronic Industry Press, 2020: 29-40.
[12] Li Zichen. Principles of commercial cryptographic algorithms and their implementation in C[M]. Beijing: Electronic Industry Press, 2020: 8-27.
[13] Information security technology, ZUC stream cipher algorithm, Part 1: Algorithm description: GB/T 33133.1-2016[S]. Beijing: Standardization Administration of China, 2017: 4-15.
[14] T. Narten, E. Nordmark, W. Simpson, et al. Neighbor Discovery for IP Version 6 (IPv6)[S]. RFC 4861, IETF, 2007. https://www.rfc-editor.org/rfc/pdfrfc/rfc4861.txt.pdf
[15] S. Thomson, T. Narten, T. Jinmei. IPv6 Stateless Address Autoconfiguration[S]. RFC 4862, IETF, 2007. https://www.rfc-editor.org/rfc/pdfrfc/rfc4862.txt.pdf
[16] T. Mrugalski, M. Siodelski, B. Volz, et al. Dynamic Host Configuration Protocol for IPv6 (DHCPv6)[S]. RFC 8415, IETF, 2018. https://www.rfc-editor.org/rfc/pdfrfc/rfc8415.txt.pdf
[17] J. Uttaro, J. Haas, M. Texier, et al. BGP Flow-Spec Redirect to IP Action[S]. IETF draft-ietf-idr-flowspec-redirect-ip, 2015.
In a specific implementation, the application provides a computer storage medium and a corresponding data processing unit. The computer storage medium can store a computer program which, when executed by the data processing unit, can carry out the IPv6 address dynamic coding method based on ZUC encryption and decryption and its application method as set out in the summary of the invention, together with some or all of the steps in each embodiment. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random-access memory (RAM), or the like.
It will be apparent to those skilled in the art that the technical solutions in the embodiments of the present invention may be implemented by means of a computer program and its corresponding general hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied essentially or in the form of a computer program, i.e. a software product, which may be stored in a storage medium, and include several instructions to cause a device (which may be a personal computer, a server, a single-chip microcomputer, MUU or a network device, etc.) including a data processing unit to perform the methods described in the embodiments or some parts of the embodiments of the present invention.
The invention provides an IPv6 address dynamic coding method based on ZUC encryption and decryption and an application method thereof. There are many methods and ways of implementing this technical solution, and the above description is only a specific embodiment of the invention. It should be noted that those skilled in the art can make a number of improvements and modifications without departing from the principle of the invention, and these improvements and modifications are also regarded as falling within the protection scope of the invention. Components not explicitly described in this embodiment can be implemented using the prior art.

Claims (6)

1. An IPv6 address dynamic encoding method based on ZUC encryption, comprising:
generating a key based on a ZUC algorithm, encrypting the MAC address by using the key to obtain an interface identifier, wherein the interface identifier and a network prefix are combined into an IPv6 address;
detecting the repeated address of the IPv6 address to obtain an IPv6 address without conflict;
generating a key based on a ZUC algorithm, wherein when the key is used for encrypting the MAC address, the encryption keys of different terminal interface identifiers in the same local area network are different; the encryption keys of the same terminal are different when applying for the IPv6 address in different periods;
generating a key based on the ZUC algorithm and encrypting the MAC address by using the key to obtain the interface identifier comprises the following steps: initializing the ZUC algorithm based on a preset seed key and an initial vector; after the ZUC algorithm is initialized, a plurality of key pairs are generated, the identifier of each key pair is recorded as its KeyID, the KeyID increases in the order in which the key pairs are generated, the first key of each pair is denoted Key0 and the second Key1, and the interface identifier IID is calculated as shown in formula (1):
wherein H32 represents taking the upper 32 bits, L16 represents taking the lower 16 bits, ⊕ represents a bitwise exclusive OR operation, and || represents the bit string concatenation operator;
formula (1) states that the high 32 bits of the MAC address are XORed bit by bit with Key0 to generate a high 32-bit value; the low 16 bits of the MAC address are concatenated with the low 16 bits of the key identifier KeyID and then XORed bit by bit with Key1 to generate a low 32-bit value; the two results are concatenated to generate a 64-bit value, namely the interface identifier.
2. The ZUC encryption based IPv6 address dynamic encoding method of claim 1 wherein said performing duplicate address detection on said IPv6 address includes: and (3) performing repeated address detection on the IPv6 address, if the IPv6 address conflict exists, adding 1 to the key identification (KeyID) of the key pair, then calculating again according to the formula (1) and generating a new IPv6 address, and performing repeated address detection again until the generated IPv6 address does not conflict.
3. An IPv6 address dynamic encoding method based on ZUC decryption, comprising:
acquiring a source IPv6 address of a data packet;
generating a decryption key library based on a ZUC algorithm;
the source IPv6 address and the secret key in the secret key library are decrypted and tested one by one, if decryption is successful, the source MAC address is obtained, and the decryption secret key library is updated; if all keys in the key library fail to decrypt, directly discarding the data packet;
the generating the decryption keystore based on the ZUC algorithm includes: the number of terminals transmitting data packets is recorded as n, n ≥ 1; the maximum packet loss rate of network transmission is p, 0 ≤ p < 1; the size of the decryption keystore is set as
Initializing the ZUC algorithm based on a preset seed key and an initial vector; after the ZUC algorithm is initialized, K key pairs are generated, the identifier of each key pair is recorded as its KeyID, the KeyID increases in the order in which the key pairs are generated, the first key of each pair is denoted Key0 and the second Key1; the K key pairs form the decryption keystore;
the step of decrypting the source IPv6 address and the secret key in the secret key library one by one comprises the following steps: performing exclusive OR operation on the low 32 bits of the interface identifier IID in the source IPv6 address and Key1 in a first pair of keys in the decryption Key library bit by bit, taking the low 16 bits, if the result is equal to the low 16 bits of the pair of Key identifiers KeyID, indicating that the decryption Key is correct, decrypting according to a formula (2) to obtain a source MAC address, and updating the decryption Key library;
wherein L32 represents the lower 32 bits;
if the exclusive OR operation result is not equal to the low 16 bits of the key identification (KeyID), the key is incorrect, and a matching test of the next pair of keys is performed until a correct key is found; if the correct key is not found by traversing the complete decryption keystore, the data packet is directly discarded.
4. The ZUC decryption based IPv6 address dynamic encoding method in accordance with claim 3 wherein said updating a decryption keystore includes: deleting the successfully decrypted key from the decryption key store; checking a decryption key library and deleting an expiration key; the expiration key comprises a key with a difference value exceeding K+n with a maximum key identification (KeyID); when the decryption keystore is updated, deleting pairs of keys requires generating the same number of new key pairs at the end of the decryption keystore, i.e. keeping the size of the decryption keystore unchanged.
5. An application method of IPv6 address dynamic coding method based on ZUC encryption and decryption is characterized in that the method is applied to the communication between a plurality of client stations and server stations respectively,
the client station comprises a DHCPv6 server, wherein the DHCPv6 server generates an IPv6 address without conflict by using the IPv6 address dynamic coding method based on ZUC encryption according to any one of claims 1-2; the client site sends a data packet taking the IPv6 address without conflict as a source address to a server site;
the server site receives a data packet sent by the client site, the server site comprises an IPv6 address verification server, the IPv6 address verification server obtains a source MAC address by using the IPv6 address dynamic coding method based on ZUC decryption according to any one of claims 3-4, and if the obtained source MAC address is the same as a preset MAC address, the source IPv6 address passes verification.
6. The application method of the ZUC encryption/decryption based IPv6 address dynamic encoding method according to claim 5, wherein said server site further includes a traffic washer and an application server, said traffic washer establishes BGP neighbors with an IPv6 address verification server, the IPv6 address verification server notifies the traffic washer of source IPv6 addresses that have passed verification, and the traffic washer forwards traffic of source IPv6 addresses that have passed verification directly to the application server for processing through routing.
CN202311160685.1A 2023-09-08 2023-09-08 IPv6 address dynamic coding method based on ZUC encryption and decryption and application method Active CN117201005B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311160685.1A CN117201005B (en) 2023-09-08 2023-09-08 IPv6 address dynamic coding method based on ZUC encryption and decryption and application method


Publications (2)

Publication Number Publication Date
CN117201005A (en) 2023-12-08
CN117201005B (en) 2024-03-15


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant