CN118555570A - Safety control access method of APN6 - Google Patents
Publication number: CN118555570A
Application number: CN202410927151.5A
Authority: CN (China)
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Abstract
The application relates to a secure access control method for APN6, which carries application information in the IPv6 extension header so that the network can identify the application and sense its requirements on the network, and can therefore provide precise, differentiated network service to different application services. The application performs secure access control on APN6: it prevents information from being forged between different devices, prevents information from being tampered with on the transmission link, effectively avoids the processing of invalid packets, and improves the efficiency and speed with which a server processes packets.
Description
Technical Field
The application belongs to the technical field of network security, and in particular relates to a secure access control method for APN6.
Background
The design idea of an APN6 network is to use the extensibility of the IPv6 header to carry application information, thereby re-coupling the network and the application information, which sit at different layers of the TCP/IP protocol stack and are normally decoupled from each other. For the network, a device can perceive application information by parsing the extension header; for applications, the application information can be customised. However, because the application information carried by APN6 is in plain text, it may be forged or maliciously tampered with during transmission, which wastes resources when the server receives invalid packets and may compromise the security of the server.
Disclosure of Invention
The invention provides a secure access control method for APN6 that ensures secure transmission of data, so that the server side can recognise normal messages and provide normal service for them.
The technical scheme of the invention is as follows:
The method is realised by combining a public key management system with a serial architecture consisting of a user side, an access edge sensing device, an APN6 network, a transfer-out edge sensing device, an operator server and a database, and specifically comprises the following steps:
First step: the user terminal registers with the public key management system using the application information as its private key; the access edge sensing device, the transfer-out edge sensing device and the operator server register with the public key management system using their business capability codes to generate private keys. The application information consists of application identification information and application demand information; the application demand information is network quality information comprising the network bandwidth requested by the application, the maximum acceptable network delay, the maximum acceptable jitter and the maximum acceptable packet loss rate;
Second step: the user side sends the application information to the access edge sensing device, which checks whether the received message carries application information. If it does, the check passes and the application information is forwarded directly to the operator server through the transfer-out edge sensing device. If it does not, the five-tuple is encapsulated and forwarded to the operator server through the transfer-out edge sensing device; the operator server looks up the database to decide whether the user is legitimate, and if so returns a response allowing the user side to continue accessing; if not, the check fails;
Third step: the access edge sensing device and the transfer-out edge sensing device send their public keys to the operator server, which compares each received public key with the data held in the database. If they are consistent, the shared key is returned to the access edge sensing device and the transfer-out edge sensing device; if not, a failure is returned;
Fourth step: the user terminal generates a digest of the application information for the APN6 network and produces an authentication code by signing it with the shared key;
Fifth step: the user side sends the message to the access edge sensing device, which uses the shared key to decrypt it and verify whether it is a legitimate APN6 message. If so, the next step is executed; if not, the backup information of the user terminal is encapsulated into a message and re-encrypted, network quality information matching the application is selected, and the message is forwarded through the APN6 network to the edge sensing device;
Sixth step: on receiving the message, the edge sensing device checks whether the user side's application information in the message passes verification; if so, the application information is forwarded to the operator server; if not, it is discarded.
Further, the application identification information comprises an App ID, a User ID and a Session ID, and uniquely identifies the user's service.
Further, in the first step, after the public key management system receives the registration information, it checks the validity of the information, updates its database system, and adds a new entry to the correspondence table between public keys and private keys.
By adopting this technical scheme, the application has the following beneficial effects:
the application performs secure access control on APN6 in the third and fifth steps; it prevents information from being forged between different devices, prevents information from being tampered with on the transmission link, effectively avoids the processing of invalid packets, and improves the efficiency and speed with which a server processes packets.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a system architecture diagram of the present application;
FIG. 2 is a process diagram of the present application in the standby phase;
FIG. 3 is a process diagram of the present application during the authentication phase.
Detailed Description
Referring to FIG. 1 to FIG. 3, the application provides a secure access control method for APN6, realised by combining a serial architecture consisting of a user side, an access edge sensing device, an APN6 network, a transfer-out edge sensing device, an operator server and a database with a public key management system.
The application information of APN6 is divided into two parts. One part is application identification information, comprising an App ID, a User ID and a Session ID, which uniquely identifies the user's service. The other part is application demand information, namely network quality information comprising the network bandwidth requested by the application, the maximum acceptable network delay, the maximum acceptable jitter and the maximum acceptable packet loss rate.
The method specifically comprises the following steps:
First step: the user terminal registers with the public key management system using the application information as its private key; the access edge sensing device, the transfer-out edge sensing device and the operator server register with the public key management system using their business capability codes to generate private keys.
In the first step, after the public key management system receives the registration information, it checks the validity of the information, updates its database system, and adds a new entry to the correspondence table between public keys and private keys.
Second step: the user side sends the application information to the access edge sensing device, which checks whether the received message carries application information. If it does, the check passes and the application information is forwarded directly to the operator server through the transfer-out edge sensing device. If it does not, the five-tuple is encapsulated and forwarded to the operator server through the transfer-out edge sensing device; the operator server looks up the database to decide whether the user is legitimate, and if so returns a response allowing the user side to continue accessing; if not, the check fails.
Third step: the access edge sensing device and the transfer-out edge sensing device send their public keys to the operator server, which compares each received public key with the data held in the database. If they are consistent, the shared key is returned to the access edge sensing device and the transfer-out edge sensing device; if not, a failure is returned.
In the third step, the returned shared key is used to decrypt the messages sent and received in the subsequent steps. As those skilled in the art will appreciate, a public key and a private key form a key pair produced by an algorithm: one of them is disclosed externally and is called the public key, and the other is kept by its owner and is called the private key.
Fourth step: the user terminal generates a digest of the application information for the APN6 network and produces an authentication code by signing it with the shared key.
Fifth step: the user side sends the message to the access edge sensing device, which uses the shared key to decrypt it and verify whether it is a legitimate APN6 message. If so, the next step is executed; if not, the backup information of the user terminal is encapsulated into a message and re-encrypted, network quality information matching the application is selected, and the message is forwarded through the APN6 network to the edge sensing device.
Sixth step: on receiving the message, the edge sensing device checks whether the user side's application information in the message passes verification. If so, the application information is forwarded to the operator server and the operator serves it normally; if not, it is discarded and the operator provides no service.
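The digest-and-authentication-code mechanism of the fourth to sixth steps, together with the shared-key issuance of the third step, as an added worked example in Python (this is not code from the patent or its applicant). It assumes details the patent does not specify: the application information is serialised as canonical JSON, the digest is SHA-256, the authentication code is HMAC-SHA256 over that digest under the shared key, the same shared key is held by the user side and the edge device, and the operator server returns the shared key only when the public key a device presents matches the one registered in its database. All device names, IDs, keys and network quality values are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets


class OperatorServer:
    """Operator server with its public-key database (steps 1 and 3).

    Assumption: the shared key is a server-held random value handed out only
    to devices whose presented public key matches the registered one.
    """

    def __init__(self):
        self._public_keys = {}                      # device name -> registered public key
        self._shared_key = secrets.token_bytes(32)  # constructed; issued in step 3

    def register(self, device, public_key):
        """Step 1: store the public key a device registers (validity checks elided)."""
        self._public_keys[device] = public_key

    def issue_shared_key(self, device, presented_public_key):
        """Step 3: compare the presented public key with the database entry.

        Returns the shared key on a match and None on failure. compare_digest
        keeps the comparison constant-time, so timing does not reveal where
        a presented key first differs from the stored one.
        """
        expected = self._public_keys.get(device)
        if expected is None or not hmac.compare_digest(expected, presented_public_key):
            return None
        return self._shared_key


def application_info(app_id, user_id, session_id,
                     bandwidth_mbps, max_delay_ms, max_jitter_ms, max_loss_pct):
    """APN6 application information: identification part plus demand part."""
    return {
        "identification": {"app_id": app_id, "user_id": user_id, "session_id": session_id},
        "demand": {"bandwidth_mbps": bandwidth_mbps, "max_delay_ms": max_delay_ms,
                   "max_jitter_ms": max_jitter_ms, "max_loss_pct": max_loss_pct},
    }


def canonical_bytes(info):
    """Canonical JSON so the user side and the edge device hash identical bytes."""
    return json.dumps(info, sort_keys=True, separators=(",", ":")).encode("utf-8")


def digest(info):
    """Step 4, first half: SHA-256 digest of the application information."""
    return hashlib.sha256(canonical_bytes(info)).digest()


def authentication_code(info, shared_key):
    """Step 4, second half: HMAC-SHA256 of the digest under the shared key."""
    return hmac.new(shared_key, digest(info), hashlib.sha256).digest()


def build_message(info, shared_key):
    """Step 5, user side: the application information plus its authentication code."""
    return {"apn6": info, "auth": authentication_code(info, shared_key).hex()}


def verify_message(message, shared_key):
    """Steps 5/6, edge device: recompute the code and compare in constant time.

    A missing or malformed field counts as an invalid message, so the packet is
    dropped instead of raising an exception inside the forwarding path.
    """
    try:
        expected = authentication_code(message["apn6"], shared_key)
        received = bytes.fromhex(message["auth"])
    except (KeyError, TypeError, ValueError):
        return False
    return hmac.compare_digest(expected, received)


def edge_decision(message, shared_key):
    """Step 6: forward a verified message to the operator server, discard the rest."""
    return "forward" if verify_message(message, shared_key) else "discard"


if __name__ == "__main__":
    server = OperatorServer()
    edge_pk = b"constructed-access-edge-public-key"
    server.register("access-edge", edge_pk)
    key = server.issue_shared_key("access-edge", edge_pk)
    assert server.issue_shared_key("access-edge", b"forged-public-key") is None

    info = application_info("video-conf", "user-42", "sess-7", 50, 30, 5, 0.1)
    msg = build_message(info, key)
    print("genuine:", edge_decision(msg, key))        # forward

    # A packet whose bandwidth demand was raised in transit fails verification.
    tampered = {"apn6": application_info("video-conf", "user-42", "sess-7", 500, 30, 5, 0.1),
                "auth": msg["auth"]}
    print("tampered:", edge_decision(tampered, key))  # discard
```

The HMAC binds the whole application information (identification and demand parts) to the shared key, so a packet with a forged App ID or an inflated bandwidth demand is discarded at the edge before it reaches the operator server, which is the invalid-packet filtering the patent claims. Note that a MAC over static application information does not by itself distinguish a fresh packet from a replayed copy of a valid one; a deployment would bind a sequence number or timestamp into the digest if that matters.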
The application improves the transmission security of APN6 and releases only information that passes authentication; it blocks invalid data and discards packets that fail authentication. It is also highly extensible: APN6 uses the IPv6 extension header, and the application information it carries can be modified as required.
The application can be realized by adopting or referring to the prior art at the places which are not described in the application.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.
Claims (3)
1. A secure access control method for APN6, characterised in that the method is realised by combining a public key management system with a serial architecture consisting of a user side, an access edge sensing device, an APN6 network, a transfer-out edge sensing device, an operator server and a database, and specifically comprises the following steps:
First step: the user terminal registers with the public key management system using the application information as its private key; the access edge sensing device, the transfer-out edge sensing device and the operator server register with the public key management system using their business capability codes to generate private keys. The application information consists of application identification information and application demand information; the application demand information is network quality information comprising the network bandwidth requested by the application, the maximum acceptable network delay, the maximum acceptable jitter and the maximum acceptable packet loss rate;
Second step: the user side sends the application information to the access edge sensing device, which checks whether the received message carries application information. If it does, the check passes and the application information is forwarded directly to the operator server through the transfer-out edge sensing device. If it does not, the five-tuple is encapsulated and forwarded to the operator server through the transfer-out edge sensing device; the operator server looks up the database to decide whether the user is legitimate, and if so returns a response allowing the user side to continue accessing; if not, the check fails;
Third step: the access edge sensing device and the transfer-out edge sensing device send their public keys to the operator server, which compares each received public key with the data held in the database. If they are consistent, the shared key is returned to the access edge sensing device and the transfer-out edge sensing device; if not, a failure is returned;
Fourth step: the user terminal generates a digest of the application information for the APN6 network and produces an authentication code by signing it with the shared key;
Fifth step: the user side sends the message to the access edge sensing device, which uses the shared key to decrypt it and verify whether it is a legitimate APN6 message. If so, the next step is executed; if not, the backup information of the user terminal is encapsulated into a message and re-encrypted, network quality information matching the application is selected, and the message is forwarded through the APN6 network to the edge sensing device;
Sixth step: on receiving the message, the edge sensing device checks whether the user side's application information in the message passes verification; if so, the application information is forwarded to the operator server; if not, it is discarded.
2. The secure access control method for APN6 of claim 1, wherein
the application identification information comprises an App ID, a User ID and a Session ID, and uniquely identifies the user's service.
3. The secure access control method for APN6 of claim 1, wherein
in the first step, after the public key management system receives the registration information, it checks the validity of the information, updates its database system, and adds a new entry to the correspondence table between public keys and private keys.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410927151.5A CN118555570A (en) | 2024-07-11 | 2024-07-11 | Safety control access method of APN6 |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118555570A true CN118555570A (en) | 2024-08-27 |
Family
ID=92444323
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410927151.5A Pending CN118555570A (en) | 2024-07-11 | 2024-07-11 | Safety control access method of APN6 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118555570A (en) |
Timeline: 2024-07-11 CN CN202410927151.5A patent/CN118555570A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |