CN1764200B - Network safety access control architecture and realizing method - Google Patents


Info

Publication number: CN1764200B
Authority: CN (China)
Prior art keywords: data, node, segment, sign, network
Legal status: Expired - Fee Related
Application number: CN200510104358A
Other languages: Chinese (zh)
Other versions: CN1764200A (en)
Inventor: 武蒙
Current Assignee: Individual
Original Assignee: Individual

Abstract

The invention provides a network security access control system architecture in which each sending and receiving node is composed of an upper adapter, a lower adapter, a data processor and an encryption/decryption device. The sending node processes data packed by the network layer and places it in the transmit queue of the data link layer; the receiving node receives and processes data from the data link layer and delivers it to the network layer; data security and access rights are controlled by means of the node identifier and the system time. Based on cryptographic computation, the invention encrypts packets so that terminals of different groups are invisible to one another, an internal mechanism means that users need not enter a user name and password, and a security guarantee is provided for communication between terminals.

Description

A network security access control architecture and implementation method
1. Technical field
The present invention relates to computer application technology, and specifically to a network security access control architecture and implementation method.
2. Background
Existing network technologies are usually concerned, on the security side, only with encrypting information at the transport layer and above. In practice, however, many servers and nodes still suffer from various attacks, for example: implanted Trojan programs that steal important user names and passwords; cracking of the server administrator's password to break into the server; and various network-layer deceptions, such as TCP pseudo-connections based on ARP spoofing, denial of service (DoS), and so on. Because of the uniqueness of the 'node identifier' explained in the present invention, a user of the invention can log in automatically at the server without entering a user name and password. The invention thereby provides safety, can effectively prevent most hacker behaviour, and provides a security guarantee for e-commerce, company intranets and other network information fields that require high security.
3. Summary of the invention
The purpose of the invention is to provide a network security access control architecture and implementation method.
The invention can be described simply as follows: a transparent filter is added between the network layer and the data link layer, so that non-secure data (hacker behaviour is also carried as data) is isolated below the network layer and non-secure nodes cannot exchange data with this node. To nodes that do not implement the invention, a node of the invention appears as a black hole: it physically exists but cannot be perceived, and the data it exchanges cannot be understood. In this way each node is protected from the network layer upwards, which greatly improves the security level of the network at low cost.
The purpose of the invention is achieved as follows: an upper adapter, a lower adapter, a data processor and an encryption/decryption device are provided in each sending and receiving node. On the sending node, data packed by the network layer passes in turn through the upper adapter, the data processor, the encryption/decryption device and the lower adapter, and is then placed in the data link layer transmit queue and sent to the receiving node. On the receiving node, data received at the link layer passes in turn through the lower adapter, the encryption/decryption device, the data processor and the upper adapter, and is then delivered to the network layer. Data security and access rights are controlled by means of the node identifier and the system time. A server in the network is responsible for issuing node identifiers and the system time, and maintains the 'node identifier-MAC-IP table'.
The task of the upper adapter is as follows. When sending data, it splits the network-layer data into several segments and prefixes each segment with a unique identifier. The identifier of a segment comprises: the sequence number of the network-layer packet, the number of segments the packet was split into, the position of the segment, and the length of the segment. From the identified segments, several are chosen at random and combined into one new block of data, which is passed to the data processor. When receiving data, after the data processor has split out the identified segments, the upper adapter uses the identifier preceding each segment to restore the original packet that the network layer can recognise, and delivers it to the network layer.
When the data processor sends data, it adds a header to the data passed from the upper adapter. The header comprises the destination node identifier, the sending node identifier, the system time identifier at which this segment of data was formed, a random disturbance value, and the length identifier of the data segment; the parity value of the data segment is appended after the data. The destination node identifier is determined from the correspondence recorded in the 'node identifier-MAC-IP table'.
When receiving data, the data processor separates, from the data decrypted by the 'encryption/decryption device', the destination node identifier, the sending node identifier, the system time identifier at which the segment was formed, the length identifier of the data segment and the parity code of the data segment, and then verifies: whether the destination node identifier is this node; whether the sending node identifier is a known node; whether the system time format is correct; whether the system time of the received data lies within the agreed validity period; whether the destination and sending nodes of the received data are correct according to the correspondence recorded in the 'node identifier-MAC-IP table'; and whether the parity value of the data segment is correct.
The task of the encryption/decryption device is: when sending data, to encrypt the data assembled by the 'data processor' and pass it to the lower adapter; when receiving data, to decrypt the data processed by the 'lower adapter' and pass it to the data processor. The key used for encryption and decryption is generated and issued by the server in the network from elements such as the node identifier and the server's MAC and IP; the algorithm used for encryption and decryption is likewise generated and issued by the server in the network.
The task of the lower adapter is: when sending data, to add a header compatible with existing systems in front of the data encrypted by the 'encryption/decryption device' and to append the parity value of the data after it; when receiving data, to check the parity value of the data, remove the header information appended to the data, and pass the data to the encryption/decryption device. The header mainly comprises: the network-layer addresses of the sending and receiving nodes, an upper-layer protocol identifier, and a security domain label used to distinguish the network to which the node belongs.
The node identifier is the unique identifier of the node within this network; it is distinct from both the node's MAC address and its network-layer address. It is issued by the server of this network and is associated with the node's MAC address and network-layer address. The server is responsible for maintaining the table relating node identifiers to node MAC addresses and network-layer addresses, i.e. the 'node identifier-MAC-IP table'. When a node receives data from an unknown node in the network, it requests this table in order to verify the reliability of the data source; the data processor also sends a request to the server at regular intervals to obtain the latest mapping in the 'node identifier-MAC-IP table'.
The system time is data used to identify the time of the whole network. Nodes that share the same cryptographic algorithm have only one system time. The system time is sent in encrypted form by the server node.
The architecture and method of the invention are based on cryptographic computation: by encrypting packets at the network layer, terminal nodes of different groups become invisible to one another, and an internal mechanism means that users need not enter a user name and password when using the system, which provides a security guarantee for communication between all terminals in the network.
4. Description of drawings
Figure 1 is a schematic diagram of the structure of a data sending node;
Figure 2 is a schematic diagram of the structure of a data receiving node;
Figure 3 is a schematic diagram of the security protection between a sending node and a receiving node;
Figure 4 is a schematic diagram of data processing at a node;
Figure 5 is a schematic diagram of the data segment frame structure formed after the upper adapter;
Figure 6 is a schematic diagram of the data segment frame structure after processing by the data processor.
In Figure 5, P_Num is the serial number of the original packet; P_Count is the number of pieces into which the original packet is decomposed; PartNum is the sequence number of the data segment; Len is the length of the data segment after decomposition.
5. Embodiment
The network system security access control method of the invention is explained below with reference to the drawings.
First, node A and node B each register with the server and obtain their own node identifier, encryption key and algorithm, the security domain label of the network they belong to, and other necessary data. When a group of network data Data, independent of any upper-layer protocol, is sent from node A to node B, Data first passes through the layers above the network layer of node A and forms a block of network-layer data called a packet. The packet is then passed to the 'upper adapter' of node A described in the invention, which decomposes Data into several segments. A label composed of the packet number, the number of pieces the packet was decomposed into, the position of the segment in the original packet, the segment length and similar information is attached to the front of each small data segment. In this way the problem of overlong frames caused by the added data is avoided, the same upper-layer data Data yields different output each time it is processed, and it becomes harder to derive the key and algorithm by analysing regular patterns in the data.
The small data segments are then passed to the 'data processor' of node A described in the invention, which pieces data segments together at random into new data and adds a header and a checksum. The header comprises: the identifier of the destination node, the identifier of the sending node, the system time at which this segment of data was formed, a scrambling value generated on the fly, the length of the data segment, and so on. The destination node identifier identifies the destination node of the data; although IP and MAC addresses already exist as addresses, they cannot guarantee uniqueness, so this field is added. The sending node identifier is the source node identifier, which the receiving node uses to judge whether the source is safe. The system time at which the segment was formed marks a unified time within the network; it is in fact a string that increases at regular intervals, and it ensures that data is neither forged nor received more than once. The length is the length of the payload data. The checksum is the parity value of the payload data.
Next, the 'encryption/decryption device' of node A described in the invention performs encryption. The key used for encryption is generated by the server from the node identifier and other individual information of the node, and is distributed to each node when it registers with the server; the algorithm used for encryption is likewise generated by the server according to the actual conditions of the network and distributed to each node at registration. A network may contain several security domains, distinguished by different keys and algorithms. Different security domains in the same network may use the same IP addresses. The key length and algorithm complexity can be adjusted to suit the critical data of the upper layer: for example, if the upper layer mainly carries important data of modest volume, the key can be long and the algorithm complex; if the upper layer carries VOD or real-time audio and video, the key length can be shortened and the algorithm complexity reduced in order to limit delay.
The encrypted data is then processed by the 'lower adapter' of node A described in the invention so that it looks like ordinary data coming down from the upper layer. This requires adding a header: the network-layer addresses of the destination and sending nodes, the upper-layer protocol type, the security domain label and so on; a check value computed over the payload is appended at the tail of the data. The security domain label identifies each network that uses its own cryptographic algorithm, and data can still be exchanged between networks using different cryptographic algorithms. For example, if the network labelled a uses key key1 and algorithm M1, and the network labelled b uses key key2 and algorithm M2, a router in the network can decrypt data from network a with the key and algorithm of network label a and re-encrypt it with the key and algorithm of network b, thereby forwarding data from network a to network b. The processed data is handed to the data link layer and sent as normal data.
Node B receives the data. First, the 'lower adapter' of node B receives the data from the data link layer and checks whether the upper-layer protocol field in the header is the mark of the network described in the invention; if not, the data is discarded. It then checks whether the check value is correct, which proves that the data was not modified in transit; if not, the data is discarded.
Data that passes the check of the 'lower adapter' has its header and tail removed and is decrypted by the 'encryption/decryption device' of node B. Because node B belongs to the same security domain as node A, its key and algorithm are the same as those of node A.
The decrypted data is checked by the 'data processor' of node B. The time field is checked first: if the data does not decrypt to normal characters, if the time representation does not follow the agreement, or if the time is too early or has expired, the data is discarded. It then checks whether the destination node identifier is this node; if not, the data is discarded. It checks whether the source node identifier corresponds to the MAC and IP of the source node; if not, it sends a request to the server for the latest 'node identifier-MAC-IP' mapping table, and if the identifier is still not correct, the data is discarded. Finally it checks the check value of the data; if it is not correct, the data is discarded.
Data that passes these checks is basically safe. The 'upper adapter' of node B splits it into several small data segments and, according to the sequence number and the packet membership identified in the label information, reassembles these segments in order into the original data; once all the data belonging to a packet has been received, the packet is passed to the upper layer (the network layer).
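As an added worked example (not code from the patent), the following Python models the framing and the receiving-side checks described in the embodiment above: the upper adapter's segment label (P_Num, P_Count, PartNum, Len), the data processor's header and parity value, the checks on destination, sender, system time and parity, and reassembly at node B. The field widths, the single XOR parity byte, the time validity window and the node table are assumptions; the encryption/decryption device and the lower adapter are omitted.

```python
import random
import struct

# Constructed sample of the server-issued 'node identifier-MAC-IP table' (values made up).
NODE_TABLE = {
    0x0A01: ("00:11:22:33:44:01", "10.0.0.1"),   # node A
    0x0B02: ("00:11:22:33:44:02", "10.0.0.2"),   # node B
}
TIME_WINDOW = 5  # assumed validity period in system-time ticks; the patent leaves it to agreement

# Segment label from Fig. 5: P_Num, P_Count, PartNum, Len (assumed 16-bit each, big-endian).
LABEL = struct.Struct("!HHHH")
# Data-processor header: destination id, sending id, system time, random disturbance value, length.
HEADER = struct.Struct("!HHIIH")

def parity(data: bytes) -> int:
    """Parity value of a payload, assumed here to be a single XOR byte."""
    p = 0
    for b in data:
        p ^= b
    return p

def split_packet(p_num: int, packet: bytes, seg_len: int) -> list:
    """Upper adapter, sending side: split one network-layer packet and label each piece."""
    pieces = [packet[i:i + seg_len] for i in range(0, len(packet), seg_len)] or [b""]
    return [LABEL.pack(p_num, len(pieces), idx, len(piece)) + piece
            for idx, piece in enumerate(pieces)]

def build_frame(dst: int, src: int, sys_time: int, rnd: int, segment: bytes) -> bytes:
    """Data processor, sending side: prepend the header, append the parity value."""
    return HEADER.pack(dst, src, sys_time, rnd, len(segment)) + segment + bytes([parity(segment)])

def verify_frame(frame: bytes, my_id: int, now: int, table=NODE_TABLE):
    """Data processor, receiving side: the checks from the description, in order.
    Returns (segment, 'ok') or (None, reason for discarding)."""
    if len(frame) < HEADER.size + 1:
        return None, "short frame"
    dst, src, sys_time, _rnd, length = HEADER.unpack_from(frame)
    segment, par = frame[HEADER.size:-1], frame[-1]
    if dst != my_id:
        return None, "destination is not this node"
    if src not in table:                              # sender must be a known node
        return None, "sending node unknown"
    if not (now - TIME_WINDOW <= sys_time <= now):    # too early, or already expired
        return None, "system time outside agreed validity period"
    if length != len(segment):
        return None, "length mismatch"
    if parity(segment) != par:                        # modified in transit
        return None, "parity mismatch"
    return segment, "ok"

def reassemble(segments: list) -> dict:
    """Upper adapter, receiving side: order pieces by PartNum; return complete packets by P_Num."""
    buckets = {}
    for seg in segments:
        p_num, p_count, part, length = LABEL.unpack_from(seg)
        bucket = buckets.setdefault(p_num, {"count": p_count, "parts": {}})
        bucket["parts"][part] = seg[LABEL.size:LABEL.size + length]
    return {p: b"".join(b["parts"][i] for i in range(b["count"]))
            for p, b in buckets.items() if len(b["parts"]) == b["count"]}

def demo():
    """Node A sends one packet to node B; segments go out in random order, plus two bad frames."""
    packet = b"payload from A to B, independent of the upper-layer protocol"
    segs = split_packet(7, packet, 16)
    random.Random(1).shuffle(segs)                    # data processor combines segments at random
    frames = [build_frame(0x0B02, 0x0A01, 1000 + i, 0xC0FFEE, s) for i, s in enumerate(segs)]
    tampered = bytearray(build_frame(0x0B02, 0x0A01, 1003, 1, b"spoofed"))
    tampered[HEADER.size] ^= 0xFF                     # first payload byte altered in transit
    frames.append(bytes(tampered))
    frames.append(build_frame(0x0B02, 0x0A01, 900, 1, b"old"))   # replayed frame with a stale time
    reasons, accepted = [], []
    for f in frames:
        seg, why = verify_frame(f, my_id=0x0B02, now=1004)
        reasons.append(why)
        if seg is not None:
            accepted.append(seg)
    return reassemble(accepted).get(7, b""), reasons
```

Calling demo() returns the reassembled packet together with the per-frame verdicts, showing the four genuine segments accepted and the tampered and replayed frames discarded.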

Claims (4)

1. A secure access control method, characterised in that an upper adapter, a lower adapter, a data processor and an encryption/decryption device are provided in each sending and receiving node; on the sending node, data packed by the network layer passes in turn through the upper adapter, the data processor, the encryption/decryption device and the lower adapter, and is then placed in the data link layer transmit queue and sent to the receiving node; on the receiving node, data received at the link layer passes in turn through the lower adapter, the encryption/decryption device, the data processor and the upper adapter, and is then delivered to the network layer; data security and access rights are controlled by means of the node identifier and the system time; a server in the network is responsible for issuing node identifiers and the system time and maintains the 'node identifier-MAC-IP table'; wherein the task of the upper adapter is: when sending data, to split the network-layer data into several segments and prefix each segment with a unique identifier, the identifier of a segment comprising the sequence number of the network-layer packet, the number of segments the packet was split into, the position of the segment and the length of the segment, and to choose several of the identified segments at random, combine them into one new block of data and pass it to the data processor;
when receiving data, after the data processor has split out the identified segments, the upper adapter uses the identifier preceding each segment to restore the original packet recognised by the network layer, and then delivers it to the network layer;
when the data processor sends data, it adds a header to the data passed from the upper adapter, comprising the destination node identifier, the sending node identifier, the system time identifier at which this segment of data was formed, a random disturbance value and the length identifier of the data segment, and appends the parity value of the data segment after the data, the destination node identifier being determined from the correspondence in the 'node identifier-MAC-IP table';
when receiving data, the data processor separates, from the data decrypted by the encryption/decryption device, the destination node identifier, the sending node identifier, the system time identifier at which the segment was formed, the length identifier of the data segment and the parity code of the data segment, and verifies whether the destination node identifier is this node, whether the sending node identifier is a known node, whether the system time format is correct, whether the system time of the received data lies within the agreed validity period, whether the destination and sending nodes of the received data are correct according to the correspondence recorded in the 'node identifier-MAC-IP table', and whether the parity value of the data segment is correct;
the task of the lower adapter is: when sending data, to add a header compatible with existing systems in front of the data encrypted by the encryption/decryption device and to append the parity value of the data after it; when receiving data, to check the parity value of the data, remove the header information appended to the data, and pass the data to the encryption/decryption device; wherein
the header mainly comprises: the network-layer addresses of the sending and receiving nodes, an upper-layer protocol identifier, and a security domain label used to distinguish the network to which the node belongs.
2. The secure access control method according to claim 1, characterised in that the task of the encryption/decryption device is: when sending data, to encrypt the data assembled by the data processor and pass it to the lower adapter; when receiving data, to decrypt the data processed by the lower adapter and pass it to the data processor; the key used for encryption and decryption is generated and issued by the server in the network from the node identifier and the server's MAC and IP; the algorithm used for encryption and decryption is generated and issued by the server in the network.
3. The secure access control method according to claim 1, characterised in that the node identifier is the unique identifier of the node within this network and is distinct from both the node's MAC address and its network-layer address; the identifier is issued by the server of this network and is associated with the node's MAC address and network-layer address; the server is responsible for maintaining the table relating node identifiers to node MAC addresses and network-layer addresses, i.e. the 'node identifier-MAC-IP table'; when a node receives data from an unknown node in the network, it requests this table in order to verify the reliability of the data source, and the data processor sends a request to the server at regular intervals to obtain the latest mapping in the 'node identifier-MAC-IP table'.
4. The secure access control method according to claim 1, characterised in that the system time is data used to identify the time of the whole network; nodes that share the same cryptographic algorithm have only one system time; and the system time is sent in encrypted form by the server node.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200510104358A CN1764200B (en) 2005-10-27 2005-10-27 Network safety access control architecture and realizing method


Publications (2)

Publication Number Publication Date
CN1764200A CN1764200A (en) 2006-04-26
CN1764200B true CN1764200B (en) 2010-05-05

Family

ID=36748135



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100505

Termination date: 20101027