KR101591306B1 - Method and apparatus for communication using virtual MAC address - Google Patents
- Publication number
- KR101591306B1
- Authority
- KR
- South Korea
- Prior art keywords
- node
- mac address
- virtual mac
- shared key
- communication
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
- H04L61/20—
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
- H04L9/3013—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the discrete logarithm problem, e.g. ElGamal or Diffie-Hellman systems
Abstract
Description
The present invention relates to a communication method and apparatus using a virtual MAC address, and more particularly to a communication method and apparatus that perform communication by allocating a virtual MAC address to each of the two communicating nodes.
As communication services have become widespread in recent years, problems such as leakage of personal information through hacking, network failures, and financial incidents have become common.
There are many kinds of hacking methods; ARP (Address Resolution Protocol) spoofing, Denial-of-Service (DoS), and Distributed Denial-of-Service (DDoS) are examples of major attack techniques against networks. For example, ARP spoofing manipulates the ARP cache table of a switch or other network device by forging the MAC address of the attack target, so that traffic between nodes is detoured through a third node such as the attacker's computer, and predetermined information is obtained from the detoured traffic. Through ARP spoofing and similar techniques, the attacker can acquire information such as the passwords of the attack target, cause the target computer to malfunction, or disable the target.
As a conventional technique for preventing ARP spoofing, the ARP table of equipment on the same local network is scanned; if several IP addresses are repeatedly found with the same MAC address, an ARP spoofing attack is presumed, and it is blocked after confirming that an executable file containing malicious code is running on the suspect device. However, since malicious code constantly changes and evolves, such countermeasures are only temporary measures and cannot be a fundamental solution.
Besides ARP spoofing, there are various hacking techniques that use the MAC address of the attack target. A more fundamental scheme against hacking that uses the MAC address is therefore required, but no adequate solution has yet been proposed.
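The conventional countermeasure described above (scan the local ARP table and treat a MAC address that keeps turning up with several IP addresses as a sign of spoofing) can be run as a simple detection check. The following Python is an added example written for this page, not code from the patent: the neighbour-table lines are constructed in the style of `ip neigh show` output with made-up addresses, and the parser, threshold and function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed neighbour-table snapshot in the style of `ip neigh show` output
# (example addresses, not real hosts).  Three IPs resolve to the same MAC.
SAMPLE_NEIGH_TABLE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:99 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
192.168.1.40 dev eth0 lladdr 00:11:22:33:44:99 REACHABLE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:99 DELAY
192.168.1.60 dev eth0 FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-f:]{17})\s+(?P<state>\S+)$",
    re.IGNORECASE)


def parse_neigh_table(text):
    """Return (ip, mac, dev, state) for each entry that carries a link-layer
    address; FAILED/INCOMPLETE entries have no MAC and are skipped."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["dev"], m["state"].upper()))
    return entries


def find_shared_macs(entries, threshold=2):
    """MAC addresses seen with at least `threshold` distinct IPs in one snapshot."""
    by_mac = defaultdict(set)
    for ip, mac, _dev, _state in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) >= threshold}


def repeated_shared_macs(snapshots, threshold=2, min_hits=2):
    """The page's heuristic proper: alert only when the same MAC keeps showing up
    with several IPs across consecutive scans, so one transient duplicate is ignored."""
    hits = defaultdict(int)
    for text in snapshots:
        for mac in find_shared_macs(parse_neigh_table(text), threshold):
            hits[mac] += 1
    return sorted(mac for mac, n in hits.items() if n >= min_hits)
```

A MAC that legitimately serves several IP addresses (a router answering for more than one address, a host with secondary addresses) trips the same check, which is why the page treats a hit as a trigger for further inspection of the suspect device rather than as a verdict.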
SUMMARY OF THE INVENTION
It is an object of the present invention to provide a communication method and apparatus capable of preventing an attacker from hacking the communication of an attack target using the MAC address of that target.
According to an aspect of the present invention,
A method of communication between a first node and a second node in a communication network comprises: generating a predetermined shared key shared between the first node and the second node; generating a first virtual MAC address for the first node using a first portion of the shared key; generating a second virtual MAC address for the second node using a second portion of the shared key; and performing communication between the first node and the second node using the first virtual MAC address and the second virtual MAC address.
The method may further include generating an encryption key using a third portion of the shared key, and encrypting communication data between the first node and the second node using the encryption key.
The method may further include decrypting communication data between the first node and the second node using the encryption key.
Generating the shared key may include exchanging a first public code of the first node and a second public code of the second node with each other, and generating the shared key from the first public code and the second public code at the first node and the second node.
Here, the first node and the second node may exchange the first public code and the second public code with each other using a Diffie-Hellman key exchange scheme, and generate the shared key using the first public code and the second public code.
According to another aspect of the present invention,
A communication device communicating with a second node in a communication network comprises: a shared key generation unit that generates a shared key shared with the second node; a virtual MAC address generation unit that generates a first virtual MAC address for the communication device using a first portion of the shared key and a second virtual MAC address for the second node using a second portion of the shared key; and a communication unit that communicates with the second node using the first virtual MAC address and the second virtual MAC address.
The communication device may further include an encryption key generation unit that generates an encryption key using a third portion of the shared key, and a data encryption unit that encrypts communication data to be transmitted to the second node using the encryption key.
The communication device may further include a data decoding unit that decodes the communication data received from the second node using the encryption key.
The shared key generation unit may exchange the first public code of the communication device and the second public code of the second node with each other, and then generate the shared key using the first public code and the second public code.
The shared key generation unit may exchange the first public code and the second public code with the second node using a Diffie-Hellman key exchange scheme, and generate the shared key using the first public code and the second public code.
According to an embodiment of the present invention, after a predetermined shared key is generated by exchanging public codes between both nodes of a communication network, parts of the shared key are allocated as the virtual MAC addresses of the two nodes. This provides a communication method and apparatus using virtual MAC addresses that can prevent an attacker from hacking the communication of an attack target using the MAC address of that target.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a configuration diagram of a communication system according to an embodiment of the present invention.
FIG. 2 is a flowchart of a communication method according to an embodiment of the present invention.
FIG. 3 is an explanatory diagram illustrating a shared key generation process according to an embodiment of the present invention.
FIG. 4 is a configuration diagram of a MAC frame according to an embodiment of the present invention.
FIG. 5 is a configuration diagram of a MAC frame according to another embodiment of the present invention.
FIG. 6 is a configuration diagram of a communication apparatus according to an embodiment of the present invention.
The present invention is capable of various modifications and various embodiments, and specific embodiments will be described in detail below with reference to the accompanying drawings.
The following examples are provided to aid in a comprehensive understanding of the methods, apparatus, and / or systems described herein. However, this is merely an example and the present invention is not limited thereto.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following description, well-known functions or constructions are not described in detail, since they would obscure the invention with unnecessary detail. The terms used below are defined with the functions of the present invention in mind and may vary with the intention or custom of the user, the operator, and the like; their definitions should therefore be based on the contents of this specification as a whole. The terms used in the detailed description are intended only to describe embodiments of the invention and should in no way be limiting. Unless specifically stated otherwise, singular expressions include the plural. In this description, the expressions "comprising" or "including" indicate that certain features, numbers, steps, operations, elements, parts or combinations thereof are present, and should not be construed to preclude the presence or possibility of other features, numbers, steps, operations, elements, parts or combinations thereof.
It is also to be understood that the terms first, second, etc. may be used to describe various components, but the components are not limited by these terms; the terms serve only to distinguish one component from another.
Hereinafter, exemplary embodiments of a communication method and apparatus using a virtual MAC address according to the present invention will be described in detail with reference to the accompanying drawings.
First, FIG. 1 illustrates a configuration of a
As shown in FIG. 1, the
Also, a
Here, the
The
In FIG. 1, the
FIG. 2 is a flowchart illustrating a communication method using a virtual MAC address according to an embodiment of the present invention.
Referring to FIG. 2, a communication method using a virtual MAC address according to an exemplary embodiment of the present invention includes generating a predetermined shared key shared between a first node and a second node (S210), generating a first virtual MAC address for the first node using a first portion of the shared key (S220), generating a second virtual MAC address for the second node using a second portion of the shared key (S230), generating an encryption key using a third portion of the shared key (S240), encrypting the communication data between the first node and the second node using the encryption key (S250), performing communication between the first node and the second node using the first virtual MAC address and the second virtual MAC address (S260), and decrypting the communication data between the first node and the second node using the encryption key (S270).
Hereinafter, a
First, in step S210, a predetermined shared key shared between the
3, the
3, the
Then, the
Next, the
Accordingly, the values of the first secret code a, the second secret code b, and the shared key g^ab (mod p) are not known except for the
In addition, although a method of generating a secret shared key shared between the
Next, in step S220, a first virtual MAC address for the
Here, the MAC address is a physical address used for node-to-node delivery in network communication such as Ethernet, and is a unique identifier of a network interface card (NIC). In this regard, FIG. 4A illustrates a typical structure of a MAC frame, and as shown in FIG. 4A, a MAC address is included in a MAC frame used for network communication. At this time, the MAC frame may include a
As shown in the MAC frame structure according to the prior art shown in FIG. 4A, when an attacker uses the
On the other hand, in the communication method using the virtual MAC address according to the embodiment of the present invention, the first virtual MAC address for the
In this case, since the attacker can not know the shared key generated in step S210, the first virtual MAC address of the
Also in step S230, the second virtual MAC address for the
At this time, a second virtual MAC address for the
The first virtual MAC address and the second virtual MAC address generated in steps S220 and S230 may be transmitted to the receiving
Further, in step S240, the encryption key may be generated using the third part of the shared key generated in step S210. For example, a lower byte of the shared key generated in step S210 may be used as the encryption key. Further, it is also possible to calculate the encryption key through a predetermined process from the third part, which is a part of the generated shared key.
When the cryptographic key is generated as described above, the
In step S250, communication data between the
In step S260, the
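The method summarised in the flowchart and steps S210 to S270 (a Diffie-Hellman shared key g^ab mod p, a first and second portion of that key used as the two virtual MAC addresses, a third portion used as the encryption key, and a MAC frame carrying the virtual addresses) can be walked through end to end. The following Python is an added example written for this page, not the patent's code or any vendor's implementation. Its assumptions beyond the page: the 1024-bit MODP group of RFC 2409 is used so that the raw shared key is long enough to partition; SHA-256 over the lower 32 bytes is the "predetermined process" that turns the third portion into the encryption key; a keyed-hash counter stream with an authentication tag stands in for the cipher the page leaves unspecified; and the locally-administered/multicast bit fix-up on the generated addresses and the 0x88B5 experimental EtherType are additions of this example.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group from RFC 2409 (Oakley group 2), generator 2.  Used here only
# so the raw shared key is long enough to partition; not a group-size recommendation.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_LEN = (P.bit_length() + 7) // 8    # 128 bytes of raw shared key
ETHERTYPE_LOCAL_EXPERIMENTAL = 0x88B5   # IEEE 802 local experimental EtherType (assumed)

def dh_keypair(secret=None):
    """Step S210, one side: secret code a and public code g^a mod p."""
    if secret is None:
        secret = secrets.randbelow(P - 3) + 2
    return secret, pow(G, secret, P)

def dh_shared_key(secret, peer_public):
    """Step S210, both sides: shared key g^ab mod p as fixed-width bytes."""
    if not 1 < peer_public < P - 1:     # reject degenerate public codes
        raise ValueError("invalid public code")
    return pow(peer_public, secret, P).to_bytes(KEY_LEN, "big")

def _fmt(six_bytes):
    return ":".join(f"{b:02x}" for b in six_bytes)

def virtual_mac(portion):
    """Six shared-key bytes as a MAC (steps S220/S230).  Forcing the
    locally-administered bit on and the multicast bit off is an addition beyond
    the page: it yields a valid unicast address that cannot collide with an OUI."""
    if len(portion) != 6:
        raise ValueError("a MAC address needs exactly 6 bytes")
    return _fmt(bytes([(portion[0] | 0x02) & 0xFE]) + portion[1:])

def derive_addresses_and_key(shared):
    """Partition as the page describes: first portion -> first node's virtual MAC,
    second portion -> second node's, lower bytes through a predetermined process
    (SHA-256 here, an assumption) -> encryption key (step S240)."""
    return (virtual_mac(shared[0:6]), virtual_mac(shared[6:12]),
            hashlib.sha256(shared[-32:]).digest())

def _keystream(key, nonce, length):
    # Keyed-hash counter stream; stands in for the cipher the page leaves open.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"stream" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    """Step S250: nonce || ciphertext || 16-byte authentication tag."""
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]

def decrypt(key, blob):
    """Step S270: verify the tag before using the ciphertext."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("payload failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def build_frame(dst_mac, src_mac, payload):
    """Step S260: Ethernet header carrying the virtual MACs, then the payload."""
    hdr = bytes(int(o, 16) for mac in (dst_mac, src_mac) for o in mac.split(":"))
    return hdr + ETHERTYPE_LOCAL_EXPERIMENTAL.to_bytes(2, "big") + payload

def parse_frame(frame):
    return _fmt(frame[0:6]), _fmt(frame[6:12]), int.from_bytes(frame[12:14], "big"), frame[14:]

def run_session(message, a=None, b=None):
    """First node sends `message` to the second node over virtual MACs and returns
    what each side computed; fixed secret codes make the run reproducible."""
    a, pub_a = dh_keypair(a)
    b, pub_b = dh_keypair(b)
    shared_first = dh_shared_key(a, pub_b)      # computed at the first node
    shared_second = dh_shared_key(b, pub_a)     # computed at the second node
    mac1, mac2, key = derive_addresses_and_key(shared_first)
    frame = build_frame(mac2, mac1, encrypt(key, message))
    # The receiver derives the same addresses and key from its own copy of the
    # shared key, so it recognises the frame although no real MAC is on the wire.
    mac1_rx, mac2_rx, key_rx = derive_addresses_and_key(shared_second)
    dst, src, _etype, blob = parse_frame(frame)
    if (dst, src) != (mac2_rx, mac1_rx):
        raise ValueError("frame does not carry this session's virtual MACs")
    return {"shared_match": shared_first == shared_second, "mac_first": mac1,
            "mac_second": mac2, "enc_key": key, "frame": frame,
            "decrypted": decrypt(key_rx, blob)}
```

`run_session(b"hello")` performs one exchange with fresh secret codes; passing `a=` and `b=` fixes them for a reproducible run. The point the page makes is visible in `run_session`: an observer of the frame sees only the two key-derived addresses, and a third node that did not take part in the exchange cannot compute either of them or the key that authenticates the payload.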
FIG. 6 illustrates a configuration of a
The
6, a
Hereinafter, the
First, the shared
In addition, the shared
Next, the virtual MAC
In addition, the
Furthermore, the cryptographic
The
By using the virtual MAC address as described above and further encrypting and transmitting the data, it is possible to effectively prevent the attacker from hacking the attack target communication using the MAC address of the attack target.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments. Therefore, the scope of the present invention should not be limited to the above-described embodiments, but should be determined by the appended claims and their equivalents.
100: communication system
110: First node
120: second node
130: Third node
140: Communication network
111: Shared key generation unit
112: Virtual MAC address generation unit
113:
114: Cryptographic key generation unit
115: Data encryption unit
116: Data decoding unit
Claims (10)
Generating a shared key shared between the first node and the second node;
Generating a first virtual MAC address for the first node using a first portion of the shared key;
Generating a second virtual MAC address for the second node using a second portion of the shared key; and
Performing communication between the first node and the second node using the first virtual MAC address and the second virtual MAC address,
Wherein the generating the shared key comprises:
Exchanging a first public code of the first node and a second public code of the second node with each other; and
Generating the shared key using the first public code and the second public code at the first node and the second node.
Generating an encryption key using a third portion of the shared key; and
Encrypting communication data between the first node and the second node using the encryption key.
Decrypting communication data between the first node and the second node using the encryption key.
Exchanging the first public code and the second public code with each other using a Diffie-Hellman key exchange scheme at the first node and the second node,
and the shared key is generated using the first public code and the second public code.
A shared key generation unit for generating a shared key shared with the second node;
A virtual MAC address generation unit for generating a first virtual MAC address for the communication device using a first portion of the shared key and generating a second virtual MAC address for the second node using a second portion of the shared key; and
A communication unit for communicating with the second node using the first virtual MAC address and the second virtual MAC address,
Wherein the shared key generation unit,
after exchanging the first public code of the communication device and the second public code of the second node with each other, generates the shared key using the first public code and the second public code at the communication device and the second node.
An encryption key generation unit generating an encryption key using a third portion of the shared key; and
A data encryption unit encrypting communication data to be transmitted to the second node using the encryption key.
Further comprising a data decoding unit for decoding the communication data received from the second node by using the encryption key.
Wherein the shared key generation unit
exchanges the first public code and the second public code with the second node using a Diffie-Hellman key exchange scheme,
and generates the shared key using the first public code and the second public code.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150057902A KR101591306B1 (en) | 2015-04-24 | 2015-04-24 | Method and apparatus for communication using virtual MAC address |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101591306B1 true KR101591306B1 (en) | 2016-02-04 |
Family
ID=55356253
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150057902A KR101591306B1 (en) | 2015-04-24 | 2015-04-24 | Method and apparatus for communication using virtual MAC address |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101591306B1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11599321B2 (en) | 2018-02-23 | 2023-03-07 | Samsung Electronics Co., Ltd | Electronic device and operating method therefor |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101410380B1 (en) | 2009-03-31 | 2014-06-20 | 퀄컴 인코포레이티드 | Apparatus and method for virtual pairing using an existing wireless connection key |
KR101506564B1 (en) | 2014-01-07 | 2015-03-31 | 한밭대학교 산학협력단 | Method for generating parameter of public key infrastructure |
2015
- 2015-04-24 KR KR1020150057902A patent/KR101591306B1/en active IP Right Grant
Legal Events
Date | Code | Title | Description |
---|---|---|---|
GRNT | Written decision to grant | |
FPAY | Annual fee payment | Payment date: 20190104; Year of fee payment: 4 |