TWI418177B - Random network security routing method - Google Patents

Random network security routing method

Info

Publication number
TWI418177B
Authority
TW
Taiwan
Prior art keywords
host
path
packet
value
source
Prior art date
Application number
TW098101043A
Other languages
Chinese (zh)
Other versions
TW201027949A (en)
Original Assignee
Univ Ishou
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Univ Ishou
Priority to TW098101043A
Publication of TW201027949A
Application granted
Publication of TWI418177B

Description

Ad hoc network security routing method

The present invention relates to a routing method, and more particularly to an ad hoc network security routing method.

In the earliest stage of the Internet's development, users connected to the network by wire. When the IEEE published the 802.11 Wireless Local Area Networks (WLAN) standard in 1999, WLANs came into being. Once the standard was set, equipment vendors built many products to it, and at that stage the development of wireless networking took a large step forward. The main vision of wireless networking is to let desktop computers, notebook computers and other wireless-capable mobile devices join the network over the air, changing the transmission medium from a physical cable to the invisible air, so that users can reach the network at any time and from any place.

Wireless networks are further divided, by architecture, into infrastructure networks, which require an access point, and mobile ad hoc networks (MANETs), which need no base station. Because a mobile ad hoc network has a peer-to-peer character, meaning that two corresponding nodes can connect in a direct transmission mode (peer-to-peer mode), it is also called a peer-to-peer network.

Because a mobile ad hoc network organizes itself dynamically and lets mobile nodes communicate with one another over wireless technology without any infrastructure, establishing connections at any time (also known as "build-and-connect"), it offers considerable convenience and mobility, and has gradually attracted the attention of both academia and industry in the wireless networking field.

Although a mobile ad hoc network can organize itself dynamically and lets mobile nodes establish connections and communicate wirelessly at any time without infrastructure, and so appears convenient and mobile, the broadcast nature of radio waves, flaws in routing protocol design and the characteristics of the mobile nodes themselves cause many problems and security vulnerabilities. The most important and serious of these security problems fall into the following categories:

(1) Node information is easily obtained:

Because a mobile ad hoc network communicates in an open environment, if the routing protocol in use was not designed with security in mind, then in real deployment anyone within radio range can easily obtain node information. Eavesdropping is one example: an eavesdropper only needs to tune a network card's receive frequency to the transmit frequency to listen in. Data sent over a wireless network therefore has to be protected to raise the security of its transmission.

(2) Routing data is easily modified:

Following from the above, once an attacker has obtained node information and captured a packet, the attacker can modify the packet's contents, such as the source node address, destination node address or sequence number, and re-send it into the network, so that other nodes in the network may receive false information.

(3) Black hole attack:

This attack takes its name from the black hole of Einstein's general relativity, a celestial object whose gravity is so strong that nothing can escape from its region, with even light pulled back by it. In an ad hoc network the black hole attack works as follows: during route discovery, a malicious node exploits a property of the routing protocol to claim that it has the shortest path to the requested destination node, so that the packets of some nodes flow through it; once the malicious node receives those packets it discards them, thereby intercepting them.

How to propose a security method that remedies the general potential vulnerabilities of ad hoc network routing protocols has therefore become a goal that academia and industry are working to achieve.

Accordingly, an object of the present invention is to provide an ad hoc network security routing method that sends a fictitious packet to detect whether a malicious host is hiding in the transmission path.

The ad hoc network security routing method of the present invention therefore comprises the following steps:

(a) Before a source host transmits a data packet to a destination host, it determines whether a routing table contains path information to the destination host; if not, it proceeds to the next step.

(b) The source host sends a path query packet with a fictitious destination address to a plurality of relay hosts.

(c) The source host determines whether a path response packet corresponding to the path query packet is returned; if so, this indicates that the relay hosts include at least one malicious host, so the source host analyzes the sender of the path response packet and puts the malicious host's source on a blacklist.

Another object of the present invention is to provide an ad hoc network security routing method that encrypts data with a communication key.

The ad hoc network security routing method of the present invention therefore comprises the following steps:

(a) Before a transmitting host sends a path query packet that includes an invariant field and a variable field, it performs a verification operation: the transmitting host generates a verification value, applies a hash function to the verification value a first-hop-value number of times to produce a verification hash value, places the verification hash value and the verification value in the invariant field, and places the first hop value in the variable field.

(b) The transmitting host then encrypts the invariant field with its transmit private key and sends the path query packet.

(c) When a receiving host receives the path query packet encrypted with the transmit private key, it decrypts the invariant field with the transmitting host's transmit public key to obtain the verification value and the verification hash value, and applies the hash function to the verification value a second-hop-value number of times to produce a hash value to be verified.

(d) The receiving host compares the verification hash value with the hash value to be verified; if they are the same, the verification operation has succeeded.

(e) When the transmitting host is a source host that wants to transmit data, then after performing the verification operation and before transmitting the data, the source host also generates a first value, encrypts it with a destination host's public key, places it in the path query packet and sends the path query packet.

(f) When the receiving host is the destination host, then once the verification operation has succeeded and the path query packet has been received, the destination host recovers the first value with its private key.

(g) Before sending a path response packet, the destination host generates a second value, encrypts it with the source host's public key, places it in the path response packet and sends the path response packet.

(h) When the source host receives the path response packet, it recovers the second value with its private key.

(i) The source host applies a computation to the first value and the recovered second value to obtain a communication key, and the destination host applies the same computation to the second value and the recovered first value to obtain the same communication key.

(j) The source host encrypts the data with the communication key and then transmits it to the destination host.

The effect of the present invention is that the source host sends a path query packet carrying the fictitious destination address to the relay hosts and observes whether a corresponding path response packet is returned, so as to weed out malicious hosts; furthermore, the public/private-key encryption and decryption of the two hosts, assisted by digital signatures and hash function computations, removes the risk of the transmitted data being tampered with.

The foregoing and other technical content, features and effects of the present invention will become clear in the following detailed description of two preferred embodiments, read with reference to the drawings.

Before the present invention is described in detail, note that in the following description like elements are denoted by the same reference numerals.

Referring to FIG. 1 and FIG. 2, a first preferred embodiment of the network security routing method of the present invention comprises the following steps. First, as shown in step 61, a source host 1 wants to transmit a data packet 10 to a destination host 2. Before doing so, as shown in step 62, it determines whether a routing table 11 contains path information 111 to the destination host 2. If so, that is, when the source host 1 determines that it has path information 111 to the destination host 2, then as shown in step 63 it transmits the data packet 10 directly to the destination host 2 along that path information 111.

If not, then as shown in step 64 the source host 1 sends a path query packet 12 carrying a fictitious destination address to a plurality of relay hosts 3.

Then, as shown in step 65, the source host 1 determines whether a path response packet 311 corresponding to the path query packet 12 is returned. If so, then as shown in step 66 this indicates that the relay hosts 3 include at least one malicious host 31, and as shown in step 67 the source host 1 analyzes the sender of the path response packet 311 and enters the source of the malicious host 31 in a blacklist 13.

If not, that is, when the source host 1 determines that no path response packet 311 has been returned, then as shown in step 68 it uses a path-finding mechanism together with the relay hosts 3 that are not on the blacklist 13 to establish a packet transmission path, and transmits the data packet 10 to the destination host 2 over it.

It is worth mentioning that in this preferred embodiment the path-finding mechanism is the Ad Hoc On-demand Distance Vector (AODV) routing protocol; in practice, however, it could be the Secure Ad Hoc On-demand Distance Vector (SAODV) routing protocol or the Adaptive-Securing Ad Hoc On-demand Distance Vector routing protocol, a variation readily conceived by those with the relevant background, so the invention should not be limited to the specific example of this preferred embodiment.

Finally, as shown in step 69, after step 67, if any relay host 3 not on the blacklist 13 receives the path response packet 311, it discards the path response packet 311.
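The following is an added example, not code from the patent or its assignee: a stand-alone simulation of steps 61 to 69 in which the source host probes its relays with a path query for a fictitious destination, blacklists whoever answers, and then discovers a path only through the remaining relays. Everything in it is a constructed assumption: the host names and topology of `build_sample_network`, the `Host`, `probe_for_black_holes`, `find_path` and `route_data` names, the choice to send the probe with TTL 1 so that honest relays never forward it, and the breadth-first search that stands in for the AODV discovery the embodiment uses.

```python
"""Added example (not the patent's own code): a stand-alone simulation of the
first embodiment (steps 61 to 69).  The topology, host names, TTL-1 probe and
the BFS standing in for AODV are constructed assumptions."""
from collections import deque

FICTITIOUS = "no-such-host"   # constructed address; no host in the network has it


class Host:
    def __init__(self, name, neighbours, black_hole=False):
        self.name = name
        self.neighbours = set(neighbours)
        self.black_hole = black_hole     # a relay that answers every path query
        self.routing_table = {}          # destination -> full path (steps 62/63)
        self.blacklist = set()           # blacklist 13, kept by the source host
        self.forwarded_rreq = set()      # destinations whose query this host relayed

    def handle_rreq(self, dest):
        """True when this host answers the path query with a path reply.  An honest
        host answers only for itself; a black hole claims a route to any
        destination, the fictitious one included (steps 65/66)."""
        return self.black_hole or dest == self.name

    def handle_rrep(self, dest):
        """Step 69: an honest relay forwards a path reply only for a destination
        whose query it relayed.  The TTL-1 probe is never relayed, so a reply for
        the fictitious address matches nothing and is dropped (False)."""
        return self.black_hole or dest in self.forwarded_rreq


def probe_for_black_holes(source, hosts):
    """Steps 64 to 67: send the fictitious-destination query to every neighbouring
    relay (TTL 1, so it is not flooded) and blacklist whoever replies."""
    for name in source.neighbours:
        if hosts[name].handle_rreq(FICTITIOUS):
            source.blacklist.add(name)
    return set(source.blacklist)


def find_path(source, dest, hosts):
    """Step 68: hop-by-hop discovery (breadth-first search standing in for AODV)
    that never enters a blacklisted relay.  Returns the path or None."""
    prev = {source.name: None}
    queue = deque([source.name])
    while queue:
        cur = queue.popleft()
        if cur == dest:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(hosts[cur].neighbours):
            if nxt not in prev and nxt not in source.blacklist:
                prev[nxt] = cur
                hosts[nxt].forwarded_rreq.add(dest)   # the relay saw this query
                queue.append(nxt)
    return None


def route_data(source, dest, hosts):
    """Steps 61 to 63 and 68: reuse a cached path; otherwise probe, discover a
    path that avoids blacklisted relays, cache it and return it."""
    if dest in source.routing_table:
        return source.routing_table[dest]
    probe_for_black_holes(source, hosts)
    path = find_path(source, dest, hosts)
    if path is not None:
        source.routing_table[dest] = path
    return path


def build_sample_network():
    """Constructed topology: S reaches D through R1, R2 or the black hole B."""
    return {
        "S": Host("S", {"R1", "R2", "B"}),
        "R1": Host("R1", {"S", "D"}),
        "R2": Host("R2", {"S", "D"}),
        "B": Host("B", {"S", "D"}, black_hole=True),
        "D": Host("D", {"R1", "R2", "B"}),
    }


if __name__ == "__main__":
    net = build_sample_network()
    print("naive path:", find_path(net["S"], "D", net))        # goes through B
    print("blacklisted:", probe_for_black_holes(net["S"], net))
    print("safe path:", route_data(net["S"], "D", net))         # avoids B
```

Without the probe, discovery in this topology happily picks the black hole B as the next hop; after the probe, B is on the blacklist and the path runs through R1. Note that a one-hop probe only exposes black holes among the source's direct relays, which is exactly the set step 64 addresses.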

Thus, by sending into the network a path query packet 12 whose destination address is fictitious and does not exist, the first preferred embodiment of the network security routing method of the present invention counters the "black hole attack" that the malicious host 31 mounts against ad hoc networks.

In addition, to further prevent the risks of "node information is easily obtained" and "routing data is easily modified" in general ad hoc networks, which allow the transmitted data to be snooped on or tampered with, refer next to FIG. 3 to FIG. 6 for a second preferred embodiment of the network security routing method of the present invention, which comprises the following steps. First, referring to FIG. 3A and FIG. 4, as shown in step 701, before a transmitting host 8 sends a path query packet 14 that includes an invariant field 141 and a variable field 142, it performs a verification operation: as shown in step 702, the transmitting host 8 generates a verification value 81 and applies a hash function 82 to it a first-hop-value 83 (here, a maximum hop value) number of times to produce a verification hash value 84. In this preferred embodiment the verification value 81 is a random number and the hash function 82 is a one-way hash function.

Next, as shown in step 703, the verification hash value 84 and the verification value 81 are placed in the invariant field 141, and the first hop value 83 (the maximum hop value) is placed in the variable field 142.

Then, as shown in step 704, the invariant field 141 is encrypted with a transmit private key 85 of the transmitting host 8 and the path query packet 14 is sent. In theoretical terms, step 704 of this preferred embodiment is a digital signature operation; the digital signature of the present invention differs from the conventional one, however, in that the random verification value 81 is added, which makes the verification value 81 a time-limited quantity with the character of a time-varying parameter and so effectively prevents the digital signature from being intercepted, stored and replayed by the malicious host 31.

Next, referring to FIG. 3A and FIG. 5, as shown in step 705, when a receiving host 9 receives the path query packet 14 encrypted with the transmit private key 85, it decrypts the invariant field 141 with a transmit public key 86 of the transmitting host 8 to obtain the verification value 81 and the verification hash value 84.

Then, as shown in step 706, the hash function 82 is applied to the verification value 81 a second-hop-value 91 (here, the maximum hop value minus a received hop value) number of times to produce a hash value to be verified 92.

Then, as shown in step 707, the receiving host 9 compares the verification hash value 84 with the hash value to be verified 92.

If the two match, then as shown in step 708 the verification operation has succeeded.

If they do not match, then as shown in step 709 the verification operation has failed and the receiving host 9 discards the path query packet 14.

Next, referring to FIG. 3A, FIG. 3B and FIG. 6, as shown in step 710, when the transmitting host 8 is a source host 1 that wants to transmit data 5, then after performing the verification operation of steps 701 to 709 and before transmitting the data 5, the source host 1 also generates a first value 15.

As shown in step 711, the source host 1 encrypts the first value 15 with a public key 21 of the destination host 2, places the encrypted first value 151 in the path query packet 14, and sends the path query packet 14. In this preferred embodiment the first value 15 is a random number.

Then, as shown in step 712, when the receiving host 9 is the destination host 2, then once the verification operation has succeeded and the path query packet 14 has been received, it recovers the first value 15 with a private key 22 of the destination host 2.

Next, as shown in step 713, before sending a path response packet 23 the destination host 2 generates a second value 24, and as shown in step 714 it encrypts the second value 24 with a public key 16 of the source host 1, places the encrypted second value 241 in the path response packet 23, and sends the path response packet 23. In this preferred embodiment the second value 24 is a random number.

Then, as shown in step 715, when the source host 1 receives the path response packet 23, it recovers the second value 24 with a private key 17 of the source host 1.

Next, as shown in step 716, the source host 1 applies a computation to the first value 15 and the recovered second value 24 to obtain a communication key 4, and the destination host 2 applies the same computation to the second value 24 and the recovered first value 15 to obtain the same communication key 4. In this preferred embodiment the computation is an exclusive-or (XOR) of the first value 15 and the second value 24; in practice, however, any other way that those in the relevant field might conceive of producing the communication key 4 from the first value 15 and the second value 24 as inputs could be used.

Then, as shown in step 717, the source host 1 encrypts the data 5 with the communication key 4 and transmits the encrypted data 51 to the destination host 2.

It is worth mentioning that the source host 1 encrypts the data 5 with the communication key 4 using AES; in practice, however, DES or any other kind of encryption could also be used, a substitution readily made by those with a background in the relevant field, so the invention should not be limited to what is disclosed in this preferred embodiment.

Finally, as shown in step 718, when the destination host 2 receives the encrypted data 51 transmitted by the source host 1, it decrypts the encrypted data 51 with the communication key 4 to obtain the data 5.
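The following is an added example, not code from the patent or its assignee, covering the whole second embodiment: the signed hash-chain check of steps 701 to 709 and the key agreement and data encryption of steps 710 to 718, with an intermediate relay and a tampered hop count included. It uses only the Python standard library, so two substitutions are made and labelled in the code: textbook RSA on fixed Mersenne-prime moduli (`make_keypair`, `rsa_apply`, demo keys with no padding) stands in for the hosts' real key pairs, and an HMAC-SHA256 counter-mode keystream (`keystream_xor`) stands in for the AES the embodiment names. Three further points are assumptions rather than statements from the page: the toy key signs a digest of the invariant field instead of encrypting the whole field; the encrypted first value 151 is carried inside the signed field; and the per-hop update in `relay` (hash the running value once and count the hop), which the page does not spell out but which is the reading under which the comparison of step 707 succeeds for an untampered packet. All function names (`build_rreq`, `relay`, `verify_rreq`, `destination_reply`, `run_session`) are this example's own.

```python
"""Added example, not the patent's code: second embodiment (steps 701-718) with
toy RSA (fixed Mersenne primes, no padding) standing in for real key pairs and
an HMAC-SHA256 keystream standing in for AES.  The per-hop update in relay() is
an assumption the page leaves unstated."""
import hashlib
import hmac
import secrets

MAX_HOP = 8   # first hop value 83 (maximum hop value)

def make_keypair(p, q, e=65537):
    """Toy textbook RSA key pair (public, private); demo use only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

SRC_PUB, SRC_PRIV = make_keypair(2**31 - 1, 2**61 - 1)    # source host keys 16/17
DST_PUB, DST_PRIV = make_keypair(2**89 - 1, 2**107 - 1)   # destination keys 21/22

def rsa_apply(x, key):
    exp, n = key
    return pow(x, exp, n)

def H(b):                     # hash function 82 (one-way)
    return hashlib.sha256(b).digest()

def hash_chain(value, times):
    for _ in range(times):
        value = H(value)
    return value

def field_digest(field, n):
    """Integer digest of the invariant field; the toy key signs this digest
    where the page encrypts the whole field with the private key."""
    return int.from_bytes(H(repr(sorted(field.items())).encode()), "big") % n

def build_rreq(v, nonce1):
    """Source host, steps 701-704 and 710-711."""
    invariant = {"v": v, "top": hash_chain(v, MAX_HOP),     # values 81 and 84
                 "n1_enc": rsa_apply(nonce1, DST_PUB)}      # encrypted first value 151
    sig = rsa_apply(field_digest(invariant, SRC_PRIV[1]), SRC_PRIV)   # step 704
    variable = {"max_hop": MAX_HOP, "hop": 0, "running": v}           # field 142
    return {"invariant": invariant, "sig": sig, "variable": variable}

def relay(rreq):
    """Assumed per-hop update: hash the running value once, count the hop."""
    var = dict(rreq["variable"])
    var["running"], var["hop"] = H(var["running"]), var["hop"] + 1
    return {**rreq, "variable": var}

def verify_rreq(rreq):
    """Receiving host, steps 705-709: signature first, then the hash chain."""
    inv, var = rreq["invariant"], rreq["variable"]
    if rsa_apply(rreq["sig"], SRC_PUB) != field_digest(inv, SRC_PUB[1]):
        return False
    remaining = var["max_hop"] - var["hop"]           # second hop value 91
    return remaining >= 0 and hash_chain(var["running"], remaining) == inv["top"]

def destination_reply(rreq, nonce2):
    """Destination host, steps 712-714 and 716: (key, path response) or None."""
    if not verify_rreq(rreq):
        return None                                    # step 709: packet dropped
    nonce1 = rsa_apply(rreq["invariant"]["n1_enc"], DST_PRIV)
    return nonce1 ^ nonce2, {"n2_enc": rsa_apply(nonce2, SRC_PUB)}

def keystream_xor(key, data):
    """AES stand-in for steps 717/718: HMAC-SHA256 counter-mode keystream."""
    k, out = key.to_bytes(16, "big"), bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(k, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def run_session(data, hops=3, tamper_hop=False):
    """Whole exchange: (verified, source key, destination key, recovered data).
    tamper_hop models a relay lowering the hop count alone, which step 707 catches."""
    nonce1, nonce2 = secrets.randbits(64), secrets.randbits(64)  # values 15 and 24
    rreq = build_rreq(secrets.token_bytes(16), nonce1)
    for _ in range(hops):
        rreq = relay(rreq)
    if tamper_hop:
        rreq["variable"]["hop"] -= 1
    result = destination_reply(rreq, nonce2)
    if result is None:
        return False, None, None, None
    dst_key, rrep = result
    src_key = nonce1 ^ rsa_apply(rrep["n2_enc"], SRC_PRIV)       # steps 715/716
    ciphertext = keystream_xor(src_key, data)                     # step 717
    return True, src_key, dst_key, keystream_xor(dst_key, ciphertext)  # step 718
```

Running `run_session(b"...")` returns both hosts' communication keys, which agree, and the plaintext recovered by the destination. One caveat worth noting when reading the embodiment: because the verification value 81 travels in the signed field in the clear, any relay can recompute the chain position for an arbitrary hop count, so the check of step 707 catches a hop count altered on its own (as `tamper_hop` models) but not one altered together with a recomputed running value; the replay protection the page attributes to the scheme comes from the random, signed verification value, not from the chain.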

In summary, through the mechanism provided by the first preferred embodiment of the network security routing method of the present invention, the source host 1 sends a path query packet 12 carrying the fictitious destination address to the relay hosts 3 and observes whether a corresponding path response packet 311 is returned, so as to judge whether a malicious host 31 is present among the relay hosts 3; it can further identify the malicious host 31 and enter it in the blacklist 13, ensuring that the data packet 10 avoids a "black hole attack" in transit and reaches the destination host 2.

In addition, the mechanism provided by the second preferred embodiment of the network security routing method of the present invention adds a time-varying verification value 81 and uses the digital signature together with the hash function 82 to effectively prevent the digital signature from being intercepted, stored and replayed by the malicious host 31; it also uses the two hosts' own public and private keys (source host 1 and destination host 2), together with the encryption of the random first and second values 15, 24, to increase the protection of the data 5. The second preferred embodiment of the present invention therefore prevents the risk of the transmitted data 5 being tampered with as a result of "node information is easily obtained" and "routing data is easily modified".

The methods described in the first and second preferred embodiments of the present invention can therefore achieve the object of the present invention.

The foregoing, however, is merely two preferred embodiments of the present invention and cannot limit the scope of its implementation; all simple equivalent changes and modifications made according to the claims and the description of the invention still fall within the scope of the patent.

1 ... Source host

10 ... Data packet

11 ... Routing table

111 ... Path information

12 ... Path query packet with fictitious destination address

13 ... Blacklist

14 ... Path query packet

141 ... Invariant field

142 ... Variable field

15 ... First value

151 ... Encrypted first value

16 ... Source host public key

17 ... Source host private key

2 ... Destination host

21 ... Destination host public key

22 ... Destination host private key

23 ... Path response packet

24 ... Second value

241 ... Encrypted second value

3 ... Relay host

31 ... Malicious host

311 ... Path response packet for the fictitious destination address

4 ... Communication key

5 ... Data

51 ... Encrypted data

61~69 ... Steps

701~718 ... Steps

8 ... Transmitting host

81 ... Verification value

82 ... Hash function

83 ... First hop value

84 ... Verification hash value

85 ... Transmit private key

86 ... Transmit public key

9 ... Receiving host

91 ... Second hop value

92 ... Hash value to be verified

FIG. 1 is a flow chart of the steps of the first preferred embodiment of the network security routing method of the present invention;

FIG. 2 is a block diagram of the arrangement and operation of the elements of the first preferred embodiment;

FIG. 3A and FIG. 3B are flow charts of the steps of the second preferred embodiment of the network security routing method of the present invention;

FIG. 4 is a block diagram showing the elements of the second preferred embodiment performing the digital signature and hash computation;

FIG. 5 is a block diagram showing the elements of the second preferred embodiment verifying the digital signature and hash value; and

FIG. 6 is a block diagram showing the elements of the second preferred embodiment establishing a communication key.

Claims (5)

1. An ad hoc network security routing method, comprising the following steps: (a) before a source host transmits a data packet to a destination host, determining whether a routing table contains path information to the destination host and, if not, proceeding to the next step; (b) the source host sending a path query packet with a fictitious destination address to a plurality of relay hosts; and (c) the source host determining whether a path response packet corresponding to the path query packet is returned and, if so, taking this to indicate that the relay hosts include at least one malicious host, analyzing the sender of the path response packet, and putting the malicious host's source on a blacklist.

2. The ad hoc network security routing method of claim 1, wherein in step (c), when any relay host not on the blacklist receives the path response packet, it discards the path response packet.

3. The ad hoc network security routing method of claim 1 or 2, wherein in step (c), when the source host determines that no path response packet has been returned, it uses a path-finding mechanism together with the relay hosts not on the blacklist to establish a packet transmission path and transmits the data packet to the destination host over it.

4. The ad hoc network security routing method of claim 3, wherein in step (c) the path-finding mechanism is selected from the group consisting of the Ad Hoc On-demand Distance Vector routing protocol, the Secure Ad Hoc On-demand Distance Vector routing protocol and the Adaptive-Securing Ad Hoc On-demand Distance Vector routing protocol.

5. The ad hoc network security routing method of claim 4, wherein in step (a), when the source host determines that it has path information to the destination host, it transmits the data packet directly to the destination host along that path information.
TW098101043A 2009-01-13 2009-01-13 Random network security routing method TWI418177B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW098101043A TWI418177B (en) 2009-01-13 2009-01-13 Random network security routing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW098101043A TWI418177B (en) 2009-01-13 2009-01-13 Random network security routing method

Publications (2)

Publication Number Publication Date
TW201027949A TW201027949A (en) 2010-07-16
TWI418177B true TWI418177B (en) 2013-12-01

Family

ID=44853355

Family Applications (1)

Application Number Title Priority Date Filing Date
TW098101043A TWI418177B (en) 2009-01-13 2009-01-13 Random network security routing method

Country Status (1)

Country Link
TW (1) TWI418177B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3043620B1 (en) * 2013-09-02 2018-03-28 Fujitsu Ltd. Node failure determination based on reference-hop-count in wireless sensor networks
TWI510952B (en) * 2015-01-26 2015-12-01 Acer Inc Method and system for retrieving private key

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW532024B (en) * 2000-08-01 2003-05-11 Hereuare Communications Inc System for distributed network authentication and access control
TW200704014A (en) * 2005-07-05 2007-01-16 Zyxel Communications Corp Network device for secure packet dispatching via port isolation
TW200726145A (en) * 2005-12-28 2007-07-01 Zyxel Communications Corp Terminal and related method for detecting malicious data for computer network
US20080140795A1 (en) * 2006-12-08 2008-06-12 Motorola, Inc. Method and apparatus for alerting nodes of a malicious node in a mobile ad-hoc communication system
US20080313500A1 (en) * 2007-06-15 2008-12-18 Alcatel Lucent Proctor peer for malicious peer detection in structured peer-to-peer networks

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Asad Amir Pirzada and Chris McDonald,"Secure Routing with the AODV Protocol", Asia-Pacific Conference on Communications, October 3-5, 2005, pp. 57-61 *
Manel Guerrero Zapata and N. Asokan,"Securing Ad Hoc Routing Protocols", Proceedings of the 1st ACM Workshop on Wireless Security (WiSE'02), September 28, 2002, pp. 1-10 *
Semih Dokurer, Y. M. Erten and Can Erkin Acar,"Performance Analysis of Ad-Hoc Networks under Black Hole Attacks", Proceedings of SoutheastCon, IEEE, March 22-25, 2007, pp. 148-153 *

Also Published As

Publication number Publication date
TW201027949A (en) 2010-07-16

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees