TWI531194B - Cable modem and method for reissuing a digital certificate - Google Patents

Cable modem and method for reissuing a digital certificate

Info

Publication number: TWI531194B
Authority: TW (Taiwan)
Prior art keywords: address, digital certificate, update request, data packet, packet
Application number: TW098101674A
Other languages: Chinese (zh)
Other versions: TW201029411A
Inventor: 羅佑銘
Original assignee: 鴻海精密工業股份有限公司 (Hon Hai Precision Industry Co., Ltd.)
Application filed by 鴻海精密工業股份有限公司
Priority to TW098101674A
Publication of TW201029411A
Application granted
Publication of TWI531194B

Description

Cable modem and method for renewing its digital certificate

The invention relates to an electronic device and a security management method for it, and in particular to a cable modem and a method for renewing its digital certificate.

With the development of communication and information technology, the three traditional information networks (telecommunications, computer networks and cable television) are converging. Hybrid fiber/coaxial (HFC) networks reuse the existing cable television plant and, with optical fiber transmission and its bandwidth advantage, have become a broadband integrated network that carries telephony, cable television and computer networking.

However, because an HFC network uses a shared-channel topology, every subscriber can receive all data transmitted on the network, which is a major security risk. A subscriber may impersonate another network terminal to request unauthorized services from the server, or impersonate the server and send forged responses. An attacker can also eavesdrop on, steal or maliciously tamper with data on the shared line; in severe cases this can congest or even paralyze the whole network. Securing data on the HFC network is therefore very important.

For this reason, every cable modem (CM) has a digital certificate issued by a certificate authority (CA) burned into it at manufacture; the certificate is bound to a matching key pair (the certificate carries the public key, the private key stays on the CM). In the Baseline Privacy Interface (BPI) protocol, the cable modem termination system (CMTS) verifies the CM's identity with this certificate, which effectively prevents an impostor from masquerading as another legitimate subscriber.

A CM's digital certificate has a validity period, for example 20 years. When the certificate expires the CM's identity is no longer valid, and the subscriber can no longer use the CM to access the services of the HFC network. If the certificate has a short validity period, or is about to expire, it must be renewed so that the subscriber can keep using the CM for the desired period.

In view of the above, a cable modem and a method for renewing its digital certificate are needed.

A cable modem capable of renewing its digital certificate comprises: a judgment module, which decides from the cable modem's current digital certificate whether renewal is needed; a request module, which sends an update request packet to the certificate authority; an analysis module, which monitors and analyzes received packets to obtain the update response packet from the certificate authority; and a write module, which writes the reissued digital certificate carried in the update response packet into the cable modem's memory, replacing the current digital certificate.

A method for renewing a cable modem's digital certificate comprises the steps of: deciding from the cable modem's current digital certificate whether renewal is needed; sending an update request packet to the certificate authority; monitoring and analyzing received packets to obtain the update response packet from the certificate authority; and writing the reissued digital certificate carried in the update response packet into the cable modem's memory, replacing the current digital certificate.

With the invention, the digital certificate can be renewed securely, ensuring that the cable modem remains usable for the desired period.

Referring to Figure 1, a schematic of the operating environment of a preferred embodiment of the cable modem of the invention. The cable modem (CM) 2 operates within a digital certificate renewal system 5, which further includes a cable modem termination system (CMTS) 1, customer premises equipment (CPE) 3 and a certificate authority (CA) 4. The cable modem 2 is connected to the CPE 3 over an Ethernet or USB interface. It receives packets from the CPE 3, modulates them onto a radio-frequency signal and sends them upstream to the CMTS 1, and demodulates the downstream radio-frequency signal into a digital signal delivered to the CPE 3. The CMTS 1 is connected over the hybrid fiber/coaxial (HFC) network to at least one cable modem 2 (only one is drawn) and manages it: it authenticates the cable modem 2, receives downstream data and forwards it to the cable modem 2, and receives upstream data from the cable modem 2 and forwards it to the Internet. The CPE 3 is the subscriber's terminal equipment, such as a personal computer or a VoIP phone; each cable modem 2 is connected to at least one CPE 3 (only one is drawn). The certificate authority 4 is connected to the CMTS 1 over the Internet; it responds to update requests from the cable modem 2 and reissues its digital certificate.

Referring to Figure 2, a functional block diagram of a preferred embodiment of the cable modem of the invention. The cable modem 2 includes a judgment module 20, an acquisition module 21, a request module 22, an analysis module 23 and a write module 24.

The judgment module 20 decides from the cable modem 2's current digital certificate whether it needs to be renewed. In this embodiment, renewal is needed if the certificate's validity period is shorter than an expected period. For example, if the current certificate is valid for 10 years and the expected period is 15 years, the certificate must be renewed. Other conditions may also be used, for example renewal when the remaining validity of the current certificate is less than a minimum remaining time.

The acquisition module 21 obtains a public IP address. In this embodiment the cable modem 2 has a private IP address, with which it cannot communicate with the certificate authority 4; to do so it needs a public IP address. To ensure that the cable modem 2 can actually reach the external network, the acquisition module 21 derives the public address from the source IP address of received packets: if a packet's source IP address is public, its destination IP address is taken to be public as well, and the packet is evidence that the cable modem 2 can exchange traffic with the external network. The procedure is: monitor for packets addressed to the CPE 3; when one is received, determine whether its source IP address is a public IP address; if it is, save that packet's destination IP address as the acquired public IP address. If the cable modem 2 has itself been assigned a public IP address, that address can be used directly to communicate with the certificate authority 4.
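The acquisition module's address-learning rule (also steps S303 to S305 below), as an added Python example written for this page; it is not code from the patent or from its assignee. The list of observed packets is constructed for the example. One check is an addition of this example, not of the patent: the destination must itself be a public address, because a public source address alone does not guarantee that the destination is reachable from the Internet (an operator may put the CPE behind NAT). Two things a practitioner should keep in mind: the learned address belongs to the CPE, so it is only usable while the CPE holds that lease, and every packet that is not an update response still has to be forwarded on to the CPE, as the analysis module does.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# RFC 6598 shared address space (carrier-grade NAT). It passes a naive
# "not RFC 1918" test but is not reachable from the Internet.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


def is_public_ipv4(addr: str) -> bool:
    """Return True only for a globally routable unicast IPv4 address."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return False
    if ip in SHARED_ADDRESS_SPACE:
        return False
    # is_private covers RFC 1918, loopback, link-local, the documentation
    # ranges and 0.0.0.0/8; the other flags exclude multicast, 240/4 and
    # the unspecified address.
    return not (ip.is_private or ip.is_multicast or ip.is_reserved
                or ip.is_unspecified)


def learn_public_ip(downstream: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Steps S303-S305: scan (source, destination) address pairs of downstream
    packets addressed to the CPE and return the destination of the first one
    whose source is public. Returns None if no such packet was seen."""
    for src, dst in downstream:
        if not is_public_ipv4(src):
            continue            # S304: private or special source, keep watching
        if not is_public_ipv4(dst):
            continue            # added check: CPE is behind NAT, address unusable
        return dst              # S305: this is the CPE's public address


# Constructed sample of downstream packets seen by the CM (not captured data).
OBSERVED_DOWNSTREAM = [
    ("192.168.100.1", "192.168.100.10"),   # management traffic, private both ways
    ("100.64.3.4", "23.20.10.5"),          # CGNAT source: not evidence of reachability
    ("52.1.2.3", "192.168.1.20"),          # public source but private destination
    ("52.1.2.3", "23.20.10.5"),            # public both ways: learn 23.20.10.5
]

if __name__ == "__main__":
    print(learn_public_ip(OBSERVED_DOWNSTREAM))
```

The classifier is deliberately stricter than "not RFC 1918": loopback, link-local, multicast, the documentation ranges and the CGNAT range all look routable to a naive check, and a CM that picked one of them up as its "public" address would never see the CA's reply.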

The request module 22 sends an update request packet to the certificate authority 4 through the CMTS 1, using the acquired public IP address as the source IP address. The update request packet contains a source IP address, a destination IP address, a source port, a destination port, a check value, the device's physical (MAC) address, the certificate length, the certificate information and so on. The source IP address is the acquired public IP address and the destination IP address is the public IP address of the certificate authority 4; the source and destination ports are two preset port numbers, for example source port 29370 and destination port 53539. The check value is used to validate the update request packet against alteration; in this embodiment it is a preset value, for example 0x97687654. When the certificate authority 4 receives an update request packet it checks the packet against this value and, if it is correct, sends an update response packet. In this embodiment a random timer A introduces a random delay before sending, so that many cable modems 2 do not send update requests to the certificate authority 4 at the same time; simultaneous requests from many cable modems 2 could easily cause data loss. Timer A runs for 0 to 10 minutes.

The analysis module 23 monitors and analyzes packets arriving from the Internet to obtain the update response packet. In this embodiment a random timer B, also running 0 to 10 minutes, bounds the wait. When timer B expires and no packet has arrived from the Internet, or the packets received were not the update response packet, the request module 22 resends the update request packet to the certificate authority 4. When a packet does arrive, the analysis module 23 determines whether it is the update response packet. Mirroring the update request packet, the update response packet contains a source IP address, a destination IP address, a source port, a destination port, a check value, the device's physical (MAC) address, the certificate length, the certificate information and so on, with the addresses and ports swapped relative to the request: the response's source IP address is the request's destination IP address, and the response's destination IP address is the request's source IP address. The analysis module 23 classifies a received packet by its format. First it checks that the source IP address is the public IP address of the certificate authority 4 and the destination IP address is the acquired public IP address. If so, it checks that the ports are correct: since the request module 22 sent the request from port 29370 to port 53539, a packet with source port 53539 and destination port 29370 has the correct ports. If the ports are correct, it checks the check value; for example, if the preset check value of the update response packet is 0x75493023 and the received packet carries 0x75493023, the check value is correct. If the check value is correct, the packet is the update response packet. Any packet that is not the update response packet is passed on by the analysis module 23 to the corresponding CPE 3.

The write module 24 writes the reissued digital certificate into the memory of the cable modem 2, replacing the current certificate, when the reissued certificate carried in the update response packet meets the requirement. In this embodiment it meets the requirement if its validity period is greater than or equal to the expected period; otherwise the packet is discarded. The reissued certificate is written into the flash memory of the cable modem 2 and takes effect after the cable modem 2 is restarted.
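The judgment module's renewal rule, the request module's packet, the analysis module's response-matching rule and the write module's acceptance test as one added Python example, written for this page rather than taken from the patent or its assignee. The patent lists the packet fields but not their wire encoding, so the fixed-width big-endian layout below is an assumption, as is the minimal encoding of the "certificate information" as notBefore/notAfter timestamps followed by an opaque body (a real CM certificate is X.509 DER). The port numbers and check values are the ones the patent gives as examples; the sample addresses, MAC and certificates are constructed. Two caveats for a practitioner: the check values are fixed constants, so they let the CM recognise its own protocol's packets but do not detect tampering or forgery on a shared channel; and before anything is written to flash, the reissued certificate's signature chain to the CA and its binding to the device's MAC address should be verified, which the patent leaves unspecified and this example does not attempt. The MAC comparison in accept_reissued is an added sanity check, not part of the patent.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Values the patent gives as examples.
REQ_SRC_PORT, REQ_DST_PORT = 29370, 53539
REQ_CHECK, RESP_CHECK = 0x97687654, 0x75493023

# Assumed wire layout (the patent names the fields but not their encoding):
# src IPv4, dst IPv4, src port, dst port, check value, device MAC, cert length.
HEADER = struct.Struct("!4s4sHHI6sH")
# Assumed certificate-information encoding: notBefore and notAfter as Unix
# seconds, followed by an opaque certificate body.
VALIDITY = struct.Struct("!QQ")
YEAR = 365 * 24 * 3600


@dataclass
class CertPacket:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    check: int
    mac: bytes
    cert: bytes


def encode(pkt: CertPacket) -> bytes:
    header = HEADER.pack(socket.inet_aton(pkt.src_ip), socket.inet_aton(pkt.dst_ip),
                         pkt.src_port, pkt.dst_port, pkt.check, pkt.mac, len(pkt.cert))
    return header + pkt.cert


def decode(raw: bytes) -> Optional[CertPacket]:
    """Parse a packet; None if it is too short or its length field does not
    match the payload (truncation or trailing garbage)."""
    if len(raw) < HEADER.size:
        return None
    src, dst, sport, dport, check, mac, cert_len = HEADER.unpack_from(raw)
    body = raw[HEADER.size:]
    if len(body) != cert_len:
        return None
    return CertPacket(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                      sport, dport, check, mac, body)


def make_cert(not_before: int, not_after: int, body: bytes = b"opaque") -> bytes:
    return VALIDITY.pack(not_before, not_after) + body


def needs_renewal(cert: bytes, expected_years: int, now: int,
                  min_remaining_years: int = 0) -> bool:
    """Judgment-module rule (the CA applies the same one): renew when the
    validity period is shorter than the expected period or the remaining
    time is below the minimum. A malformed certificate counts as needing renewal."""
    if len(cert) < VALIDITY.size:
        return True
    not_before, not_after = VALIDITY.unpack_from(cert)
    if not_after <= not_before:
        return True
    return ((not_after - not_before) < expected_years * YEAR
            or (not_after - now) < min_remaining_years * YEAR)


def build_update_request(public_ip: str, ca_ip: str, mac: bytes, current_cert: bytes) -> bytes:
    """Request module: source is the learned public IP, destination the CA."""
    return encode(CertPacket(public_ip, ca_ip, REQ_SRC_PORT, REQ_DST_PORT,
                             REQ_CHECK, mac, current_cert))


def is_update_response(pkt: CertPacket, public_ip: str, ca_ip: str) -> bool:
    """Analysis-module rule: addresses and ports mirror the request and the
    response check value is present. Anything else is forwarded to the CPE."""
    return (pkt.src_ip == ca_ip and pkt.dst_ip == public_ip
            and pkt.src_port == REQ_DST_PORT and pkt.dst_port == REQ_SRC_PORT
            and pkt.check == RESP_CHECK)


def accept_reissued(pkt: CertPacket, expected_years: int, now: int, mac: bytes) -> bool:
    """Write-module rule: the reissued certificate must satisfy the same
    requirement the judgment module used; the MAC echo check is an addition."""
    return pkt.mac == mac and not needs_renewal(pkt.cert, expected_years, now)


# Constructed sample values (not captured data).
NOW = 1_700_000_000
PUBLIC_IP, CA_IP = "23.20.10.5", "52.1.2.3"
MAC = bytes.fromhex("001122334455")
CURRENT_CERT = make_cert(NOW - 5 * YEAR, NOW + 5 * YEAR)    # 10-year certificate
REISSUED_CERT = make_cert(NOW, NOW + 20 * YEAR)             # 20-year certificate
```

Typical use: decode the learned-address/CA pair into a request with build_update_request, run every downstream packet through decode and is_update_response, forward the ones that return False, and only pass a True one to accept_reissued. Note that decode rejects length mismatches rather than trusting the length field, which is where a parser on an embedded device most often goes wrong.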

Referring to Figure 3, a flow chart of a preferred embodiment of the method for renewing the cable modem's digital certificate.

Step S301: the cable modem 2 is powered on.

Step S302: the judgment module 20 decides from the cable modem 2's current digital certificate whether renewal is needed; if not, the procedure ends. In this embodiment renewal is needed if the certificate's validity period is shorter than an expected period. For example, if the current certificate is valid for 10 years and the expected period is 15 years, the certificate must be renewed. Other conditions may also be used, for example renewal when the remaining validity of the current certificate is less than a minimum remaining time.

Step S303: if renewal is needed, the acquisition module 21 monitors whether a packet addressed to the CPE 3 has been received; if none has, it keeps monitoring.

Step S304: when a packet is received, the acquisition module 21 determines whether its source IP address is a public IP address; if it is not, return to step S303.

Step S305: if the packet's source IP address is a public IP address, the acquisition module 21 saves the packet's destination IP address as the acquired public IP address.

In this embodiment the cable modem 2 has a private IP address, with which it cannot communicate with the certificate authority 4, so it needs a public IP address; steps S303 to S305 are how it obtains one. To ensure that the cable modem 2 can actually reach the external network, the acquisition module 21 derives the address from the source IP address of a received packet: a public source IP address implies that the destination IP address is public as well, and that the cable modem 2 can exchange traffic with the external network. If the cable modem 2 has itself been assigned a public IP address, that address can be used directly to communicate with the certificate authority 4.

Step S306: start a random timer A and, when it expires, go to step S307. Many cable modems 2 communicating with the certificate authority 4 at once could easily cause data loss, so in this embodiment timer A introduces a random delay of 0 to 10 minutes to keep multiple cable modems 2 from sending update requests at the same time.

Step S307: the request module 22 sends an update request packet to the certificate authority 4 through the CMTS 1, using the acquired public IP address as the source IP address, and starts a random timer B. The update request packet contains a source IP address, a destination IP address, a source port, a destination port, a check value, the device's physical (MAC) address, the certificate length, the certificate information and so on. The source IP address is the acquired public IP address and the destination IP address is the public IP address of the certificate authority 4; the source and destination ports are two preset port numbers, for example source port 29370 and destination port 53539. The check value is used to validate the update request packet against alteration; in this embodiment it is a preset value, for example 0x97687654. When the certificate authority 4 receives an update request packet it checks the packet against this value and, if it is correct, sends an update response packet. Timer B runs for 0 to 10 minutes.

Step S308: the analysis module 23 monitors whether a packet has arrived from the Internet. If none has, go to step S309; otherwise go to step S310.

Step S309: the analysis module 23 checks whether timer B has expired; if not, return to step S308, otherwise return to step S307.

Step S310: the analysis module 23 determines whether the received packet is the update response packet. Mirroring the update request packet, the update response packet also contains a source IP address, a destination IP address, a source port, a destination port, a check value, the device's physical (MAC) address, the certificate length, the certificate information and so on, with the addresses and ports swapped relative to the request: the response's source IP address is the request's destination IP address, and the response's destination IP address is the request's source IP address. In this embodiment the analysis module 23 classifies a received packet by its format. First it checks that the source IP address is the public IP address of the certificate authority 4 and the destination IP address is the acquired public IP address. If so, it checks that the ports are correct: since in step S307 the request was sent from port 29370 to port 53539, a packet with source port 53539 and destination port 29370 has the correct ports. If the ports are correct, it checks the check value; for example, if the preset check value of the update response packet is 0x75493023 and the received packet carries 0x75493023, the check value is correct. If the check value is correct, the packet is the update response packet.

Step S311: if the packet is not the update response packet, the analysis module 23 forwards it to the corresponding CPE 3 and goes to step S309.

Step S312: if the packet is the update response packet, the write module 24 determines whether the reissued digital certificate it carries meets the requirement. In this embodiment it does if its validity period is greater than or equal to the expected period.

Step S313: if the reissued digital certificate does not meet the requirement, the write module 24 discards the packet, timer B is stopped, and the procedure returns to step S307.

Step S314: if the reissued digital certificate meets the requirement, timer B is stopped and the write module 24 writes the reissued certificate into the memory of the cable modem 2, for example its flash memory, replacing the current certificate. The reissued certificate takes effect after the cable modem 2 is restarted.
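Steps S306 to S314 as an event-driven state machine, an added Python example written for this page and not the patent's or the assignee's code. The model takes the clock from its caller instead of sleeping, and the packet rules and the timer jitter are injected as callables, so it stays independent of the wire format and can be driven deterministically; random_jitter is what production would pass in. The scenario at the end is constructed: it fixes the jitter at the 10-minute maximum the patent allows so that every timer expiry lands at a known time, sends one unrelated packet, then a response whose certificate is too short, then an acceptable one.

```python
import random
from enum import Enum
from typing import Any, Callable, Dict, List

TIMER_MAX_S = 10 * 60        # patent: random timers A and B each run 0 to 10 minutes


def random_jitter() -> float:
    """Production jitter for timers A and B: uniform over 0 to 10 minutes."""
    return random.uniform(0, TIMER_MAX_S)


class State(Enum):
    WAIT_A = "S306: random delay before the first request"
    WAIT_B = "S308/S309: waiting for the CA's response"
    DONE = "S314: certificate written, effective after reboot"


class RenewalFlow:
    """Steps S306-S314. on_tick/on_packet receive the current time, so the
    object never sleeps; send/forward/write are callbacks for the side effects."""

    def __init__(self, send: Callable[[], None], forward_to_cpe: Callable[[Any], None],
                 write_flash: Callable[[Any], None], is_response: Callable[[Any], bool],
                 cert_ok: Callable[[Any], bool], jitter: Callable[[], float], now: float):
        self.send, self.forward_to_cpe, self.write_flash = send, forward_to_cpe, write_flash
        self.is_response, self.cert_ok, self.jitter = is_response, cert_ok, jitter
        self.requests_sent = 0
        self.state = State.WAIT_A
        self.deadline = now + jitter()                 # S306: start timer A

    def _send_request(self, now: float) -> None:
        """S307: send the update request and (re)start timer B."""
        self.send()
        self.requests_sent += 1
        self.state = State.WAIT_B
        self.deadline = now + self.jitter()

    def on_tick(self, now: float) -> None:
        """Clock advanced to `now`: fire whichever timer has expired."""
        if self.state is State.WAIT_A and now >= self.deadline:
            self._send_request(now)                    # timer A expired
        elif self.state is State.WAIT_B and now >= self.deadline:
            self._send_request(now)                    # S309: timer B expired, resend

    def on_packet(self, pkt: Any, now: float) -> None:
        """A downstream packet arrived at time `now` (S308)."""
        if self.state is not State.WAIT_B or not self.is_response(pkt):
            self.forward_to_cpe(pkt)                   # S311: ordinary traffic goes on to the CPE
            self.on_tick(now)                          # then S309: has timer B expired?
            return
        if not self.cert_ok(pkt):                      # S312 failed
            self._send_request(now)                    # S313: discard, stop B, resend
            return
        self.write_flash(pkt)                          # S314: stop B, write to flash
        self.state = State.DONE


def run_scenario() -> Dict[str, Any]:
    """Constructed scenario with the jitter pinned at TIMER_MAX_S so every
    timer expiry lands at a known time."""
    log: List[str] = []
    flow = RenewalFlow(
        send=lambda: log.append("request"),
        forward_to_cpe=lambda p: log.append("forward:" + p["kind"]),
        write_flash=lambda p: log.append("write"),
        is_response=lambda p: p["kind"] == "response",
        cert_ok=lambda p: p["years"] >= 15,
        jitter=lambda: float(TIMER_MAX_S), now=0.0)
    flow.on_tick(600)                                        # timer A expires: request 1
    flow.on_packet({"kind": "web", "years": 0}, 700)         # forwarded; timer B still running
    flow.on_tick(1300)                                       # timer B expired: request 2
    flow.on_packet({"kind": "response", "years": 10}, 1400)  # 10-year cert rejected: request 3
    flow.on_packet({"kind": "response", "years": 20}, 1500)  # accepted and written
    return {"log": log, "requests": flow.requests_sent, "state": flow.state}
```

The point worth noticing in the model is that a rejected certificate (S313) restarts timer B immediately rather than waiting for it to expire, so a CA that keeps returning a certificate shorter than the expected period will be asked again every few minutes by every modem that received one; the random jitter is the only thing spreading that load.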

On the certificate authority side in the above embodiment, the certificate authority 4 receives the update request packet from the cable modem 2 and decides whether the certificate needs renewal; if so, it reissues the certificate, sends it to the cable modem 2, and records the reissue in its database. The certificate authority 4 applies the same rule as the cable modem 2, for example renewing when the current certificate's validity period is shorter than the expected period.

The above is only a preferred embodiment of the invention, which has already been put to wide use; all equivalent changes or modifications that do not depart from the spirit of the invention disclosed here are to be included within the scope of the following claims.

1‧‧‧Cable modem termination system (CMTS)

2‧‧‧Cable modem

3‧‧‧Customer premises equipment (CPE)

4‧‧‧Certificate authority

5‧‧‧Digital certificate renewal system

20‧‧‧Judgment module

21‧‧‧Acquisition module

22‧‧‧Request module

23‧‧‧Analysis module

24‧‧‧Write module

S301‧‧‧Power on the cable modem

S302‧‧‧Renew the digital certificate?

S303‧‧‧Packet addressed to the CPE received?

S304‧‧‧Is the source IP address a public IP address?

S305‧‧‧Save the packet's destination IP address as the public IP address for communicating with the certificate authority

S306‧‧‧Start random timer A

S307‧‧‧Send the update request packet and start random timer B

S308‧‧‧Packet received from the Internet?

S309‧‧‧Has random timer B expired?

S310‧‧‧Is it the update response packet?

S311‧‧‧Forward the packet to the corresponding CPE

S312‧‧‧Does the digital certificate meet the requirement?

S313‧‧‧Discard the packet and stop random timer B

S314‧‧‧Stop random timer B and write the reissued digital certificate to the cable modem

Figure 1 is a schematic of the operating environment of a preferred embodiment of the cable modem of the invention.

Figure 2 is a functional block diagram of a preferred embodiment of the cable modem of the invention.

Figure 3 is a flow chart of a preferred embodiment of the method for renewing the cable modem's digital certificate.


Claims (10)

1. A cable modem capable of updating a digital certificate, comprising: a judging module for judging, according to the current digital certificate of the cable modem, whether the validity period of the digital certificate satisfies a preset requirement; a request module for starting a random timer when the validity period of the digital certificate does not satisfy the preset requirement and, when the random timer expires, sending an update request packet to a certificate authority; an analysis module for monitoring and analyzing received packets to obtain an update request response packet from the certificate authority; and a write module for writing the reissued digital certificate contained in the update request response packet into the memory of the cable modem, replacing the current digital certificate.

2. The cable modem of claim 1, further comprising an acquisition module for acquiring a public IP address, the update request packet using the acquired public IP address as its source IP address.

3. The cable modem of claim 2, wherein the acquisition module acquires the public IP address as follows: monitoring whether a packet addressed to the customer premises equipment connected to the cable modem is received; if a packet is received, judging whether the source IP address of the packet is a public IP address; and if the source IP address of the packet is a public IP address, saving the destination IP address of the packet as the acquired public IP address.

4. The cable modem of claim 1, wherein the update request packet includes a check number, and the certificate authority verifies the update request packet according to the check number.

5. The cable modem of claim 1, wherein the update request response packet includes a check number, and the analysis module verifies the update request response packet according to the check number.

6. A method for updating the digital certificate of a cable modem, comprising the steps of: judging, according to the current digital certificate of the cable modem, whether the validity period of the digital certificate satisfies a preset requirement; when the validity period of the digital certificate does not satisfy the preset requirement, starting a random timer and, when the random timer expires, sending an update request packet to a certificate authority; monitoring and analyzing received packets to obtain an update request response packet from the certificate authority; and writing the reissued digital certificate contained in the update request response packet into the memory of the cable modem, replacing the current digital certificate.

7. The method of claim 6, further comprising, before the step of sending the update request packet to the certificate authority: acquiring a public IP address, the update request packet using the acquired public IP address as its source IP address.

8. The method of claim 7, wherein acquiring the public IP address is as follows: monitoring whether a packet addressed to the customer premises equipment connected to the cable modem is received; if a packet is received, judging whether the source IP address of the packet is a public IP address; and if the source IP address of the packet is a public IP address, saving the destination IP address of the packet as the acquired public IP address.

9. The method of claim 6, wherein the update request packet includes a check number, and the certificate authority verifies the update request packet according to the check number.

10. The method of claim 6, wherein the update request response packet includes a check number, and the cable modem verifies the update request response packet according to the check number.
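The following is an added example, not code from the patent, modelling the logic of claims 1, 3, 5, 8 and 10 and steps S302 to S314: learning the public address from downstream traffic, deciding whether renewal is due, and accepting or discarding a response. The "preset requirement" is assumed to be a minimum number of days of remaining validity, the "check number" is assumed to be SHA-256, and the packet shapes are constructed for the example.

```python
import hashlib
import ipaddress
from datetime import date

def is_public_ip(ip: str) -> bool:
    """Globally routable? RFC 1918, loopback, link-local and the 100.64.0.0/10
    shared space many cable operators use for CGNAT all answer False."""
    return ipaddress.ip_address(ip).is_global

def learn_public_ip(downstream_packets):
    """Claims 3 and 8 (steps S303 to S305): scan packets addressed to the CPE behind the
    modem, given as (source_ip, destination_ip) pairs. The first one whose source is
    public carries, in its destination field, the address the modem can use toward the CA."""
    for src, dst in downstream_packets:
        if is_public_ip(src):
            return dst
    return None

def needs_renewal(not_after: str, today: str, min_days_left: int) -> bool:
    """Claim 1 / step S302. The 'preset requirement' is taken here to be a minimum number
    of days of remaining validity (an assumption; the claims do not fix the rule).
    Dates are ISO strings, e.g. '2009-01-16'."""
    return (date.fromisoformat(not_after) - date.fromisoformat(today)).days < min_days_left

def check_number(cert: bytes, not_after: str) -> str:
    """The claims only call for 'a check number'; this example uses SHA-256 over the
    certificate bytes and its expiry (an assumption). It detects corruption only and does
    not prove who sent the packet, so it is no substitute for verifying the CA's signature."""
    return hashlib.sha256(cert + b"|" + not_after.encode()).hexdigest()

def make_response(cert: bytes, not_after: str) -> dict:
    """Shape of an update request response as this example models it (constructed)."""
    return {"type": "update_response", "cert": cert, "not_after": not_after,
            "check": check_number(cert, not_after)}

def handle_downstream(pkt: dict, today: str, min_days_left: int) -> str:
    """Steps S310 to S314 for one packet that arrived from the Internet while timer B runs.
    Returns 'forward' (not a renewal response: pass it to the CPE), 'discard'
    (bad check number or certificate still too short-lived) or 'install'
    (write the reissued certificate to memory and stop timer B)."""
    if pkt.get("type") != "update_response":
        return "forward"
    if pkt.get("check") != check_number(pkt.get("cert", b""), pkt.get("not_after", "")):
        return "discard"
    if needs_renewal(pkt["not_after"], today, min_days_left):
        return "discard"
    return "install"
```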
TW098101674A 2009-01-16 2009-01-16 Cable modem and method for reissuing a digital certificate TWI531194B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW098101674A TWI531194B (en) 2009-01-16 2009-01-16 Cable modem and method for reissuing a digital certificate

Publications (2)

Publication Number Publication Date
TW201029411A TW201029411A (en) 2010-08-01
TWI531194B true TWI531194B (en) 2016-04-21

Family

ID=44854017

Country Status (1)

Country Link
TW (1) TWI531194B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI479874B (en) * 2010-08-25 2015-04-01 Hon Hai Prec Ind Co Ltd Communication terminal device and method for updating certification of the device
TWI668971B (en) * 2018-02-12 2019-08-11 和碩聯合科技股份有限公司 A modem device and a method for verifying data

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees