WO2005057845A1 - Method for secure verification between a manager and an agent in a network - Google Patents


Info

Publication number
WO2005057845A1
Authority
WO
WIPO (PCT)
Prior art keywords
manager
agent
algorithm
ciphertext
network transmission
Prior art date
Application number
PCT/CN2004/001425
Other languages
English (en)
Chinese (zh)
Inventor
Muhong Zhu
Ruijie Zhou
Qiang Wu
Bangqing Li
Original Assignee
Huawei Technologies Co., Ltd.
Priority date: 2003-12-10
Filing date: 2004-12-07
Publication date: 2005-06-23
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2005057845A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/44 Program or device authentication
    • G06F 21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2103 Challenge-response
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L 2209/76 Proxy, i.e. using intermediary entity to perform cryptographic operations

Definitions

  • The present invention relates to a method for security verification in a network, and in particular to a method for mutual security verification between managers and agents.
  • The existing network management and control architecture uses a system management model of remote monitoring and logical management.
  • The core of the system management model is a pair of system management entities, a manager and an agent, which are interconnected through a management communication protocol.
  • The manager is the entity that manages the management process of the system.
  • The agent is the peer process entity in the managed system.
  • The manager issues management operation commands to the agent; the agent is responsible for accessing the managed objects in the management information database of the managed system, executing the operation commands issued by the manager, and reporting the operation results to the manager.
  • The agent also actively passes notifications about the managed objects to the manager.
  • The transmission of the related operation commands, operation results and notifications relies on standard communication protocols, such as the Open System Interconnect Reference Model (OSI) or the Transmission Control Protocol / Internet Protocol (TCP/IP).
  • When a management node issues an operation command to another management node, it is a manager; when it accepts an operation command from another management node, it is an agent. The manager and the agent can therefore also be regarded as two roles of one management entity.
  • The management entity composed of the manager and agent roles has the following characteristics: first, it can take the role of manager.
  • The above solution has the following problems: first, the user management system of each agent cannot exist independently of the manager system; second, the complexity of the manager system cannot be reduced; third, it cannot prevent illegal users from stealing user names and passwords over the network.
  • The main reason is that the user name and password information used by the manager is part of the agent's security management information. If an agent modifies its own security management information, for example by modifying or deleting a user, the manager must be notified to make the corresponding change before management can continue. This management method inevitably makes the agent's user management system depend on the manager system.
  • The scheme in which one manager manages multiple agents is currently the more common one, and the user names and passwords of the agents differ. The manager must therefore store and record the user names and passwords of all of these agents.
  • The direct result is that the complexity of security management is too high, which not only increases the maintenance workload but also reduces the security of the system.
  • The main object of the present invention is to provide a method for mutual security verification between managers and agents in network transmission, so that the user management system of each agent can exist independently of the manager system, improving the maintainability of the security system and the efficiency of management.
  • The present invention provides a method for mutual security verification between a manager and an agent in network transmission, comprising the following steps:
  • A. the agent determines the encrypted ciphertext and sends it to the manager;
  • B. the manager encrypts the received ciphertext with a third algorithm and sends the result to the agent;
  • C. the agent decrypts the received ciphertext with the inverse of the third algorithm;
  • D. the agent determines whether the identity check passes by comparing whether the decrypted ciphertext and the encrypted ciphertext are equal.
  • Step A may further include: the agent encrypts the encrypted ciphertext with a first algorithm.
  • Step B then further includes: the manager decrypts the received ciphertext with the inverse of the first algorithm.
  • The encrypted ciphertext in step A is a random number generated by the agent.
  • The third algorithm and the first algorithm are different algorithms. In practice, the third algorithm is a custom simple algorithm, the Data Encryption Standard (DES) algorithm, or the Tiny Encryption Algorithm (TEA).
  • The first algorithm may likewise be a custom simple algorithm, DES, or TEA.
  • The manager described above is a telecommunications network element management system (EMS), and the agent is a network element.
  • The technical solution of the present invention replaces the original password authentication with a process of verifying the security algorithm, applied uniformly to managers and agents.
  • The user management system of each agent can then exist independently of the manager system, which simplifies the manager's security management mode.
  • The technical solution implements two-way verification between the manager and the agent, which improves the security of the manager's connection to the agent, speeds up verification, and increases the maintainability of the whole system. These differences bring clear beneficial effects.
  • The technical solution enables the user management system of each agent to exist independently of the manager system, so that agents and managers no longer depend on each other's security management systems.
  • Because the agent's security management is independent, the manager no longer needs to store and record the user name and password of each agent, which simplifies the manager's security management mode.
  • Between the manager and the agent, a fixed verification mechanism ensures their lasting mutual trust, so that the security of the manager's connection to the agent is guaranteed, the speed is increased, and the whole system has good maintainability.
  • The technical solution thus addresses the shortcomings of current EMS management systems: it simplifies the security verification steps while preserving security, significantly improves the maintainability of the security system, and improves management efficiency, which gives it high practical value.
  • FIG. 1 is a schematic flowchart of mutual security verification between a manager and an agent in network transmission according to an embodiment of the present invention.
  • In the process of mutual security verification between the manager and the agent according to an embodiment of the present invention, when the manager is ready to establish a connection with the agent, step 100 is performed first: the manager sends a connection request to the agent, and the connection request requires identity verification.
  • The connection is usually initiated by the manager, because the manager's job is to issue management operation commands to the agent, and the agent is only responsible for accessing the managed objects in its own management information database, executing the operation commands issued by the manager, and returning the operation results to the manager.
  • Step 110 is executed: after receiving the connection request sent by the manager, the agent generates a random number M.
  • The random number is generally produced by a random function. There is no fixed relationship between successive random numbers, so even if they are captured in transit, an attacker cannot find a pattern in them, and cannot derive from them the encryption algorithm used by the two parties.
  • Step 120 is performed: the agent encrypts the random number M generated in the previous step with the first algorithm to obtain the first ciphertext, and then sends it to the manager.
  • The encryption algorithm is, for example, the most typical Data Encryption Standard (DES) algorithm, or the Tiny Encryption Algorithm (TEA).
  • The first ciphertext in step 120 may also be determined by the agent and sent directly to the manager, in which case the process proceeds directly to step 140 without the encryption and decryption of steps 120 and 130.
  • The first ciphertext may also be agreed in advance by both parties.
  • Otherwise the process proceeds to step 130.
  • The manager uses the inverse of the first algorithm to decrypt the first ciphertext and obtain the second ciphertext. Because the manager needs the inverse algorithm to decrypt the received ciphertext, the manager and the agent must fix the encryption algorithm to be used and its corresponding inverse before establishing a connection, so that the manager and the agent can perform the encryption and decryption respectively during management.
  • In step 140, the manager encrypts the second ciphertext just decrypted with the third algorithm, and transmits the resulting third ciphertext to the agent; the agent then executes step 150.
  • In step 150, the agent decrypts the third ciphertext with the inverse of the third algorithm, the fourth algorithm, to obtain the fourth ciphertext.
  • The relationship between the third algorithm and the fourth algorithm is the same as that between the first algorithm and the second algorithm above: each is a pair of mutually inverse algorithms, so that after the four operations of the first, second, third and fourth algorithms the random number M is restored as M. The technical solution of the present invention uses this principle for verification.
  • Step 160 is executed.
  • The agent compares the calculated fourth ciphertext with the initial random number M. If they are equal, the check passes and the agent sends a message to the manager to establish the connection; if they are not equal, the check fails and the connection is terminated.
  • The whole process described above is in fact a two-way verification between the manager and the agent, and this check strictly guarantees the identity of both parties for the data transmission that follows between them. In addition, only encrypted random numbers are transmitted on the network; even if they are captured maliciously, an attacker cannot learn how the encryption algorithms of the two sides are implemented, so the scheme has high security.
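The exchange of steps 100 to 160, as an added worked example that is not part of the patent text and not Huawei's implementation: the first algorithm is a constructed byte-wise add-then-XOR scheme standing in for the patent's "custom simple algorithm", the third algorithm is standard 32-round TEA (one of the ciphers the patent names), M is an 8-byte value from a random function, and the class names, key sizes and message format are assumptions of this example. The manager performs steps 130 and 140, the agent performs steps 110, 120, 150 and 160, and a manager holding the wrong key for either algorithm is rejected at step 160.

```python
"""Worked model of the manager/agent verification flow (steps 100-160). Example code, not the patent's."""
import hmac
import secrets

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9  # TEA round constant


def tea_encrypt_block(block: bytes, key: bytes) -> bytes:
    """Standard 32-round TEA on one 8-byte block with a 16-byte key (the 'third algorithm')."""
    v0 = int.from_bytes(block[:4], "big")
    v1 = int.from_bytes(block[4:], "big")
    k = [int.from_bytes(key[i:i + 4], "big") for i in range(0, 16, 4)]
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
    return v0.to_bytes(4, "big") + v1.to_bytes(4, "big")


def tea_decrypt_block(block: bytes, key: bytes) -> bytes:
    """Inverse of tea_encrypt_block (the 'fourth algorithm'): same rounds, run backwards."""
    v0 = int.from_bytes(block[:4], "big")
    v1 = int.from_bytes(block[4:], "big")
    k = [int.from_bytes(key[i:i + 4], "big") for i in range(0, 16, 4)]
    s = (DELTA * 32) & MASK32
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        s = (s - DELTA) & MASK32
    return v0.to_bytes(4, "big") + v1.to_bytes(4, "big")


def simple_encrypt(block: bytes, key: bytes) -> bytes:
    """Constructed stand-in for the 'custom simple algorithm' (first algorithm): add, then XOR, per byte."""
    return bytes(((b + k) & 0xFF) ^ k for b, k in zip(block, key))


def simple_decrypt(block: bytes, key: bytes) -> bytes:
    """Inverse of simple_encrypt (the 'second algorithm')."""
    return bytes(((c ^ k) - k) & 0xFF for c, k in zip(block, key))


class Agent:
    """Managed network element. Keys are fixed with the manager before any connection (assumed 8 + 16 bytes)."""

    def __init__(self, first_key: bytes, third_key: bytes, rng=secrets.token_bytes):
        self.first_key = first_key
        self.third_key = third_key
        self.rng = rng    # injectable random function so a test can fix M
        self.m = None     # the random number M of step 110

    def on_connect_request(self) -> bytes:
        """Steps 110-120: generate M, encrypt it with the first algorithm, return the first ciphertext."""
        self.m = self.rng(8)
        return simple_encrypt(self.m, self.first_key)

    def verify(self, third_ciphertext: bytes) -> bool:
        """Steps 150-160: apply the fourth algorithm and compare the result with M (constant time)."""
        fourth = tea_decrypt_block(third_ciphertext, self.third_key)
        return hmac.compare_digest(fourth, self.m)


class Manager:
    """Element management system side of the exchange."""

    def __init__(self, first_key: bytes, third_key: bytes):
        self.first_key = first_key
        self.third_key = third_key

    def on_first_ciphertext(self, first_ciphertext: bytes) -> bytes:
        """Steps 130-140: decrypt with the inverse of the first algorithm, re-encrypt with the third."""
        second = simple_decrypt(first_ciphertext, self.first_key)
        return tea_encrypt_block(second, self.third_key)


def run_handshake(manager: Manager, agent: Agent) -> bool:
    """Drive the exchange end to end; True means the agent accepts the connection at step 160."""
    # Step 100: the manager's connection request carries no secret; it only starts the flow.
    first_ct = agent.on_connect_request()              # agent -> manager (step 120)
    third_ct = manager.on_first_ciphertext(first_ct)   # manager -> agent (step 140)
    return agent.verify(third_ct)                      # step 160 decision


if __name__ == "__main__":
    k1, k3 = secrets.token_bytes(8), secrets.token_bytes(16)   # constructed shared keys
    print("correct keys:   ", run_handshake(Manager(k1, k3), Agent(k1, k3)))
    print("wrong third key:", run_handshake(Manager(k1, bytes(16)), Agent(k1, k3)))
```

The decision in step 160 is taken by the agent alone, which is why the example puts the comparison in `Agent.verify`; the manager only learns the outcome from the connection-established message that follows. The comparison uses `hmac.compare_digest` so that its running time does not depend on where the two 8-byte values first differ.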

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a secure verification method in a network, by which a manager and an agent can securely verify each other in a network transmission; it makes the user management system of each agent independent of the manager system and improves the maintainability of the security system and the efficiency of management. The method by which the manager and the agent securely verify each other in a network transmission comprises the following steps: A. the agent determines the ciphertext and sends the ciphertext to the manager; B. the manager encrypts the ciphertext with a third algorithm and sends it to the agent; C. the agent decrypts the received ciphertext with the inverse of the third algorithm; D. the agent determines whether the verification has passed by comparing the decrypted text with the ciphertext.
PCT/CN2004/001425 2003-12-10 2004-12-07 Method for secure verification between a manager and an agent in a network WO2005057845A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200310119341.2 2003-12-10
CN 200310119341 CN1627680A (zh) 2003-12-10 2003-12-10 Method for mutual security verification between a manager and an agent in network transmission

Publications (1)

Publication Number Publication Date
WO2005057845A1 true WO2005057845A1 (fr) 2005-06-23

Family

ID=34661414

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2004/001425 WO2005057845A1 (fr) 2003-12-10 2004-12-07 Method for secure verification between a manager and an agent in a network

Country Status (2)

Country Link
CN (1) CN1627680A (fr)
WO (1) WO2005057845A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105893833A (zh) * 2016-03-31 2016-08-24 Shandong Chaoyue Numerical Control Electronics Co., Ltd. A hardware interface for firmware security management

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1905436B (zh) * 2005-07-28 2010-05-05 Beihang University (Beijing University of Aeronautics and Astronautics) Method for ensuring the security of data exchange
CN101321172B (zh) * 2008-07-22 2011-07-13 ZTE Corporation Apparatus and method for verifying consistency of management authority at both ends of a link
US10277559B2 (en) * 2014-05-21 2019-04-30 Excalibur Ip, Llc Methods and systems for data traffic control and encryption

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5590199A (en) * 1993-10-12 1996-12-31 The Mitre Corporation Electronic information network user authentication and authorization system
CN1167381A (zh) * 1996-05-20 1997-12-10 Sony Corporation Identification signal recording method and apparatus
CN1208296A (zh) * 1997-06-17 1999-02-17 Kabushiki Kaisha Toshiba Device authenticator for authenticating a device using a set of multiple keys
CN1259260A (zh) * 1997-06-06 2000-07-05 Thomson Consumer Electronics, Inc. Conditional access system for a set-top box



Also Published As

Publication number Publication date
CN1627680A (zh) 2005-06-15

Similar Documents

Publication Publication Date Title
US6377691B1 (en) Challenge-response authentication and key exchange for a connectionless security protocol
JP4304055B2 (ja) Method and structure for providing client session failover
US7356601B1 (en) Method and apparatus for authorizing network device operations that are requested by applications
US20110170696A1 (en) System and method for secure access
US20080195740A1 (en) Maintaining session state information in a client server system
US20090113537A1 (en) Proxy authentication server
WO2003042798A2 (fr) Method, apparatus and computer programs implementing a mutual challenge-response authentication protocol using operating system capabilities
US8099602B2 (en) Methods for integrating security in network communications and systems thereof
JPH07325785A (ja) Network user authentication method, encrypted communication method, and application client and server
US7363486B2 (en) Method and system for authentication through a communications pipe
Groß et al. Browser model for security analysis of browser-based protocols
CN108289074A (zh) User account login method and apparatus
WO2005057841A1 (fr) Method for producing a dynamic cryptogram in a network transmission and method for transmitting network data
US20090185685A1 (en) Trust session management in host-based authentication
US8112629B2 (en) Stateless challenge-response protocol
WO2005057845A1 (fr) Method for secure verification between a manager and an agent in a network
CN116633576A (zh) Secure and trusted NC-Link agent, control method, device and terminal
Zou et al. Information Security Transmission Technology in Internet of Things Control System.
WO2021253852A1 (fr) Method and system for authority authentication based on data-center 5G network encryption multicast
EP1396961B1 (fr) Method, system and apparatus for authenticating data communication
Buchheim et al. Implementing the intrusion detection exchange protocol
WO2013182151A1 (fr) Authentication system and method based on an internet service application
CN106453336B (zh) Method for an intranet to actively provide a call service to an extranet host
CN117155717B (zh) Identity-based-cryptography authentication method, and cross-network cross-domain data exchange method and system
CN115622715B (zh) Token-based distributed storage system, gateway and method

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase