WO2011110096A1

WO2011110096A1 - Method and device for realizing trusted network connection through router or switch

Info

Publication number: WO2011110096A1
Application number: PCT/CN2011/071679
Authority: WO
Inventors: 谢建平; 南湘浩; 林肇; 程晓卫; 陈六广
Original assignee: 上海通用化工技术研究所; 北京易恒信认证科技有限公司
Priority date: 2010-03-10
Filing date: 2011-03-10
Publication date: 2011-09-15
Also published as: CN101808142B; CN101808142A

Abstract

The present invention discloses a method and device for realizing trusted network connection through a router or a switch, which prevent invalid access of DOS attack, relay attack and invasion of Trojan horse and other malicious software and guarantee routing privacy. The technical solution of the invention is that: through extension of the existed IP header at the router, a source address and a destination address are verified, thereby address authenticity certification and address lifetime certification are provided, and the invalid access of the DOS attack is prevented; the freshness certification of the current connection is provided to prevent the relay attack on the router; the credibility of the routing operating environment is provided to prevent the invasion of the Trojan horse and other malicious software on the router; and the decryption function is added to the router to guarantee the routing privacy. The method and the device are used in the offices, organizations and departments with privacy and safety requirements.

Description

Method and apparatus for implementing trusted network connection through a router or switch

Field of invention

The present invention relates to a communication connection technology, and more particularly to a communication method and apparatus for implementing a trusted network connection through a router or a switch. Background technique

The implementation of Internet information network security technology is an important measure for computer Internet information units and networked units to protect the Internet and its own safe production, and prevent illegal elements from using the Internet to carry out sabotage activities and disseminate harmful information. Traditional Internet information network security technologies generally have two categories: log auditing and anti-virus and anti-hacking techniques.

Internet log auditing measures are the cornerstone for maintaining the Internet and information security, and are an important basis for public security organs to combat computer crime. The Internet access unit shall provide the network topology and IP address and allocation usage. Establish a complete log audit record on the host computer, gateway, and firewall. The log audit focuses on the system clock and operating system logs. The technical indicators mainly include: system startup time, user login account number, login time, user operation, shutdown time, and so on. For each network connection, record the source IP address of the connection, the IP address of the destination machine, the time of the connection, and the protocol used. In principle, the log auditing system uses products that have passed the test of the public security organs. ISPs and ICP units with strong technical strength can develop their own products.

Anti-virus and anti-hacking technical measures are to prevent criminals from using the Internet to carry out sabotage activities and to protect the information security of the Internet and their own units. All units should develop the following security measures for anti-virus and anti-hacker attacks:

1. All computers connected to the Internet should use anti-virus products that have passed the test by the public security organs and regularly download virus signatures to upgrade the anti-virus software to ensure that the computer will not be attacked by the discovered viruses.

2. Ensure physical network security and prevent security risks caused by physical media, signal radiation, etc.

3. Using network security control technology, the networked unit should use firewall, IDS and other equipment to protect the network security.

4. Develop system security technical measures, use vulnerability scanning software to scan for system vulnerabilities, and close unnecessary service ports. 5. Develop a password management system to prevent system passwords from being leaked and hacked.

6. Develop a system patch management system, determine system patch updates, installations, and release measures to block system vulnerabilities in a timely manner.

In summary, most of the existing network security technologies use hardware and software firewalls or anti-virus software and conventional security technologies to ensure network security, which cannot fundamentally control and increase costs. Many anti-killing Trojans software and firewalls are built on switches, terminal computers, etc., and cannot control the security of Trojan attacks and information from the source.

In the past, routers only focused on the routing of the next hop, and did not care about where the packet came from or the lifetime and freshness of the packet. Therefore, if the verification of the starting address of the data packet and the lifetime and freshness of the data packet are not solved, the illegal access and attack by the hacker or the Trojan virus cannot be overcome, and the network of the individual, the enterprise, the security unit, and the like is insecure. Summary of invention

SUMMARY OF THE INVENTION An object of the present invention is to solve the above problems and to provide a method for implementing a trusted network connection through a router or a switch, which can prevent unauthorized access.

Another object of the present invention is to provide a device for implementing a trusted network connection, which can prevent illegal access of DOS attacks, prevent resend attacks, prevent malware such as Trojans, and ensure the privacy of routes.

The technical solution of the present invention is: The present invention discloses a method for implementing a trusted network connection through a router or a switch, which implements a trusted network connection between network devices of a router or a switch and a network terminal, in a router or a switch. The network device uses the source IP address or the destination IP address in the header, the source hardware address or the destination hardware address, all or part of the specified or randomly defined numbers and characters to be parallel or superimposed as the identifier for mutual signature authentication, in the networked computer Parallel or superimposed as the identification of each other in the header or source IP address, source hardware address or destination hardware address, specified or randomly defined numbers and characters in the header, the method includes:

Source and destination computers, routers, or switches all have numeric or character-defined router or switch hardware addresses, IP addresses, specified or randomly defined numbers and characters, computer hardware addresses, IP addresses, specified or randomly defined numbers and characters Provides accurate time proof in whole or in part, and verifies that the time proof has been modified, combined with hardware address, IP address, specified or randomly generated Digitally sign all or part of the digital and character data and generate a time certificate, a lifetime certificate and a hardware address, an IP address, a specified or randomly generated number and all or part of the data of the character for parallel or superimposed hybrid signatures, Delivered to the next hop router or switch along with the data;

The router or switch checks the time certificate of the networked computer, the lifetime certificate and hardware address, the IP address, the data signature of the specified or randomly generated numbers and characters, and receives and forwards the data if the verification passes, otherwise discards or data annihilates ;

Router or switch for hardware address, IP address, specified or randomly defined numbers and characters, networked computer source hardware address, IP address, specified or randomly defined numbers and characters, all or part of the exact time, lifetime certificate and encryption Or non-encrypted checksum, CPK check authentication data, CA-certified verification authentication data for digital signature, generate time certificate, validity period proof signature and checksum, CPK signature, CA authentication for parallel or superimposed hybrid signature, And handed over to the next hop router along with the forwarding data;

The router or switch verifies the signature of the previous hop router or switch. The signature verification is performed step by step. Each layer performs signature verification on the upper layer. At the same time, the router or switch needs to sign the corresponding object of this layer, and also passes different IP versions. The protocol tunneling route or protocol conversion software or computer of different IP versions sends the signature verification to the destination router or switch to ensure its authenticity. If the verification passes, the forwarding data is forwarded to the next hop router or switch to the destination router. Or switch;

After the forwarding data arrives at the destination router or switch, the signature verification operation is performed. After the destination router or switch decrypts the verified parallel or superimposed mixed signature data into the designed received data, the destination packet is forwarded to the destination computer.

In accordance with an embodiment of the present invention, a method of implementing a trusted network connection by a router or switch, the IP address is an address of a plurality of version IP protocols.

In accordance with an embodiment of the method of implementing a trusted network connection by a router or switch in accordance with the present invention, all or a portion of the designated or randomly defined numbers and characters are mutually authenticated as an identity.

In accordance with an embodiment of the present invention, a method of implementing a trusted network connection by a router or switch, the hardware address is a multi-defined hardware address.

An embodiment of a method for implementing a trusted network connection by a router or switch in accordance with the present invention, a source or destination networked computer, router or switch defining a router or switch for numbers and characters Hardware address, IP address, specified or randomly defined numbers and characters, source or destination of the networked computer's source hardware address, IP address, specified or randomly defined numbers and characters, all or part of which provide accurate time proof and expiration date And verify that the time certificate and validity period have been modified, the accurate time proof, and verify that the time certificate and validity period have been modified by the digital signature and the verification of the digital signature result is specified or randomly generated All or part of the hardware address, IP address, specified or randomly generated numbers and characters are digitally parallel or superimposed with a mixed signature.

According to an embodiment of the method for implementing a trusted network connection by a router or a switch according to the present invention, the source address and the destination address or the verification content of the additional information are added to the IP header, and the originating router, the transit router, and the destination router are configured for each IP. The header is tested to provide proof of authenticity of the address or additional information.

In accordance with an embodiment of the method of implementing a trusted network connection by a router or switch in accordance with the present invention, all signatures are stored in an IP header.

The present invention also discloses an apparatus for implementing a trusted network connection, including: preventing an illegal access module from determining whether the pair is verified by digital parallel or superimposed hybrid signature in the original IP address header when receiving the forwarded data. Forward data for reception to prevent illegal access;

Prevent the retransmission attack module from preventing retransmission attacks by the IP address of the connected digital parallel or superimposed hybrid signature and the freshness proof of the time validity period of the signature;

To prevent the Trojan intrusion module, the router and switch connected by the trusted network perform digital parallel or superimposed hybrid signature on the router and the switch. If the network data carrying the Trojan is not signed, the destination computer cannot be reached, and the credibility of the routing operation environment is adopted. Prevent Trojan intrusion from non-forwarding destination computers;

The de-encryption module ensures the privacy of the route by de-encrypting the forwarded data.

An embodiment of an apparatus for implementing a trusted network connection in accordance with the present invention is a switch of a router or circuit network of an IP network. Compared with the prior art, the present invention has the following beneficial effects: The present invention verifies the original address and the destination address by extending the existing IP header on the router, thereby providing the address authenticity certificate and the address lifetime certificate, and preventing the DOS attack. Illegal access; provide this connection freshness proof, in routing Prevent resend attacks on the device; Provide credibility of the routing operation environment, prevent malware such as Trojans from invading the router; Add de-encryption on the router to ensure the privacy of the route, for confidentiality or security needs Unit, institution or department. DRAWINGS

BRIEF DESCRIPTION OF THE DRAWINGS Figure 1 is a flow diagram of an embodiment of a method of implementing a trusted network connection by a router or switch of the present invention.

2A to 2B are diagrams showing the format of the IPV4 header of the present invention.

3 is a schematic diagram of an IPV6, IPV9 header format of the present invention.

4 is a schematic diagram of an embodiment of an apparatus for implementing a trusted network connection of the present invention.

Figure 5 is a schematic illustration of the trusted routing of the present invention compatible with current V4/V6 and future operating modes of the new protocol. Detailed description of the invention

The invention will now be further described with reference to the drawings and specific embodiments set forth below. Routers in information networks are the basic components of the Internet. This scheme adopts the identification authentication technology for the first time in the router design, providing address authenticity proof and lifetime time proof to prevent illegal access; providing this connection freshness proof to prevent retransmission attacks; first adopting software or hardware The identification authentication technology provides the credibility of the router operating environment and prevents malware such as Trojans from intruding. This design also provides encryption and encryption to ensure privacy. This is a key security requirement for next-generation Internet protocols and future network protocols. This design approach combines new addressing technologies with geolocation addressing to build routers for the next generation of the Internet. This technology is also used in the design of new switches in telecommunications networks.

The router works in the network layer of the 0SI seven-layer protocol. Its main function is to connect the network and the network, and forward the data packets between the networks. Routers have become the most important network equipment, so the research of next-generation routers will become the core technology of future Internet research. Due to the IPv4 and IPv6 protocols that the Internet has been running, it does not meet the new requirements for Cyber Security trusted network connections. The TCP/IP protocol does not consider security issues, does not provide proof of address authenticity and lifetime credentials, does not prevent illegal access, and does not resist DOS attacks. Currently, all kinds of malware and spam are rampant on the Internet, serious The environment in which the Internet is polluted directly affects the survival of the Internet. Therefore, countries have carried out research on the future Internet. In 2008, 65 scientific research institutions in the European Union jointly issued the Brad Declaration, calling for the development of a new generation of the Internet. The EU has raised 9.1 billion euros to support future Internet research and development. The Obama administration of the United States has just proposed identification and addressing systems as its main research tasks this year, and has emphasized international cooperation. The International Standards Organization ISO proposed a future network plan in 2007.

In the future, China has not formally proposed a future Internet plan, but the work is quietly carried out. China's IPv9 has implemented a geographical location addressing method, which solves the problem of real-name address combining IP address and geographic location. Later, South Korea also proposed the idea of geographical location and addressing, becoming the second country to propose a new addressing method. The CPK logo authentication technology is mature and can be used in Internet protocols to implement trusted network connections.

For the method of implementing a trusted network connection through a router or switch, Figure 1 shows the flow of this method. In order to implement a trusted network connection between routers and users, a user name (for example, pel in FIG. 1) and a routing address (for example, router alf in FIG. 1) are identified for identity authentication. Between the routers, the IP addresses are used as the identifiers for mutual authentication, and the users are authenticated by the user name as the identifier. Assuming that the pcl ID is the username of a client, AlfalD is the IP address of a router, then PC1 and ALFA represent their respective public keys (uppercase), and pel and alfa represent their respective private keys (lowercase). If a CPK-card defined as AlfalD is inserted on any router, then the router becomes the router identified as AlfalD. Similarly, any router inserts a CPK-card defined as BetalD, and the router becomes a router identified as BetalD. As an example, assume that Mf _a ID = "China, Beijing, Haidian, Peking University", BetaID = "China, Beijing, Haidian, Tsinghua University".

Now assume that the starting address is AlfalD and the destination address is BetalD. The connection process is shown in Figure 1. The dotted line indicates the path of the packet data using the user Pcl ID to the user Pc2ID via the router. Each router will verify the original address ( The original address in this embodiment is the AlfalDo in Figure 1. As for the user Pc2ID to authenticate the Pcl ID, it belongs to the transaction authentication, and can only be opened after the data packet is opened, which is the task of the user layer.

The IP packet of the departure router passes through multiple transit routers (also known as transit routers) and finally reaches the destination router. It is easy to illegally access in the intermediate transit router. Traditional routers only focus on the next hop routing, and don't care where this packet comes from. In order to implement a trusted network connection, the router in this embodiment must satisfy the following four conditions: (1) The originating address must give a proof of the sending address, which can be any place. To verify; (2) all path routers verify the original address, if they do not match, refuse to forward; (3) can prevent illegal access, resist DOS attacks; (4) the computing environment inside the router is trusted.

For the connection process where the destination address is AlfalD and the destination address is BetalD, the dotted line in Figure 1 indicates that the CPK-card is used and the primary address authentication is performed.

Path 1 : The following steps are all based on the IPV9 protocol and CPK-card:

First, the client Pel ID signs the time and MAC, and delivers the signature data to the router AlfaID. Second, the router AlfalD checks the time signature and MAC signature of the client Pel ID, and if the authentication passes, it receives, otherwise it rejects.

Then, the router AlfalD signs the time, checksum, and forwards it to the next router.

After the router AlfalD, routing operations such as GamID, LamID, and BetalD are the same as those of the router AlfalD. That is: the next router verifies the original address signature and the signature of the previous router, and if the verification passes, the data data is forwarded to the next router.

Finally, the destination router BetalD forwards the data data to the receiving user Pc2ID.

Path 2: In the following steps, the client uses the IPV9 protocol but does not use CPK-card:

The user Pc3ID does not use the CPK-card but passes the PT conversion (protocol conversion router) to the IPV9 protocol. The data is sent to the user Pc4ID via the router AlfalD. The router AlfalD obtains the source address of the packet as the public key, and verifies the correctness of the source. If the illegal address is found, the data is discarded.

Path 3: In the following steps, the client does not use the IPV9 protocol and does not use CPK-card:

The user Pc3ID does not use the CPK-card and uses the IPV4/IPV6 protocol to send data to the user Pc4ID via the router AlfalD. The router DeltalD and SigID arrive at the router BetalD and forward the data to the user Pc4ID.

Path 4: In the following steps, the client adopts the IPV9 protocol and uses the CPK-card, but the intermediate IPV9 route does not use the CPK-card:

(1) The user Pel ID is signed using the local address as the public key, and the data is sent to the user Pc2ID via the router AlfalD.

(2) The router AlfalD obtains the source address of the packet as the public key and verifies the correctness of the source. If an illegal address is encountered, the data is discarded. After the source address is verified correctly, the original signature is removed and the local address is used as the public key signature. After the signature, normal routing data is forwarded.

(3) The routing GamID does not use the CPK-card, obtain the source address of the data packet as the public key, and verify If the source is correct, the data is discarded if an illegal address is encountered. If it is normal, the normal routing data is forwarded.

(4) The routing operations of routers such as LamID and BetalD are the same as above.

(5) The router BetelD forwards the data to the destination user Pc2 ID.

Trusted Route Compatible The working mode of the IPV4/IPV6 protocol is shown in Figure 5. In order to implement a trusted IP network connection, a new IP header format is required. The header includes at least a source address, a transmission time, an address-to-time signature, a destination address, and an address-to-checksum signature (ie, an authentication code). The signature of the address to the checksum (called the authentication code) can be included in the header format or placed after the data. Data encryption only affects the data format and does not affect the IP header format. The header format of IPV4 can be changed, wherein the insertion point of time and the authentication code can be changed, and thus has two formats as shown in Figs. 2A and 2B, and the header format of IPV9 is as shown in Fig. 3.

For the smooth implementation of the method in this embodiment, the router needs to be configured with a CPK-card (or a signature algorithm using a similar mechanism and corresponding hardware, exemplified by CPK below), so that it has a digital signature and a key exchange function. The CPK system is used to identify the originating address. Assume that the origin is AlfalD, the next router is GammalD, and AlfalD sends data data. The application format is:

Mas1 AlfalD→GammalD: { Alfa, signl, Beta, time data , checksum}

Where AlfalD is the original address, signl is the signature of the original address, ie sign^ G^ me;) ,

BetalD is the destination address, SIG is the signature function, and alfa is the signature private key, provided by CPK-card. Where data is data, from the application layer, data may be plain text, or cipher text. The task of the router is to pass data to the next router.

GammalD verifies the signature of the origin: SIGKtime) = signV ,

Where SIG- ¹ is the verification function and ALFA is the public key. If si _g nl=s ignl ' , then this connection is allowed, Msgl is forwarded, and audited. The replay attack is identified in a time-dependent manner.

The router encryption and decryption process is as follows.

The structure of the data data is defined as follows: Data: { PcHD, Pc2ID, data, mac}, where PcHD is the sender and Pc2ID is the receiver.

When the data is plain text, Data={ PcHD, Pc2ID, clear-text, mac}, where Pcl lD and

Pc2ID is the username, clear-text is the plaintext content, and mac is the mac address of the router.

When the data is cipher text, Data= { Pcl lD, Pc2ID, coded-key, coded-data, mac} , where coded-key is the password, coded-data is the encrypted content, and mac is the mac address of the router.

If the encryption function is provided by the router, set Alfa encryption, Beta decryption, then data encryption It can only be done offline, so encryption can only be done with a system key.

If the router assumes the encryption and decryption function, and the data data is encrypted data, you need to interpret coded-key and coded-data, and perform a series of steps:

1) Generate a random number R3, AlfalD calculates the key: key=R3 χ (G); where G is the base point of the elliptic curve, and key will be used for data encryption;

2) Calculate the sending key: R3x (BETA) = coded-key, where BETA is the public key of BetalD, and send the coded-key to BetalD;

3) Encrypt data: E _key (data) = cipher-text, where E _key ( ) is the data encryption function. Send the ciphertext cipher-text and coded-key to BetalD.

When BetalD receives the signal from AlfalD, it automatically enters the de-binding process:

1) BetalD calculates the inverse of the private key: beta- ¹

2) BetalD compute session key: beta- ¹ (coded-key) = key

3) Data decryption: D _key (cipher-text)= data, where D _key ( ) is a de-cixing function.

In order to ensure the credibility of the router operation, all execution code in the router must pass the manufacturer's certification (level 1 certification), that is, all the execution code is signed by the manufacturer when the game is played. Each router has an authentication function (provided by CPK-card).

The first is the proof of the software code - the manufacturer has a CPK-card that can be used to sign the manufacturer of all system software in the router. The execution software is divided into software identification (codelD) and software ontology (codeBD), which are signed by the manufacturer:

One (codelD)=sign1

(codeBD)=sign2

Among them, SIG is the signature function, manufacturer is the private key of the manufacturer, codelD is the execution code name, and codeBD is the HASH value of the execution code ontology. Any execution code in the router has its own proofs sign1 and sign2.

Then there is the authentication of the software code - the router inserts the CPK-card to have CPK authentication. There are two ways to verify the router: one is unified verification when booting, the code that has not passed the verification is uniformly deleted, and the system of the router is restored to the original state; the other is when the software code is called, the first verification is performed. For the signl and sign2, another J verification:

SlG^ _NUFAC „(codelD)=sign1 '

SIG^TMTM (codeBD)=sign2'

Where MANUFACTURER is the manufacturer's public key. If sign1 =sign1 'and sign2=sign2', execution is allowed, otherwise execution is refused. This ensures that the code executed in this router is a factory-certified code, and all other codes are not executed, and are protected from viruses and Trojans.

The TCP/IP protocol does not guarantee a trusted network connection and must be modified. In this embodiment, based on geographic location addressing and addressing, three key technologies for trusted network connection are proposed: a mechanism capable of identifying addresses to prevent illegal connections; a random question and answer mechanism to prevent repeated attacks; The code can identify the mechanism to prevent viruses and Trojans from intruding.

The above design method is fully applicable to the trusted network connection of the physical layer. There are two physical layers: one is the physical layer defined in the seven-layer protocol of the information network, and the platform supporting the information network is the application program interface (API). The second is the physical layer defined in the telecommunication network, and the platform supporting the telecommunication network is the information reference point (TRP). In the information network, if the network layer can guarantee the credibility of the transmission, the security of the physical layer can be replaced by the network layer, and there is no need to work on the physical layer. However, the physical layer in the telecommunication network cannot be connected to the trusted network without being modified, and the illegal access cannot be prevented. The modification method is exactly the same as that of the router.

The method for implementing trusted network connection by signature verification of a router or a switch of the present invention is to implement a trusted network connection between network devices of a router or a switch and a network terminal, and between network devices of a router or a switch The source IP address or destination IP address in the header (both source IP address and destination IP address are present in the packet), source hardware address or destination hardware address, specified or randomly defined numbers and characters are all parallel or superimposed As identification mutual signature authentication (also known as identification mutual authentication), between the networked computers with the source IP address or destination IP address in the header, the source hardware address or the destination hardware address, the specified or randomly defined numbers and characters all or Partially parallel or superimposed as identification mutual signature authentication.

This method includes the following steps:

(1) The source computer and the destination computer, router or switch both define the router or switch hardware address for the number and characters (the hardware address can also be a multi-defined hardware address), IP address (these IP addresses are multiple versions of the IP protocol) Address, specified or randomly defined numbers and characters, computer hardware address, IP address, specified or randomly defined numbers and characters, all or part of which provide accurate proof of time And proof of lifetime, and verify that its time certificate and lifetime certificate have been modified, and digitally signed in combination with hardware addresses, IP addresses, specified or randomly generated numbers and character data (all in the present invention) The signatures are stored in the IP header) and generate time proofs, lifetime certificate signatures and hardware addresses, IP addresses, specified or randomly generated numbers and all or part of the data for parallel or overlay mixed signatures, along with the data Hand over to the next hop router or switch.

(2) The router or switch checks the time certificate of the networked computer, the lifetime certificate and hardware address, the IP address, the data signature of the specified or randomly generated numbers and characters, and receives and forwards the data if the verification passes, otherwise discards Or the data is annihilated.

(3) The router or switch has a hardware address, an IP address, a specified or randomly defined number and character, a source computer address of a networked computer, an IP address, a specified or randomly defined number and all or part of the exact time, lifetime Proof and encrypted or non-encrypted checksum (derived by the built-in algorithm of the router and client), CPK verification and authentication data, CA-certified verification and authentication data for digital signature, generation of time certificate, proof of validity and verification of validity Parallel or superimposed hybrid signatures with CPK signatures and CA certificates are sent to the next hop router along with the forwarding data. If not, the data is annihilated.

(4) The router or switch verifies the signature of the previous hop router or switch. The signature verification is performed step by step. Each layer performs signature verification on the upper layer. At the same time, the router or switch needs to sign the corresponding object of this layer. Different IP versions of protocol tunnel routing or protocol conversion software or computers of different IP versions send signature verification to the destination router or switch to ensure their authenticity. If the verification passes, the forwarding data is forwarded to the next hop router or switch. Until the destination router or switch (the router needs to sign the corresponding object of this layer to ensure its authenticity).

(5) After forwarding the data to the destination router or switch, the signature verification will be performed. The destination router or switch decrypts the data that has been verified to pass parallel or superimposed mixed signatures into the designed received data, and then forwards the data packet to the destination. computer.

4 illustrates an embodiment of a router of the present invention that implements a trusted network connection. Routers in information networks are the basic components of the Internet. This scheme adopts the identification authentication technology for the first time in the design of the router, and provides the authenticity of the address to prevent illegal access. The first use of the question and answer technology of "random questioning and one signature answer" provides the certificate of freshness of this connection, preventing heavy Attacks; The first use of software identification authentication technology to provide credibility of the router operating environment to prevent intrusion of malware and other malware. This design also provides encryption and encryption to ensure privacy. This is a key security requirement for a new generation of Internet protocols or the future of the Internet. This design method Combine with the new addressing technology of geolocation addressing to build routers for the next generation of the Internet or the future of the Internet.

The router accepts packets from a network interface and forwards them to the next destination address. The destination address is provided by the routing table. If the destination address is found, the next MAC address is added before the frame of the packet, and the TTL (time to ive) field of the IP header begins to be decremented, and the checksum is recalculated. When a packet is sent to the output port, it needs to wait in order for transmission to the output link. The router decomposes the larger data into packets of the appropriate size according to predetermined rules, and then sends the packets through the same and different paths. When these packets arrive at the destination in order, they are restored to the original data format in a certain order.

The process of storing and forwarding its data packets is as follows:

1) When the data packet arrives at the router, according to the physical interface type of the network, the router runs the corresponding link layer function module, interprets the link layer protocol header of the data packet, and performs data integrity verification, including CRC check and frame length check. .

2) According to the destination IP address of the IP header in the frame, look up the IP address of the next hop in the routing table, and at the same time, the TTL field of the IP packet header starts to be decremented, and the checksum is recalculated.

3) According to the next hop IP address, the IP data packet is sent to the corresponding output link layer, encapsulated into a corresponding link layer header, and sent out through the network physical interface.

The above is a simple working process of the router, and does not describe other additional functions, such as access control, network address translation, queuing priority, and so on. Because some work is not related to the authentication system, it will be included in the ID-based router trusted connection discussed below.

In this embodiment, the router 1 implementing the trusted network connection is composed of four modules: an illegal access module 10, a retransmission attack prevention module 12, a Trojan intrusion prevention module 14, and a de-encryption module 16. The illegal access module 10 is prevented from receiving the forwarded data by verifying the digital parallel or superimposed hybrid signature in the original IP address header when receiving the forwarded data to prevent illegal access. Preventing the retransmission attack module 12 from the unique IP address of the connected digital parallel or superimposed hybrid signature and the freshness of the time validity period of the signature and the lifetime of the IP address (so-called freshness is basically the same as the time and arrival time of the data packet) To prevent resend attacks. In the Trojan intrusion prevention module 14, the Trojan intrusion module is prevented, the router and the switch connected by the trusted network perform digital parallel or superimposed hybrid signature on the router and the switch, and if the network data carrying the Trojan is not signed, the destination computer cannot be reached. Routing operation Environmental credibility prevents Trojan intrusion from non-forwarding destination computers. The de-encryption module 16 ensures routing privacy by de-encrypting (ie, decrypting) the forwarding data.

The internal structure of the router of the above embodiment may also be the internal structure of the switch.

In order to achieve a trusted network connection between routers, the IP address is used as the identifier of the router, and the guarantee is unique. Let Alfa be the IP address of a router and Beta be the IP address of another router. If a CPK-card defined as Alfa is inserted on any router, then the router becomes the router identified as Alfa. Similarly, any router inserts a CPK-card defined as Beta, and the router becomes a router identified as Beta. As an example, suppose Alfa = "China Beijing Haidian-Peking University", Beta = "China-Beijing-Haidian-Tsinghua University".

The IP packet of the departure router passes through multiple transit routers and finally reaches the destination router. It is easy to illegally access the intermediate transit router. Beta may not know where the accessed data packet comes from, and thus A proof of the departure address and a problem with the place of delivery were generated. The proof of departure can be verified at any forwarding address, but this authentication is redundant, and it can be done at the same time when processing the data data on the destination router, because the authenticity of the two ends must be proved in each hop forwarding. . As can be seen from the working principle of the above router, the previous router only pays attention to the routing of the next hop, and does not care where the data packet comes from. Therefore, if the verification of the sending address is not resolved, the illegal access cannot be overcome.

Some people try to solve the illegal access problem by encryption, but in the case of public key system, this is futile. For example, Beta is the recipient, and its public key is public. Anyone can encrypt Beta, so Beta still has no way of knowing who the sender is.

For the anti-illegal access module 10, the router must satisfy: (1) The originating address must be given a proof of the sending address, which can be verified by any place; (2) All path routers verify the original address, if not Then refuse to forward; (3) can prevent illegal access, resist DOS attacks; (4) the computing environment inside the router is trusted.

The anti-illegal access module 10 implements the following steps - first, the client Pel ID signs the time and MAC, and delivers the signature data to the router AlfaID. Second, the router AlfalD checks the time signature and MAC signature of the client Pel ID, and if the authentication passes, it receives, otherwise it rejects.

After the router AlfalD, routing operations via routers GamID, LamID, BetalD, etc. Same as router AlfalD. SP: The next router verifies the signature of the originating address and the signature of the previous router. If the verification passes, the data is forwarded to the next router.

This uses the CPK cryptosystem. In the CPK cryptosystem, the entity identifier EentitylD is mapped to the point ENTITY on the elliptic curve E:y ² =x ³ +ax+b (mod p) with T={a,b,G,n,p} as the parameter, And an integer satisfies ENTITY=(entity)G, then ENTITY is the public key, eintity is the private key, the public key can be calculated by anyone, and the private key is provided by ID-card. Therefore, in general, any IdentitylD maps to public and private key pairs IDENTITY and identity:

The signature can be expressed by SiG,. _& „ (time)=sign;

Verification can

(time)=sign, indicating.

The router is configured with CPK-card to have digital signature and key exchange functions. The contents of CPK-card are as follows: Set the IP address of the router to alfa (Alfa may be the real name of China, Beijing, Haidian, Peking University, etc. Become the code executable by the machine). Take the ID-card of the router alfa as an example. The content is as follows:

Regarding the address authentication block, it is assumed that the sending address is Alfa, the receiving address is Gamma, the public key of AlfalD is ALFA, and the private key is alfa. The connection request is issued by Alfa, and the application format is Msg1:

Mas1: Alfa→Gamma, { AlfalD, BetalD, T, signl }

Where AlfalD is the sending address, the destination address of BetalD, T is the time, signl is the signature of the sender Alfa on time, SP: SlG (T)=sign1, where SIG is the signature function. Gamma recipient via address, verifies the signature of the _{sender: SiG FA (T) = sign1} ', SIG_ 1 is a validation function. in case Sign1 =sign1 ', Gamma thinks that the sender is Alfa, if Alfa is a legitimate user (check table), then send a random number r and sign the (T-1): SIGw (T-1)=sign2, send sign2 To Alfa:

Msg2 : Gamma→Alfa, {r, sign2}

Alfa verifies sign2: SIG^ _AMMA (T-1)=sign2', if sign2=sign2', Alfa determines that the receiver is via address Gamma, and if the receiver is legal (check table), then r and (T+1) Signature, send data data and signature to checksum:

SlG _o;/fl (r)=sign3

SIG coffee (T+1)=sign4

SiG _a!fa (checksum)=sign5

Msg3: Alfa→Gamma, {sign3, data, sign4,sign5}

Gamma check signature:

SlG _FA (T+1 )=sign4',

^SIG ALFA (checksum)=sign5'

If sign3=sign3', the sender is Alfa, and the connection is allowed. If sign4=sign4', it proves that the data is from Alfa, and the receipt is correct, and the receipt information is sent, that is, the signature of Gamma on the check code. -

SU ecksum)=sign6,

Mag4: Gamma→Alfa, {sign6}

Alfa verification sign5:

(checksum)=sign6', if sign6=sign6', the proof data is sent to Gamma.

In many cases, the data may be divided into several segments: data = data ₀ // data II data ₂ // ... data _n , there may be two cases in the segment data transmission: First, the router at both ends of the established connection Between the two, the second is that there is no connection between the two ends of the router. Suppose data goes Alfa→Gamma, and data ₂ goes Alfa→Delta. But the second case is impossible because there is no trusted network connection process yet. If you want to take the second road, you must first establish a trusted network connection. Therefore, all problems fall into the first case, that is, how to send segmentation data in the case where a connection has been established.

While the connection request has been transmitted data ^ how transmission data _2. If the process of sending data ₂ is taken as an independent process, it is OK to go through the application process, but now the situation is that both Alafa and Gamma are mutually On the basis of the determination, therefore, except for the first stage, only the above Msg3 and Msg4 can be repeated: First paragraph: Mas1: Alfa→Gamma, { Alfa, Beta, T, sign 1 }

Msg2: Gamma→Alfa, {r, sign2}

Msg3i : Alfa→Gamma, {sigr^ , data! , sign sigr^}

Mag4 _{1 :} Gamma→Alfa, {sigr^}

Second paragraph: Msg3 ₂ : Alfa→Gamma, {data ₂ , sign4 ₂ sign5 ₂ ,}

Mag4 ₂ : Gamma→Alfa, {sign6 ₂ };

Third paragraph: Msg3 ₃ : Alfa→Gamma, { data ₃ , sign4 ₃ , sign5 ₃ }

Mag4 ₃ : Gamma→Alfa, {sign6 ₃ }; where sign4i= SlG. _r . (T+i), (i=1,2,...), because (T+i) is a changing factor, and Alfa and Gamma are signed, they can continue to maintain the connection state of mutual trust.

When the connection process is completed, the next hop connection process is entered, and the sender becomes the sender via the address Gamma, and becomes the receiver via the address Lamda. By analogy, the router forwards and hops, and finally to the terminal router. At this point, all connections to each path are proven. Destination Address Beta last processed data.

In the de-encryption module 16, the structure of the data data is defined as follows: Data = { Alfa, Beta, time, sign, data}, where Alfa is the sender, Beta is the receiver, sigr^ SK^ time

When the data is in plain text, Data={Alfa, Beta, time, sign, clear-text}

When the data is ciphertext, Data= { Alfa, Beta, time, sign, coded-key, coded-data} The destination router first authenticates the authenticity of the sender: SIG^ _FA (; time^sign', if sign= Sign',

Beta believes that the sender is Alfa and enters the densification process.

If the encryption and decryption function is provided by the router, Alfa encryption and Beta de-binding are used. Since the communication between Alfa and Beta is multi-hop communication, the encryption can only be implemented by using the split key of CPK, and the key pool size is regarded as Depending on the situation.

If this data data is data that needs to be encrypted:

1) Generate a random number r, Alfa calculates key=r(G); where G is the base point of the round curve;

2) Encrypt the key with the other party's public key: ENC _BETA (key)=coded-key;

3) The key is added to the user's role key role-key modulo 2 to get new-key, where role-key is provided by ID-card. Key erole-key= new-key; 4) Encrypt data: E _new-key (data) =coded-data;

Send ciphertext cipher=text and coded-key to Beta.

The signal that Beta receives from Alfa will automatically enter the de-binding process.

1) Beta calculation private key _decryption : DEC _teto (coded-key)=key where private key beta is provided by ID-card

2) Key Key and role key modulo 2 plus new-key:

Key ten role-key=new-key;

3) Data decryption: D _new-key (coded-data)= data; Based on the above specific implementation, the present invention provides an extension of the existing IP header on the router to verify the original address and the destination address, thereby providing Proof of address authenticity and lifetime, prevent illegal access by DOS attack; Provide proof of freshness and lifetime of this connection, prevent retransmission attacks on the router; Provide credibility of routing operation environment, prevent Trojans on the router, etc. Malware intrusion; add de-encryption on the router to ensure the privacy of the route, for units, institutions or departments with confidentiality or security needs. The above embodiments are provided to enable a person skilled in the art to implement or use the present invention, and those skilled in the art can make various modifications or changes to the above embodiments without departing from the inventive concept. The scope of protection of the invention is not limited by the embodiments described above, but should be the maximum range of the innovative features mentioned in the claims.

Claims

Claim

1. A method for implementing a trusted network connection through a router or a switch, implementing a trusted network connection between network devices of a router or a switch and a network terminal, and a source in a header between network devices of a router or a switch IP address or destination IP address, source hardware address or destination hardware address, all or part of specified or randomly defined numbers and characters are parallel or superimposed as identification mutual signature authentication, between the networked computers with the source IP address in the header or The destination IP address, the source hardware address or the destination hardware address, all or part of the specified or randomly defined numbers and characters are parallel or superimposed as the identification mutual signature authentication, and the method includes:

Source and destination computers, routers, or switches all have numeric or character-defined router or switch hardware addresses, IP addresses, specified or randomly defined numbers and characters, computer hardware addresses, IP addresses, specified or randomly defined numbers and characters Provides accurate time proof in whole or in part, and verifies that the time proof has been modified, and digitally signs and generates time proofs in combination with hardware addresses, IP addresses, specified or randomly generated numbers and character data, all or part of it. The lifetime proof signature and the hardware address, IP address, all or part of the data of the specified or randomly generated numbers and characters are parallel or superimposed, and are handed over to the next hop router or switch along with the data;

The router or switch checks the time certificate of the networked computer, the lifetime certificate and the hardware address, the IP address, the data signature of the specified or randomly generated numbers and characters, and receives and forwards the data if the verification passes, otherwise discards or annihilates the data;

Router or switch for hardware address, IP address, specified or randomly defined numbers and characters, networked computer source hardware address, ip address, specified or randomly defined numbers and characters, all or part of the exact time, lifetime certificate and encryption Or non-encrypted checksum, CPK verification authentication data, CA-certified verification authentication data for digital signature, generation of diurnal certificate, validity period certification signature and checksum, CPK signature, CA authentication for parallel or superimposed hybrid signature And forwarded to the next hop router along with the forwarding data; the router or switch verifies the signature of the previous hop router or switch, where the signature verification is performed step by step, each layer performs signature verification on the upper layer, and the router or switch It is necessary to sign the corresponding object of this layer, and also send the signature verification to the destination router or switch through protocol tunnel routing of different IP versions or protocol conversion software or computer of different IP versions to ensure the authenticity of the layer. If the verification is passed, Forward data to the next hop router or exchange Until the destination router or switch; when forwarding the data reaches the destination router or switch, the signature verification work, the destination router Or the switch forwards the data to the destination computer after decrypting the verified parallel or superimposed mixed signature data into the designed received data.

2. A method of implementing a trusted network connection by a router or switch according to claim 1, wherein the IP address is an address of a plurality of version IP protocols.

A method of implementing a trusted network connection by a router or a switch according to claim 1, wherein all or part of the designated or randomly defined numbers and characters are mutually authenticated as the identification.

4. A method of implementing a trusted network connection by a router or switch according to claim 1, wherein the hardware address is a multi-defined hardware address.

5. A method of implementing a trusted network connection by a router or switch according to claim 1 wherein the source or destination networked computer, router or switch defines the hardware address and IP address of the router or switch for numbers and characters. , specified or randomly defined numbers and characters, source or destination networked computer source hardware addresses, IP addresses, specified or randomly defined numbers and characters, all or part of which provide accurate time proof and expiration date, and verify their time proof And whether the validity period has been modified, the accurate time proof, and the verification of the time certificate and the validity period have been modified by the digital signature and the verification of the digital signature result is through the specified or randomly generated hardware address, IP address, All or part of the specified or randomly generated numbers and characters are digitally parallel or superimposed with a mixed signature.

6. The method for implementing a trusted network connection by a router or a switch according to claim 1, wherein the source address and the destination address or the verification content of the additional information are added to the IP header, the departure router, the transit router, and the destination. The router verifies each IP header to provide proof of authenticity of the address or additional information.

7. A method of implementing a trusted network connection by a router or switch according to claim 1, wherein all signatures are stored in an IP header.

8. A device for implementing a trusted network connection, comprising:

Preventing the illegal access module from determining whether to forward the forwarded data by detecting the digital parallel or superimposed mixed signature in the original IP address header when receiving the forwarded data to prevent illegal access; preventing the retransmission attack module from being Prevent retransmission attacks by the IP address of the connected digital parallel or superimposed hybrid signature and the freshness of the time validity of the signature;

To prevent Trojan intrusion module, the router and switch connected by trusted network perform digital parallel or superimposed hybrid signature on router and switch. If the network data carrying Trojan is not signed, it cannot reach the destination computer, and the credibility of routing operation environment Prevent Trojan intrusion from non-forwarding destination computers; De-encryption module ensures routing privacy by de-encrypting the forwarding data.

9. Apparatus for implementing a trusted network connection according to claim 8, wherein the apparatus is a router of a IP network or a switch of a circuit network.