WO2016107359A1 - Signature method and apparatus - Google Patents

Signature method and apparatus

Info

Publication number: WO2016107359A1
Authority: WO, WIPO (PCT)
Prior art keywords: address, packet, source, signature, alg
Application number: PCT/CN2015/096030
Other languages: French (fr), Chinese (zh)
Inventor: 刘微
Original Assignee: 中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2016107359A1

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L61/00 Network arrangements, protocols or services for addressing or naming

Definitions

  • the present invention relates to the field of communications, and in particular to a signature method and apparatus.
  • the signature machine network can effectively protect network security and ensure the integrity, authenticity and non-repudiation of data, because the marginal (edge) devices cryptographically sign and protect the data.
  • the signature network deployment environment is as follows: first, the user-side marginal device, on which users come online, is configured to implement the signature and de-signature functions; an intermediate device is simulated between the two sides; finally, the network-side marginal device is connected to the external network and also implements the signature and de-signature functions.
  • the network deployment environment is not limited to this.
  • digital signatures are also known as public key digital signatures or electronic signatures.
  • a digital signature scheme usually defines two complementary operations, one for signing and one for verification, that is, for de-signing.
  • a digital signature is some data attached to a data unit, or a cryptographic transformation made to a data unit.
  • the cryptographic signature over key fields of the message is used by the receiver to confirm the data source and the integrity of the information, and to detect tampering during transmission.
  • network address translation (NAT) can only convert the IP address and port in the IP header and the UDP or TCP header; it is powerless to convert address fields carried in the application layer data payload.
  • the application level gateway (ALG) technology in NAT solves this problem well: it can parse and translate the application layer protocol message information to ensure the correctness of application layer communication.
  • ALG: application level gateway
  • the NAT ALG function converts every source IP address in the packet, in the Layer 3 header as well as in the Layer 4 payload, whereas the signature machine environment strictly requires the signed fields to remain identical at the signer and the verifier.
  • the source IP address translation therefore changes the signed plaintext, de-signing fails, and the originally legitimate packet is discarded as an illegal packet, so that the intranet cannot reach FTP and other services on the external network.
  • the present invention provides a signature method and apparatus to at least solve the problem in the related art that the application level gateway (ALG) of network address translation (NAT) cannot be applied in the signature machine network.
  • a signature method including: determining that a packet to be sent will, after being sent to an intermediate device, undergo the conversion process of the application level gateway (ALG) of network address translation (NAT) before being forwarded; and signing the packet using its source Internet Protocol (IP) address or its destination IP address, wherein when the source IP address is used for signing, the source IP address is retained in the packet processed by the NAT ALG conversion for use in de-signing.
  • a signature method comprising: receiving a message to be forwarded, wherein the message is signed using its source Internet Protocol (IP) address or its destination IP address; performing the conversion process of the application level gateway (ALG) of network address translation (NAT) on the received message; and forwarding the converted message, wherein when the message is signed using the source IP address, the source IP address from before the NAT ALG conversion is retained in the converted message for de-signing.
  • before forwarding the converted packet, the method further includes: when the packet before the conversion is signed using the source IP address, storing the source IP address from before the ALG conversion in the payload field of the converted packet and marking the converted packet.
  • a de-signing method includes: receiving a forwarded packet that has undergone the conversion process of the application level gateway (ALG) of network address translation (NAT) at the intermediate device, wherein the forwarded packet is signed using its source Internet Protocol (IP) address or its destination IP address;
  • when the forwarded packet is signed using the source IP address, the source IP address from before the NAT ALG conversion is retained in the converted message;
  • the forwarded packet is de-signed using the source IP address or the destination IP address.
  • a signature device comprising: a determining module, configured to determine that a message to be sent will, after being sent to an intermediate device, undergo the conversion process of the application level gateway (ALG) of network address translation (NAT) before being forwarded; and a signature module, configured to sign the message using its source Internet Protocol (IP) address or its destination IP address, wherein when the source IP address is used for signing, the source IP address is retained in the message after the NAT ALG conversion for use in de-signing.
  • a signature apparatus comprising: a first receiving module, configured to receive a message to be forwarded, wherein the message is signed using its source Internet Protocol (IP) address or its destination IP address; a conversion module, configured to perform the conversion process of the application level gateway (ALG) of network address translation (NAT) on the received message; and a forwarding module, configured to forward the converted message, wherein when the message before the conversion is signed using the source IP address, the source IP address from before the NAT ALG conversion is retained in the converted message for de-signing.
  • the apparatus further includes a saving module, configured to: when the packet before the conversion is signed using the source IP address, save the source IP address from before the ALG conversion in the payload field of the converted packet and mark the converted packet.
  • a de-signing device comprising: a second receiving module, configured to receive a forwarded message that has undergone the conversion process of the application level gateway (ALG) of network address translation (NAT) at the intermediate device, wherein the forwarded message is signed using its source Internet Protocol (IP) address or its destination IP address and, when signed using the source IP address, retains the source IP address from before the NAT ALG conversion; and a de-signing module, configured to de-sign the received forwarded packet using the source IP address or the destination IP address.
  • a user side marginal device comprising the signature device of the fourth aspect described above and the de-signature device of the sixth aspect described above is provided.
  • an intermediate device comprising the signing device of the fifth aspect described above.
  • a network side marginal device comprising the signature device of the fourth aspect described above and the de-signature device of the sixth aspect described above is provided.
  • the packet is signed using its source Internet Protocol (IP) address or its destination IP address before the conversion by the application level gateway (ALG) of network address translation (NAT).
  • this solves the problem in the related art that a packet signed in the signature machine network cannot be de-signed after the NAT ALG conversion, and ensures that the plaintext used for signing is consistent with the plaintext used for verification;
  • the technical effect of signing and de-signing using the source IP address or the destination IP address of the packet is thereby achieved.
  • FIG. 1 is a flow chart of an alternative signature method in accordance with the present invention.
  • FIG. 3 is a flow chart of an alternative signature method according to an embodiment of the present invention.
  • FIG. 4 is a block diagram showing the structure of a signature device according to an embodiment of the present invention.
  • FIG. 5 is a block diagram showing another structure of a signature device according to an embodiment of the present invention.
  • FIG. 6 is a block diagram showing the structure of a de-signing device according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of an overall implementation of signature and de-signature according to an embodiment of the present invention.
  • FIG. 8 is a block diagram showing a connection structure of a marginal device and an intermediate device according to an embodiment of the present invention.
  • FIG. 9 is a flowchart of an optional signature and de-signature implementation according to an embodiment of the present invention.
  • FIG. 10 is a flow chart showing the operation of an optional signature marginal device in accordance with a preferred embodiment of the present invention.
  • FIG. 11 is a flow chart showing the operation of an optional intermediate device in accordance with a preferred embodiment of the present invention.
  • FIG. 12 is a flowchart showing the operation of an optional de-signing device according to a preferred embodiment of the present invention.
  • FIG. 13 is a flowchart showing the operation of an optional signature device according to a preferred embodiment of the present invention.
  • FIG. 14 is a flow chart showing the operation of an optional intermediate device according to a preferred embodiment of the present invention.
  • FIG. 15 is a flow chart showing the operation of an optional de-signing device in accordance with a preferred embodiment of the present invention.
  • FIG. 1 is a flow chart of an optional signature method according to the present invention. As shown in FIG. 1, the flow includes the following steps:
  • Step S102: determining that the packet to be sent will, after being sent to the intermediate device, undergo the conversion process of the application level gateway (ALG) of network address translation (NAT) before being forwarded;
  • Step S104: signing the packet using its source Internet Protocol (IP) address or its destination IP address.
  • when the source IP address is used for signing, the source IP address is retained in the packet processed by the NAT ALG conversion for de-signing.
  • retaining the source IP address in the message after the NAT ALG conversion, so that it can be used for de-signing, solves the problem in the related art that a packet signed in the signature machine network cannot be de-signed after the NAT ALG conversion;
  • the technical effect of signing and de-signing using the source IP address or the destination IP address of the packet is thereby achieved.
  • the application layer protocol packet includes the MAC address of the Layer 2 header, the source IP address and destination IP address of the Layer 3 header, and the source IP address and destination IP address carried in the packet payload above the Layer 4 header.
  • address translation for such an application layer protocol can be completed by using the NAT ALG conversion.
  • if the source IP address is used as the plaintext for signing, the NAT ALG conversion changes the source IP address both in the Layer 3 header and in the Layer 4 payload, so de-signing fails.
  • when the source Internet Protocol (IP) address or the destination IP address of the message is used to sign the packet, the cryptographic signature result can be stored in an idle field of the packet.
  • when the source IP address is used for signing, the source IP address from the Layer 3 header and the Layer 4 payload of the application layer packet is retained in the payload of the packet processed by the NAT ALG conversion, so that the conversion of the source IP address by the NAT ALG function does not affect subsequent de-signing and the originally legitimate packet is no longer discarded as an illegal packet.
  • this solves the signature failure in the related art caused by the NAT ALG conversion changing the source IP address in the application layer protocol packet, and the technical problem that the NAT ALG conversion feature cannot be applied in the signature machine network.
  • FIG. 2 is a flowchart of another method for signing according to an embodiment of the present invention. As shown in FIG. 2, the process includes the following steps:
  • Step S202: receiving a packet to be forwarded, wherein the packet is signed using its source Internet Protocol (IP) address or its destination IP address.
  • Step S204: performing the conversion process of the application level gateway (ALG) of network address translation (NAT) on the received message.
  • Step S206: forwarding the converted packet.
  • when the packet is signed using the source IP address, the source IP address from before the NAT ALG conversion is retained in the converted packet for de-signing.
  • before forwarding the converted packet, the method further includes: when the packet before the conversion is signed using the source IP address, storing the source IP address from before the ALG conversion in the payload field of the converted message and marking the converted message.
  • this embodiment provides a solution for the case where the packet before the conversion is signed using the source IP address: the source IP address from before the NAT ALG conversion is saved in the converted message, so the source IP address used for signing is not lost and can still be used for de-signing.
  • in the signature network, packet data is encrypted and signed using the source IP address; after the NAT ALG processes the packet and changes the source IP address, the packet can no longer be de-signed. By retaining the address, this embodiment solves the problem that the NAT ALG conversion cannot be applied in the signature machine network.
  • the integrity, authenticity and non-repudiation of the data are ensured by encrypting and signing the packet data, while NAT ALG conversion of the application layer data is still supported.
  • FIG. 3 is a flowchart of an optional de-signing method according to an embodiment of the present invention. As shown in FIG. 3, the process includes the following steps:
  • Step S302: receiving the forwarded packet after the conversion process of the application level gateway (ALG) of network address translation (NAT), wherein the forwarded packet is signed using its source Internet Protocol (IP) address or its destination IP address, and when the forwarded packet is signed using the source IP address, the source IP address from before the NAT ALG conversion is retained in the converted message;
  • Step S304: de-signing the received forwarded packet using the source IP address or the destination IP address.
  • this embodiment provides a specific de-signing method for a packet signed using the source Internet Protocol (IP) address or the destination IP address: for a packet signed using the source IP address, the source IP address from before the NAT ALG conversion is retained in the converted message, so the source IP address is still available for de-signing and the success rate of de-signing is guaranteed.
  • a packet signed using the destination IP address is not affected, because the NAT ALG conversion does not involve the destination IP address, so the success rate of de-signing is likewise guaranteed.
  • the NAT ALG conversion therefore does not affect normal signing and de-signing in the signature network, which implements the NAT ALG conversion function in the signature machine network.
  • FIG. 4 is a block diagram showing the structure of a signature device according to an embodiment of the present invention.
  • the signature device includes: a determining module 102, configured to determine that a packet to be sent will, after being sent to an intermediate device, undergo the conversion process of the application level gateway (ALG) of network address translation (NAT) before being forwarded; and a signature module 104, configured to sign the message using its source Internet Protocol (IP) address or its destination IP address, wherein when the source IP address is used for signing, the source IP address is retained for de-signing after the message is processed by the NAT ALG conversion.
  • FIG. 5 is a block diagram showing another structure of a signature device according to an embodiment of the present invention.
  • the signature device includes: a first receiving module 106, configured to receive a packet to be forwarded, where the packet is signed using its source Internet Protocol (IP) address or its destination IP address;
  • a conversion module 108, configured to perform the conversion process of the application level gateway (ALG) of network address translation (NAT) on the received message;
  • a forwarding module 110, configured to forward the converted message, wherein when the message is signed using the source IP address, the source IP address from before the NAT ALG conversion is retained in the converted message for de-signing.
  • a saving module 112 is configured to save the source IP address from before the NAT ALG conversion in the payload field of the converted message and to mark the converted message.
  • FIG. 6 is a block diagram showing a structure of a de-signing device according to an embodiment of the present invention.
  • the de-signing device includes: a second receiving module 114, configured to receive the forwarded packet after the conversion process of the application level gateway (ALG) of network address translation (NAT) at the intermediate device, wherein the forwarded packet is signed using its source Internet Protocol (IP) address or its destination IP address and, when signed using the source IP address, retains in the converted packet the source IP address from before the NAT ALG conversion;
  • a de-signing module 116, configured to de-sign the received forwarded packet using the source IP address or the destination IP address.
  • FIG. 7 is a schematic structural diagram of an overall implementation of signature and de-signature according to an embodiment of the present invention.
  • the user side marginal device 202 includes the signature device described above, composed of the determining module 102 and the signature module 104, and the de-signing device composed of the second receiving module 114 and the de-signing module 116; the user side marginal device 202 is where users come online, and it implements the signature and de-signature functions.
  • a network side marginal device 206 is also provided, which likewise includes the signature device composed of the determining module 102 and the signature module 104 and the de-signing device composed of the second receiving module 114 and the de-signing module 116; the network side marginal device is connected to the external network and also implements the signature and de-signature functions.
  • at the same time, an intermediate device 204 is provided, including the first receiving module 106, the conversion module 108 and the forwarding module 110.
  • the intermediate device 204 is disposed between the user side marginal device 202 and the network side marginal device 206, and is configured to implement the conversion processing function of the application level gateway (ALG) of the NAT.
  • the embodiment of the present invention does not need to change the existing network environment, does not need to add other devices and does not damage the security and integrity of the original network deployment environment; it solves the above problem using only the existing network conditions, through software and hardware.
  • the encryption key can be a symmetric key or an asymmetric key.
  • the user side marginal device includes a message transceiver module, a decision module, and a signature module.
  • the user side marginal device, on which users come online, is configured with the signature function. Because the user side marginal device already knows that the intermediate device will enable the NAT ALG service, and that this service changes the original source IP address field of the packet, the specific signing method is to encrypt and sign the destination IP address field of the packet with the secret key using the encryption algorithm.
  • the source IP address and the payload field do not participate in the cryptographic signature calculation, because services such as NAT translate the address and port.
  • the cryptographic signature result is stored in an idle field of the message for verification by the de-signing device.
  • the marginal device on the user side completes the packet parsing through the packet receiving module.
  • the determining module determines whether the packet needs to be signed.
  • the signature module completes the packet signature, and the packet sending module completes the final packet transmission.
  • the intermediate device includes a message receiving module (corresponding to the first receiving module 106), a NAT ALG determination module, and a module implementing the NAT ALG function (corresponding to the conversion module 108), which performs address and port conversion for the application layer protocol.
  • the intermediate device completes packet receiving and parsing through the packet receiving module, the NAT ALG determination module determines whether the NAT ALG function needs to be performed, the NAT ALG module performs the NAT ALG function and converts the source IP field of the packet, and the packet sending module completes the final transmission of the message.
  • the network side marginal device includes a packet transceiver module, a determination module and the de-signature module, wherein the packet transceiver module is responsible for receiving and transmitting the message, and the determination module determines whether signature processing needs to be performed and whether NAT address translation has been done.
  • the network side marginal device is configured with the de-signature function and performs the de-signing operation corresponding to the signing performed by the user side marginal device.
  • the network side marginal device also knows whether the forwarded packet has been through the NAT ALG function; if address translation has been performed, it uses only the destination IP address field of the packet for de-signing, rather than the source IP address or the packet payload field, to check the validity of the packet.
  • the invention designs an implementation method of an application level gateway (ALG) based on the signature machine network. It first describes the composition and principle of the signature machine network, then the principle and application of the NAT ALG, and finally the specific method of combining the two, solving the practical problem in a real network application.
  • the marginal device is both a signature device and a de-signature device.
  • the user host 201 is online on the user side margin device 202, and the user side margin device 202 is configured with a signature function.
  • the user side marginal device 202 determines whether the current message needs to be signed and whether NAT ALG service processing will follow; if both hold, it uses only the destination IP address of the message as the plaintext and encrypts and signs it with the secret key, while the source IP address and the payload field, which will be converted, are not involved in the encryption calculation.
  • the calculation result is stored in an idle field of the message.
  • the intermediate device 204 simulates the ALG function of a real overlay NAT.
  • the network side marginal device 206 is connected to the external network server 207; after making the determination corresponding to that of the user side marginal device 202, if the message needs to be de-signed and has been address-converted, it uses only the destination IP address for the de-signing process.
  • the determining module determines whether signature or de-signature processing is necessary. If not, the determining module passes the message directly to the sending module; otherwise it passes the message to the signature/de-signing module for processing and then to the sending module. As shown in FIG. 9, the specific steps include:
  • S401: the packet enters the packet receiving module and is parsed.
  • S402: the determination module determines whether signing or de-signing of the message needs to be performed. If the determination is no, the process jumps to S404.
  • S403: the message is signed or de-signed.
  • S404: the message is sent by the message sending module.
  • the end user accesses the existing internet network through the network side margin device 202 in the signature machine network.
  • the intermediate device 204 configures the alg function of the nat. The following process is described in detail.
  • the specific steps of the signature device include:
  • S501: the signing marginal device receives the packet and parses it.
  • S502: the determination module determines whether to perform signature processing. If the result of the determination is YES, the process jumps to S503; if the result is NO, the process jumps to S506.
  • S503: the NAT determination module determines whether NAT ALG service processing will occur during forwarding. If the result of the determination is YES, the process jumps to S504; if the result is NO, the process proceeds to S505.
  • S504: the signature module signs the received packet using the destination IP address field as the plaintext; the source IP address and the other fields that will be converted by the NAT ALG service are not included. Go to S506.
  • S505: the signature module signs the packet normally.
  • S506: the packet sending module sends the packet to the intermediate device.
  • the specific steps of the intermediate device include:
  • S601: the packet receiving module of the intermediate device receives and parses the packet.
  • S602: the determination module of the intermediate device determines whether the device needs to perform the NAT ALG service. If the result of the determination is YES, the process goes to S603; if the result is NO, the process goes to S604.
  • S603: the NAT ALG module of the intermediate device performs the NAT ALG service processing; the original source IP address of the packet is converted, and the destination IP address is not changed.
  • S604: the sending module of the intermediate device sends the message to the de-signing marginal device.
  • S701: the de-signing marginal device receives and parses the message.
  • S702: the determination module of the de-signing marginal device determines whether de-signing processing needs to be performed. If the result of the determination is YES, the process goes to S703; if the result is NO, the process goes to S706.
  • S703: the NAT ALG determination module of the de-signing marginal device determines whether the received message has been subjected to NAT ALG address translation. If the result of the determination is YES, the process goes to S704; if the result is NO, the process goes to S705.
  • S704: the de-signature module of the de-signing marginal device de-signs using only the destination IP address of the packet as the plaintext.
  • S705: the de-signing marginal device de-signs normally.
  • S706: the message sending module of the de-signing marginal device sends the packet.
  • this embodiment of the invention uses the source IP address for the cryptographic signature. Because the NAT ALG function converts the source IP address both in the Layer 3 header and in the Layer 4 payload of the application layer packet, de-signing would otherwise fail. Therefore, the intermediate device marks the packet that has undergone NAT ALG processing and retains the source IP address field from before the conversion in the packet payload field. The de-signing marginal device is responsible for parsing the received message: it first determines whether the NAT ALG function has been applied and, if so, restores the source IP address field of the packet to the value it had before the conversion, that is, the plaintext field is restored from the payload field and deleted there. The restored plaintext field is used for the cryptographic signature calculation, and the calculated result is compared with the earlier result held in the idle field. If they are inconsistent, the packet is discarded; otherwise the original decryption function is carried out.
  • the user accesses the existing Internet network through the user side marginal device and the network side marginal device; both marginal devices can perform signature and de-signature processing.
  • the intermediate device determines whether the NAT ALG function is enabled and transmits the message to the de-signing marginal device.
  • the signature device operates as shown in Figure 13, and the specific steps include:
  • S801: the signing marginal device receives the packet and parses it.
  • S802: the signing marginal device determines whether the signature function is enabled. If the determination result is YES, the process proceeds to S803; if the result is NO, the process proceeds to S804.
  • S803: sign the received packet by encrypting and signing its source IP address field, and store the result in the idle field of the packet.
  • The operation of the intermediate device is as shown in FIG. 14, and the specific steps include:
  • S901: Enter the intermediate device configuration mode, and receive and parse the packet.
  • The intermediate device saves the source IP address field into the payload field and marks the packet, so that NAT ALG service processing can be carried out.
  • The intermediate device sends the packet.
  • S1001: The de-signature marginal device receives and parses the packet.
  • S1002: The de-signature marginal device determines whether the de-signature operation needs to be enabled. If the determination result is YES, the process proceeds to S1003; if the determination result is NO, the process proceeds to S1006.
  • S1003: The de-signature marginal device determines whether the received packet has been processed by the NAT ALG service. If the determination result is YES, the process proceeds to S1004; if the determination result is NO, the process proceeds to S1005.
  • The de-signature marginal device restores the source IP address field from before the NAT ALG service translation, and uses that pre-translation source IP address field to perform the de-signature processing.
  • The de-signature marginal device performs de-signature normally.
  • S1006: The de-signature marginal device sends the packet.
  • The invention is based on the signature machine network environment and, according to the characteristics of the signature machine's signature algorithm, proposes two ways of implementing the NAT ALG function in that network environment.
  • The NAT ALG function mainly translates the source IP address or port number of the application-layer protocol. The method circumvents this by taking as plaintext only the destination IP address field of the packet, or the source IP address field from before the translation.
  • The signature is thus arranged so that the translation of the source IP address does not affect the correctness of the signature result, and the packet is forwarded normally.
  • The modules or steps of the present invention described above can be implemented by a general-purpose computing device; they may be centralized on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented by program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from that given here.
  • Alternatively, they may be separately fabricated into individual integrated circuit modules, or a plurality of the modules or steps may be fabricated as a single integrated circuit module.
  • The invention is thus not limited to any specific combination of hardware and software.
  • The signature method and apparatus provided by the embodiments of the present invention have the following beneficial effect: they solve the problem in the related art that a packet in a signature machine network cannot be de-signed after the translation processing of the application level gateway (ALG) of network address translation (NAT).
  • The technical effect that signature and de-signature can be achieved using either the source IP address or the destination IP address of the packet is thereby attained.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

Disclosed are a signature method and apparatus. The signature method comprises: determining that a message to be sent will undergo translation processing by an application level gateway (ALG) of network address translation (NAT) when it is forwarded after being sent to an intermediate device; and signing the message by using the source Internet Protocol (IP) address or the destination IP address of the message, wherein, when the source IP address is used for signing, the source IP address is retained in the message after the NAT ALG translation processing and is used for de-signature. The present invention solves the problem in the related art that de-signature cannot be performed on a message in a signature machine network after NAT ALG translation processing, thereby achieving the technical effect that signing and de-signature can be realized by using either the source IP address or the destination IP address of the message.

Description

Signature method and apparatus
Technical field
The present invention relates to the field of communications, and in particular to a signature method and apparatus.
Background
While network technology develops rapidly, it is also threatened by infringements of varying degrees. A signature machine network can effectively protect network security: by signing and protecting the encrypted data of the marginal devices, it ensures the integrity, authenticity and non-repudiation of the data. The signature machine network is deployed as follows: first, the marginal device on the user side is configured and brought online, and the signature and de-signature function can be implemented on it; the traffic passes through the intermediate device, which is simulated; finally, the marginal device on the network side connects to the external network and can likewise implement the signature and de-signature function. Of course, the network deployment environment is not limited to this.
A digital signature (also called a public-key digital signature or electronic signature) is analogous to an ordinary physical signature written on paper, but uses techniques from the field of public-key encryption and decryption to authenticate digital information. A digital signature scheme usually defines two complementary operations, performed by two marginal devices: one signs and the other verifies, that is, de-signs. Simply put, a digital signature is some data appended to a data unit, or a cryptographic transformation applied to the data unit. Here it is a cryptographic signature over some key fields of the packet, used by the receiver to confirm the origin of the data and its integrity and to detect tampering during transmission.
During network interaction, the IP address and port of the data need to be translated. Ordinary network address translation (NAT) can only translate the IP address and port in the UDP or TCP packet header and can do nothing about fields in the application-layer data payload. The application level gateway (ALG) technology within NAT solves this problem well: it can parse the application-layer protocol packet information and perform address translation on it, so that application-layer communication remains correct. However, in the current cryptographic signature algorithm of the signature machine network, if the source IP address of the packet is used as the plaintext for encryption, the NAT function translates every source IP address inside the packet's layer-3 header and layer-4 header, whereas the signature machine environment's key requirements are strictly identical on both sides. This source IP address translation changes the encrypted plaintext, so de-signature fails, originally legitimate packets are discarded as illegal packets, and services such as an intranet host accessing an external FTP server cannot be realized.
No effective solution to the above problems in the related art has yet been proposed.
Summary of the invention
The present invention provides a signature method and apparatus to at least solve the problem in the related art that the application level gateway (ALG) of network address translation (NAT) cannot be applied in a signature machine network.
According to one aspect of the present invention, a signature method is provided, comprising: determining that a packet to be sent will undergo the translation processing of the NAT ALG when it is forwarded after being sent to an intermediate device; and signing the packet using the source Internet Protocol (IP) address or the destination IP address of the packet, wherein, when the source IP address is used for signing, the source IP address is retained in the packet after the NAT ALG translation processing for use in de-signature.
According to another aspect of the present invention, a signature method is provided, comprising: receiving a packet to be forwarded, wherein the packet is signed using a source IP address or a destination IP address; performing the NAT ALG translation processing on the received packet; and forwarding the translated packet, wherein, when the packet before translation was signed using the source IP address, the source IP address from before the NAT ALG translation processing is retained in the translated packet for use in de-signature.
Optionally, before forwarding the translated packet, the method further comprises: when the packet before translation was signed using the source IP address, saving the source IP address from before the NAT ALG translation processing in the payload field of the translated packet, and marking the translated packet.
According to a third aspect of the present invention, a de-signature method is provided, comprising: receiving a forwarded packet that has undergone the NAT ALG translation processing at an intermediate device, wherein the forwarded packet was signed using a source IP address or a destination IP address, and, when the forwarded packet was signed using the source IP address, the source IP address from before the NAT ALG translation processing is retained in the translated packet; and performing de-signature processing on the received forwarded packet using the source IP address or the destination IP address.
According to a fourth aspect of the present invention, a signature apparatus is provided, comprising: a determination module, configured to determine that a packet to be sent will undergo the NAT ALG translation processing when it is forwarded after being sent to an intermediate device; and a signature module, configured to sign the packet using the source IP address or the destination IP address of the packet, wherein, when the source IP address is used for signing, the source IP address is retained in the packet after the NAT ALG translation processing for use in de-signature.
According to a fifth aspect of the present invention, a signature apparatus is provided, comprising: a first receiving module, configured to receive a packet to be forwarded, wherein the packet is signed using a source IP address or a destination IP address; a translation module, configured to perform the NAT ALG translation processing on the received packet; and a forwarding module, configured to forward the translated packet, wherein, when the packet before translation was signed using the source IP address, the source IP address from before the NAT ALG translation processing is retained in the translated packet for use in de-signature.
Optionally, the apparatus further comprises: a saving module, configured to save the source IP address from before the NAT ALG translation processing in the payload field of the translated packet, and to mark the translated packet, when the packet before translation was signed using the source IP address.
According to a sixth aspect of the present invention, a de-signature apparatus is provided, comprising: a second receiving module, configured to receive a forwarded packet that has undergone the NAT ALG translation processing at an intermediate device, wherein the forwarded packet was signed using a source IP address or a destination IP address, and, when the forwarded packet was signed using the source IP address, the source IP address from before the NAT ALG translation processing is retained in the translated packet; and a de-signature module, configured to perform de-signature processing on the received forwarded packet using the source IP address or the destination IP address.
According to a seventh aspect of the present invention, a user side marginal device is provided, comprising the signature apparatus of the fourth aspect and the de-signature apparatus of the sixth aspect.
According to an eighth aspect of the present invention, an intermediate device is provided, comprising the signature apparatus of the fifth aspect.
According to a ninth aspect of the present invention, a network side marginal device is provided, comprising the signature apparatus of the fourth aspect and the de-signature apparatus of the sixth aspect.
The embodiments of the present invention determine that a packet to be sent will undergo the NAT ALG translation processing when it is forwarded after being sent to an intermediate device, and sign the packet using its source IP address or destination IP address. This solves the problem in the related art that a packet in a signature machine network cannot be de-signed after the NAT ALG translation processing, ensures that the encrypted plaintext is consistent between the signing and verification processes, and so achieves the technical effect that signature and de-signature can be realized using either the source IP address or the destination IP address of the packet.
Brief description of the drawings
The drawings described herein are provided to further the understanding of the present invention and form a part of this application; the illustrative embodiments of the present invention and their descriptions serve to explain the invention and do not unduly limit it. In the drawings:
FIG. 1 is a flowchart of an optional signature method according to the present invention;
FIG. 2 is a flowchart of another optional signature method according to an embodiment of the present invention;
FIG. 3 is a flowchart of an optional de-signature method according to an embodiment of the present invention;
FIG. 4 is a structural block diagram of an optional signature apparatus according to an embodiment of the present invention;
FIG. 5 is a structural block diagram of another optional signature apparatus according to an embodiment of the present invention;
FIG. 6 is a structural block diagram of an optional de-signature apparatus according to an embodiment of the present invention;
FIG. 7 is an overall implementation structure diagram of optional signature and de-signature according to an embodiment of the present invention;
FIG. 8 is a connection structure diagram of optional marginal devices and an intermediate device according to an embodiment of the present invention;
FIG. 9 is an optional signature and de-signature implementation flowchart according to an embodiment of the present invention;
FIG. 10 is a workflow diagram of an optional signature marginal device according to preferred embodiment 1 of the present invention;
FIG. 11 is a workflow diagram of an optional intermediate device according to preferred embodiment 1 of the present invention;
FIG. 12 is a workflow diagram of an optional de-signature device according to preferred embodiment 1 of the present invention;
FIG. 13 is a workflow diagram of an optional signature device according to preferred embodiment 2 of the present invention;
FIG. 14 is a workflow diagram of an optional intermediate device according to preferred embodiment 2 of the present invention;
FIG. 15 is a workflow diagram of an optional de-signature device according to preferred embodiment 2 of the present invention.
Detailed description
The present invention will be described in detail below with reference to the drawings and in conjunction with embodiments. It should be noted that the embodiments in this application and the features in the embodiments may be combined with each other provided they do not conflict.
FIG. 1 is a flowchart of an optional signature method according to the present invention. As shown in FIG. 1, the flow includes the following steps:
Step S102: determine that a packet to be sent will undergo the NAT ALG translation processing when it is forwarded after being sent to the intermediate device;
Step S104: sign the packet using the source IP address or the destination IP address of the packet, wherein, when the source IP address is used for signing, the source IP address is retained in the packet after the NAT ALG translation processing for use in de-signature.
The two signing modes provided above, namely signing over plaintext fields consisting of the source IP address or the destination IP address of the packet together with the packet payload, with the source IP address being retained in the packet after the NAT ALG translation processing for use in de-signature whenever it is the field signed, solve the problem in the related art that a packet in a signature machine network cannot be de-signed after the NAT ALG translation processing, and so achieve the technical effect that signature and de-signature can be realized using either the source IP address or the destination IP address of the packet.
An application-layer protocol packet comprises the MAC address in the layer-2 header, the source and destination IP addresses in the layer-3 header, and the source and destination IP addresses in the layer-4 header packet payload. NAT ALG translation can parse the application-layer protocol packet information and translate the addresses in it, so if the source IP address is used as the plaintext for encryption, both the source IP address in the layer-3 header and the one in the layer-4 header change, and de-signature fails. When the packet is signed using its source IP address or destination IP address, the cryptographic signature result can be stored in an idle field of the packet. When the source IP address is used for signing, the source IP address in the layer-3 header and in the layer-4 header payload of the application-layer data packet is retained in the packet payload after the NAT ALG translation processing, so that the NAT ALG function's translation of the source IP address has no effect on the subsequent de-signature and an originally legitimate packet is not discarded as illegal. This guarantees that the plaintext is consistent between signing and de-signature, which would otherwise cause de-signature to fail, and solves the technical problem in the related art that the NAT ALG translation function cannot be applied in a signature machine network because NAT ALG translation changes the source IP address of an application-layer protocol packet and de-signature then cannot be performed.
FIG. 2 is a flowchart of another optional signature method according to an embodiment of the present invention. As shown in FIG. 2, the flow includes the following steps:
Step S202: receive a packet to be forwarded, wherein the packet is signed using a source IP address or a destination IP address;
Step S204: perform the NAT ALG translation processing on the received packet;
Step S206: forward the translated packet, wherein, when the packet before translation was signed using the source IP address, the source IP address from before the NAT ALG translation processing is retained in the translated packet for use in de-signature.
Optionally, in step S206, before forwarding the translated packet, the method further comprises: when the packet before translation was signed using the source IP address, saving the source IP address from before the NAT ALG translation processing in the payload field of the translated packet, and marking the translated packet.
This embodiment provides the solution for the case in which the packet before translation is signed using the source IP address: before the NAT ALG translation processing is performed, the source IP address from before the translation is saved in the payload field of the translated packet. This not only guarantees normal NAT ALG translation processing but also guarantees that the source IP address is not changed and can still be used for de-signature. It solves the problem in the related art that, when data in a signature machine network is cryptographically signed using the source IP address, the NAT ALG translation processing applied to the packet's source IP address changes it so that the packet can no longer be de-signed, which prevented NAT ALG translation from being applied in a signature machine network. In the signature machine network, the integrity, authenticity and non-repudiation of the data are thus guaranteed by cryptographically signing and de-signing the packet data, while normal NAT ALG translation processing of the application-layer data is also guaranteed.
FIG. 3 is a flowchart of an optional de-signature method according to an embodiment of the present invention. As shown in FIG. 3, the flow includes the following steps:
Step S302: receive a forwarded packet that has undergone the NAT ALG translation processing at the intermediate device, wherein the forwarded packet was signed using a source IP address or a destination IP address, and, when the forwarded packet was signed using the source IP address, the source IP address from before the NAT ALG translation processing is retained in the translated packet;
Step S304: perform de-signature processing on the received forwarded packet using the source IP address or the destination IP address.
This embodiment provides the specific de-signature method used after signing with the source IP address or the destination IP address. For a data packet signed using the source IP address, since the source IP address from before the NAT ALG translation processing is retained in the translated packet, the source IP address is still used for de-signature and the success rate of de-signature is guaranteed; for a data packet signed using the destination IP address, since the NAT ALG translation processing does not involve the destination IP address, the success rate of de-signature is likewise guaranteed. By changing the signing method for the source IP address, and by signing with the destination IP address, NAT ALG translation no longer affects normal signing and de-signing in the signature machine network, so that the NAT ALG translation function can be applied in a signature machine network.
图4是根据本发明实施例可选的一种签名装置结构框图,如图4所示,该签名装置包括:确定模块102,设置为确定待发送的报文在发送给中间设备后进行转发时,将要进行网络地址转换nat的应用级网关alg的转换处理;签名模块104,设置为使用报文的源因特网协议IP地址或目的IP地址对报文进行签名,其中,使用源IP地址进行签名时,源IP地址保留在经过nat的alg转换处理后的报文中用于解签名。FIG. 4 is a block diagram showing the structure of a signature device according to an embodiment of the present invention. As shown in FIG. 4, the signature device includes: a determining module 102, configured to determine that a packet to be sent is forwarded after being sent to an intermediate device. The conversion process of the application level gateway alg of the network address translation nat is to be performed; the signature module 104 is configured to sign the message using the source Internet Protocol IP address or the destination IP address of the message, wherein when the source IP address is used for signature The source IP address is reserved for signature after being processed by the nat alg conversion process.
图5是根据本发明实施例可选的另一种签名装置结构框图,如图5所示,该签名装置包括:第一接收模块106,设置为接收待转发的报文,其中,报文采用源因特网协议IP地址或目的IP地址进行签名;转换模块108,设置为对接收的报文进行网络地址转换nat的应用级网关alg的转换处理;转发模块110,设置为将转换后的报文进行转发处理,其中,在转换前的报文采用源IP地址进行签名时,在转换后的报文中保留有nat的alg转换处理前的源IP地址用于解签名。保存模块112,设置为在转换前的报文采用源IP地址进行签名时,将进行nat的alg转换处理前的源IP地址保存在转换后的报文的载荷字段中,并对转换后的报文进行标记。FIG. 5 is a block diagram showing another structure of a signature device according to an embodiment of the present invention. As shown in FIG. 5, the signature device includes: a first receiving module 106, configured to receive a packet to be forwarded, where the packet is used. The source network protocol IP address or the destination IP address is used for the signature; the conversion module 108 is configured to perform the conversion process of the application level gateway alg of the network address translation nat of the received message; and the forwarding module 110 is configured to perform the converted message. The forwarding process is performed. When the packet before the conversion is signed by the source IP address, the source IP address before the alg conversion process of the nat is reserved for the signature in the converted message. The saving module 112 is configured to save the source IP address before the nat alg conversion process in the payload field of the converted message, and set the converted message to the converted message. The text is marked.
FIG. 6 is a block diagram of an optional de-signing apparatus according to an embodiment of the present invention. As shown in FIG. 6, the de-signing apparatus includes: a second receiving module 114, configured to receive a forwarded packet on which an intermediate device has performed the conversion processing of the application level gateway (ALG) of network address translation (NAT), where the forwarded packet has been signed using its source Internet Protocol (IP) address or its destination IP address and, when the forwarded packet was signed using the source IP address, the converted packet retains the source IP address as it was before the NAT ALG conversion; and a de-signing module 116, configured to perform de-signing (signature verification) on the received forwarded packet using the source IP address or the destination IP address.
FIG. 7 is a structural diagram of an optional overall signing and de-signing implementation according to an embodiment of the present invention. As shown in FIG. 7, it includes a user-side edge device 202, which contains the signing apparatus formed by the determining module 102 and the signing module 104 described above and the de-signing apparatus formed by the second receiving module 114 and the de-signing module 116; the user-side edge device 202 is configured for user access and can perform both signing and de-signing. A network-side edge device 206 is also provided, likewise containing the signing apparatus formed by the determining module 102 and the signing module 104 and the de-signing apparatus formed by the second receiving module 114 and the de-signing module 116; the network-side edge device connects to the external network and can also perform signing and de-signing. An intermediate device 204 is also provided, containing the signing apparatus formed by the first receiving module 106, the conversion module 108, the forwarding module 110 and the saving module 112 described above; the intermediate device 204 sits between the user-side edge device 202 and the network-side edge device 206 and is configured to perform the NAT ALG conversion processing.
In implementation, the embodiments of the present invention neither require changing the existing network environment nor adding other devices, do not compromise the security and integrity of the existing network deployment, and solve the problem described above using only the existing network conditions through a combination of software and hardware. In the signature machine network, the encryption key may be a symmetric key or an asymmetric key.
The signing method of the embodiments of the present invention is first described in detail taking a single direction as an example:
The user-side edge device includes a packet transceiver module, a determining module and a signing module. The signing edge device is configured for user access and has the signing function configured. Because the user-side edge device already knows that the intermediate device will enable the NAT ALG service, and that this service changes the packet's original source IP address field, the signing method is to use the key to compute an encrypted signature over the packet's destination IP address field with the encryption algorithm; the source IP address and the payload field do not take part in the signature computation, so that address and port translation by services such as NAT does not affect the signature. The signature result is stored in a spare field of the packet for verification by the de-signing device. The user-side edge device parses the packet in the packet receiving module, the determining module decides whether the packet needs to be signed, the signing module signs the packet, and the packet sending module sends the packet.
The intermediate device includes a packet receiving module (corresponding to the first receiving module 106), a NAT ALG determining module, and a NAT ALG function module (corresponding to the conversion module 108) that performs address and port translation for application layer protocols. The intermediate device receives and parses the packet in the packet receiving module, the NAT ALG determining module decides whether the NAT ALG function needs to be performed, the NAT ALG module performs the NAT ALG function, at which point the packet's source IP field is rewritten, and the packet sending module sends the packet.
The network-side edge device includes a packet transceiver module, a determining module and the de-signing module. The packet transceiver module receives and sends packets; the determining module decides whether de-signing is required and whether NAT ALG address translation has been performed. The network-side edge device has the de-signing function configured and performs the de-signing operation corresponding to that of the user-side edge device. The network-side edge device likewise knows whether the forwarded packet has undergone the NAT ALG function; if address translation has occurred, it de-signs using only the packet's destination IP address field, not the source IP address or the payload field, and thereby checks the validity of the packet.
The present invention designs an implementation method of an application level gateway (ALG) based on a signature machine network. The composition and principle of the signature machine network are described first, then the principle and application of NAT ALG, and finally the specific implementation combining the two, which solves a practical problem in a real network application. For clarity, the description below refers to the accompanying drawings.
Preferred embodiments of the present invention are described below.
Preferred embodiment one:
The following takes a single direction as an example; in practice, an edge device is both a signing device and a de-signing device. In the signature machine network shown in FIG. 8, the user host 201 accesses the network through the user-side edge device 202, which has the signing function configured. After the user-side edge device 202 has determined that the current packet needs to be signed and that NAT ALG service processing will follow, it uses only the packet's destination IP address as the plaintext and encrypts it with the key to produce the signature; the source IP address, which will be rewritten by the translation, and the payload field do not take part in the computation. The result is stored in a spare field of the packet. The intermediate device 204 performs the NAT ALG function. The network-side edge device 206 is connected to the external network server 207; after the determination corresponding to that of the user-side edge device 202, if de-signing is required and the address has already been translated, it de-signs using only the destination IP address. As shown in FIG. 9, after a packet entering the edge device has been parsed, the determining module decides whether signing or de-signing is required.
If neither signing nor de-signing is required, the determining module passes the packet directly to the sending module; otherwise it passes the packet to the signing/de-signing module for processing and then to the sending module. As shown in FIG. 9, the specific steps include:
S401: the packet enters the packet receiving module and is parsed.
S402: the determining module determines whether the packet needs signing or de-signing. If not, go to S404.
S403: the packet is signed or de-signed.
S404: the packet is sent by the packet sending module.
An end user in the signature machine network accesses the existing Internet through the network-side edge device 206. The intermediate device 204 has the NAT ALG function configured. The process is described in detail below.
As shown in FIG. 10, the specific steps of the signing device include:
S501: the signing edge device receives and parses the packet.
S502: the determining module determines whether signing is required. If yes, go to S503; if no, go to S506.
S503: the NAT determining module determines whether NAT ALG service processing will occur during this forwarding. If yes, go to S504; if no, go to S505.
S504: the signing module signs the received packet using the destination IP address field as the plaintext; fields that will be rewritten by the NAT ALG service, such as the source IP address, are not processed. Go to S506.
S505: the signing module performs normal signing.
S506: the packet sending module sends the packet to the intermediate device.
As shown in FIG. 11, the specific steps of the intermediate device include:
S601: the packet receiving module of the intermediate device receives and parses the packet.
S602: the determining module of the intermediate device determines whether this device needs to perform the NAT ALG service. If yes, go to S603; if no, go to S604.
S603: the NAT ALG module of the intermediate device performs the NAT ALG service processing, which rewrites the packet's original source IP address while leaving the destination IP address unchanged.
S604: the sending module of the intermediate device sends the packet to the de-signing edge device.
As shown in FIG. 12, the specific steps of the de-signing edge device are as follows:
S701: the de-signing edge device receives and parses the packet.
S702: the determining module of the de-signing edge device determines whether de-signing is required. If yes, go to S703; if no, go to S706.
S703: the NAT ALG determining module of the de-signing edge device determines whether the received packet has undergone NAT ALG address translation. If yes, go to S704; if no, go to S705.
S704: the de-signing module of the de-signing edge device de-signs using only the packet's destination IP address as the plaintext.
S705: the de-signing edge device performs normal de-signing.
S706: the packet sending module of the de-signing edge device sends the packet.
Preferred embodiment two:
In this embodiment of the present invention the source IP address is used for the signature. Because the NAT ALG function rewrites the source IP address carried in the layer-3 header and in the application-layer payload behind the layer-4 header, de-signing would otherwise fail. Therefore the intermediate device marks packets on which NAT ALG has been performed and keeps the pre-translation source IP address field in the packet's payload field. The de-signing edge device parses the received packet; it first determines whether the NAT ALG function has been performed and, for such packets, restores the source IP address field to its pre-translation value, that is, restores the plaintext field, while deleting it from the payload field. It then computes the encrypted signature over the restored plaintext field and compares the result with the value in the spare field described earlier. If they match, the packet is considered legitimate and is processed normally; if not, the packet is discarded, as in the original de-signing function.
A user in the signature machine network accesses the network through the user-side edge device and reaches the existing Internet through the network-side edge device; both edge devices can perform signing and de-signing. The intermediate device determines whether its NAT ALG function is enabled and transmits the packet to the de-signing edge device.
The operation of the signing device is shown in FIG. 13; the specific steps include:
S801: the signing edge device receives and parses the packet.
S802: the signing edge device determines whether the signing function is enabled. If yes, go to S803; if no, go to S804.
S803: the received packet is signed by computing the encrypted signature over the packet's source IP address field; the result is stored in a spare field of the packet.
S804: the packet is then sent to the intermediate device.
The operation of the intermediate device is shown in FIG. 14; the specific steps include:
S901: the intermediate device enters configuration mode and receives and parses the packet.
S902: it determines whether NAT ALG service processing is required. If yes, go to S903; if no, go to S904.
S903: the intermediate device saves the source IP address field into the payload field, marks the packet, and performs the NAT ALG service processing.
S904: the intermediate device sends the packet.
The operation of the de-signing edge device is shown in FIG. 15; the specific steps include:
S1001: the de-signing edge device receives and parses the packet.
S1002: the de-signing edge device determines whether de-signing needs to be enabled. If yes, go to S1003; if no, go to S1006.
S1003: the de-signing edge device determines whether the received packet has undergone NAT ALG service processing. If yes, go to S1004; if no, go to S1005.
S1004: the de-signing edge device restores the source IP address field from before the NAT ALG service translation and de-signs using that pre-translation source IP address field.
S1005: the de-signing edge device performs normal de-signing.
S1006: the de-signing edge device sends the packet.
Based on the signature machine network environment and the characteristics of the signature machine's signing algorithm, the present invention proposes two ways of implementing the NAT ALG function in that environment. The NAT ALG function mainly rewrites the source IP address or port number of application layer protocols; the method avoids this by using only the packet's destination IP address field, or the source IP address field preserved from before translation, as the plaintext for de-signing, so that translation of the source IP address does not affect the correctness of the de-signing result and the packet is forwarded normally.
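The two schemes described above (destination-address signing in preferred embodiment one, steps S501 to S706, and source-address signing with preservation in preferred embodiment two, steps S801 to S1006) modelled end to end in Python. This is an added example, not code from the patent or from ZTE. It assumes, since the page leaves them open, an HMAC-SHA256 tag truncated to 16 bytes as the "encrypted signature", a symmetric key shared by the two edge devices, a `Packet` class whose `sig` attribute stands for the packet's spare field, and that the intermediate device preserves the pre-NAT source address by prepending its 4-byte form to the payload and setting an `alg_marked` flag. `nat_alg` can also run without preservation, which reproduces the failure case that motivates embodiment two.

```python
"""Model of the two NAT-ALG-tolerant signing schemes described in the text.

Added example, not the patent's or ZTE's code. Assumptions not in the page:
HMAC-SHA256 truncated to 16 bytes as the signature, a shared symmetric key,
`sig` as the packet's spare field, and the pre-NAT source kept as 4 bytes
prepended to the payload plus an `alg_marked` flag.
"""
import hashlib
import hmac
import socket
from dataclasses import dataclass

# Constructed key shared by the user-side and network-side edge devices.
SHARED_KEY = b"constructed-shared-key-for-the-example-only"
SIG_LEN = 16  # bytes of truncated HMAC that fit the packet's spare field


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    payload: bytes
    sig: bytes = b""          # the packet's spare field holding the signature
    alg_marked: bool = False  # marker set by the intermediate device (S903)


def address_mac(address: str) -> bytes:
    """MAC over one address field only. The payload and the other address are
    deliberately excluded, as the text specifies, so NAT rewriting of the
    excluded fields cannot invalidate the tag."""
    packed = socket.inet_aton(address)
    return hmac.new(SHARED_KEY, packed, hashlib.sha256).digest()[:SIG_LEN]


# --- Embodiment one: sign the destination IP, which NAT ALG leaves untouched ---

def sign_by_dst(pkt: Packet) -> Packet:
    pkt.sig = address_mac(pkt.dst_ip)  # S504
    return pkt


def verify_by_dst(pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.sig, address_mac(pkt.dst_ip))  # S704


# --- Embodiment two: sign the source IP; the NAT device preserves the original ---

def sign_by_src(pkt: Packet) -> Packet:
    pkt.sig = address_mac(pkt.src_ip)  # S803
    return pkt


def nat_alg(pkt: Packet, public_ip: str, preserve_src: bool) -> Packet:
    """Intermediate device: rewrite the source IP (S603). With preserve_src it
    first stores the pre-NAT source in the payload and marks the packet (S903)."""
    if preserve_src:
        pkt.payload = socket.inet_aton(pkt.src_ip) + pkt.payload
        pkt.alg_marked = True
    pkt.src_ip = public_ip
    return pkt


def verify_by_src(pkt: Packet) -> bool:
    """Network-side device: if the packet is marked, restore the pre-NAT source
    from the payload and delete it there (S1004), then check the MAC."""
    address = pkt.src_ip
    if pkt.alg_marked:
        if len(pkt.payload) < 4:   # marked but nothing to restore: reject
            return False
        address = socket.inet_ntoa(pkt.payload[:4])
        pkt.payload = pkt.payload[4:]
        pkt.alg_marked = False
    return hmac.compare_digest(pkt.sig, address_mac(address))


def embodiment_one() -> bool:
    """Destination-signed packet still verifies after its source is rewritten."""
    pkt = sign_by_dst(Packet("10.0.0.5", "203.0.113.10", b"GET / HTTP/1.1"))
    pkt = nat_alg(pkt, "198.51.100.1", preserve_src=False)
    return verify_by_dst(pkt)


def embodiment_two(preserve_src: bool) -> bool:
    """Source-signed packet: fails after plain NAT, verifies when preserved."""
    pkt = sign_by_src(Packet("10.0.0.5", "203.0.113.10", b"GET / HTTP/1.1"))
    pkt = nat_alg(pkt, "198.51.100.1", preserve_src=preserve_src)
    return verify_by_src(pkt)


def forged_packet_rejected() -> bool:
    """An on-path change of the signed address field is detected."""
    pkt = sign_by_dst(Packet("10.0.0.5", "203.0.113.10", b"x"))
    pkt.dst_ip = "203.0.113.99"
    return not verify_by_dst(pkt)


if __name__ == "__main__":
    print("embodiment one verifies after NAT:", embodiment_one())
    print("embodiment two without preservation:", embodiment_two(False))
    print("embodiment two with preservation:", embodiment_two(True))
    print("tampered destination rejected:", forged_packet_rejected())
```

Run the file directly to see the four cases. Two properties the model makes visible: the tag covers only the chosen address field, so it binds neither the payload nor, in embodiment one, the source address, and every packet to the same destination carries the same valid tag; and in embodiment two the verifier accepts whatever pre-NAT address the marked payload carries, so the intermediate device is part of the trust base, and a marked packet whose payload cannot hold an address is rejected rather than verified against the rewritten source.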
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented with a general-purpose computing device; they may be concentrated on a single computing device or distributed across a network of multiple computing devices. Optionally, they may be implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that given here, or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus, the present invention is not limited to any particular combination of hardware and software.
The above are merely preferred embodiments of the present invention and are not intended to limit it; those skilled in the art may make various modifications and variations to the present invention. Any modification, equivalent replacement, improvement and so on made within the spirit and principle of the present invention shall fall within its scope of protection.
Industrial applicability
As described above, the signing method and apparatus provided by the embodiments of the present invention have the following beneficial effect: they solve the problem in the related art that a packet in a signature machine network cannot be de-signed after the conversion processing of the application level gateway (ALG) of network address translation (NAT), achieving the technical effect that signing and de-signing can be performed using either the source IP address or the destination IP address of the packet.

Claims (11)

  1. A signing method, comprising:
    determining that a packet to be sent, after being sent to an intermediate device and forwarded, will undergo the conversion processing of an application level gateway (ALG) of network address translation (NAT);
    signing the packet using a source Internet Protocol (IP) address or a destination IP address of the packet, wherein, when the source IP address is used for signing, the source IP address is retained in the packet after the NAT ALG conversion processing for de-signing.
  2. A signing method, comprising:
    receiving a packet to be forwarded, wherein the packet has been signed using a source Internet Protocol (IP) address or a destination IP address;
    performing the conversion processing of an application level gateway (ALG) of network address translation (NAT) on the received packet;
    forwarding the converted packet, wherein, when the packet before conversion was signed using the source IP address, the source IP address from before the NAT ALG conversion processing is retained in the converted packet for de-signing.
  3. The method according to claim 2, wherein, before forwarding the converted packet, the method further comprises:
    when the packet before conversion was signed using the source IP address, saving the source IP address from before the NAT ALG conversion processing in a payload field of the converted packet, and marking the converted packet.
  4. A de-signing method, comprising:
    receiving a forwarded packet on which an intermediate device has performed the conversion processing of an application level gateway (ALG) of network address translation (NAT), wherein the forwarded packet has been signed using a source Internet Protocol (IP) address or a destination IP address and, when the forwarded packet was signed using the source IP address, the source IP address from before the NAT ALG conversion processing is retained in the converted packet;
    de-signing the received forwarded packet using the source IP address or the destination IP address.
  5. A signing apparatus, comprising:
    a determining module, configured to determine that a packet to be sent, after being sent to an intermediate device and forwarded, will undergo the conversion processing of an application level gateway (ALG) of network address translation (NAT);
    a signing module, configured to sign the packet using a source Internet Protocol (IP) address or a destination IP address of the packet, wherein, when the source IP address is used for signing, the source IP address is retained in the packet after the NAT ALG conversion processing for de-signing.
  6. A signing apparatus, comprising:
    a first receiving module, configured to receive a packet to be forwarded, wherein the packet has been signed using a source Internet Protocol (IP) address or a destination IP address;
    a conversion module, configured to perform the conversion processing of an application level gateway (ALG) of network address translation (NAT) on the received packet;
    a forwarding module, configured to forward the converted packet, wherein, when the packet before conversion was signed using the source IP address, the source IP address from before the NAT ALG conversion processing is retained in the converted packet for de-signing.
  7. The apparatus according to claim 6, further comprising:
    a saving module, configured to, when the packet before conversion was signed using the source IP address, save the source IP address from before the NAT ALG conversion processing in a payload field of the converted packet and mark the converted packet.
  8. A de-signing apparatus, comprising:
    a second receiving module, configured to receive a forwarded packet on which an intermediate device has performed the conversion processing of an application level gateway (ALG) of network address translation (NAT), wherein the forwarded packet has been signed using a source Internet Protocol (IP) address or a destination IP address and, when the forwarded packet was signed using the source IP address, the source IP address from before the NAT ALG conversion processing is retained in the converted packet;
    a de-signing module, configured to de-sign the received forwarded packet using the source IP address or the destination IP address.
  9. A user-side edge device, comprising the signing apparatus according to claim 5 and the de-signing apparatus according to claim 8.
  10. An intermediate device, comprising the signing apparatus according to claim 6 or 7.
  11. A network-side edge device, comprising the signing apparatus according to claim 5 and the de-signing apparatus according to claim 8.
PCT/CN2015/096030 2014-12-29 2015-11-30 Signature method and apparatus WO2016107359A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410848360.7 2014-12-29
CN201410848360.7A CN105812137A (en) 2014-12-29 2014-12-29 Signature method and signature device

Publications (1)

Publication Number Publication Date
WO2016107359A1 true WO2016107359A1 (en) 2016-07-07

Family

ID=56284194

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/096030 WO2016107359A1 (en) 2014-12-29 2015-11-30 Signature method and apparatus

Country Status (2)

Country Link
CN (1) CN105812137A (en)
WO (1) WO2016107359A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115617862A (en) * 2021-07-15 2023-01-17 华为技术有限公司 Method and intermediate device for optimizing data access performance

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101420423A (en) * 2007-10-26 2009-04-29 株式会社日立制作所 Network system
CN101515882A (en) * 2008-02-20 2009-08-26 深圳华为通信技术有限公司 Method, device and system for communication between local area network and public network
CN102209124A (en) * 2011-06-08 2011-10-05 杭州华三通信技术有限公司 Method for communication between private network and public network and network address translation equipment
CN102843375A (en) * 2012-09-07 2012-12-26 沈阳通用软件有限公司 Method for controlling network access based on identification in IP (Internet Protocol) protocol

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101808142B (en) * 2010-03-10 2013-03-27 上海十进制网络信息技术有限公司 Method and device for realizing trusted network connection through router or switch


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
KIVINEN, T. ET AL.: "Negotiation of NAT -Traversal in the IKE", RFC3947, 31 January 2005 (2005-01-31) *

Also Published As

Publication number Publication date
CN105812137A (en) 2016-07-27


Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15875038; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15875038; Country of ref document: EP; Kind code of ref document: A1)