WO2020067734A1 - Non-address network equipment and communication security system using the same - Google Patents

Non-address network equipment and communication security system using the same

Info

Publication number
WO2020067734A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
terminal
data
input
network equipment
Prior art date
Application number
PCT/KR2019/012515
Other languages
English (en)
Korean (ko)
Inventor
이광원
Original Assignee
이광원
Application filed by 이광원
Publication of WO2020067734A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4604 LAN interconnection over a backbone network, e.g. Internet, Frame Relay
    • H04L 12/462 LAN interconnection over a bridge based backbone
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers

Definitions

  • the present invention relates to a non-address network equipment and a communication security system using the same, and more specifically to non-address network equipment that has no IP address or account and that blocks and prevents hacking, wiretapping, and eavesdropping of terminals transmitting and receiving data through various dedicated networks and public networks, thereby maintaining the security of data transmission.
  • various terminals operating in a dedicated network, including wired or wireless networks, or in a public network, such as PCs, laptops, VoIP phones, fax terminals, and mobile phones, can suffer massive physical or property damage from various forms of hacking.
  • an object of the present invention, which solves the above problems, is to block hacking, wiretapping, and eavesdropping of terminals transmitting and receiving data through various dedicated networks and public networks by using non-address network equipment without an IP address or account; to that end, a non-address network equipment and a communication security system using the same are provided.
  • a non-address network equipment receives first encrypted data transmitted through the communication network to a first terminal having a first address, decrypts it to generate decrypted data, and delivers the decrypted data to the first terminal; or it encrypts data transmitted from the first terminal to a second terminal having a second address to generate second encrypted data, and transmits the second encrypted data through the communication network.
  • the non-address network equipment includes a second input / output unit connected to the first terminal; a first input / output unit having one side connected to the second input / output unit and the other side connected to the communication network; and a security unit that decrypts the first encrypted data input from the first input / output unit and encrypts the data input from the second input / output unit to generate the second encrypted data.
  • the security unit uses the normal determination value contained in the header portion of the first encrypted data to decide whether to discard the first encrypted data, and uses the first terminal value to decide whether to discard the input data before generating the second encrypted data; it then adds its own unique normal determination value and the unique equipment value of the security unit to the header portion of the second encrypted data.
  • a communication security system using non-address network equipment includes a first terminal that receives data including a first address or generates and transmits data including a second address, and a second terminal that generates and transmits data including the first address or receives data including the second address, the two terminals communicating through a communication network.
  • the system comprises a first non-address network equipment including a 1-2 input / output unit connected to the first terminal; a 1-1 input / output unit having one side connected to the 1-2 input / output unit and the other side connected to the communication network; and a first security unit that decrypts the encrypted data input from the 1-1 input / output unit and encrypts the data input from the 1-2 input / output unit.
  • the system further comprises a second non-address network equipment including a 2-1 input / output unit connected to the communication network; a 2-2 input / output unit having one side connected to the 2-1 input / output unit and the other side connected to the second terminal; and a second security unit that decrypts the encrypted data input from the 2-1 input / output unit and encrypts the data input from the 2-2 input / output unit.
  • the first non-address network equipment and the second non-address network equipment perform the operation of the first security unit and the operation of the second security unit, respectively, in a state in which neither has an IP address or an account set.
  • when the first terminal, in which the first address is set, transmits data to the second terminal, in which the second address is set, the first terminal generates data including the second address and sends it to the first non-address network equipment.
  • the 1-2 input / output unit receives the data including the second address and delivers it to the first security unit.
  • the first security unit checks whether the first terminal value matches the terminal value contained in the data including the second address; if they do not match, it discards the data; if they match, it encrypts the data including the second address so that it contains the first equipment value, which is the equipment value of the first non-address network equipment, and the second equipment value, which is the equipment value of the second non-address network equipment.
  • the first encrypted data generated in this way is transmitted to the communication network through the 1-1 input / output unit, and the second non-address network equipment receives the first encrypted data from the communication network through the 2-1 input / output unit.
  • the second security unit decrypts the first encrypted data and reprocesses it according to a specific algorithm.
  • when the second terminal, in which the second address is set, transmits data to the first terminal, in which the first address is set, the second terminal generates data including the first address and transmits it to the second non-address network equipment, whose 2-2 input / output unit receives the data including the first address and passes it to the second security unit.
  • the second security unit checks whether the second terminal value matches the terminal value contained in the data including the first address; if they do not match, the data is discarded; if they match, the data including the first address is encrypted so that it contains the first equipment value and the second equipment value, producing the second encrypted data.
  • the second encrypted data is received by the first non-address network equipment and passed to the first security unit, which decrypts the second encrypted data and reprocesses it according to a specific algorithm to regenerate the data containing the first address; that data is transmitted to the first terminal through the 1-2 input / output unit.
  • after generating the first encrypted data, the first security unit reprocesses it so that its header includes a preset first normal determination value; after generating the second encrypted data, the second security unit may reprocess it so that its header includes a preset second normal determination value.
  • the first security unit, upon receiving the second encrypted data, checks the second normal determination value of the second encrypted data, and when the second normal determination value is not the preset value, the second encrypted data
  • the second security unit, upon receiving the first encrypted data, checks the first normal determination value of the first encrypted data, and when the first normal determination value is not the preset value, the first encrypted data can be discarded.
  • the first terminal value is the unique terminal value of the first terminal, obtained by analyzing the first packet transmitted from the first terminal through the 1-2 input / output unit when the first non-address network equipment is connected to the first terminal for the first time; likewise, the second terminal value may be the unique terminal value of the second terminal, obtained by analyzing the first packet transmitted from the second terminal through the 2-2 input / output unit when the second non-address network equipment is connected to the second terminal for the first time.
  • the second non-address network equipment acquires the initial data transmitted from the first non-address network equipment, analyzes its header value, and stores the first terminal value and the first equipment value in the second security unit.
  • the first non-address network equipment acquires the initial data transmitted from the second non-address network equipment, analyzes its header value, and may store the second terminal value and the second equipment value in the first security unit.
  • the first security unit may use the second terminal value and the second equipment value in the decryption algorithm for the second encrypted data, and the second security unit may use the first terminal value and the first equipment value in the decryption algorithm for the first encrypted data.
  • the connection between the 1-1 input / output unit and the 1-2 input / output unit, and the connection between the 2-1 input / output unit and the 2-2 input / output unit, may each be made in a bridge manner.
  • the first security unit may be included in the 1-1 input / output unit or the 1-2 input / output unit, or may be included in the first non-address network equipment separately from the 1-1 input / output unit and the 1-2 input / output unit.
  • the second security unit may be included in the 2-1 input / output unit or the 2-2 input / output unit, or may be included in the second non-address network equipment separately from the 2-1 input / output unit and the 2-2 input / output unit.
  • the first terminal may be set with the first address
  • the second terminal may be set with the second address
  • different accounts may be set in the first terminal and the second terminal.
  • the 1-1 input / output unit and the 2-1 input / output unit, which are connected to the communication network, may operate in promiscuous mode so as to receive all data transmitted through the communication network.
  • the first security unit encrypts a specific portion of the first data input from the first terminal through the 1-2 input / output unit, generating first encrypted data reprocessed according to a specific algorithm, and outputs it through the 1-1 input / output unit; or it decrypts the second encrypted data input from the communication network through the 1-1 input / output unit and outputs it to the first terminal as second data reprocessed according to a specific algorithm.
  • the second security unit encrypts a specific portion of the second data input from the second terminal through the 2-2 input / output unit, generating second encrypted data reprocessed according to a specific algorithm, and outputs it through the 2-1 input / output unit; or it decrypts the first encrypted data input from the communication network through the 2-1 input / output unit and outputs it to the second terminal as first data reprocessed according to a specific algorithm.
  • a third non-address network equipment, connected to the first and second non-address network equipment through the communication network, which obtains the first and second encrypted data and transmits hacking data to the communication network, may further be present.
  • when the third non-address network equipment obtains the first or second encrypted data from the communication network, and neither the third terminal value (the terminal value of a third terminal connected to the third non-address network equipment) nor the third equipment value (the equipment value of the third non-address network equipment) can be extracted from that encrypted data, the data may be discarded without being decrypted.
  • according to the present invention, it is not necessary to set an IP address or an account in the network equipment connected to each terminal, and hacking, wiretapping, and eavesdropping of terminals communicating through various dedicated networks or public networks can be prevented.
  • hackers cannot access terminals connected to non-address network equipment that has no IP address or account, and wiretapping, interception, or leakage of confidential information through private networks and public networks is prevented.
  • network communication between non-address network devices without an IP address and account, each connected to a transmitting or receiving terminal, has the advantage of producing a kind of virtual private network effect.
  • non-address network equipment without IP addresses and accounts can provide complete security for industrial terminals, offering a security solution that protects sensitive confidential information and data from malicious hackers and confidential leaks.
  • FIG. 1 is a view showing a basic concept of a communication security system using a non-address network equipment according to an embodiment of the present invention.
  • FIG. 2 is a configuration diagram schematically showing the overall configuration of a communication security system using a non-address network equipment according to an embodiment of the present invention.
  • FIG. 3 is a diagram illustrating an example of transmitting data between terminals using a non-address network equipment according to an embodiment of the present invention.
  • FIG. 4 is a view showing an example of preventing hacking of a terminal using a non-address network equipment according to an embodiment of the present invention.
  • FIG. 5 is a view showing a basic flow chart for explaining a communication security method using a non-address network equipment according to an embodiment of the present invention.
  • FIG. 6 is a flowchart illustrating a communication security method using a non-address network equipment of a communication security system according to an embodiment of the present invention.
  • FIG. 7 is a flowchart illustrating a communication security method using a non-address network equipment of a communication security system according to an embodiment of the present invention.
  • when one part is said to be "above" another part, it may be directly on top of the other part, or another part may be interposed between them. In contrast, if one part is said to be "just above" another part, no other part is interposed between them.
  • the terms first, second, and third are used to describe various parts, components, regions, layers and / or sections, but these are not limited thereto. These terms are only used to distinguish one part, component, region, layer or section from another. Accordingly, a first part, component, region, layer or section described below may be referred to as a second part, component, region, layer or section without departing from the scope of the present invention.
  • FIG. 1 is a view showing a basic concept of a communication security system using a non-address network equipment according to an embodiment of the present invention.
  • the communication security system 100 using a non-address network equipment basically includes a configuration in which the terminal 110 is connected to the communication network 130 through a non-address network equipment 120.
  • the terminal 110 is a communication terminal for transmitting data to or receiving data from the communication network 130, and includes wired or wireless communication terminals.
  • the terminal 110 may be a PC, a laptop, a VoIP phone, a fax, or a mobile phone.
  • the non-address network equipment 120 means a network device in which the IP address or MAC address normally required for communication to transmit and receive data is not set, and for which no account is required.
  • the non-address network equipment 120 includes a first input / output unit 122, a second input / output unit 124, and a security unit 125; it is connected to the communication network 130 through the first input / output unit 122 and to the terminal 110 through the second input / output unit 124.
  • the first input / output unit 122 and the second input / output unit 124 may be network cards, such as local area network (LAN) cards.
  • when the security unit 125 receives encrypted data from the communication network 130 through the first input / output unit 122, it decrypts the data and transmits the decrypted data to the terminal 110 through the second input / output unit 124; when it receives data from the terminal 110 through the second input / output unit 124, it encrypts the data and outputs it as encrypted data to the communication network 130 through the first input / output unit 122.
  • the security unit 125 may store encryption / decryption packet information, connection terminal values, and normal determination values for data encryption or decryption.
  • the communication network 130 includes a dedicated network or a public network, and may include a wired network such as the Internet or PSTN, and a wireless network such as Zigbee and Bluetooth.
  • the non-address network equipment 120 receives an arbitrary packet from the connected terminal during the process of being initially connected to the terminal 110.
  • the security unit 125 analyzes that packet and, after obtaining the address (IP), MAC, and other unique values of the terminal connected to the non-address network equipment 120 as the terminal value, stores them in a ghost table, which is a terminal value storage area formed in the security unit 125.
  • the non-address network equipment 120 analyzes all packets transmitted from the terminal 110 and compares them with the terminal value stored in the ghost table; when they do not match, the non-address network equipment 120 can prevent the corresponding data from being transmitted to the communication network 130 by not performing the encryption operation in the security unit 125, or by discarding the packet without passing it to the first input / output unit 122.
  • in this way, the security of data can be maintained even if a security problem occurs, such as the non-address network equipment 120 being seized, the network structure being changed by a hacking attack, or the terminal 110 connected to the second input / output unit being forged.
  • the non-address network equipment 120 may obtain encrypted data through the communication network 130 to perform decryption, and then transmit the decrypted data to the terminal 110.
  • the first input / output unit 122 acquires encrypted data through the communication network 130 and transmits the encrypted data to the security unit 125.
  • the security unit 125 first checks the normal determination value included in the header portion of the encrypted data.
  • the normal determination value is a value added to the header portion of the encrypted data to identify whether the communicating non-address network equipment, that is, the non-address network equipment that generated the encrypted data obtained by the first input / output unit 122, is legitimate equipment. If the value is abnormal, the packet can be discarded without decrypting the encrypted data, which avoids the processing load during an arbitrary-data attack such as a DDoS.
  • the security unit 125 analyzes the header of the encrypted data and stores, in the ghost table, the terminal value of the terminal that generated the data and the equipment value of the non-address network equipment that generated the encrypted data. By analyzing the header of the encrypted data against the corresponding terminal value and equipment value, it is possible to selectively receive and decrypt only data generated by that terminal and the non-address network equipment connected to it.
  • FIG. 2 is a configuration diagram schematically showing the overall configuration of a communication security system using a non-address network equipment according to an embodiment of the present invention.
  • the communication security system 200 using a non-address network equipment according to an embodiment of the present invention includes a configuration in which the first non-address network equipment 210 is connected to the first terminal 112, the second non-address network equipment 220 is connected to the second terminal 114, and both are connected to the communication network 130.
  • a first address is set in the first terminal 112, a second address is set in the second terminal 114, and different accounts may be set in the first terminal 112 and the second terminal 114, respectively.
  • communication between the first non-address network equipment 210 and the second non-address network equipment 220 may have the same effect as communication through a virtual private network.
  • the first terminal 112 receives data including the first address from the communication network 130, or generates data including the second address and transmits it to the communication network 130. That is, the first terminal 112 generates data including the second address for transmission to the second terminal 114 and sends it to the communication network 130, or receives from the communication network 130 data including the first address sent toward it by the second terminal 114.
  • data transmitted between the first terminal 112 and the second terminal 114 may consist of a header, including a source address, a destination address, and an account, and a payload carrying the information.
  • the second terminal 114 generates data including the first address and transmits it to the communication network 130, or receives data including the second address from the communication network 130. That is, the second terminal 114 generates data including the first address for transmission to the first terminal 112 and sends it to the communication network 130, or receives from the communication network 130 data including the second address sent toward it by the first terminal 112.
  • the first non-address network equipment 210 and the second non-address network equipment 220 perform the operation of the first security unit 215 and the operation of the second security unit 225, respectively, without an IP address and account set, that is, without an address and an account.
  • the first non-address network equipment 210 and the second non-address network equipment 220 operate as dummy hub devices, and the security-related functions can be implemented not only in hardware but also in software.
  • the first non-address network equipment 210 includes a 1-1 input / output unit 211, a 1-2 input / output unit 212, and a first security unit 215.
  • one side of the 1-1 input / output unit 211 is connected to the 1-2 input / output unit 212 through the first security unit 215, and the other side is connected to the communication network 130.
  • one side of the 1-2 input / output unit 212 is connected to the first terminal 112, and the other side is connected to the 1-1 input / output unit 211 through the first security unit 215.
  • the first security unit 215 decrypts the encrypted data input from the 1-1 input / output unit 211, or encrypts the data input from the 1-2 input / output unit 212, and stores a key for encryption and decryption.
  • the second non-address network equipment 220 includes a 2-1 input / output unit 221, a 2-2 input / output unit 222, and a second security unit 225.
  • one side of the 2-1 input / output unit 221 is connected to the communication network 130, and the other side is connected to the 2-2 input / output unit 222 through the second security unit 225.
  • one side of the 2-2 input / output unit 222 is connected to the 2-1 input / output unit 221 through the second security unit 225, and the other side is connected to the second terminal 114.
  • the second security unit 225 decrypts the encrypted data input from the 2-1 input / output unit 221, or encrypts the data input from the 2-2 input / output unit 222, and stores a key for encryption and decryption.
  • the connection between the 1-1 input / output unit 211 and the 1-2 input / output unit 212, and the connection between the 2-1 input / output unit 221 and the 2-2 input / output unit 222, may each be made in a bridge manner.
  • the first security unit 215 may be included in the 1-1 input / output unit 211 or the 1-2 input / output unit 212, or, as illustrated in FIG. 2, may be included in the first non-address network equipment 210 separately from the 1-1 input / output unit 211 and the 1-2 input / output unit 212.
  • the second security unit 225 may be included in the 2-1 input / output unit 221 or the 2-2 input / output unit 222, or may be included in the second non-address network equipment 220 separately from the 2-1 input / output unit 221 and the 2-2 input / output unit 222.
  • the first security unit 215 encrypts the first data input from the first terminal 112 through the 1-2 input / output unit 212, reprocessing it according to a specific algorithm to generate the first encrypted data, and outputs it to the communication network 130 through the 1-1 input / output unit 211.
  • the first data includes a first terminal value, which is the terminal value of the originating terminal, and a first equipment value, which is the equipment value of the non-address network equipment that generates the first encrypted data; it further includes a second terminal value, which is the terminal value of the destination terminal, and a second equipment value, which is the equipment value of the non-address network equipment that decrypts the first encrypted data.
  • the first security unit 215 may perform the encryption process of reprocessing the first data according to a specific algorithm so that the header of the first encrypted data further includes a normal determination value.
  • the second security unit 225 encrypts the second data input from the second terminal 114 through the 2-2 input / output unit 222, reprocessing it according to a specific algorithm to generate the second encrypted data, and outputs it to the communication network 130 through the 2-1 input / output unit 221.
  • the second data includes a second terminal value, which is the terminal value of the originating terminal, and a second equipment value, which is the equipment value of the non-address network equipment that generates the second encrypted data; it further includes a first terminal value, which is the terminal value of the destination terminal, and a first equipment value, which is the equipment value of the non-address network equipment that decrypts the second encrypted data.
  • the second security unit 225 may perform the encryption process of reprocessing the second data according to a specific algorithm so that the header of the second encrypted data further includes a normal determination value.
  • the 1-1 input / output unit 211 and the 2-1 input / output unit 221, which are connected to the communication network 130, may operate in promiscuous mode so as to receive all data transmitted through the communication network 130.
  • the 1-1 input / output unit 211 and the 2-1 input / output unit 221 receive all data from the communication network 130, including plain data and encrypted data, and deliver it to the first security unit 215 and the second security unit 225, respectively.
  • the second data is output to the first terminal 112 through the 1-2 input / output unit 212.
  • the second data transmitted from the second terminal 114 is generated as second encrypted data through the second non-address network equipment 220 to the first non-address network equipment 210 via the communication network 130.
  • the second terminal 114 is transmitted and decrypted by the first non-address network equipment 210 through the first security unit 215 to generate the second data and transmit the second data to the first terminal 112. Data is safely transmitted from the first terminal 112.
  • when the first encrypted data is input from the communication network 130 through the 2-1 input/output unit 221, the second security unit 225 decrypts it by reprocessing the input first encrypted data according to a specific algorithm, and the resulting first data is output to the second terminal 114 through the 2-2 input/output unit 222.
  • in other words, the first data transmitted from the first terminal 112 is converted into first encrypted data by the first non-address network equipment 210, sent to the second non-address network equipment 220 via the communication network 130, decrypted there by the second security unit 225 to recover the first data, and delivered to the second terminal 114. In this way data from the first terminal 112 is safely transmitted to the second terminal 114.
  • in the process of the first connection with the first terminal 112, the first non-address network equipment 210 receives an arbitrary packet from the connected terminal.
  • when the first non-address network equipment 210 receives that packet from the first terminal 112 through the 1-2 input/output unit 212, the first security unit 215 analyzes the packet, obtains the first terminal value (the IP address, MAC address and other unique values of the terminal connected to the first non-address network equipment 210) and stores it in a ghost table, which is a terminal-value storage area formed in the first security unit 215.
  • thereafter the first non-address network equipment 210 analyzes all packets transmitted from the first terminal 112 and compares them with the first terminal value stored in the ghost table. If a packet differs from the first terminal value, the first non-address network equipment 210 does not perform the encryption operation in the first security unit 215, or discards the packet without passing it to the 1-1 I/O unit 211, so that the corresponding data is not transmitted to the communication network 130.
  • accordingly, data can be kept secure even when a security problem occurs, such as the first non-address network equipment 210 being seized, the network structure being changed by a hacking attack, or the first terminal 112 connected to the 1-2 input/output unit 212 being forged.
  • in the process of the first connection with the second terminal 114, the second non-address network equipment 220 likewise receives an arbitrary packet from the connected terminal.
  • the second security unit 225 analyzes that packet, obtains the second terminal value (the IP address, MAC address and other unique values of the terminal connected to the second non-address network equipment 220) and stores it in a ghost table, which is a terminal-value storage area formed in the second security unit 225.
  • thereafter the second non-address network equipment 220 analyzes all packets transmitted from the second terminal 114 and compares them with the second terminal value stored in the ghost table. If a packet differs from the second terminal value, the second non-address network equipment 220 does not perform the encryption operation in the second security unit 225, or discards the packet without passing it to the 2-1 input/output unit 221, so that the corresponding data is not transmitted to the communication network 130.
  • accordingly, data can be kept secure even when a security problem occurs, such as the second non-address network equipment 220 being seized, the network structure being changed by a hacking attack, or the second terminal 114 connected to the 2-2 input/output unit 222 being forged.
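The ghost-table behaviour described for both devices above (learn the terminal value from the terminal's first packet, then refuse to encrypt or forward anything whose terminal value differs), carried through as an added example; this is not the patent's code. It assumes Ethernet II + IPv4 frames and a terminal value keyed on source MAC and source IPv4 address, whereas the patent says only "IP, MAC and other unique values"; the class names, the frame builder and the sample traffic are constructed for the example.

```python
"""Ghost-table egress filter: learn the attached terminal's source MAC and IPv4
address from its first frame, then discard every later frame whose source
values differ. Added example, not the patent's code. Assumptions: frames are
Ethernet II + IPv4 and the terminal value is keyed on (src MAC, src IP); the
patent says only 'IP, MAC and other unique values'."""
import struct
from dataclasses import dataclass
from typing import Optional

ETH_HDR_LEN, IPV4_HDR_LEN, ETHERTYPE_IPV4 = 14, 20, 0x0800

@dataclass(frozen=True)
class TerminalValue:
    mac: str
    ip: str

def parse_terminal_value(frame: bytes) -> Optional[TerminalValue]:
    """Source MAC and IPv4 of an Ethernet II frame; None if not IPv4 or truncated."""
    if len(frame) < ETH_HDR_LEN + IPV4_HDR_LEN:
        return None
    _dst, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    ip_hdr = frame[ETH_HDR_LEN:ETH_HDR_LEN + IPV4_HDR_LEN]
    if ethertype != ETHERTYPE_IPV4 or ip_hdr[0] >> 4 != 4:
        return None
    return TerminalValue(mac=":".join(f"{b:02x}" for b in src_mac),
                         ip=".".join(str(b) for b in ip_hdr[12:16]))

class NonAddressEgress:
    """Terminal-facing side of a non-address device (the 1-2 I/O unit path)."""
    def __init__(self) -> None:
        self.ghost_table: Optional[TerminalValue] = None  # learned on the first frame
        self.discarded = 0

    def handle(self, frame: bytes) -> Optional[bytes]:
        """Return the frame if it may proceed to the security unit, else None."""
        tv = parse_terminal_value(frame)
        if tv is None:
            self.discarded += 1  # no terminal value to compare against
            return None
        if self.ghost_table is None:
            self.ghost_table = tv  # first connection: record the terminal value
        elif tv != self.ghost_table:
            self.discarded += 1  # forged or swapped terminal: never encrypted or forwarded
            return None
        return frame

def build_frame(src_mac: bytes, src_ip: bytes, payload: bytes) -> bytes:
    """Constructed Ethernet II frame with a minimal IPv4 header, for the demo only."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, src_mac, ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(payload),
                     0, 0, 64, 17, 0, src_ip, bytes([10, 0, 0, 2]))
    return eth + ip + payload

TERMINAL_MAC, TERMINAL_IP = bytes.fromhex("020000000001"), bytes([10, 0, 0, 1])

def demo() -> dict:
    """Constructed traffic: the real terminal, then spoofed MAC, spoofed IP, non-IPv4."""
    dev = NonAddressEgress()
    arp_like = struct.pack("!6s6sH", b"\xff" * 6, TERMINAL_MAC, 0x0806) + b"\0" * 28
    results = {
        "first": dev.handle(build_frame(TERMINAL_MAC, TERMINAL_IP, b"hello")) is not None,
        "legit": dev.handle(build_frame(TERMINAL_MAC, TERMINAL_IP, b"again")) is not None,
        "spoofed_mac": dev.handle(build_frame(bytes.fromhex("020000000099"),
                                              TERMINAL_IP, b"x")) is not None,
        "spoofed_ip": dev.handle(build_frame(TERMINAL_MAC, bytes([10, 0, 0, 7]),
                                             b"x")) is not None,
        "non_ipv4": dev.handle(arp_like) is not None,
    }
    results["learned"], results["discarded"] = dev.ghost_table, dev.discarded
    return results
```

Two caveats a deployment has to settle that the text leaves open: non-IPv4 frames such as ARP carry only a MAC and would have to be passed or validated separately rather than dropped as here; and because the terminal value is learned from an arbitrary first packet and both MAC and IP can be cloned by an attacker who has observed the terminal, the check raises the bar against a swapped or forged terminal but is not by itself proof of the terminal's identity.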
  • FIG. 3 is a diagram illustrating an example of transmitting data between terminals using a non-address network equipment according to an embodiment of the present invention.
  • the first terminal 112 and the second terminal 114 recognize, transmit and receive only plain data; they do not process encrypted data, which they do not recognize.
  • when data is transmitted between the first terminal 112 and the second terminal 114, as shown in FIG. 3, the first terminal 112 is connected to the communication network 130 through the first non-address network equipment 210 and the second terminal 114 through the second non-address network equipment 220. Between the first terminal 112 and the first non-address network equipment 210 the traffic is carried as plain data, between the first non-address network equipment 210 and the second non-address network equipment 220 it is carried as encrypted data over the communication network 130, and between the second non-address network equipment 220 and the second terminal 114 it is again carried as plain data.
  • if the data received by the 1-1 input/output unit 211 or the 2-1 input/output unit 221 is not encrypted data, the first security unit 215 and the second security unit 225 discard it, which avoids unnecessary load on the non-address network equipment.
  • first non-address network equipment 210 and the second non-address network equipment 220 communicate with each other in order to exchange encrypted data through the communication network 130.
  • the first security unit 215 analyzes the header of a packet that the 1-1 I/O unit 211 receives from the 2-1 I/O unit 221 through the communication network 130, and stores the second terminal value (the information of the second terminal) and the second equipment value (the equipment value of the second non-address network equipment 220) in a first ghost table formed in the first security unit 215.
  • likewise, the second security unit 225 analyzes the header of a packet that the 2-1 input/output unit 221 receives from the 1-1 input/output unit 211 through the communication network 130, and stores the first terminal value (the information of the first terminal) and the first device value (the device value of the first non-address network equipment 210) in a second ghost table formed in the second security unit 225.
  • in this way the first non-address network equipment 210 and the second non-address network equipment 220 share each other's terminal value and equipment value and, using the shared values, can check whether received encrypted data was generated at a preset terminal (a terminal permitted to transmit and receive data) and encrypted by a permitted non-address network equipment.
  • the first non-address network equipment 210 and the second non-address network equipment 220 encrypt the data received from the first terminal 112 and the second terminal 114 and then add a normal judgment value to the header portion of the encrypted data.
  • the normal judgment value is a value added to the header portion of the encrypted data to identify whether the non-address network equipment that generated the encrypted data is a normal device, that is, whether the encrypted data was generated by equipment permitted to transmit and receive data. If the value is abnormal, the packet is discarded without decrypting the encrypted data, which prevents load during a random-data attack such as DDoS.
  • the first security unit 215 and the second security unit 225 analyze the header of the encrypted data to obtain the terminal value of the terminal that generated the data and the equipment value of the non-address network equipment that encrypted it.
  • FIG. 4 shows a situation in which a third terminal 116 uses a third non-address network equipment 230 to transmit hacked data to the communication network 130, or receives encrypted data in order to hack it.
  • while the first non-address network equipment 210 and the second non-address network equipment 220 are transmitting and receiving encrypted data, a hacker terminal 116 using a third non-address network equipment 230 can access the communication network 130.
  • the third non-address network equipment 230 may capture the encrypted data exchanged between the first non-address network equipment 210 and the second non-address network equipment 220 through the communication network 130 and pass it to the hacker terminal 116, or may encrypt data generated by the hacker terminal 116 and send that hacking data to the first non-address network equipment 210 or the second non-address network equipment 220 through the communication network 130.
  • the first non-address network equipment 210 and the second non-address network equipment 220 have each stored the other's terminal value and equipment value by completing their first communication, whereas the third non-address network equipment 230, which injects new data in the middle of the communication, holds neither the first and second terminal values, nor the first and second equipment values, nor the normal determination values.
  • consequently the third non-address network equipment 230 is not capable of decrypting the first or second encrypted data it obtains from the communication network 130, and encrypted data it sends without a valid normal determination value may be set to be discarded by the first or second non-address network equipment.
  • FIG. 5 is a view showing a basic flow chart for explaining a communication security method using a non-address network equipment according to an embodiment of the present invention.
  • the security unit 125 receives data from the terminal 110 through the second input/output unit 124 (S510), encrypts that data to generate encrypted data, and outputs the encrypted data to the communication network 130 through the first input/output unit 122 (S520).
  • in step S510, during the first connection with the terminal 110, the security unit 125 receives an arbitrary packet from the connected terminal.
  • the security unit 125 analyzes the packet, obtains the IP address, MAC address and other unique values of the connected terminal 110 as the terminal value, and stores it in a ghost table, which is a terminal-value storage area formed in the security unit 125.
  • thereafter the non-address network equipment 120 analyzes all packets transmitted from the terminal 110 and compares them with the terminal value stored in the ghost table. If a packet differs from the stored terminal value, the non-address network equipment 120 does not perform the encryption operation in the security unit 125, or discards the packet without transmitting it to the first input/output unit 122, so that the corresponding data is not transmitted to the communication network 130.
  • accordingly, the security of data can be maintained even if a security problem occurs, such as the non-address network equipment 120 being seized, the network structure being changed by a hacking attack, or the terminal 110 connected to the second input/output unit being forged.
  • the security unit 125 decrypts encrypted data received from the communication network 130, generates decrypted data and outputs it to the terminal 110 through the second input/output unit 124 (S540).
  • the first input / output unit 122 acquires encrypted data through the communication network 130 and transmits the encrypted data to the security unit 125.
  • the security unit 125 first checks the normal determination value included in the header portion of the encrypted data.
  • the normal determination value is a value added to the header portion of the encrypted data to identify whether the non-address network equipment that generated the encrypted data obtained by the first input/output unit 122 is a normal equipment communicating with this non-address network equipment. If the value is abnormal, the packet can be discarded without decrypting the encrypted data, which prevents load during a random-data attack such as DDoS.
  • the security unit 125 also analyzes the header of the encrypted data and stores in the ghost table the terminal value of the terminal that generated the data and the equipment value of the non-address network equipment that generated the encrypted data. By analyzing the header of later encrypted data using that terminal value and equipment value, it can selectively receive and decrypt only data generated by that terminal and by the non-address network equipment connected to it.
  • FIG. 6 is a flowchart illustrating a communication security method using a non-address network equipment of a communication security system according to an embodiment of the present invention. That is, FIG. 6 is a flowchart illustrating a process of transmitting data from the first terminal 112 to the second terminal 114.
  • the first terminal 112 generates data including the second address and transmits it to the first non-address network equipment 210 through the 1-2 input/output unit 212 (S610).
  • before encrypting the data including the second address, the first non-address network equipment 210 compares the terminal value of that data with the first terminal value pre-stored in the ghost table of the first security unit 215 to check whether it comes from the same terminal. If the terminal value is not the same, the data is discarded, which prevents hacking data from being transmitted to the second address.
  • if the terminal values are the same, the first security unit 215 encrypts and reprocesses the data including the second address according to a specific algorithm to generate the first encrypted data, and transmits it to the communication network 130 through the 1-1 input/output unit 211 (S620).
  • before encrypting the data including the second address, the first security unit 215 may obtain from the ghost table the first device value (the device value of the first non-address network equipment 210) and the second equipment value (the equipment value of the second non-address network equipment 220 connected to the second terminal 114 having the second address), and may include the first equipment value and the second equipment value in the header portion of the first encrypted data along with the normal determination value.
  • the normal judgment value is a value added to the header portion of the encrypted data to prove that the communicating non-address network equipment is a normal equipment. If there is an abnormality in the value, the non-address network equipment that received the encrypted data discards the packet without decrypting it, which prevents load during a random-data attack such as DDoS.
  • the 2-1 input / output unit 221 in the second non-address network equipment 220 receives the first encrypted data from the communication network 130 and transmits the first encrypted data to the second security unit 225 (S630).
  • the second security unit 225 decrypts the first encrypted data, reprocesses it according to a specific algorithm to recover the data including the second address, and transmits that data to the second terminal 114 through the 2-2 input/output unit 222 (S640).
  • on receiving the first encrypted data, the second security unit 225 first checks the normal determination value included in its header portion. If the normal determination value is abnormal, the second security unit 225 determines that the first encrypted data was encrypted using an unauthorized device and discards it.
  • if the normal determination value is normal, the second security unit 225 decrypts the first encrypted data.
  • if, during decryption of the first encrypted data, any one of the first address, the first device value, the second address and the second device value differs from the values stored in the ghost table of the second security unit 225, the second security unit 225 judges the first encrypted data to be unauthorized data and discards it. In this way the data transmitted from the first terminal 112 is safely received by the second terminal 114.
  • FIG. 7 is a flowchart illustrating a communication security method using non-address network equipment of a communication security system according to an embodiment of the present invention; that is, FIG. 7 illustrates the process in which data is transmitted from the second terminal 114 to the first terminal 112 and received by the first terminal 112.
  • in the communication security system 200 according to an embodiment of the present invention, the second terminal 114 generates data including the first address and transmits it to the second non-address network equipment 220 through the 2-2 input/output unit 222 (S710).
  • before encrypting the data including the first address, the second security unit 225 compares the terminal value of that data with the second terminal value previously stored in the ghost table of the second security unit 225 to check whether it comes from the same terminal. If the terminal value is not the same, the data is discarded, which prevents hacking data from being transmitted to the first address.
  • if the second security unit 225 determines that the terminal value of the data including the first address is the same as the previously stored second terminal value, it encrypts and reprocesses the data including the first address according to a specific algorithm to generate the second encrypted data, and transmits it to the communication network 130 through the 2-1 input/output unit 221 (S720).
  • before encrypting the data including the first address, the second security unit 225 may obtain from the ghost table the second device value (the device value of the second non-address network equipment 220) and the first equipment value (the equipment value of the first non-address network equipment 210 connected to the first terminal 112 having the first address), and may include both equipment values in the header portion of the second encrypted data along with the normal determination value.
  • the normal judgment value is a value added to the header portion of the encrypted data to prove that the communicating non-address network equipment is a normal equipment. If there is an abnormality in the value, the non-address network equipment that received the encrypted data discards the packet without decrypting it, which prevents load during a random-data attack such as DDoS.
  • the first-first input / output unit 211 receives the second encrypted data from the communication network 130 and transmits the second encrypted data to the first security unit 215 (S730).
  • the first security unit 215 decrypts the second encrypted data, reprocesses it according to a specific algorithm to recover the data including the first address, and transmits that data to the first terminal 112 through the 1-2 input/output unit 212 (S740).
  • on receiving the second encrypted data, the first security unit 215 first checks the normal determination value included in its header portion. If the normal determination value is abnormal, the first security unit 215 determines that the second encrypted data was encrypted using an unauthorized device and discards it.
  • if the normal determination value is normal, the first security unit 215 decrypts the second encrypted data.
  • if, during decryption of the second encrypted data, any one of the first address, the first device value, the second address and the second device value differs from the values stored in the ghost table of the first security unit 215, the first security unit 215 judges the second encrypted data to be unauthorized data and discards it. In this way the data transmitted from the second terminal 114 is safely received by the first terminal 112.
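The exchange of FIG. 6 (and, by symmetry, FIG. 7) together with the intruder scenario of FIG. 4, carried through in working code as an added example; this is not the patent's code. The cryptographic choices are assumptions, because the patent specifies only "a specific algorithm" and never says how keys are provisioned: the two devices hold a pre-shared key, the normal determination value is a truncated HMAC-SHA256 over header and ciphertext so that it can be verified before any decryption, and the cipher is an HMAC-derived keystream used only to avoid a third-party dependency. The equipment values EQ-210, EQ-220, EQ-230, EQ-240 and the terminal values T112, T114, T116, T118 are constructed labels.

```python
"""Encrypted exchange between two non-address devices; the packet header carries
a normal determination value (NDV) that is checked before any decryption.
Added example, not the patent's code. Assumptions (the patent says only 'a
specific algorithm'): both devices hold a pre-shared key; the NDV is a truncated
HMAC-SHA256 over header and ciphertext; the cipher is an HMAC keystream XOR,
used only to keep the example dependency-free (use an AEAD in a product)."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NDV_LEN, NONCE_LEN = 16, 12

@dataclass(frozen=True)
class Header:
    """Source/destination terminal values and source/destination equipment values."""
    src_terminal: str
    src_equipment: str
    dst_terminal: str
    dst_equipment: str
    nonce: bytes

def pack_header(h: Header) -> bytes:
    fields = (h.src_terminal, h.src_equipment, h.dst_terminal, h.dst_equipment)
    return b"".join(struct.pack("!B", len(f)) + f.encode() for f in fields) + h.nonce

def unpack_header(buf: bytes) -> Tuple[Header, int]:
    """Return the header and the offset at which NDV || ciphertext begins."""
    vals, pos = [], 0
    for _ in range(4):
        n = buf[pos]
        vals.append(buf[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return Header(*vals, buf[pos:pos + NONCE_LEN]), pos + NONCE_LEN

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative counter-mode stream: XOR data with HMAC(key, nonce || ctr)."""
    out = bytearray()
    for ctr, i in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class NonAddressDevice:
    def __init__(self, equipment_value: str, terminal_value: str, psk: bytes):
        self.equipment_value, self.terminal_value = equipment_value, terminal_value
        self.k_enc = hmac.new(psk, b"enc", hashlib.sha256).digest()
        self.k_ndv = hmac.new(psk, b"ndv", hashlib.sha256).digest()
        self.peer_table: Dict[str, str] = {}  # ghost table: peer terminal -> peer equipment
        self.stats = {"bad_ndv": 0, "bad_values": 0, "delivered": 0}

    def ndv(self, header_bytes: bytes, ciphertext: bytes) -> bytes:
        return hmac.new(self.k_ndv, header_bytes + ciphertext, hashlib.sha256).digest()[:NDV_LEN]

    def encrypt_for(self, dst_terminal: str, plaintext: bytes) -> bytes:
        hdr = Header(self.terminal_value, self.equipment_value, dst_terminal,
                     self.peer_table[dst_terminal], os.urandom(NONCE_LEN))
        hb = pack_header(hdr)
        ct = keystream_xor(self.k_enc, hdr.nonce, plaintext)
        return hb + self.ndv(hb, ct) + ct  # header || NDV || ciphertext

    def receive(self, packet: bytes) -> Optional[bytes]:
        hdr, off = unpack_header(packet)
        hb, ndv, ct = packet[:off], packet[off:off + NDV_LEN], packet[off + NDV_LEN:]
        # Step 1: abnormal NDV -> discard without decrypting (cheap under a flood)
        if len(ndv) != NDV_LEN or not hmac.compare_digest(ndv, self.ndv(hb, ct)):
            self.stats["bad_ndv"] += 1
            return None
        plaintext = keystream_xor(self.k_enc, hdr.nonce, ct)
        # Step 2: the four values must match own values and the ghost table
        if (hdr.dst_terminal != self.terminal_value
                or hdr.dst_equipment != self.equipment_value
                or self.peer_table.get(hdr.src_terminal) != hdr.src_equipment):
            self.stats["bad_values"] += 1
            return None
        self.stats["delivered"] += 1
        return plaintext

def demo() -> dict:
    """Constructed scenario after FIG. 4 and FIG. 6: 210 -> 220, plus intruders."""
    psk = b"constructed pre-shared key"
    dev210 = NonAddressDevice("EQ-210", "T112", psk)
    dev220 = NonAddressDevice("EQ-220", "T114", psk)
    dev210.peer_table["T114"] = "EQ-220"  # learned during the first communication
    dev220.peer_table["T112"] = "EQ-210"
    first = dev210.encrypt_for("T114", b"data for the second terminal")
    delivered = dev220.receive(first)
    dev230 = NonAddressDevice("EQ-230", "T116", b"hacker without the key")
    dev230.peer_table["T114"] = "EQ-220"
    forged = dev220.receive(dev230.encrypt_for("T114", b"hacking data"))
    sniffed = dev230.receive(first)  # captured traffic cannot be read
    altered = dev220.receive(first[:-1] + bytes([first[-1] ^ 1]))  # tampered ciphertext
    dev240 = NonAddressDevice("EQ-240", "T118", psk)  # right key, terminal unknown to 220
    dev240.peer_table["T114"] = "EQ-220"
    unknown = dev220.receive(dev240.encrypt_for("T114", b"not in ghost table"))
    return {"delivered": delivered, "forged": forged, "sniffed": sniffed,
            "altered": altered, "unknown": unknown, "stats": dict(dev220.stats)}
```

Verifying the normal determination value over header and ciphertext before decrypting gives the flood-resistance the text claims (one HMAC per packet, no decryption for anything that fails) and also rejects tampered ciphertext; the ghost-table comparison afterwards is what catches a device that somehow holds the key but speaks for a terminal the receiver never learned. A real product would use an AEAD such as AES-GCM in place of the keystream and would add replay protection (a nonce or counter window), which the patent does not discuss.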

Abstract

The present invention relates to non-address network equipment and a communication security system using it. Non-address network equipment according to an embodiment of the present invention receives and decrypts first encrypted data transmitted through a communication network to a first terminal having a first address, generates decrypted data and transmits it to the first terminal, or encrypts data transmitted by the first terminal to a second terminal having a second address through the communication network, generates second encrypted data and transmits it through the communication network. The non-address network equipment comprises: a second input/output unit connected to the first terminal; a first input/output unit with one side connected to the second input/output unit and the other side connected to the communication network; and a security unit, operating without an IP address or account configured, which decrypts first encrypted data input from the first input/output unit and encrypts data input from the second input/output unit to generate second encrypted data. The security unit uses a normal determination value included in the header portion of the first encrypted data to determine whether the first encrypted data should be discarded, determines by means of a first terminal value whether the data should be discarded before generating the second encrypted data, and then adds a normal determination value unique to the security unit to the header portion of the second encrypted data.
PCT/KR2019/012515 2018-09-27 2019-09-26 Équipement réseau sans adresse et système de sécurité de communication l'utilisant WO2020067734A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020180114863A KR101979157B1 (ko) 2018-09-27 2018-09-27 넌어드레스 네트워크 장비 및 이를 이용한 통신 보안 시스템
KR10-2018-0114863 2018-09-27

Publications (1)

Publication Number Publication Date
WO2020067734A1 true WO2020067734A1 (fr) 2020-04-02

Family

ID=66579438

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2019/012515 WO2020067734A1 (fr) 2018-09-27 2019-09-26 Équipement réseau sans adresse et système de sécurité de communication l'utilisant

Country Status (2)

Country Link
KR (1) KR101979157B1 (fr)
WO (1) WO2020067734A1 (fr)

Also Published As

Publication number Publication date
KR101979157B1 (ko) 2019-05-15

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19867160

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 21/05/2021)

122 Ep: pct application non-entry in european phase

Ref document number: 19867160

Country of ref document: EP

Kind code of ref document: A1