WO2021073147A1 - Credibility authentication method for sdn nodes - Google Patents


Info

Publication number
WO2021073147A1
Authority
WO
WIPO (PCT)
Prior art keywords
sdn
trusted
authentication
node device
root
Application number
PCT/CN2020/098582
Other languages
French (fr)
Chinese (zh)
Inventor
黄刚
刘强
柴萍萍
Original Assignee
山东超越数控电子股份有限公司
Application filed by 山东超越数控电子股份有限公司
Publication of WO2021073147A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/104 Peer-to-peer [P2P] networks
    • H04L67/1044 Group management mechanisms
    • H04L67/1053 Group management mechanisms with pre-configuration of logical or physical connections with a determined number of other peers
    • H04L67/1055 Group management mechanisms with pre-configuration of logical or physical connections with a determined number of other peers involving connection limits


Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Storage Device Security (AREA)

Abstract

Disclosed is a credibility authentication method for SDN nodes. The method comprises: integrating a root of trust into an SDN controller; performing credibility authentication, by means of the root of trust, on SDN node devices intending to access an SDN network; and allowing SDN node devices that have passed the credibility authentication to access the SDN network. The root of trust is used as a starting point to build a trusted blockchain for SDN node devices. The present invention provides a technical solution ensuring that SDN node devices newly achieving access to an SDN network architecture have all passed credibility authentication of identity information, in which the root of trust is integrated such that the credibility of the SDN node devices newly connected to the SDN network can be confirmed in a safe and effective manner.

Description

A trusted authentication method between SDN nodes
Technical field
The present invention relates to the field of communication technology, and in particular to a trusted authentication method between SDN nodes based on blockchain technology.
Background art
Software Defined Network (SDN) is a new type of network architecture. With the rapid development of Internet technology, network control has shifted from hardware to software; as a result, multiple devices are consolidated into one SDN controller, enabling network engineers to control the entire network. Because SDN uses a controller to separate the network control plane from the data plane, it improves the ability to manage and control the network and has good application prospects in many industries. At present, the primary problem with SDN is security: how to confirm the credibility of an SDN node device newly connected to the network in the application environment still needs to be solved.
Network device authentication in SDN refers to the authentication performed by the controller on a network device, which occurs when the network device is connected to the SDN network. At present, this type of authentication can be implemented with the traditional public key and private key method, that is, a public key infrastructure is used to complete two-way authentication between the network device and the controller. There is no doubt that this authentication method is feasible. However, because it requires a public key infrastructure, this authentication method is difficult to construct and deploy, and the public key information of each entity needs to be transmitted multiple times during authentication. In addition, traditional network device authentication may be cracked artificially under some technical means. With the promotion and application of SDN, the number of network devices managed by the controller is gradually increasing, and a more secure and effective device authentication method is needed.
Summary of the invention
The purpose of the present invention is to provide a trusted authentication method between SDN nodes, to solve the problems in existing authentication technology that the traditional public key and private key authentication method is difficult to construct and deploy, and that traditional network device authentication may be cracked artificially under some technical means.
Based on the above purpose, the present invention provides a trusted authentication method between SDN nodes, including: integrating a root of trust in the SDN controller; performing trusted authentication, by means of the root of trust, on SDN node devices expecting to access the SDN network; and allowing SDN node devices that have passed trusted authentication to access the SDN network.
Further, integrating the root of trust in the SDN controller also includes: taking the root of trust as the starting point, establishing a trusted blockchain of SDN node devices.
Further, the step of performing trusted authentication on SDN node devices expecting to access the SDN network by means of the root of trust further includes: performing trusted device registration on the trusted blockchain for the SDN node device expecting to access the SDN network.
Further, the trusted authentication includes trusted authentication, by the root of trust, of the identity information of the SDN node device that has performed trusted registration.
Further, the method also includes: in response to the trusted authentication of the identity information of the SDN node device passing, adding the trusted confirmation information of the SDN node device to the trusted blockchain.
Further, the method also includes: transmitting the trusted confirmation information to the next SDN node device expecting to access, according to the transfer rule of the trusted blockchain.
Further, the method also includes: the next SDN node device expecting to access continues, according to the trusted confirmation information, to perform trusted authentication on the next SDN node device expecting to access.
Further, trusted authentication includes authentication of static trustworthiness.
Further, the authentication points for performing static trustworthiness authentication on the SDN node device include: device hardware, boot sequence, controller operating system, and controller policy applications.
Further, the root of trust includes a TCM module integrated in the hardware platform of the SDN controller.
The present invention has the following beneficial technical effects: the trusted authentication method between SDN nodes provided by the present invention can ensure that all SDN node devices newly accessing the SDN network architecture have passed trusted authentication of their identity information, and can confirm the credibility of SDN node devices newly accessing the SDN network more safely and effectively.
Description of the drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other embodiments from these drawings without creative work.
FIG. 1 is a schematic block diagram of a method for adding SDN node device information to a trusted blockchain according to an embodiment of the present invention.
FIG. 2 is a schematic flow chart of trusted authentication between SDN nodes based on blockchain technology according to an embodiment of the present invention.
FIG. 3 is a block diagram of the method according to the present invention.
具体实施方式Detailed ways
为使本发明的目的、技术方案和优点更加清楚明白,以下结合具体实施例,并参照附图,对本发明实施例进一步详细说明。In order to make the objectives, technical solutions, and advantages of the present invention clearer, the following describes the embodiments of the present invention in detail in conjunction with specific embodiments and with reference to the accompanying drawings.
本发明提供一种SDN节点间可信认证方法。The invention provides a trusted authentication method between SDN nodes.
图1示出的是本发明一实施例的SDN节点设备信息加入信任区块链的方法框图示意图。Fig. 1 shows a schematic block diagram of a method for adding SDN node device information to a trusted blockchain according to an embodiment of the present invention.
该方法的前提是SDN网络已经建立,且该SDN网络环境是可信任的环境。在该前提下,首先,SDN节点间可信认证方法包括以下步骤:The premise of this method is that the SDN network has been established and the SDN network environment is a trusted environment. Under this premise, first, the trusted authentication method between SDN nodes includes the following steps:
在SDN控制器中集成可信根;Integrate the root of trust in the SDN controller;
通过可信根对期望接入SDN网络的SDN节点设备进行可信认证;Perform trusted authentication for SDN node devices that expect to access the SDN network through the trusted root;
允许通过可信认证的SDN节点设备接入SDN网络。SDN node devices that have passed trusted authentication are allowed to access the SDN network.
在SDN控制器中集成可信根步骤中还包括:以可信根为起点,建立SDN节点设备的信任区块链100。The step of integrating the trusted root in the SDN controller also includes: taking the trusted root as a starting point to establish a trusted blockchain 100 of the SDN node device.
其中,在通过可信根对期望接入SDN网络的SDN节点设备进行可信认证101的步骤进一步包括:Wherein, the step of performing trusted authentication 101 on the SDN node device that is expected to access the SDN network through the trusted root further includes:
将期望接入SDN网络的新SDN节点设备在信任区块链上申请设备可信注册。It is expected that new SDN node devices that access the SDN network will apply for device trusted registration on the trusted blockchain.
在本发明的一实施例中,可信认证为可信根对进行可信注册的SDN节点设备的身份信息的可信认证。In an embodiment of the present invention, the trusted authentication is the trusted authentication of the trusted root to the identity information of the SDN node device performing the trusted registration.
根据本发明的一些实施例,响应于该新SDN节点设备的身份信息的可信认证通过,将该新SDN节点设备的可信确认信息加入信任区块链中。According to some embodiments of the present invention, in response to the credible authentication of the identity information of the new SDN node device, the credible confirmation information of the new SDN node device is added to the trust blockchain.
根据本发明的进一步实施例,在信任区块链100中,下一个期待接入的SDN节点设备根据可信确认信息,继续按照“在SDN控制器中集成可信根;通过可信根对期望接入SDN网络的SDN节点设备进行可信认证;通过可信认证的SDN节点设备被允许接入SDN网络。”的步骤对下一个期待接入的SDN节点设备进行可信认证。According to a further embodiment of the present invention, in the trusted blockchain 100, the next SDN node device that is expected to access according to the trusted confirmation information continues to follow the “integration of the trusted root in the SDN controller; The SDN node device that accesses the SDN network performs trusted authentication; the SDN node device that has passed the trusted authentication is allowed to access the SDN network." The next step is to perform trusted authentication on the next SDN node device that is expected to access.
根据本发明的进一步实施例,方法还包括:SDN节点设备的可信确认信息加入信任区块链之后,以信任区块链传递规则向下一个期待接入的SDN节点设备传递可信确认信息。According to a further embodiment of the present invention, the method further includes: after the trusted confirmation information of the SDN node device is added to the trusted blockchain, transmitting the trusted confirmation information to the next SDN node device that is expected to access according to the trust blockchain transfer rule.
根据本发明的一些实施例,可信SDN节点设备10的身份信息通过可信认证时,可信确认信息1加入信任区块链100中,并根据信任区块链传递规则将可信确认信息1向下一个期待加入的SDN节点设备20传递。SDN节点设备20通过可信认证101后变为可信节点设备20,继续将SDN节点设备20的可信确认信息2加入信任区块链100中,并依次向下进行传递,即后续期待加入该SDN网络的第n个SDN节点设备n0依次按照上述顺序根据第n-1个可信节点设备的可信确认信息n-1进行可信认证。区块链后台服务将整个信息数据块采用内置的杂凑密码算法生成该交换机节点的可信确认信息。According to some embodiments of the present invention, when the identity information of the trusted SDN node device 10 passes the trusted authentication, the trusted confirmation information 1 is added to the trusted blockchain 100, and the trusted confirmation information 1 is added according to the transfer rules of the trusted blockchain. Transfer to the next SDN node device 20 that expects to join. The SDN node device 20 becomes the trusted node device 20 after passing the trusted authentication 101, and continues to add the trusted confirmation information 2 of the SDN node device 20 to the trusted blockchain 100, and transmits it downward in turn, that is, it is expected to be added later. The n-th SDN node device n0 of the SDN network performs credibility authentication according to the credibility confirmation information n-1 of the n-1 th credible node device in the order described above. The blockchain background service uses the built-in hash cryptographic algorithm to generate the trusted confirmation information of the switch node for the entire information data block.
其中,可信认证包括对静态可信性的认证。对SDN节点设备进行静态可信性认证的认证点包括:设备硬件、启动序列、控制器操作系统、控制器策略应用等;Among them, credible authentication includes authentication of static credibility. Authentication points for static credibility authentication of SDN node devices include: device hardware, startup sequence, controller operating system, controller policy application, etc.;
图2示出的是本发明一实施例的基于区块链技术的SDN节点间可信认 证流程图示意图。Figure 2 shows a schematic diagram of a flow chart of trusted authentication between SDN nodes based on blockchain technology in an embodiment of the present invention.
As shown in FIG. 2, block 201 integrates a root of trust into the main SDN controller; in some embodiments of the invention, the SDN controller hardware platform integrates TCM module 3 as the root of trust. Starting from this root of trust, a trust blockchain of SDN node devices is established.
Block 202 is the access request of a new SDN node device that wishes to join the SDN network. First, the SDN node device wishing to join performs trusted device registration on the trust blockchain. In some embodiments of the invention, the device information includes: production date, manufacturer, user organisation, administering department, product colour, number of network interfaces, network MAC addresses, network speed and related information, boot sequence, operating system, policy information, configuration information, deployment location, service period and so on. This information is entered into a form to file the registration request for the new node device.
The back-end service consolidates the information, after which the root of trust (for example the TCM module) performs trusted authentication of the SDN node device wishing to join the SDN network; this trusted authentication is an authentication of static trustworthiness. The authentication points for static trustworthiness authentication of an SDN node device include: device hardware, boot sequence, controller operating system and controller policy applications.
If the trusted authentication of the SDN node device's identity information passes, the trust confirmation information of the SDN node device is added to the trust blockchain. If the trusted authentication of the identity information fails, the trust confirmation information of the SDN node device is refused entry to the trust blockchain.
Block 203 determines whether the trust confirmation information of the SDN node device is on the trust blockchain. If the answer is "yes", that is, the device's trust confirmation information is on the trust blockchain, the SDN node device is allowed to access the SDN network; if the answer is "no", that is, the device's trust confirmation information is not on the trust blockchain, the SDN node device is denied access to the SDN network.
Other devices place their own information on the blockchain one by one in the same way. Whoever wants to alter the information of any one device, whether its owner or an illegitimate user with other intentions, would then have to alter the confirmation information of every device recorded after that node; by the nature of the blockchain the cost of doing so is prohibitive. Blockchain technology therefore guarantees the uniqueness of every device that wishes to join the SDN network and has been confirmed and identity-verified by the SDN controller's root of trust.
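The admission flow of blocks 201 to 203 above, modelled as an added example; this is not the patent's or the applicant's code. Assumptions not stated in the page: the root of trust is represented by an HMAC key held by the controller, standing in for the TCM module (TCM is the Chinese Trusted Cryptography Module); the four static authentication points (device hardware, boot sequence, operating system, controller policy application) are represented as SHA-256 digests compared against operator-provisioned reference values; the device records are constructed sample data. Because the page describes only static trustworthiness, the model checks measurements at registration and admission and says nothing about the device's runtime state. The final part of the scenario shows the point made in the preceding paragraph: editing one recorded device's measurements in place invalidates its confirmation and every later link, so the whole chain fails verification.

```python
"""Added example (not the patent's code): a minimal model of blocks 201-203."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# The static authentication points named in the page.
AUTH_POINTS = ("hardware", "boot_sequence", "os", "policy_app")


def measure(blobs: dict) -> dict:
    """Digest each authentication point's bytes (constructed stand-ins for
    hardware identity, boot sequence, OS image and policy application)."""
    return {p: hashlib.sha256(blobs[p]).hexdigest() for p in AUTH_POINTS}


@dataclass
class Block:
    index: int
    device_id: str
    measurements: dict
    prev_hash: str
    tag: str = ""  # HMAC by the root of trust over body(): the "trust confirmation"

    def body(self) -> bytes:
        return json.dumps({"i": self.index, "dev": self.device_id,
                           "m": self.measurements, "prev": self.prev_hash},
                          sort_keys=True).encode()

    def digest(self) -> str:
        return hashlib.sha256(self.body() + self.tag.encode()).hexdigest()


class TrustChain:
    """Hash-linked ledger anchored at the controller's root of trust (block 201).
    The root key is an assumption standing in for the TCM module."""

    def __init__(self, root_key: bytes):
        self._key = root_key
        genesis = Block(0, "sdn-controller", {}, "0" * 64)
        genesis.tag = self._confirm(genesis)
        self.blocks = [genesis]

    def _confirm(self, blk: Block) -> str:
        return hmac.new(self._key, blk.body(), hashlib.sha256).hexdigest()

    def register(self, device_id: str, measurements: dict, reference: dict) -> bool:
        """Block 202: static trust authentication, then append on success."""
        for point in AUTH_POINTS:
            if measurements.get(point) != reference.get(point):
                return False  # confirmation refused; nothing is appended
        prev = self.blocks[-1]
        blk = Block(len(self.blocks), device_id, measurements, prev.digest())
        blk.tag = self._confirm(blk)
        self.blocks.append(blk)
        return True

    def intact(self) -> bool:
        """Every tag verifies under the root key and every link matches."""
        for i, blk in enumerate(self.blocks):
            if not hmac.compare_digest(blk.tag, self._confirm(blk)):
                return False
            if i and blk.prev_hash != self.blocks[i - 1].digest():
                return False
        return True

    def admit(self, device_id: str, measurements: dict) -> bool:
        """Block 203: allow access only if the device's confirmation is on an
        intact chain with the same measurements it presents now."""
        return self.intact() and any(
            b.device_id == device_id and b.measurements == measurements
            for b in self.blocks[1:])


def demo() -> dict:
    """Constructed scenario: two good switches, one with a modified policy
    application, then an in-place edit of the first switch's record."""
    root_key = b"example-root-of-trust-key"  # assumption: stands in for the TCM
    golden = {"hardware": b"hw-rev-A", "boot_sequence": b"bootrom->uboot->kernel",
              "os": b"switch-os-1.0", "policy_app": b"of-agent-1.0"}
    reference = measure(golden)
    chain = TrustChain(root_key)
    good = measure(golden)
    bad = measure({**golden, "policy_app": b"of-agent-1.0-modified"})
    out = {
        "good_registered": chain.register("switch-01", good, reference),
        "bad_registered": chain.register("switch-02", bad, reference),
        "third_registered": chain.register("switch-03", good, reference),
        "good_admitted": chain.admit("switch-01", good),
        "bad_admitted": chain.admit("switch-02", bad),
    }
    # Alter one recorded device: its tag no longer verifies and the next
    # block's prev_hash no longer matches, so the chain as a whole fails.
    chain.blocks[1].measurements["os"] = bad["policy_app"]
    out["after_tamper_intact"] = chain.intact()
    out["after_tamper_admitted"] = chain.admit("switch-01", chain.blocks[1].measurements)
    return out
```

The chain's integrity rests on the controller's root key, not on the ledger structure alone: without the HMAC tag, anyone able to rewrite the ledger could simply recompute all later hashes, so the "prohibitive cost" argument in the text only holds when the confirmation is bound to a key the attacker does not have (here the TCM stand-in).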
Finally, it should be noted that those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing the relevant hardware. A program implementing the method may be stored in a computer-readable storage medium and, when executed, may include the flows of the method embodiments above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a random access memory (RAM). Such computer program embodiments can achieve the same or similar effects as any of the corresponding method embodiments above.
In addition, the method disclosed in the embodiments of the present invention may also be implemented as a computer program executed by a processor, and the computer program may be stored in a computer-readable storage medium. When the computer program is executed by the processor, it performs the functions defined in the method disclosed in the embodiments of the present invention.
The steps of the method or algorithm described in connection with the disclosure herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium may be integrated with the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. Alternatively, the processor and the storage medium may reside as discrete components in a user terminal.
The above are exemplary embodiments disclosed by the present invention, but it should be noted that various changes and modifications can be made without departing from the scope of the disclosure of the embodiments of the present invention as defined by the claims. The functions, steps and/or actions of the method claims according to the disclosed embodiments described herein need not be performed in any particular order. In addition, although elements disclosed in the embodiments of the present invention may be described or claimed in the singular, they may also be understood as plural unless explicitly limited to the singular.
It should be understood that, as used herein, unless the context clearly supports an exception, the singular form "a" is intended to include the plural form as well. It should also be understood that "and/or" as used herein refers to any and all possible combinations of one or more of the associated listed items.
The serial numbers of the embodiments disclosed above are for description only and do not represent the merits of the embodiments.
Those of ordinary skill in the art will understand that all or part of the steps of the above embodiments can be completed by hardware, or by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disk or the like.
Those of ordinary skill in the art should understand that the discussion of any of the above embodiments is exemplary only and is not intended to imply that the scope of disclosure of the embodiments of the present invention (including the claims) is limited to these examples; within the spirit of the embodiments of the present invention, the technical features of the above embodiments or of different embodiments may also be combined, and there are many other variations of the different aspects of the embodiments of the present invention which, for brevity, are not provided in detail. Therefore, any omission, modification, equivalent substitution, improvement and the like made within the spirit and principle of the embodiments of the present invention shall be included in the protection scope of the embodiments of the present invention.

Claims (10)

  1. A trusted authentication method between SDN nodes, characterized in that the method comprises:
    integrating a root of trust in an SDN controller;
    performing, by the root of trust, trusted authentication of an SDN node device wishing to access the SDN network;
    allowing the SDN node device that has passed the trusted authentication to access the SDN network.
  2. The trusted authentication method between SDN nodes according to claim 1, characterized in that integrating a root of trust in the SDN controller further comprises:
    establishing, with the root of trust as the starting point, a trust blockchain of SDN node devices.
  3. The trusted authentication method between SDN nodes according to claim 2, characterized in that the step of performing, by the root of trust, trusted authentication of the SDN node device wishing to access the SDN network further comprises:
    performing trusted device registration on the trust blockchain for the SDN node device wishing to access the SDN network.
  4. The trusted authentication method between SDN nodes according to claim 3, characterized in that the trusted authentication comprises trusted authentication, by the root of trust, of the identity information of the SDN node device that performs the trusted registration.
  5. The trusted authentication method between SDN nodes according to claim 4, characterized in that it further comprises:
    in response to the trusted authentication of the identity information of the SDN node device passing, adding the trust confirmation information of the SDN node device to the trust blockchain.
  6. The trusted authentication method between SDN nodes according to claim 5, characterized in that it further comprises:
    transmitting the trust confirmation information to the next SDN node device wishing to access the network according to the transmission rule of the trust blockchain.
  7. The trusted authentication method between SDN nodes according to claim 6, characterized in that it further comprises:
    the next SDN node device wishing to access the network continuing, according to the trust confirmation information, to perform trusted authentication of the next SDN node device wishing to access the network.
  8. The trusted authentication method between SDN nodes according to claim 6, characterized in that the trusted authentication comprises authentication of static trustworthiness.
  9. The trusted authentication method between SDN nodes according to claim 8, characterized in that the authentication points for static trustworthiness authentication of an SDN node device include: device hardware, boot sequence, controller operating system and controller policy application.
  10. The trusted authentication method between SDN nodes according to claim 1, characterized in that the root of trust comprises a TCM module integrated in the hardware platform of the SDN controller.
PCT/CN2020/098582 (priority 2019-10-16, filed 2020-06-28): Credibility authentication method for SDN nodes, WO2021073147A1 (en)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN201910985245.7A CN110602150B (en) | 2019-10-16 | 2019-10-16 | Trusted authentication method between SDN nodes
CN201910985245.7 | 2019-10-16 | |

Publications (1)

Publication Number | Publication Date
WO2021073147A1 (en) | 2021-04-22

Family ID: 68849756

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2020/098582 WO2021073147A1 (en) | Credibility authentication method for SDN nodes | 2019-10-16 | 2020-06-28

Country Status (2)

CN (1) CN110602150B (en)
WO (1) WO2021073147A1 (en)

Also Published As

Publication Number | Publication Date
CN110602150A (en) | 2019-12-20
CN110602150B (en) | 2021-11-16

Legal Events

Code | Title | Description
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20877019; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
122 | Ep: pct application non-entry in european phase | Ref document number: 20877019; Country of ref document: EP; Kind code of ref document: A1