
CN104219217B - Security association negotiation method, device and system - Google Patents

Security association negotiation method, device and system

Info

Publication number
CN104219217B
CN104219217B (application CN201310221599.7A)
Authority
CN
China
Prior art keywords
communication
key
responder
initiator
message
Prior art date
Legal status
Active
Application number
CN201310221599.7A
Other languages
Chinese (zh)
Other versions
CN104219217A (en)
Inventor
王静
左敏
任兰芳
Current Assignee
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Corp
Priority date
Filing date
Publication date
Application filed by China Mobile Communications Corp
Priority to CN201310221599.7A
Publication of CN104219217A
Application granted
Publication of CN104219217B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network security for supporting key management in a packet data network
    • H04L 63/04 Network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0442 Confidential data exchange wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a security association (SA) negotiation method, device and system. The method includes: a key server generates, for a communication initiator and a communication responder respectively, a private key corresponding to the initiator and a private key corresponding to the responder; the initiator and the responder each use their own private key to encrypt the digital digest of the message to be sent into signature information, encapsulate the signature information in that message and send it to the other party; and the initiator and the responder each determine the other party's public key and use it, together with the signature information in the received message, to authenticate the other party. The invention addresses the complex implementation and heavy communication load of SA negotiation and allows security supervision and lawful interception of communication on networks that deploy the Internet Protocol Security (IPSec) protocol.

[Abstract figure of application 201310221599: image not reproduced]

Description

Security Association Negotiation Method, Device and System

Technical field

The present invention relates to digital information transmission technology, and in particular to a security association (SA) negotiation method, device and system.

Background

The limited address space defined by Internet Protocol version 4 (IPv4) is close to exhaustion, and the shortage of addresses will hinder the further development of the Internet. To expand the address space, the deployment of networks based on Internet Protocol version 6 (IPv6) has therefore been placed on the agenda.

Compared with IPv4, IPv6 brings improvements in many areas. On the security side it supports the Internet Protocol Security (IPSec) protocol suite, so an IPv6 network can provide end-to-end and gateway-to-gateway encrypted communication and authentication, protecting communication on the network. (IPSec is equally usable over IPv4; it is associated with IPv6 here because it was originally a mandatory part of the IPv6 node requirements.)

IPSec deployment scenarios in an IPv6 network fall into three types:

(1) Site-to-site, or gateway-to-gateway. Figure 1a shows this deployment: three branches of an enterprise are located at three different places on the Internet, each branch uses a gateway to build IPSec tunnels with the other two, and traffic between the personal computers (PCs) on the enterprise intranet is carried securely over the tunnels established by these gateways.

(2) End-to-end, or PC-to-PC. Communication between two PCs is protected by an IPSec session between the two PCs themselves rather than by a gateway.

(3) End-to-site, or PC-to-gateway. Communication between two PCs is protected by an IPSec session between a gateway and the remote PC.

When IPSec is deployed in an IPv6 network, supporting IPSec on mobile terminals is comparatively difficult, so in the early phase of IPv6 adoption IPSec is deployed mainly in the gateway-to-gateway scenario, in two variants:

(1) IPv6 traffic traversing an IPv4 network. Figure 1b shows this case: host A in one IPv6 island communicates with host B in another IPv6 island, the two islands are connected through gateway A and gateway B, and gateways A and B communicate across the IPv4 network through an IPSec tunnel;

(2) Deployment within an IPv6 network. Figure 1c shows IPv6 traffic traversing an IPv6 network: host A in one IPv6 island communicates with host B in another IPv6 island, the two islands are connected through gateway A and gateway B, and gateways A and B communicate across the IPv6 network through an IPSec tunnel.

However, when IPSec is used to secure communication in an IPv6 network, the protocol's own demands on resources and on network performance create considerable resistance to real deployment, in the following respects:

First, key negotiation in IPSec is specified around a public-key system with certificates (IKE also allows pre-shared-key authentication, but that does not scale to many peers), so an IPSec endpoint has to issue, manage and verify certificates; the implementation process is complex and the communication load heavy.

The following takes the gateway-to-gateway scenario as an example; IPSec deployment has two phases:

Phase 1: the gateways perform an Internet Key Exchange (IKE) SA negotiation, that is, they establish an IKE SA that protects the subsequent IPSec SA negotiation between the gateways;

Phase 2: the gateways perform the IPSec SA negotiation, that is, they establish the IPSec SA that protects their subsequent traffic.

In phase 1 (IKEv1 main mode) the gateways need six messages for policy negotiation, exchange of keying material and authentication, and the certificates used for authentication cost additional communication: a gateway either encapsulates the certificate payload in a message sent to the peer (the other gateway in the SA negotiation) or informs the peer of the certificate in advance through a separate negotiation, which makes the implementation complex and the communication load heavy. Moreover, when one gateway negotiates SAs with many gateways it must recognise the certificate of each of them, which requires interworking between the systems that distribute the different public keys, i.e. the certificate authority (CA) centres, and also interoperation between IPSec vendors; again the process is complex and the communication load heavy.

Second, IPSec encrypts the communication of its endpoints, which to a degree shields that traffic from security supervision and lawful interception; until IPSec supervision is reasonably solved, IPSec-based IPv6 networks are hard to deploy in practice.

In summary, how to solve the complex implementation and heavy communication load of SA negotiation, and how to perform security supervision and lawful interception of communication on networks that deploy IPSec, are problems that urgently need to be solved.

Summary of the invention

In view of this, the main purpose of the present invention is to provide an SA negotiation method, device and system that solve the complex implementation and heavy communication load of SA negotiation and allow security supervision and lawful interception of communication on a network that deploys IPSec.

To this end, the technical scheme of the present invention is as follows:

The present invention provides an SA negotiation method in which a key server is set up for key management; the method includes:

the key server generates, for the communication initiator and the communication responder respectively, a private key corresponding to the initiator and a private key corresponding to the responder;

the initiator and the responder each use their own private key to encrypt the digital digest of the message to be sent into signature information, encapsulate the signature information in that message and send it to the other party;

the initiator and the responder each determine the other party's public key and use it, together with the signature information in the received message, to authenticate the other party.

Preferably, the key server generating the private key corresponding to the initiator and the private key corresponding to the responder includes:

the key server generates a master key, determines the initiator's private key from the master key and the initiator's ID, and determines the responder's private key from the master key and the responder's ID;

and the initiator and the responder each determining the other party's public key includes:

the key server generates public parameters and sends them to the initiator and the responder;

the initiator and the responder determine the other party's public key from the other party's ID and the public parameters sent by the key server.

Preferably, the method further includes: the key server also sends to the initiator and to the responder the other party's Diffie-Hellman (DH) public value and random number (nonce);

correspondingly, the initiator and the responder each determine an encryption key and an integrity key from the received DH public value and nonce, encrypt the messages they send with the encryption key they determined, and check the integrity of the messages they receive with the integrity key they determined.

Preferably, authenticating the other party with the determined public key and the signature information in the received message includes: the initiator and the responder each decrypt the signature information in the received message with the determined public key, and authentication succeeds when the decrypted digital digest matches the digest computed over the other party's ID and the DH public value sent by the key server.

Preferably, after the initiator and the responder have authenticated each other, the method further includes: the initiator and the responder encrypt the messages they send with the encryption key and check the integrity of the messages they receive with the integrity key.

Preferably, the method further includes: the initiator forwards an IPSec policy negotiation message to the responder through the key server, and the responder forwards an IPSec policy negotiation result message to the initiator through the key server;

where the IPSec policy negotiation message and the IPSec policy negotiation result message carry the sender's nonce, security parameter index (SPI) and protocol information;

correspondingly, the key server determines, from the nonce, SPI and protocol information carried in the IPSec policy negotiation message or in the IPSec policy negotiation result message, the encryption key and integrity key that the initiator and the responder use for data communication.

The present invention also provides a key server that includes a key generation unit and a first communication unit, where:

the key generation unit generates, for the communication initiator and the communication responder among the communication devices, the private key corresponding to the initiator and the private key corresponding to the responder;

the first communication unit sends the private keys generated by the key generation unit to the initiator and to the responder respectively.

Preferably, the key generation unit also generates a master key, determines the initiator's private key from the master key and the initiator's ID, and determines the responder's private key from the master key and the responder's ID.

Preferably, the first communication unit also sends to the initiator and to the responder the other party's DH public value and nonce.

Preferably, the first communication unit also forwards the IPSec policy negotiation message from the initiator to the responder and the IPSec policy negotiation result message from the responder to the initiator;

and the key generation unit also determines, from the nonce, SPI and protocol information carried in the IPSec policy negotiation message or in the IPSec policy negotiation result message received by the first communication unit, the encryption key and integrity key that the initiator and the responder use for data communication.

The present invention also provides a communication device that includes a second communication unit and an authentication unit, where:

the second communication unit uses the local private key to encrypt the digital digest of the message to be sent into signature information, encapsulates the signature information in that message and sends it to the peer communication device;

the authentication unit determines the public key of the peer communication device and uses it, together with the signature information in the message received by the second communication unit, to authenticate the peer.

Preferably, the authentication unit also determines the peer's public key from the peer's ID and the public parameters generated by the key server.

Preferably, the second communication unit also receives the peer's DH public value and nonce sent by the key server;

and the authentication unit also determines an encryption key and an integrity key from the peer's DH public value and nonce received by the second communication unit, encrypts with the encryption key the messages the second communication unit is to send, and checks with the integrity key the integrity of the messages the second communication unit receives.

Preferably, the authentication unit also decrypts the signature information in the message received by the second communication unit with the determined public key, and determines that authentication succeeds when the decrypted digital digest matches the digest computed over the peer's ID and the DH public value received by the second communication unit.

Preferably, the second communication unit also encrypts the messages it sends with the encryption key determined by the authentication unit and checks the integrity of the messages it receives with the integrity key determined by the authentication unit.

Preferably, the second communication unit also sends an IPSec policy negotiation message or an IPSec policy negotiation result message to the key server, where these messages carry the sender's nonce, SPI and protocol information.

The present invention also provides an SA negotiation system that includes a key server and communication devices, where:

the key server generates, for each communication device, the private key corresponding to that device;

the communication device uses its local private key to encrypt the digital digest of the message to be sent into signature information, encapsulates the signature information in that message and sends it to the peer communication device; and it determines the peer's public key and uses it, together with the signature information in the received message, to authenticate the peer.

Preferably, the key server includes a key generation unit and a first communication unit, the communication device includes a second communication unit and an authentication unit, and the functions of the units are as described above.

With the technical scheme of the present invention, when an initiator negotiates SAs with several responders the key server generates the corresponding keys for the initiator and every responder centrally, so the implementation is simple and the communication load low; and because the key server determines, from the nonce, SPI and protocol information carried in the two parties' negotiation messages, the encryption key and integrity key they use for communication, security supervision and lawful interception of both parties become possible. Note that this is key escrow: the key server can reproduce every party's private key and every session key, so the confidentiality of all IPSec traffic in the deployment is only as strong as the protection of the key server's master key and of the channel over which it distributes private keys.

Brief description of the drawings

Figure 1a is a schematic of the site-to-site or gateway-to-gateway IPSec deployment scenario;

Figure 1b is a schematic of the IPSec deployment scenario in which IPv6 network traffic traverses an IPv4 network;

Figure 1c is a schematic of the IPSec deployment scenario in which IPv6 network traffic traverses an IPv6 network;

Figure 2 is a flowchart of the implementation of the SA negotiation method according to an embodiment of the present invention;

Figure 3 is a schematic of the structure of the SA negotiation system according to an embodiment of the present invention;

Figure 4 is the first flowchart of an implementation of SA negotiation according to an embodiment of the present invention;

Figure 5 is the second flowchart of an implementation of SA negotiation according to an embodiment of the present invention.

Detailed description

The present invention is described in further detail below with reference to the drawings and specific embodiments.

An embodiment of the present invention describes an SA negotiation method. Figure 2 is a flowchart of its implementation; as shown in Figure 2, it includes:

Step 201: the key server generates, for the communication initiator and the communication responder respectively, a private key corresponding to the initiator and a private key corresponding to the responder;

the key server is set up for key management.

Preferably, the key server generates a master key, determines the initiator's private key from the master key and the initiator's identity (ID), and determines the responder's private key from the master key and the responder's ID;

Step 202: the initiator and the responder each use their own private key to encrypt the digital digest of the message to be sent into signature information, encapsulate the signature information in that message and send it to the other party;

Preferably, the key server generates public parameters and sends them to the initiator and the responder, and the initiator and the responder determine the other party's public key from the other party's ID and the public parameters sent by the key server.

Preferably, the key server also sends to the initiator and to the responder the other party's DH public value and nonce;

correspondingly, the initiator and the responder each determine an encryption key and an integrity key from the received DH public value and nonce, encrypt the message to be sent in step 202 with the encryption key they determined, and check the integrity of the messages they receive with the integrity key they determined.

Step 203: the initiator and the responder each determine the other party's public key and use it, together with the signature information in the received message, to authenticate the other party.

Preferably, the initiator and the responder each decrypt the signature information in the received message with the determined public key, and authentication succeeds when the decrypted digital digest matches the digest computed over the other party's ID and the DH public value sent by the key server.
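The identity-based key derivation and signature check of steps 201 to 203 above (the same steps are stated in the summary of the invention) can be exercised with the following Python model. It is an added example, not code from the patent: the patent names no algorithm, so the Schnorr-based identity-based signature of Galindo and Garcia is assumed, derandomised so that a private key is a pure function of the master key and the ID as the patent describes. The gateway IDs, the signed payload and the toy 64-bit group are constructed for the demonstration; a real deployment would use a 2048-bit MODP group or an elliptic curve. The verifier needs only the peer's ID, the server's public parameter and the R value carried in the signature, so no certificate is exchanged. The last value the demo returns is the property a practitioner should notice: the key server can re-create any party's private key, which is what makes the scheme supervisable and also makes the server a single point of compromise.

```python
"""Key server as identity-based key generation centre (added example, not the patent's code)."""
import hashlib
import hmac
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic below 3.3e24


def _is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; exact for every n this file produces (< 2**66)."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _toy_group():
    """First safe prime p = 2q + 1 with q > 2**63 (toy size) and a generator of the order-q subgroup."""
    q = (1 << 63) + 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4  # 4 = 2**2 is a quadratic residue, hence of prime order q


P, Q, G = _toy_group()


def _h(*parts: bytes) -> int:
    """Hash length-prefixed parts into Z_q."""
    ctx = hashlib.sha256()
    for part in parts:
        ctx.update(len(part).to_bytes(2, "big") + part)
    return int.from_bytes(ctx.digest(), "big") % Q


def _i2b(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


class KeyServer:
    """Holds the master key x; publishes y = g^x as the public parameter."""

    def __init__(self):
        self.master_key = secrets.randbelow(Q - 1) + 1
        self.public_params = pow(G, self.master_key, P)

    def extract(self, identity: str):
        """Private key (R, s) for an ID; r is derived from master key and ID, so the key is reproducible."""
        r_bytes = hmac.new(_i2b(self.master_key), identity.encode(), hashlib.sha256).digest()
        r = int.from_bytes(r_bytes, "big") % (Q - 1) + 1
        R = pow(G, r, P)
        s = (r + self.master_key * _h(_i2b(R), identity.encode())) % Q
        return R, s


def derive_public_key(public_params: int, identity: str, R: int) -> int:
    """g^s rebuilt from the peer's ID, the public parameter and R: no certificate involved."""
    return R * pow(public_params, _h(_i2b(R), identity.encode()), P) % P


def sign(private_key, identity: str, message: bytes):
    """Schnorr signature on the digest of the message; R travels with it."""
    R, s = private_key
    t = secrets.randbelow(Q - 1) + 1
    T = pow(G, t, P)
    c = _h(_i2b(T), identity.encode(), message)
    return R, T, (t + s * c) % Q


def verify(public_params: int, identity: str, message: bytes, signature) -> bool:
    R, T, z = signature
    pk = derive_public_key(public_params, identity, R)
    c = _h(_i2b(T), identity.encode(), message)
    return pow(G, z, P) == T * pow(pk, c, P) % P


def demo():
    """Authentication payload from gateway A, checked by B with nothing but A's ID."""
    server = KeyServer()
    gw_a, gw_b = "gateway-a.example", "gateway-b.example"      # assumed IDs
    key_a = server.extract(gw_a)                               # delivered to A out of band
    payload = b"ID=gateway-a.example|KE=<dh public value>"      # constructed sample
    sig = sign(key_a, gw_a, payload)
    return (
        verify(server.public_params, gw_a, payload, sig),          # genuine
        verify(server.public_params, gw_b, payload, sig),          # wrong ID
        verify(server.public_params, gw_a, payload + b"!", sig),   # tampered payload
        server.extract(gw_a) == key_a,   # escrow: the server re-creates any private key at will
    )
```

Running `demo()` yields `(True, False, False, True)`: the genuine signature verifies, a signature presented under another ID or over a modified payload does not, and the server reproduces the private key it issued, which is the escrow property behind the patent's supervision goal.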

Preferably, after the communication initiator and the communication responder have successfully authenticated each other, they encrypt the messages they send with the encryption key and perform an integrity check on the messages they receive with the integrity key.

Preferably, the communication initiator forwards an IPSec policy negotiation message to the communication responder through the key server, and the communication responder forwards an IPSec policy negotiation result message to the communication initiator through the key server;

wherein the IPSec policy negotiation message and the IPSec policy negotiation result message carry the sender's random number, SPI and protocol information;

Correspondingly, the key server determines the encryption key and integrity key used by the communication initiator and the communication responder for data communication from the random number, SPI and protocol information carried in the IPSec policy negotiation message, or from the random number, SPI and protocol information carried in the IPSec policy negotiation result message.

The embodiment of the present invention also describes an SA system. FIG. 3 is a schematic diagram of the structure of the SA negotiation system according to the embodiment of the present invention. As shown in FIG. 3, it includes a communication device 31 and a key server 32, wherein:

the key server 32 is configured to generate, for the communication device 31, a private key corresponding to the communication device 31;

the communication device 31 is configured to encrypt the digital digest of a message to be sent into signature information using its local private key, encapsulate the signature information in the message to be sent and send it to the counterpart communication device 31; and to determine the public key of the counterpart communication device 31 and authenticate the counterpart communication device 31 using the determined public key and the signature information in the received message.

The key server 32 includes a key generation unit 321 and a first communication unit 322, wherein:

the key generation unit 321 is configured to generate, for the communication initiator among the communication devices 31 and the communication responder among the communication devices 31, a private key corresponding to the communication initiator and a private key corresponding to the communication responder respectively;

the first communication unit 322 is configured to send the private keys generated by the key generation unit 321 to the communication initiator and the communication responder respectively.

The key generation unit 321 is further configured to generate a master key, determine the private key corresponding to the communication initiator from the master key and the ID of the communication initiator, and determine the private key corresponding to the communication responder from the master key and the ID of the communication responder.

The first communication unit 322 is further configured to send the other party's DH public value and random number to the communication initiator and the communication responder respectively.

The first communication unit 322 is further configured to send the IPSec policy negotiation message from the communication initiator to the communication responder, and to send the IPSec policy negotiation result message from the communication responder to the communication initiator;

the key generation unit 321 is further configured to determine the encryption key and integrity key used by the communication initiator and the communication responder for data communication from the random number, SPI and protocol information carried in the IPSec policy negotiation message received by the first communication unit 322, or from the random number, SPI and protocol information carried in the IPSec policy negotiation result message received by the first communication unit 322.

The communication device 31 includes a second communication unit 311 and an authentication unit 312, wherein:

the second communication unit 311 is configured to encrypt the digital digest of a message to be sent into signature information using the local private key, encapsulate the signature information in the message to be sent and send it to the counterpart communication device 31;

the authentication unit 312 is configured to determine the public key of the counterpart communication device 31, and to authenticate the counterpart communication device 31 using the determined public key and the signature information in the message received by the second communication unit 311.

The authentication unit 312 is further configured to determine the public key of the counterpart communication device 31 from the ID of the counterpart communication device 31 and the public parameters generated by the key server 32.

The second communication unit 311 is further configured to receive the DH public value and random number of the counterpart communication device 31 sent by the key server 32;

the authentication unit 312 is further configured to determine an encryption key and an integrity key from the DH public value and random number of the counterpart communication device 31 received by the second communication unit 311, encrypt the messages to be sent by the second communication unit 311 with the encryption key, and perform an integrity check on the messages received by the second communication unit 311 with the integrity key.

The authentication unit 312 is further configured to decrypt the signature information in the message received by the second communication unit 311 using the determined public key, and to determine that authentication succeeds when the decrypted digital digest matches the digital digest determined from the ID of the counterpart communication device 31 and the DH public value received by the second communication unit 311.

The second communication unit 311 is further configured to encrypt sent messages with the encryption key determined by the authentication unit 312, and to perform an integrity check on received messages with the integrity key determined by the authentication unit 312.

The second communication unit 311 is further configured to send an IPSec policy negotiation message or an IPSec policy negotiation result message to the key server 32, wherein the IPSec policy negotiation message and the IPSec policy negotiation result message carry the sender's random number, SPI and protocol information.

FIG. 4 is a first schematic flowchart of the implementation of security association negotiation according to an embodiment of the present invention. As shown in FIG. 4, it includes the following steps:

Steps 401 to 402: gateway 1 (the initiator) and gateway 2 (the responder) negotiate policy, that is, gateway 1 sends a policy proposal to gateway 2 and gateway 2 returns the matched policy to gateway 1;

In step 401, gateway 1 sends one or more sets of policy proposals to gateway 2. The policy proposals are encapsulated in the SA payload of the message, and the message also encapsulates the header (HDR) of the Internet Security Association and Key Management Protocol (ISAKMP);

Here, the SA payload contains one or more sets of policy proposals, and each policy proposal contains a five-tuple: the encryption algorithm, the hash algorithm, the exchange and key distribution (DH, Diffie-Hellman) algorithm, the authentication method, and the IKE SA lifetime.

In step 402, gateway 2 looks up locally a policy that matches the policy proposal in the SA payload of the received message; once a match is found, it sends gateway 1 a message encapsulating the HDR and an SA payload, where the SA payload contains the matched policy information.

Step 403: gateway 1 requests from the key server the private key Pri1 corresponding to gateway 1, the public parameters params generated by the key server, and gateway 2's DH public value g^xr and random number Nr, and sends the key server gateway 1's DH public value g^xi and random number Ni.

Here, Pri1=Fuc(MasterKey,IDi), where IDi is the ID of gateway 1, MasterKey is the master key generated by the key server, and Fuc() denotes the algorithm that multiplies a point on a preset elliptic curve by an integer; Pri1 (private key) and Pub1 (public key) are the key pair corresponding to gateway 1.

The gateway's DH public value includes the address and port information bound to the gateway.

Step 404: the key server forwards gateway 1's request for g^xr and Nr to gateway 2, and sends gateway 2 params, the private key Pri2 corresponding to gateway 2, g^xr and Nr.

Here, Pri2=Fuc(MasterKey,IDr), where IDr is the ID of gateway 2; Pri2 (private key) and Pub2 (public key) are the key pair corresponding to gateway 2.

Step 405: gateway 2 sends g^xr and Nr to the key server;

Step 406: the key server sends params, Pri1, g^xr and Nr to gateway 1;

Step 407: gateway 1 and gateway 2 determine the other party's public key from the other party's ID and the parameters params, and determine the key material;

The public key corresponding to gateway 2 is Pub2=Fuc(params,IDr), and the public key corresponding to gateway 1 is Pub1=Fuc(params,IDi).

Gateway 1 and gateway 2 determine the first key material SKEYID as prf(Ni_b|Nr_b, g^xy) from g^xi, g^xr, Ni and Nr, and derive the following key material from SKEYID:

SKEYID_d=prf(SKEYID,g^xy|CKY-I|CKY-R|0) (1)

prf() is a hash function used to derive key material.

SKEYID_d is used to determine the new key material used for encryption during the second-phase IPSec SA negotiation;

SKEYID_a=prf(SKEYID,SKEYID_d|g^xy|CKY-I|CKY-R|1) (2)

SKEYID_a is the integrity key, used to perform integrity checks on the IKE SA negotiation messages after step 407 and on the second-phase IPSec SA negotiation messages of this embodiment;

SKEYID_e=prf(SKEYID,SKEYID_a|g^xy|CKY-I|CKY-R|2) (3)

SKEYID_e is the encryption key, used to encrypt the IKE SA negotiation messages after step 407 and the second-phase IPSec SA negotiation messages of this embodiment.

Step 408: gateway 2 authenticates gateway 1;

Taking authentication by digital signature as an example, gateway 1 determines the digital digest HASH_I of the message to be sent to gateway 2 according to the following formula:

HASH_I=prf(SKEYID,g^xi|g^xr|CKY-I|CKY-R|SAi_b|IDi_b) (4)

Gateway 1 encrypts HASH_I with Pri1 to produce the signature SIG_I, encapsulates the SIG_I payload and the IDi payload in the message to be sent, encrypts the payloads with the SKEYID_e determined in step 407, and sends the message to gateway 2;

Gateway 2 determines HASH_I according to formula (4), decrypts SIG_I with the Pub1 determined in step 407, and compares the decrypted HASH_I with the HASH_I determined according to formula (4); if they match, authentication of gateway 1 succeeds, otherwise processing is aborted.

Step 409: gateway 1 authenticates gateway 2;

Taking authentication by digital signature as an example, gateway 2 determines the digital digest HASH_R of the message to be sent to gateway 1 according to the following formula:

HASH_R=prf(SKEYID,g^xr|g^xi|CKY-R|CKY-I|SAi_b|IDr_b) (5)

Gateway 2 encrypts HASH_R with Pri2 to produce the signature SIG_R, encapsulates the SIG_R payload and the IDr payload in the message to be sent, encrypts the payloads of the message with the SKEYID_e determined in step 407, and sends the message to gateway 1;

Gateway 1 determines HASH_R according to formula (5), decrypts SIG_R with the Pub2 determined in step 407, and compares the decrypted HASH_R with the HASH_R determined according to formula (5); if they match, authentication of gateway 2 succeeds, otherwise processing is aborted.

Second phase: IPSec SA negotiation between the gateways.

FIG. 5 is a second schematic flowchart of the implementation of security association negotiation according to an embodiment of the present invention. As shown in FIG. 5, it includes the following steps:

Step 501: gateway 1 sends an SA negotiation message to the key server;

The negotiation message encapsulates HDR*, a HASH[1] payload, an SA payload (containing the IPSec policy proposal) and a nonce (NONCE) payload; it may also encapsulate a DH payload, a KE payload and an ID payload. The NONCE payload contains gateway 1's random number Ni, the DH payload contains gateway 1's DH public value, and HASH[1] is determined according to formula (6):

HASH[1]=prf(SKEYID_a,M-ID|SA|Ni[|KE][|IDci|IDcr) (6)

HDR* indicates that the payloads in the message are encrypted for transmission with the SKEYID_e determined in step 407 of the first phase; the HASH[1] payload contains the HASH_I re-determined by gateway 1 according to formula (4), and gateway 2 performs an integrity check based on this HASH_I to authenticate gateway 1 again; the IPSec SA policy includes the security protocol (AH or ESP), the SPI, the hash algorithm, the mode (tunnel mode or transport mode) and the IPSec SA lifetime;

the payloads in the message are integrity-checked with the SKEYID_a determined in step 407 of the first phase.

Step 502: the key server forwards the message of step 501 to gateway 2;

Step 503: gateway 2 returns a message carrying the negotiation result to the key server;

Gateway 2 looks up locally a policy matching the policy proposal in the message forwarded by the key server, and returns to the key server a message carrying the matching result.

The message returned by gateway 2 encapsulates an SA payload (containing the IPSec policy proposal matching result), a NONCE payload (containing gateway 2's random number Nr) and a HASH[2] payload, where the HASH[2] payload contains the HASH_R re-determined by the gateway according to formula (5). When the message received by gateway 2 encapsulates a DH payload, a KE payload and an ID payload, the message sent by gateway 2 to the key server correspondingly also encapsulates a DH payload, a KE payload and an ID payload. HASH[2] is determined according to formula (7):

HASH[2]=prf(SKEYID_a,M-ID|Ni_b|SA|Nr[|KE][|IDci|IDcr) (7)

The payloads encapsulated in the message returned by gateway 2 are encrypted with the encryption key SKEYID_e determined in step 407 of the first phase, and integrity-checked with the integrity key SKEYID_a determined in step 407 of the first phase.

Gateway 2 determines the new key material KEYMAT from the random number Ni carried in the message, and determines key material based on this KEYMAT, specifically:

If perfect forward secrecy (PFS) is not required and no KE payload is encapsulated in the received message, the new key material is determined according to formula (8):

KEYMAT=prf(SKEYID_d,protocol|SPI|Ni_b|Nr_b) (8)

If PFS is required and a KE payload is encapsulated in the received message, the new key material is determined according to formula (9):

KEYMAT=prf(SKEYID_d,g(qm)^xy|protocol|SPI|Ni_b|Nr_b) (9)

where protocol and SPI are obtained from the SA payload.

Based on the above new key material, KEYMAT is substituted for SKEYID in formulas (1), (2) and (3) to determine the new SKEYID_e and SKEYID_a; SKEYID_e is used to encrypt the messages transmitted in subsequent communication between gateway 1 and gateway 2, and SKEYID_a is used to integrity-check the messages transmitted in subsequent communication between gateway 1 and gateway 2.

Step 504: the key server forwards the message returned by gateway 2 to gateway 1;

Step 505: gateway 1 sends a confirmation message to gateway 2.

This message encapsulates a HASH[3] payload, confirms receipt of gateway 2's message, and proves that gateway 1 is active, that is, that the message sent by gateway 1 in step 501 was not forged. HASH[3] is determined according to formula (10):

HASH[3]=prf(SKEYID_a,0|M-ID|Ni_b|Nr_b) (10)

In this embodiment, the definitions of the parameters in formulas (1) to (10) are the same as in RFC 2409.

Gateway 1 re-determines the key material KEYMAT from the Nr in the message, and determines the new key material SKEYID_e and SKEYID_a based on this KEYMAT; the specific processing is the same as in step 503. Gateway 1 and gateway 2 use SKEYID_e to encrypt the payloads of subsequent communication messages and SKEYID_a to integrity-check the payloads of subsequent communication messages.

In the above interaction steps, the key server stores the SA payloads and the random numbers Ni and Nr from the messages sent by gateway 1 and gateway 2. When the communication between gateway 1 and gateway 2 needs to be supervised, the key server determines KEYMAT according to step 502 and substitutes KEYMAT for the parameter SKEYID in formulas (1), (2) and (3) to determine the new SKEYID_e and SKEYID_a; in this way it can decrypt the encrypted data transmitted between gateway 1 and gateway 2, achieving supervision of the communication between gateway 1 and gateway 2.

After step 505, gateway 1 and gateway 2 protect the communication session and data with the SKEYID_e and SKEYID_a negotiated in the second phase.

The above is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention.

Claims (17)

1. A security association SA negotiation method is characterized in that a key server for key management is arranged; the method comprises the following steps:
the key server respectively generates a private key corresponding to the communication initiator and a private key corresponding to the communication responder for the communication initiator and the communication responder;
the communication initiator and the communication responder encrypt the digital digests of respective messages to be sent into signature information by using respective private keys, and the signature information is packaged into the messages to be sent and sent to the other party;
the communication initiator and the communication responder respectively determine a public key of the other party through the key server, and authenticate the other party by using the determined public key of the other party and the signature information in the messages received by the communication initiator and the communication responder respectively;
and the communication initiator and the communication responder determine a public key of the opposite party according to the identity of the opposite party and the public parameter determined by the key server.
2. The method of claim 1, wherein the key server generates a private key corresponding to the communication initiator and a private key corresponding to the communication responder for the communication initiator and the communication responder, respectively, and comprises:
the key server generates a master key, determines a private key corresponding to the communication initiator according to the master key and the ID of the communication initiator, and determines a private key corresponding to the communication responder according to the master key and the ID of the communication responder;
the determining, by the communication initiator and the communication responder, public keys of each other includes:
the key server generates public parameters and respectively sends the public parameters to the communication initiator and the communication responder;
and the communication initiator and the communication responder determine the public key of the other party according to the ID of the other party and the public parameter sent by the key server.
3. The method according to claim 1 or 2, characterized in that the method further comprises: the key server also sends the exchange and key distribution DH public value and the random number of the other party to the communication initiator and the communication responder respectively;
correspondingly, the communication initiator and the communication responder respectively determine an encryption key and an integrity key according to the received DH public value and the random number, encrypt the message to be sent by using the respective determined encryption key, and perform integrity check on the received message by using the respective determined integrity key.
4. The method of claim 3, wherein the communication initiator and the communication responder authenticate the counterpart by using the determined public key of the counterpart and signature information in each received message, comprising: the communication initiator and the communication responder decrypt the signature information in the respectively received message according to the determined public key, and when the decrypted digital digest is consistent with the digital digest determined according to the ID of the opposite party and the DH public value sent by the key server, the successful authentication is determined.
5. The method of claim 3, wherein after the communication initiator and the communication responder successfully authenticate the other party, the method further comprises: the communication initiator and the communication responder encrypt the sent messages by the encryption key and carry out integrity check on the received messages by the integrity key.
6. The method of claim 5, further comprising: the communication initiator forwards an internet protocol security (IPSec) strategy negotiation message to the communication responder through the key server, and the communication responder forwards an IPSec strategy negotiation result message to the communication initiator through the key server;
the IPSec policy negotiation message and the IPSec policy negotiation result message carry a random number, a Security Parameter Index (SPI) and protocol information of a sender;
correspondingly, the key server determines an encryption key and an integrity key used when the communication initiator and the communication responder perform data communication according to the random number, the SPI and the protocol information carried by the IPSec policy negotiation message or according to the random number, the SPI and the protocol information carried by the IPSec policy negotiation result message.
7. A key server, comprising: a key generation unit and a first communication unit; wherein,
the key generation unit is used for respectively generating a private key corresponding to the communication initiator and a private key corresponding to the communication responder for a communication initiator in the communication equipment and a communication responder in the communication equipment;
the first communication unit is used for correspondingly sending the private key generated by the key generation unit to the communication initiator and the communication responder;
the key generation unit is further configured to generate public parameters and send the public parameters to the communication initiator and the communication responder, respectively, where the communication initiator and the communication responder determine a public key of the other party according to an identity of the other party and the public parameters determined by the key server.
8. The key server of claim 7,
the key generation unit is further configured to generate a master key, determine a private key corresponding to the communication initiator according to the master key and the ID of the communication initiator, and determine a private key corresponding to the communication responder according to the master key and the ID of the communication responder.
9. The key server of claim 7,
the first communication unit is further configured to send a DH public value and a random number of the other party to the communication initiator and the communication responder, respectively.
10. The key server according to claim 7, 8 or 9,
the first communication unit is further configured to send the IPSec policy negotiation packet from the communication initiator to the communication responder, and send the IPSec policy negotiation result packet from the communication responder to the communication initiator;
the key generation unit is further configured to determine an encryption key and an integrity key used when the communication initiator and the communication responder perform data communication according to the random number, the SPI, and the protocol information carried in the IPSec policy negotiation packet received by the first communication unit, or according to the random number, the SPI, and the protocol information carried in the IPSec policy negotiation result packet received by the first communication unit.
11. A communication device, characterized in that the communication device comprises: a second communication unit and an authentication unit; wherein,
the second communication unit is used for encrypting the digital digest of the message to be sent into signature information by using a private key of the communication equipment, packaging the signature information into the message to be sent and sending the message to the communication equipment of the other party;
the authentication unit is used for determining a public key of the communication equipment of the other party through a key server and authenticating the communication equipment of the other party by using the determined public key and the signature information in the message received by the second communication unit;
the authentication unit is further configured to determine a public key of the opposite communication device according to the ID of the opposite communication device and the public parameter generated by the key server.
12. The communication device of claim 11,
the second communication unit is further configured to receive a DH public value and a random number of the opposite communication device, which are sent by the key server;
the authentication unit is further configured to determine an encryption key and an integrity key according to the DH public value and the random number of the opposite communication device received by the second communication unit, encrypt a message to be sent by the second communication unit using the encryption key, and perform integrity check on the message received by the second communication unit using the integrity key.
13. The communication device of claim 12,
the authentication unit is further configured to decrypt, according to the determined public key, signature information in the message received by the second communication unit, and when the decrypted digital digest is consistent with a digital digest determined according to the ID of the opposite communication device and the DH public value received by the second communication unit, determine that authentication is successful.
14. The communication device of claim 12,
the second communication unit is further configured to encrypt the sent message with the encryption key determined by the authentication unit, and perform integrity check on the received message with the integrity key determined by the authentication unit.
15. The communication device according to any one of claims 11 to 14,
the second communication unit is further configured to send an IPSec policy negotiation packet or an IPSec policy negotiation result packet to the key server, where the IPSec policy negotiation packet and the IPSec policy negotiation result packet carry a random number, an SPI, and protocol information of a sender.
16. An SA negotiation system, comprising: a key server and a communication device; wherein,
the key server is configured to generate, for the communication device, a private key corresponding to that communication device;
the communication device is configured to encrypt the digital digest of a message to be sent into signature information using its local private key, encapsulate the signature information in the message to be sent, and send the message to the opposite communication device; and to determine a public key of the opposite communication device through the key server and authenticate the opposite communication device using the determined public key and the signature information in the received message;
and the key server is further configured to generate public parameters and send them to the communication initiator and the communication responder respectively, the communication initiator and the communication responder each determining the public key of the other party according to the identity of the other party and the public parameters generated by the key server.
17. The SA negotiation system of claim 16,
the key server is the key server of any one of claims 7 to 10, and the communication device is the communication device of any one of claims 11 to 15.
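Claims 10, 12, 14 and 15 describe deriving a separate encryption key and integrity key from the DH result, both parties' random numbers, the SPI and the protocol information, then encrypting outbound messages with the first and integrity-checking inbound messages with the second. The following Go code is an added illustration of that split, not the patent's own method: the DH shared secret is taken as an input (the claims do not fix the group), HMAC-SHA256 with a per-key label stands in for the unspecified KDF, and AES-256-CTR with an HMAC-SHA256 tag stands in for the unspecified cipher and integrity algorithm.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SAKeys holds the encryption key and the integrity key the claims derive separately.
type SAKeys struct{ Enc, Int []byte }
func mac(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}
// DeriveSAKeys mixes the DH shared secret with both random numbers, the SPI and the protocol
// byte into two independent 32-byte keys. HMAC-SHA256 with a label per key is an assumed PRF.
func DeriveSAKeys(shared, nonceI, nonceR []byte, spi uint32, proto byte) SAKeys {
	ctx := append(append([]byte{}, nonceI...), nonceR...)
	ctx = append(ctx, byte(spi>>24), byte(spi>>16), byte(spi>>8), byte(spi), proto)
	prf := func(label string) []byte { return mac(shared, append([]byte(label), ctx...)) }
	return SAKeys{Enc: prf("enc"), Int: prf("int")}
}
// Protect encrypts with AES-256-CTR under Enc and appends an HMAC-SHA256 tag under Int
// over IV||ciphertext (encrypt-then-MAC, so Open can reject before decrypting anything).
func Protect(k SAKeys, plaintext []byte) ([]byte, error) {
	block, _ := aes.NewCipher(k.Enc) // Enc is always 32 bytes from DeriveSAKeys
	out := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { // fresh IV per message
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return append(out, mac(k.Int, out)...), nil
}
// Open checks the tag in constant time first and only then decrypts.
func Open(k SAKeys, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	if !hmac.Equal(mac(k.Int, body), tag) {
		return nil, errors.New("integrity check failed")
	}
	block, _ := aes.NewCipher(k.Enc)
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(pt, body[aes.BlockSize:])
	return pt, nil
}
```

Because both peers feed the same shared secret, random numbers, SPI and protocol into DeriveSAKeys, they obtain identical keys without either key ever crossing the wire; any change to the SPI or the nonces produces unrelated keys.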
CN201310221599.7A 2013-06-05 2013-06-05 Security association negotiation method, device and system Active CN104219217B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310221599.7A CN104219217B (en) 2013-06-05 2013-06-05 Security association negotiation method, device and system
Publications (2)

Publication Number Publication Date
CN104219217A CN104219217A (en) 2014-12-17
CN104219217B true CN104219217B (en) 2020-03-10

Family

ID=52100354
Country Status (1)

Country Link
CN (1) CN104219217B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant