CN105763318A - Pre-shared key obtaining method, pre-shared key distribution method and pre-shared key distribution device - Google Patents

Info

Publication number
CN105763318A
Authority
CN
China
Prior art keywords
shared key
user information
terminal device
negotiation
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610070225.3A
Other languages
Chinese (zh)
Other versions
CN105763318B (en)
Inventor
张太博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201610070225.3A
Publication of CN105763318A
Application granted
Publication of CN105763318B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a pre-shared key obtaining method, a pre-shared key distribution method and a pre-shared key distribution device. The pre-shared key obtaining method comprises: receiving a negotiation message, sent by a terminal device, for establishing an Internet security tunnel; determining whether the negotiation message includes the user information of the terminal device; if the negotiation message includes the user information of the terminal device, sending the user information to a server, so that the server, on determining that it has the user information stored, randomly generates a pre-shared key and sends the pre-shared key to a network device and the terminal device; receiving the pre-shared key, corresponding to the user information, sent by the server; and using the pre-shared key to carry out subsequent message negotiation with the terminal device. According to the embodiments of the invention, the pre-shared key obtaining method, the pre-shared key distribution method and the pre-shared key distribution device negotiate using a pre-shared key in a way that prevents an attacker from cracking the pre-shared key and impersonating a real user to access the internal network and steal data, so the security of IKE negotiation is improved.

Description

A pre-shared key obtaining method, distribution method and device
Technical field
The present application relates to the field of information security technology, and in particular to a method and device for obtaining and distributing a pre-shared key.
Background
With the development of secure communication technology, almost all IP Security (IPsec) tunnels are currently negotiated through Internet Key Exchange (IKE). The most widely used scenario is a user using IKE to negotiate an IPsec tunnel with the gateway of a company intranet in order to access intranet data over an encrypted channel.
The IKE negotiation process is divided into two independent negotiation phases. The first phase is the main mode negotiation phase, which provides identity protection and can negotiate a large number of attributes; the second phase is the quick mode negotiation phase.
In the first phase, an authenticated and protected channel is established between the two communicating parties, that is, an IKE security association (SA) is established. In the second phase, security services are negotiated for another protocol (such as IPsec) under the protection of the IKE SA, and its security rests on the security of the first phase.
The exchange mechanism of the IKE protocol is based on the Diffie-Hellman (DH) exchange. Because the DH exchange is vulnerable to attack by a hacker or man-in-the-middle, the identities of the two communicating parties must be authenticated to prevent such attacks, and this authentication is mainly done in pre-shared key mode. That is, the two parties are configured with a pre-shared key in advance through an out-of-band mechanism, authenticate each other based on this shared key, and use the pre-shared key to compute the subsequent encryption keys. However, this pre-shared key mode can be cracked. The first four messages of the IKE negotiation are all transmitted in plaintext, so apart from the pre-shared key (pre-shared-key), which is unknown, the other key material and the encryption algorithm can be intercepted. In addition, the protocol specifies that some fields of the negotiation messages are fixed, so a hacker or man-in-the-middle only needs simple brute-force means to crack the encrypted message and obtain the pre-shared-key, after which the content of the encrypted messages can be decrypted as well. In other words, once the pre-shared key used by a user is cracked, a hacker or man-in-the-middle can impersonate the real user to access the company's intranet data.
It follows that because the pre-shared key is easily cracked, secure IKE negotiation cannot be provided; how to ensure secure IKE negotiation is a technical problem that currently needs to be solved.
Summary of the invention
In view of this, the present application provides a pre-shared key obtaining method, distribution method and device, to solve the problem in the prior art that the security of IKE negotiation is reduced because the pre-shared key is easily cracked.
Specifically, the present application is implemented through the following technical solutions:
According to a first aspect of the embodiments of the present application, a pre-shared key obtaining method is provided. The method is applied to a network device and includes:
receiving a negotiation message, sent by a terminal device, for establishing an Internet security tunnel;
determining whether the negotiation message includes the user information of the terminal device;
if the negotiation message includes the user information of the terminal device, sending the user information to a server, so that the server, on determining that it has the user information stored, randomly generates a pre-shared key and sends the pre-shared key to the network device and the terminal device;
receiving the pre-shared key, corresponding to the user information, sent by the server;
using the pre-shared key to carry out subsequent message negotiation with the terminal device.
According to a second aspect of the embodiments of the present application, a pre-shared key distribution method is provided. The method is applied to a server and includes:
receiving the user information of a terminal device sent by a network device;
if it is determined that the server has the user information stored, randomly generating a pre-shared key;
sending the pre-shared key to the network device and to the terminal device respectively, so that the network device and the terminal device use the pre-shared key to carry out message negotiation.
According to a third aspect of the embodiments of the present application, a pre-shared key obtaining method is provided. The method is applied to a terminal device and includes:
sending a negotiation message for establishing an Internet security tunnel to a network device, the negotiation message including the user information of the terminal device, so that the network device sends the user information of the terminal device to a server;
receiving the pre-shared key, corresponding to the user information, sent by the server, the pre-shared key being randomly generated by the server;
using the pre-shared key to carry out subsequent message negotiation with the network device.
According to a fourth aspect of the embodiments of the present application, a pre-shared key obtaining device is provided. The obtaining device is integrated in a network device and includes:
a first receiving unit, configured to receive a negotiation message, sent by a terminal device, for establishing an Internet security tunnel;
a first judging unit, configured to determine whether the negotiation message includes the user information of the terminal device;
a sending unit, configured to, when the first judging unit determines that the negotiation message includes the user information of the obtaining device, send the user information to a server, so that the server, on determining that it has the user information stored, randomly generates a pre-shared key and sends the pre-shared key to the obtaining device and the terminal device;
a second receiving unit, configured to receive the pre-shared key, corresponding to the user information, sent by the server;
a negotiation unit, configured to use the pre-shared key to carry out subsequent message negotiation with the terminal device.
According to a fifth aspect of the embodiments of the present application, a pre-shared key distribution device is provided. The distribution device is integrated in a server and includes:
a receiving unit, configured to receive the user information of a terminal device sent by a network device;
a generating unit, configured to randomly generate a pre-shared key when it is determined that the server has the user information stored;
a sending unit, configured to send the pre-shared key to the network device and to the terminal device respectively, so that the network device and the terminal device use the pre-shared key to carry out message negotiation.
According to a sixth aspect of the embodiments of the present application, a pre-shared key obtaining device is provided. The obtaining device is integrated in a terminal device and includes:
a sending unit, configured to send a negotiation message for establishing an Internet security tunnel to a network device, the negotiation message including the user information of the terminal device, so that the network device sends the user information of the terminal device to a server;
a receiving unit, configured to receive the pre-shared key, corresponding to the user information, sent by the server, the pre-shared key being randomly generated by the server;
a negotiation unit, configured to use the pre-shared key to carry out subsequent message negotiation with the network device.
In the embodiments of the present application, when IKE negotiation is carried out, the terminal device adds its user information to the negotiation message and sends the negotiation message to the network device. After receiving the negotiation message that includes the user information of the terminal device, the network device uses that user information to obtain the corresponding pre-shared key from the server, and uses this pre-shared key for subsequent message negotiation. Because the pre-shared key is randomly generated by the server after it receives the user information, even if an attacker intercepts the negotiation messages and cracks the pre-shared key of this negotiation, the pre-shared key the network device obtains the next time the terminal device negotiates with it is no longer the one the attacker cracked. The cracked pre-shared key therefore cannot be used afterwards to impersonate the real user in a negotiation, which improves the security of IKE negotiation.
It should be understood that the above general description and the following detailed description are only exemplary and explanatory, and do not limit the present application.
Brief description of the drawings
Fig. 1 is a flow chart of a pre-shared key obtaining method provided by an embodiment of the present application;
Fig. 2 is another flow chart of a pre-shared key obtaining method provided by an embodiment of the present application;
Fig. 3 is another flow chart of a pre-shared key obtaining method provided by an embodiment of the present application;
Fig. 4 is another flow chart of a pre-shared key distribution method provided by an embodiment of the present application;
Fig. 5 is a hardware structure diagram of the equipment on which a pre-shared key obtaining or distribution device provided by an embodiment of the present application resides;
Fig. 6 is a structure diagram of a pre-shared key obtaining device provided by an embodiment of the present application;
Fig. 7 is another structure diagram of a pre-shared key obtaining device provided by an embodiment of the present application;
Fig. 8 is another structure diagram of a pre-shared key distribution device provided by an embodiment of the present application;
Fig. 9 is a structural schematic diagram of an application example of an IKE negotiation system provided by an embodiment of the present application.
Detailed description
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. When the following description refers to the drawings, unless otherwise indicated, the same numbers in different drawings denote the same or similar elements. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application. Rather, they are merely examples of devices and methods consistent with some aspects of the present application as detailed in the appended claims.
The terms used in the present application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "said" and "the" used in the present application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the present application to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the present application, first information may also be called second information, and similarly, second information may also be called first information. Depending on the context, the word "if" as used here may be interpreted as "at the time of", "when" or "in response to determining".
Fig. 1 is a flow chart of a pre-shared key obtaining method provided by an embodiment of the present application. The method is applied to an Internet Key Exchange scenario and includes:
Step 101: the terminal device sends a negotiation message for establishing an Internet security tunnel to the network device. The negotiation message includes the user information of the terminal device, so that the network device sends the user information of the terminal device to the server.
In this step, when IKE negotiation is carried out, the user sends a negotiation message to the network device through a terminal device (such as a host). This negotiation message is the first negotiation message between the two parties and may include the user information of the terminal device, where the user information may include user registration information such as a user name and/or user password and/or mobile phone number.
In an optional embodiment, when the terminal device initiates negotiation with the network device, a response (REPLY) payload field is added to the first negotiation message, and this response payload field is filled with the user information of the terminal device or host.
In this step, when the network device receives the negotiation message, it first parses the message and then determines whether the parsed negotiation message includes the user information of the terminal device. If it does, the network device can send the user information of the terminal device to the server, so that the server, on determining that it has the user information stored, randomly generates a pre-shared key and sends the generated pre-shared key to the network device and the terminal device. That is, each time the server receives the same user information, the pre-shared key it generates is different.
The server may be a short message (SMS) server, a cloud server, or the like.
Step 102: the terminal device receives the pre-shared key, corresponding to the user information, sent by the server. The pre-shared key is randomly generated by the server.
Step 103: the terminal device uses the pre-shared key to carry out subsequent message negotiation with the network device.
After receiving the pre-shared key sent by the server, the terminal device uses this pre-shared key and other key material to generate an encryption key, and then uses this encryption key to encrypt and decrypt the subsequent negotiation messages exchanged with the network device.
Likewise, after receiving the pre-shared key sent by the server, the network device uses this pre-shared key and other key material to generate an encryption key, and then uses this encryption key to encrypt and decrypt the subsequent negotiation messages exchanged with the terminal device.
The processes of obtaining the other key material, generating the encryption key, and encrypting and decrypting are the same as in the prior art and are not repeated here.
In the embodiments of the present application, when IKE negotiation is carried out, the terminal device carries its user information in the negotiation. After receiving the user information, the network device uses it to obtain the corresponding pre-shared key from the server, and uses this pre-shared key for subsequent message negotiation. Because the pre-shared key is randomly generated by the server after it receives the user information, even if an attacker intercepts the negotiation messages and cracks the pre-shared key of this negotiation, the pre-shared key the network device obtains the next time the terminal device negotiates with it is no longer the one the attacker cracked. The cracked pre-shared key therefore cannot be used afterwards to impersonate the real user in a negotiation, which improves the security of IKE negotiation.
Referring also to Fig. 2, which is another flow chart of a pre-shared key obtaining method provided by an embodiment of the present application. The method is applied to a network device and includes:
Step 201: receive a negotiation message, sent by a terminal device, for establishing an Internet security tunnel.
In this step, the network device receives the negotiation message sent by the terminal device. The negotiation message may include the user information of the terminal device, where the user information may include user registration information such as a user name and/or user password and/or mobile phone number.
Step 202: determine whether the negotiation message includes the user information of the terminal device.
One way of determining this is to check whether the response payload field of the negotiation message includes the user information of the terminal device.
Step 203: if the negotiation message includes the user information of the terminal device, send the user information to the server, so that the server, on determining that it has the user information stored, randomly generates a pre-shared key and sends the pre-shared key to the network device and the terminal device.
After receiving the user information, the server, on determining that it has the user information stored, randomly generates a pre-shared key and sends the generated pre-shared key to the network device and the terminal device. That is, each time the server receives the same user information, the pre-shared key it generates is different.
The server may be a short message (SMS) server, a cloud server, or the like.
Step 204: receive the pre-shared key, corresponding to the user information, sent by the server.
Step 205: use the pre-shared key to carry out subsequent message negotiation with the terminal device.
After receiving the pre-shared key sent by the server, the network device uses this pre-shared key and other key material to generate an encryption key, and then uses this encryption key to encrypt and decrypt the subsequent negotiation messages exchanged with the terminal device.
Likewise, after receiving the pre-shared key sent by the server, the terminal device uses this pre-shared key and other key material to generate an encryption key, and then uses this encryption key to encrypt and decrypt the subsequent negotiation messages exchanged with the network device.
The processes of obtaining the other key material, generating the encryption key, and encrypting and decrypting are the same as in the prior art and are not repeated here.
In the embodiments of the present application, when IKE negotiation is carried out, the network device receives the negotiation message, including the terminal device's user information, sent by the terminal device, obtains the pre-shared key corresponding to this user information from the server, and then uses this pre-shared key for subsequent message negotiation. Because the pre-shared key is randomly generated by the server after it receives the user information, even if an attacker intercepts the negotiation messages and cracks the pre-shared key of this negotiation, the pre-shared key the network device obtains the next time the terminal device negotiates with it is no longer the one the attacker cracked. The cracked pre-shared key therefore cannot be used afterwards to impersonate the real user in a negotiation, which improves the security of IKE negotiation. That is, whenever the two parties carry out IKE negotiation, they use the latest pre-shared key. Even if an attacker intercepts the negotiation messages of one negotiation and cracks its pre-shared key, the attacker cannot impersonate the real user in the next negotiation, which ensures the security of IKE negotiation.
Referring also to Fig. 3, which is another flow chart of a pre-shared key obtaining method provided by an embodiment of the present application. The method is applied to a network device and includes:
Step 301: the network device receives a negotiation message, sent by a terminal device, for establishing an Internet security tunnel.
This negotiation message is the first message negotiated by the two parties. The response payload field of the negotiation message may or may not include the user information of the terminal device; this embodiment does not limit this.
Step 302: the network device determines whether to use a pre-shared key; if so, step 303 is performed; otherwise, step 307 is performed.
In this step, if it is determined that a pre-shared key is to be used, the subsequent steps that use the pre-shared key are performed; if not, processing follows the existing negotiation flow, the details of which are well known to those skilled in the art and are not repeated here.
Step 303: the network device determines whether the negotiation message includes the user information of the terminal device; if so, steps 304 to 306 are performed; otherwise, step 308 is performed.
One way of determining this is to check whether the response payload field of the negotiation message includes the user information of the terminal device.
Step 304: the network device sends the user information to the server, so that the server, on determining that it has the user information stored, randomly generates a pre-shared key and sends the pre-shared key to the network device and the terminal device.
In this step, when the server receives the user information, it queries whether the user information is stored in its database; if it is, the server randomly generates the corresponding pre-shared key and sends this pre-shared key to the terminal device and the network device.
Step 305: the network device receives the pre-shared key, corresponding to the user information, sent by the server.
Step 306: the network device uses the pre-shared key to carry out subsequent message negotiation with the terminal device.
The terminal device that received this pre-shared key uses it to carry out subsequent message negotiation with the network device.
Step 307: process according to the existing negotiation flow.
Step 308: the negotiation fails.
Referring also to Fig. 4, which is a flow chart of a pre-shared key distribution method provided by an embodiment of the present application. The method is applied to a server and includes:
Step 401: receive the user information of a terminal device sent by a network device.
In this step, the content of the user information is as described above and is not repeated here.
Step 402: if it is determined that the server has the user information stored, randomly generate a pre-shared key.
The server queries whether the user information is stored in its own database; if the user information is found, it randomly generates the corresponding pre-shared key. That is, each time the server receives the same user information, the pre-shared key it generates is different.
Step 403: send the pre-shared key to the network device and to the terminal device respectively, so that the network device and the terminal device use the pre-shared key to carry out message negotiation.
The process by which the network device and the terminal device use the pre-shared key to carry out message negotiation is the same as in the other embodiments above and is not repeated here.
The manner of sending the pre-shared key is not limited in this embodiment; for example, it may be sent by short message (SMS).
In another embodiment, on the basis of the above embodiment, the method may further include:
The server obtains and records user registration information. The user registration information may include user information, and the user information includes a user name and/or password and/or mobile phone number, etc.; other parameters may of course also be included as appropriate, which this embodiment does not limit.
In the embodiments of the present application, when the server receives the user information of a terminal device sent by a network device, if it finds this user information in its database, it randomly generates a pre-shared key and sends this pre-shared key to the network device and to the terminal device respectively, so that the network device and the terminal device use this pre-shared key for subsequent message negotiation. Because the pre-shared key is randomly generated by the server after it receives the user information, even if an attacker intercepts the negotiation messages and cracks the pre-shared key of this negotiation, the pre-shared key the network device obtains the next time the terminal device negotiates with it is no longer the one the attacker cracked. The cracked pre-shared key therefore cannot be used afterwards to impersonate the real user in a negotiation, which improves the security of IKE negotiation.
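The network-device flow of Fig. 3 (steps 301 to 308) and the server flow of Fig. 4 (steps 401 to 403), as an added Python example that is not part of the patent or of any vendor implementation. The class and function names, the in-memory hand-off standing in for SMS delivery, treating an unregistered user as a failed negotiation, and HMAC-SHA256 as the prf are assumptions of this example; the SKEYID formula is the IKEv1 pre-shared-key derivation from RFC 2409.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Terminal:
    user_info: str                 # e.g. a registered user name (constructed value)
    psk: Optional[bytes] = None    # set when the server delivers a key

    def first_message(self, include_user_info: bool = True) -> dict:
        # Step 101: the first negotiation message carries the user information.
        msg = {"type": "first-negotiation-message"}
        if include_user_info:
            msg["user_info"] = self.user_info
        return msg


@dataclass
class KeyServer:
    registered: set                                 # user information recorded at registration
    terminals: dict = field(default_factory=dict)   # delivery targets (stand-in for SMS)

    def distribute(self, user_info: str, gateway: "Gateway") -> bool:
        # Steps 401-403: only stored users get a key; every request gets a new one.
        if user_info not in self.registered:
            return False
        psk = secrets.token_bytes(32)               # CSPRNG output, 256 bits
        gateway.psk_by_user[user_info] = psk
        self.terminals[user_info].psk = psk
        return True


@dataclass
class Gateway:
    server: KeyServer
    use_psk: bool = True
    psk_by_user: dict = field(default_factory=dict)

    def handle_first_message(self, msg: dict) -> str:
        if not self.use_psk:                         # step 302
            return "existing-flow"                   # step 307
        user_info = msg.get("user_info")             # step 303
        if user_info is None:
            return "failed"                          # step 308
        self.psk_by_user.pop(user_info, None)        # never reuse the previous key
        if not self.server.distribute(user_info, self):   # step 304
            return "failed"                          # assumption: unknown user fails
        return "psk-ready"                           # steps 305-306 can proceed


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # RFC 2409, pre-shared-key authentication: SKEYID = prf(psk, Ni_b | Nr_b).
    # HMAC-SHA256 as the prf is an assumption of this example.
    return hmac.new(psk, ni + nr, hashlib.sha256).digest()


def negotiate(terminal: Terminal, gateway: Gateway, include_user_info: bool = True):
    """Run one negotiation; return (status, terminal SKEYID, gateway SKEYID)."""
    status = gateway.handle_first_message(terminal.first_message(include_user_info))
    if status != "psk-ready":
        return status, None, None
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # exchanged nonces
    return (status,
            skeyid(terminal.psk, ni, nr),
            skeyid(gateway.psk_by_user[terminal.user_info], ni, nr))


def build_demo():
    # Constructed sample data: "alice" is registered, "mallory" is not.
    alice, mallory = Terminal("alice"), Terminal("mallory")
    server = KeyServer(registered={"alice"},
                       terminals={"alice": alice, "mallory": mallory})
    return alice, mallory, Gateway(server)


if __name__ == "__main__":
    alice, mallory, gw = build_demo()
    status, t_key, g_key = negotiate(alice, gw)
    first_psk = alice.psk
    negotiate(alice, gw)
    print(status, t_key == g_key, first_psk != alice.psk)
    print(negotiate(mallory, gw)[0], negotiate(alice, gw, include_user_info=False)[0])
```

The key point for a reviewer is the use of `secrets.token_bytes` on every request: the scheme's claim that a cracked key is useless for the next negotiation holds only if each key is drawn from a cryptographically secure source and the previous key is discarded.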
Corresponding to the foregoing embodiments of the pre-shared key negotiation method, the present application also provides embodiments of a pre-shared key obtaining device and a pre-shared key distribution device.
The embodiments of the pre-shared key obtaining device or distribution device provided by the present application can be applied on equipment. The device embodiments may be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, the device in the logical sense is formed by the processor of the equipment where it is located reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 5 shows a hardware structure diagram of the equipment where the pre-shared key obtaining or distribution device provided by the present application is located. In addition to the processor, memory, network interface and non-volatile memory shown in Fig. 5, the equipment where the device is located may, in embodiments, also include other hardware according to the actual function of that equipment, which is not described further here.
Accordingly, referring also to Fig. 6, which is a structure diagram of a pre-shared key obtaining device provided by the present application, the device is applied to a terminal device. The device includes a sending unit 61, a receiving unit 62 and a negotiation unit 63, wherein:
The sending unit 61 is configured to send to the network device a negotiation message for establishing an Internet security tunnel, the negotiation message including the user information of the terminal device, so that the network device sends the user information of the terminal device to the server;
The receiving unit 62 is configured to receive the pre-shared key corresponding to the user information sent by the server, the pre-shared key being randomly generated by the server;
The negotiation unit 63 is configured to use the pre-shared key to carry out subsequent message negotiation with the network device.
In another embodiment, the device may further include an adding unit (not shown), configured to add the user information of said negotiating device in the response payload field of the negotiation message.
Referring also to Fig. 7, which is another structure diagram of a pre-shared key obtaining device provided by the present application, the device is integrated in the network device. The device includes a first receiving unit 71, a first judging unit 72, a sending unit 73, a second receiving unit 74 and a negotiation unit 75, wherein:
The first receiving unit 71 is configured to receive the negotiation message sent by the terminal device for establishing an Internet security tunnel;
The first judging unit 72 is configured to judge whether the negotiation message includes the user information of the terminal device; specifically, the first judging unit 72 is configured to judge whether the response payload field of the negotiation message includes the user information of the terminal device;
The sending unit 73 is configured to send the user information to the server when the first judging unit judges that the negotiation message includes the user information, so that the server, upon determining that it stores the user information, randomly generates a pre-shared key and sends the pre-shared key to the obtaining device and the terminal device;
The second receiving unit 74 is configured to receive the pre-shared key corresponding to the user information sent by the server;
The negotiation unit 75 is configured to use the pre-shared key to carry out subsequent message negotiation with the terminal device.
In another embodiment, the device may further include a second judging unit (not shown), wherein:
The second judging unit is configured to judge, when the first receiving unit receives the negotiation message, whether a pre-shared key is used;
The first judging unit is further configured to judge, when the second judging unit judges that a pre-shared key is used, whether the negotiation message includes the user information of the terminal device.
Referring also to Fig. 8, which is a structural schematic diagram of a pre-shared key distribution device provided by the present application, the device is integrated in the server. The device includes a receiving unit 81, a generating unit 82 and a sending unit 83, wherein:
The receiving unit 81 is configured to receive the user information of the terminal device sent by the network device;
The generating unit 82 is configured to randomly generate a pre-shared key upon determining that the server itself stores the user information;
The sending unit 83 is configured to send the pre-shared key to the network device and the terminal device respectively, so that the network device and the terminal device use the pre-shared key to carry out message negotiation.
In another embodiment, the device may further include an acquiring unit (not shown), wherein:
The acquiring unit is configured to obtain and record user registration information, the user registration information including user information.
For the implementation of the functions and roles of the units in the above devices, refer to the implementation of the corresponding steps in the above methods; details are not repeated here.
For ease of understanding, a concrete example is described below. In this example the terminal device is a host (Host), the network device is a gateway device and the server is a short message server, although practical applications are not limited to these. Optionally, the gateway device may also be connected to an enterprise network. Fig. 9 is a structural schematic diagram of an application example of the IKE negotiation system provided by the embodiments of the present application.
As shown in Fig. 9, the Host and the gateway device carry out IKE negotiation to establish an IPsec tunnel, and the Host sends messages to the gateway device through the IPsec tunnel and thereby accesses the enterprise intranet. The difference from the existing IKE negotiation process is that in this embodiment the Host adds its user information to the first negotiation message it sends to the gateway device, so that the gateway device sends the Host's user information to the short message server, obtains the pre-shared key that the short message server randomly generates for this user information, and uses this pre-shared key to negotiate the subsequent messages. The negotiation process specifically includes:
1. The Host sends the first negotiation message to the gateway device, with the Host's user information added to this negotiation message. In this embodiment the user information is, for example, the user name.
That is, the Host's user information is added to the response (REPLY) payload field of the first negotiation message in the main mode negotiation phase.
2. After the gateway device receives the first negotiation message sent by the Host, which includes the user information, it sends the Host's user information to the short message server.
3. If the short message server finds this user information in its database, it randomly generates the corresponding pre-shared key and then sends this pre-shared key to the gateway device and the Host respectively.
4. After the gateway device receives the pre-shared key sent by the short message server, it uses this pre-shared key and other keying material to generate an encryption key, and then uses this encryption key to encrypt and decrypt the subsequent negotiation messages exchanged with the Host (starting from the fifth negotiation message).
5. After the Host receives the pre-shared key sent by the short message server, it uses this pre-shared key and other keying material to generate an encryption key, and then uses this encryption key to encrypt and decrypt the subsequent negotiation messages exchanged with the gateway device (starting from the fifth negotiation message).
The processes of obtaining the other keying material, generating the encryption key, and encrypting and decrypting are the same as in the prior art and are not repeated here.
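The five-step exchange above, together with the earlier argument that a cracked key is useless in the next negotiation, modelled as an added example (not code from the patent). The class and function names, the 32-byte key length and HMAC-SHA256 as the prf are assumptions; the SKEYID formula is the IKEv1 pre-shared-key derivation from RFC 2409.

```python
import hashlib
import hmac
import secrets


class ShortMessageServer:
    """Server role from the example: stores registered users, issues PSKs."""

    def __init__(self, registered_users):
        self.registered_users = set(registered_users)

    def issue_psk(self, user_info):
        """Step 3: return a fresh random PSK if the user is registered, else None."""
        if user_info not in self.registered_users:
            return None  # no database match: nothing is generated or sent
        return secrets.token_bytes(32)  # new random value for every negotiation


def skeyid(psk, ni_b, nr_b):
    """IKEv1 pre-shared-key mode (RFC 2409): SKEYID = prf(psk, Ni_b | Nr_b).

    HMAC-SHA256 stands in for the negotiated prf (assumption).
    """
    return hmac.new(psk, ni_b + nr_b, hashlib.sha256).digest()


def negotiate(server, user_info):
    """Model one negotiation; return a dict of results, or None if refused."""
    # Step 1: the Host carries its user information in the first message.
    first_message = {"user_info": user_info}
    # Step 2: the gateway checks for user information and forwards it.
    forwarded = first_message.get("user_info")
    if not forwarded:
        return None
    # Step 3: the server looks the user up, generates the PSK and delivers
    # one copy to the gateway and one to the Host.
    psk = server.issue_psk(forwarded)
    if psk is None:
        return None
    host_psk, gateway_psk = bytes(psk), bytes(psk)
    # Steps 4 and 5: each side combines its copy with the exchanged nonces.
    ni_b, nr_b = secrets.token_bytes(16), secrets.token_bytes(16)
    return {
        "psk": psk,
        "nonces": (ni_b, nr_b),
        "host_skeyid": skeyid(host_psk, ni_b, nr_b),
        "gateway_skeyid": skeyid(gateway_psk, ni_b, nr_b),
    }


def stale_psk_matches(server, user_info):
    """Check whether a PSK from one negotiation still works in the next one."""
    first = negotiate(server, user_info)
    second = negotiate(server, user_info)
    ni_b, nr_b = second["nonces"]
    # Reuse the first negotiation's PSK against the second negotiation's nonces.
    replayed = skeyid(first["psk"], ni_b, nr_b)
    return hmac.compare_digest(replayed, second["gateway_skeyid"])


if __name__ == "__main__":
    server = ShortMessageServer({"alice"})  # constructed sample user
    print("registered user keyed:", negotiate(server, "alice") is not None)
    print("unknown user keyed:", negotiate(server, "mallory") is not None)
    print("stale PSK still valid:", stale_psk_matches(server, "alice"))
```

The model leaves out the delivery channel itself; the key is only as confidential as the path (for example SMS) over which the server sends it to each side.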
Since the device embodiments correspond essentially to the method embodiments, refer to the description of the method embodiments for the relevant parts. The device embodiments described above are merely schematic: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present application. Those of ordinary skill in the art can understand and implement it without creative effort.
The foregoing is only the preferred embodiment of the present application and is not intended to limit the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included within the scope of protection of the present application.

Claims (14)

1. A method for obtaining a pre-shared key, characterized in that the method is applied to a network device; the method comprises:
receiving a negotiation message sent by a terminal device for establishing an Internet security tunnel;
judging whether the negotiation message includes user information of the terminal device;
if the negotiation message includes the user information of the terminal device, sending the user information to a server, so that the server, upon determining that it stores the user information, randomly generates a pre-shared key and sends the pre-shared key to the network device and the terminal device;
receiving the pre-shared key corresponding to the user information sent by the server;
performing subsequent message negotiation with the terminal device using the pre-shared key.

2. The method according to claim 1, characterized in that judging whether the negotiation message includes the user information of the terminal device specifically comprises:
judging whether the response payload field of the negotiation message includes the user information of the terminal device.

3. The method according to claim 1 or 2, characterized by further comprising:
when the negotiation message is received, judging whether a pre-shared key is used, and if so, performing the step of judging whether the negotiation message includes the user information of the terminal device.

4. A pre-shared key distribution method, characterized in that the method is applied to a server; the method comprises:
receiving user information of a terminal device sent by a network device;
if it is determined that the server itself stores the user information, randomly generating a pre-shared key;
sending the pre-shared key to the network device and the terminal device respectively, so that the network device and the terminal device use the pre-shared key to perform message negotiation.

5. The method according to claim 4, characterized by further comprising:
obtaining and recording user registration information, the user registration information including user information.

6. A method for obtaining a pre-shared key, characterized in that the method is applied to a terminal device; the method comprises:
sending to a network device a negotiation message for establishing an Internet security tunnel, the negotiation message including user information of the terminal device, so that the network device sends the user information of the terminal device to a server;
receiving a pre-shared key corresponding to the user information sent by the server, the pre-shared key being randomly generated by the server;
performing subsequent message negotiation with the network device using the pre-shared key.

7. The method according to claim 6, characterized by further comprising:
adding the user information of the terminal device in the response payload field of the negotiation message.

8. A device for obtaining a pre-shared key, characterized in that the obtaining device is integrated in a network device, and the obtaining device comprises:
a first receiving unit, configured to receive a negotiation message sent by a terminal device for establishing an Internet security tunnel;
a first judging unit, configured to judge whether the negotiation message includes user information of the terminal device;
a sending unit, configured to send the user information to a server when the first judging unit judges that the negotiation message includes the user information of the obtaining device, so that the server, upon determining that it stores the user information, randomly generates a pre-shared key and sends the pre-shared key to the obtaining device and the terminal device;
a second receiving unit, configured to receive the pre-shared key corresponding to the user information sent by the server;
a negotiation unit, configured to perform subsequent message negotiation with the terminal device using the pre-shared key.

9. The device according to claim 8, characterized in that the first judging unit is specifically configured to judge whether the response payload field of the negotiation message includes the user information of the terminal device.

10. The device according to claim 8 or 9, characterized by further comprising:
a second judging unit, configured to judge whether a pre-shared key is used when the first receiving unit receives the negotiation message;
the first judging unit being further configured to judge whether the negotiation message includes the user information of the terminal device when the second judging unit judges that a pre-shared key is used.

11. A distribution device for a pre-shared key, characterized in that the distribution device is integrated in a server, and the distribution device comprises:
a receiving unit, configured to receive user information of a terminal device sent by a network device;
a generating unit, configured to randomly generate a pre-shared key upon determining that the server itself stores the user information;
a sending unit, configured to send the pre-shared key to the network device and the terminal device respectively, so that the network device and the terminal device use the pre-shared key to perform message negotiation.

12. The device according to claim 11, characterized by further comprising:
an acquiring unit, configured to obtain and record user registration information, the user registration information including user information.

13. A device for obtaining a pre-shared key, characterized in that the obtaining device is integrated in a terminal device, and the obtaining device comprises:
a sending unit, configured to send to a network device a negotiation message for establishing an Internet security tunnel, the negotiation message including user information of the terminal device, so that the network device sends the user information of the terminal device to a server;
a receiving unit, configured to receive a pre-shared key corresponding to the user information sent by the server, the pre-shared key being randomly generated by the server;
a negotiation unit, configured to perform subsequent message negotiation with the network device using the pre-shared key.

14. The device according to claim 13, characterized by further comprising:
an adding unit, configured to add the user information of the terminal device in the response payload field of the negotiation message.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610070225.3A CN105763318B (en) 2016-01-29 2016-01-29 Pre-shared key obtaining and distribution method and device

Publications (2)

Publication Number Publication Date
CN105763318A true CN105763318A (en) 2016-07-13
CN105763318B CN105763318B (en) 2018-09-04

Family

ID=56343013

Country Status (1)

Country Link
CN (1) CN105763318B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant before: Huasan Communication Technology Co., Ltd.

GR01 Patent grant