CN111431858B - Centralized safe transmission and authentication method for routing message - Google Patents
- Publication number: CN111431858B (application CN202010123451.XA; published as CN111431858A, granted as CN111431858B)
- Authority: CN (China)
- Prior art keywords: authentication, neighbor, routing, routing equipment, centralized
- Prior art date: 2020-02-27
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC)
- H04L63/0428: Network security; confidential data exchange among entities communicating through data packet networks, where the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442: as H04L63/0428, where the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
- H04L63/08: Network security; authentication of entities
- H04L45/54: Routing or path finding of packets in data switching networks; organization of routing tables
- H04L45/74: Routing or path finding of packets in data switching networks; address processing for routing
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
Technical Field
The invention relates to the technical field of network communication, and in particular to a centralized secure transmission and authentication method for routing messages.
Background
Routing protocols in common use on the Internet today include RIP, OSPF, EIGRP, IS-IS, IGRP and BGP. The security of each protocol rests mainly on that protocol's own authentication mechanism, and the mechanisms of the different protocols are mutually incompatible. In newer applications such as software-defined networking, however, many scenarios call for unified security management across different routing protocols, and there is as yet no general method that secures the communication of all of them.
The present invention addresses this problem. The overall idea is to build a new authentication mechanism outside the routing process of the individual protocols, so that protocol-specific routing communication takes place only after authentication succeeds. The method wraps ("shells") the traditional routing protocol from the outside and therefore remains compatible with all of the traditional protocols.
Summary of the Invention
The invention provides a centralized secure transmission and authentication method for routing messages that effectively improves the security of message transmission between routing devices and reduces the risk of data leakage.
The invention is realized by the following technical solution. A centralized secure transmission and authentication method for routing messages is characterized by four processes: neighbor table establishment by the routing devices, centralized authentication of the routing devices, authentication confirmation of neighboring routing devices, and encrypted message transmission, as follows:
First, a newly added routing device establishes a neighbor relationship with every device participating in routing by means of the neighbor table;
Second, the newly added routing device is authenticated through the centralized authentication center;
Third, before a message is sent, the neighboring routing device is confirmed with the centralized authentication center;
Fourth, once confirmation of the neighboring routing device is complete, the message is encrypted and sent to the neighboring routing device;
Finally, on receiving the encrypted message, the neighboring routing device decrypts it to recover the original message for use by the specific routing protocol.
Preferably, each device participating in routing builds a neighbor table. While establishing neighbor relationships, each interface passes through five states: Down, Init, Decide, Success and Fail. The states are designed as follows:
(1) Down: the method has not been enabled on the port; this is the default state;
(2) Init: the method is enabled on the port, which sends Discover probe packets and has not yet received a Coop packet from the peer; if a Discover packet arrives from the peer, the port replies with a Coop packet;
(3) Decide: a Coop packet has been received from the peer and it has not yet been determined whether authentication succeeds;
(4) Success: the authentication carried in the Coop packet has been judged to match the authentication configured on the local device; in the Success state, one check is performed for every 5 Coop packets received;
(5) Fail: the authentication in the Coop packet does not match the local configuration; in the Fail state, after 3 Coop packets with mismatching authentication have been received, the port returns to the Init state.
Preferably, the sending periods of the packets are: Discover packets every 5 seconds by default; Coop packets every 10 seconds by default, every 5 seconds while the routing device is in the Decide state, and every 30 seconds while it is in the Success state.
Preferably, the Discover packet format is: source address, destination address, time-to-live.
Preferably, the Coop packet format is: routing device name, source address, destination address, time-to-live, sending time, authentication identifier.
Preferably, the authentication flow for Coop packets is as follows: on receiving a Coop packet, the routing device checks whether the authentication identifier in the packet matches the authentication identifier configured locally. If it does not match, the port enters the Fail state, and after 3 consecutive failed authentications it enters the Init state. If it matches, the routing device name and source address are recorded in the neighbor table.
Preferably, the newly added routing device is authenticated through the centralized authentication center. On success it is entered in the authentication table; on failure it is asked to authenticate again. The centralized authentication flow for a routing device is as follows:
(1) Within one domain, when a routing device is added it is assigned a public/private key pair and a unique device-id;
(2) The new routing device sends a packet to the centralized authentication center whose fields are the device-id, the public key and its own IP address;
(3) On receiving the packet from the new routing device, the centralized authentication center records the device's device-id, public key and IP;
(4) The centralized authentication center returns its own public key to the new routing device;
(5) On receiving that public key, the new routing device encrypts the authentication key with it and returns the result to the centralized authentication center;
(6) On receiving the encrypted authentication key, the centralized authentication center decrypts it with its own private key and compares the result with the original authentication key;
(7) If they match, the device-id, public key and IP are recorded in the authentication table and an authentication-success message is returned to the new routing device; if they do not match, an authentication-failure message is sent to the new routing device, which must authenticate again.
Preferably, before a message is sent, the neighboring routing device is confirmed through the centralized authentication center. If the neighbor has never been authenticated by the center, sending to it stops immediately. If the neighbor has been authenticated by the center but has no record in the local public key storage table, a secondary authentication is performed through the center; if it does have a record there, the message is prepared for encrypted transmission. The neighbor confirmation flow is as follows:
(1) After the routing engine generates a message, the IP of the neighboring routing device is obtained from the neighbor table;
(2) The routing device sends the target IP to the centralized authentication center as a neighbor confirmation request;
(3) On receiving the confirmation request, the center looks up whether the neighbor's IP exists in the authentication table;
(4) If the neighbor's IP does not exist, a confirmation-failure message is returned to the routing device;
(5) If it exists, the device-id corresponding to the neighbor's IP is returned to the routing device;
(6) On receiving the neighbor's device-id, the routing device looks it up in its local public key storage table; if the device-id is present, the message is prepared for encrypted transmission and the flow ends; if it is absent, a secondary confirmation request is sent to the center;
(7) On receiving the secondary confirmation request, the center sends its own public key to the neighboring routing device together with a confirmation request;
(8) On receiving the confirmation request, the neighboring routing device encrypts the authentication key with the received public key and returns the result to the center;
(9) On receiving the encrypted authentication key, the center decrypts it with its own private key and compares the result with the original authentication key;
(10) If they do not match, the center returns a confirmation-failure message and the neighbor's device-id to the routing device, and sends a re-authentication request to the neighbor;
(11) On receiving the confirmation-failure message, the routing device stops sending messages to the neighboring routing device;
(12) If they match, the center returns a confirmation-success message together with the neighbor's device-id and public key to the routing device;
(13) On receiving the confirmation-success message, the routing device records the neighbor's device-id and public key in its local public key storage table and prepares the message for encrypted transmission.
Preferably, once confirmation of the neighboring routing device is complete, the message is encrypted with asymmetric cryptography and sent to the neighbor; on receiving the encrypted message, the neighbor decrypts it with asymmetric cryptography to recover the original message for the business need. The encrypted transmission flow is as follows:
(1) After the routing device has generated a message and the neighboring routing device has been confirmed, the neighbor's device-id is obtained;
(2) The neighbor's device-id is looked up in the public key storage table to obtain the public key of that neighboring routing device;
(3) The original message is encrypted with the neighbor's public key and sent to the neighboring routing device;
(4) On receiving the encrypted message, the neighboring routing device decrypts it with its private key to obtain the original message, which is processed by the routing engine.
Compared with existing technical solutions, the beneficial effects of the invention are:
(1) An authentication mechanism for newly added routing devices is added on top of the routing protocol, improving the security of every routing device in the domain;
(2) Neighboring routing devices must be authenticated and confirmed before a message is transmitted, reducing the risk of leakage in message transmission between routing devices;
(3) Asymmetric cryptography reduces the risk of messages between routing devices being captured and decrypted in transit, greatly improving the security of message transmission between routing devices.
Description of the Drawings
The invention is further described below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of the invention;
Fig. 2 is a flow chart of neighbor establishment in the invention;
Fig. 3 is a flow chart of centralized routing device authentication in the invention;
Fig. 4 is a flow chart of neighbor routing device authentication confirmation in the invention;
Fig. 5 is a flow chart of encrypted message transmission in the invention;
Fig. 6 shows the format of the public key storage table in the invention;
Fig. 7 shows the format of the authentication table in the invention;
Fig. 8 shows the format of the neighbor table in the invention;
Fig. 9 shows the format of the Discover packet in the invention;
Fig. 10 shows the format of the Coop packet in the invention.
Detailed Description
As shown in Fig. 1, a centralized secure transmission and authentication method for routing messages comprises four processes: neighbor table establishment by the routing devices, centralized authentication of the routing devices, authentication confirmation of neighboring routing devices, and encrypted message transmission. First, a newly added routing device establishes a neighbor relationship with every device participating in routing by means of the neighbor table; second, the new routing device is authenticated through the centralized authentication center; third, before a message is sent, the neighboring routing device is confirmed with the centralized authentication center; fourth, once that confirmation is complete, the message is encrypted with asymmetric cryptography and sent to the neighbor; finally, on receiving the encrypted message, the neighbor decrypts it with asymmetric cryptography to recover the original message for the business need.
As shown in Fig. 2, each device participating in routing builds a neighbor table. While establishing neighbor relationships, each interface passes through five states: Down, Init, Decide, Success and Fail. The states are designed as follows:
(1) Down: the method designed in the invention has not been enabled on the port; this is the default state;
(2) Init: the method designed in the invention is enabled on the port, which sends Discover probe packets and has not yet received a Coop packet from the peer; if a Discover packet arrives from the peer, the port replies with a Coop packet;
(3) Decide: a Coop packet has been received from the peer and it has not yet been determined whether authentication succeeds;
(4) Success: the authentication carried in the Coop packet has been judged to match the authentication configured on the local device; in the Success state, one check is performed for every 5 Coop packets received;
(5) Fail: the authentication in the Coop packet does not match the local configuration; in the Fail state, after 3 Coop packets with mismatching authentication have been received, the port returns to the Init state.
In the above states, Discover packets are sent every 5 seconds by default and Coop packets every 10 seconds by default; while the routing device is in the Decide state, Coop packets are sent every 5 seconds, and while it is in the Success state, every 30 seconds. As shown in Fig. 9, the Discover packet format is: source address, destination address, time-to-live. As shown in Fig. 10, the Coop packet format is: routing device name, source address, destination address, time-to-live, sending time, authentication identifier.
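The neighbor state machine just described (the summary and this detailed description give the same five states, timers and packet formats) as a runnable program. This is an added example, not code from the patent: the packet structs follow the field lists of Figs. 9 and 10, the neighbor table of Fig. 8 is a map keyed by source address, and an outbox slice stands in for the wire. Two points the text leaves open are resolved as assumptions and marked in comments: a Coop arriving in Init is judged immediately (so Decide is a transient state here), and "3 consecutive failed authentications" is counted from the mismatch that caused the Fail transition.

```go
package main

import "fmt"

// State of one interface in the neighbor-establishment machine (Fig. 2).
type State int

const (
	Down State = iota
	Init
	Decide
	Success
	Fail
)

func (s State) String() string { return []string{"Down", "Init", "Decide", "Success", "Fail"}[s] }

// Discover (Fig. 9) and Coop (Fig. 10) packets with the fields listed on the page;
// Neighbor is one row of the neighbor table (Fig. 8).
type Discover struct{ Src, Dst string; TTL int }
type Coop struct{ Device, Src, Dst string; TTL int; SentAt int64; AuthID string }
type Neighbor struct{ Device, Addr string }

// Port is one interface running the method. Discover packets go out every 5 s by default.
type Port struct {
	Device, Addr    string
	authID          string              // authentication identifier configured on this router
	State           State
	Neighbors       map[string]Neighbor // neighbor table keyed by source address
	coopsSinceCheck int                 // Success: only every 5th Coop is judged
	failStreak      int                 // consecutive mismatches; the 3rd returns the port to Init
	Outbox          []interface{}       // packets handed to the wire (stand-in for sending)
}

func NewPort(device, addr, authID string) *Port {
	return &Port{Device: device, Addr: addr, authID: authID, Neighbors: map[string]Neighbor{}}
}

// CoopInterval is the Coop period in seconds: 10 by default, 5 in Decide, 30 in Success.
func (p *Port) CoopInterval() int {
	switch p.State {
	case Decide:
		return 5
	case Success:
		return 30
	}
	return 10
}

// Enable turns the method on (or restarts it after three failures): Init, and a Discover is sent.
func (p *Port) Enable() {
	p.State, p.failStreak, p.coopsSinceCheck = Init, 0, 0
	p.Outbox = append(p.Outbox, Discover{Src: p.Addr, Dst: "255.255.255.255", TTL: 1})
}

// OnDiscover: an enabled port answers a peer's Discover with a Coop carrying its own identifier.
func (p *Port) OnDiscover(d Discover, now int64) {
	if p.State != Down {
		p.Outbox = append(p.Outbox, Coop{Device: p.Device, Src: p.Addr, Dst: d.Src, TTL: 1, SentAt: now, AuthID: p.authID})
	}
}

// OnCoop runs the Coop authentication flow and returns the state the port ends up in.
func (p *Port) OnCoop(c Coop) State {
	switch p.State {
	case Down:
		return Down // method not enabled on this port
	case Init:
		p.State = Decide // a Coop has arrived; it is judged right away (assumption: Decide is transient)
	case Success:
		if p.coopsSinceCheck++; p.coopsSinceCheck < 5 {
			return Success // not judged: in Success only every 5th Coop is checked
		}
		p.coopsSinceCheck = 0
	}
	if c.AuthID != p.authID {
		if p.failStreak++; p.failStreak >= 3 { // reading of "3 consecutive failed authentications"
			p.Enable()
			return Init
		}
		p.State = Fail // the page does not remove a neighbor-table row here, so neither does this
		return Fail
	}
	p.failStreak = 0
	p.Neighbors[c.Src] = Neighbor{Device: c.Device, Addr: c.Src} // record name and source address
	p.State = Success
	return Success
}

func main() {
	p := NewPort("R1", "10.0.0.1", "area0-secret") // constructed identifiers
	p.Enable()
	p.OnDiscover(Discover{Src: "10.0.0.2", Dst: "255.255.255.255", TTL: 1}, 1)
	good := Coop{Device: "R2", Src: "10.0.0.2", Dst: "10.0.0.1", TTL: 1, SentAt: 2, AuthID: "area0-secret"}
	bad := Coop{Device: "R9", Src: "10.0.0.9", Dst: "10.0.0.1", TTL: 1, SentAt: 3, AuthID: "guess"}
	fmt.Println(p.OnCoop(good), p.CoopInterval()) // Success 30
	fmt.Println(p.OnCoop(bad), p.CoopInterval())  // Success 30: the first Coop after Success is not judged
	fmt.Println("neighbor table:", p.Neighbors)
}
```

Note what the Success rule implies: only every fifth Coop is judged there, so a peer can present four Coops with a wrong authentication identifier before the port notices, although nothing is recorded from them. The page also says nothing about removing a neighbor-table row when a port falls to Fail, so the example keeps the row.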
As shown in Fig. 3, the newly added routing device is authenticated through the centralized authentication center. On success it is entered in the authentication table; on failure it is asked to authenticate again. The centralized authentication flow for a routing device is as follows:
(1) Within one domain, when a routing device is added it is assigned a public/private key pair and a unique device-id (in practice, dotted-decimal notation is recommended for the device-id, for example 10.10.10.1);
(2) The new routing device sends a packet to the centralized authentication center whose fields are the device-id, the public key and its own IP (in practice the JSON packet format is recommended, for example: {"device-id":"10.10.10.1","key":"xxx","ip":"10.10.10.1"});
(3) On receiving the packet from the new routing device, the centralized authentication center records the device's device-id, public key and IP;
(4) The centralized authentication center returns its own public key to the new routing device;
(5) On receiving that public key, the new routing device encrypts the authentication key with it and returns the result to the centralized authentication center;
(6) On receiving the encrypted authentication key, the centralized authentication center decrypts it with its own private key and compares the result with the original authentication key;
(7) If they match, the device-id, public key and IP are recorded in the authentication table and an authentication-success message is returned to the new routing device; if they do not match, an authentication-failure message is sent to the new routing device, which must authenticate again.
As shown in Figs. 4 to 8, before a message is sent, the neighboring routing device is confirmed through the centralized authentication center. If the neighbor has never been authenticated by the center, sending to it stops immediately. If the neighbor has been authenticated by the center but has no record in the local public key storage table, a secondary authentication is performed through the center; if it does have a record there, the message is prepared for encrypted transmission. The neighbor confirmation flow is as follows:
(1) After the routing engine generates a message, the IP of the neighboring routing device is obtained from the neighbor table;
(2) The routing device sends the target IP to the centralized authentication center as a neighbor confirmation request;
(3) On receiving the confirmation request, the center looks up whether the neighbor's IP exists in the authentication table;
(4) If the neighbor's IP does not exist, a confirmation-failure message is returned to the routing device;
(5) If it exists, the device-id corresponding to the neighbor's IP is returned to the routing device;
(6) On receiving the neighbor's device-id, the routing device looks it up in its local public key storage table; if the device-id is present, the message is prepared for encrypted transmission and the flow ends; if it is absent, a secondary confirmation request is sent to the center;
(7) On receiving the secondary confirmation request, the center sends its own public key to the neighboring routing device together with a confirmation request;
(8) On receiving the confirmation request, the neighboring routing device encrypts the authentication key with the received public key and returns the result to the center;
(9) On receiving the encrypted authentication key, the center decrypts it with its own private key and compares the result with the original authentication key;
(10) If they do not match, the center returns a confirmation-failure message and the neighbor's device-id to the routing device, and sends a re-authentication request to the neighbor;
(11) On receiving the confirmation-failure message, the routing device stops sending messages to the neighboring routing device;
(12) If they match, the center returns a confirmation-success message together with the neighbor's device-id and public key to the routing device;
(13) On receiving the confirmation-success message, the routing device records the neighbor's device-id and public key in its local public key storage table and prepares the message for encrypted transmission.
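Registration (steps (1) to (7) above and in the summary) and neighbor confirmation (steps (1) to (13)) share one mechanism: the center hands out its public key, the routing device returns the authentication key encrypted under it, and the center decrypts and compares. The following Go program is an added example, not the patent's code, that runs both flows in one process with the center and two routing devices as plain structs and the JSON packet of step (2) as the only wire format. Assumptions not on the page: RSA-2048 with OAEP/SHA-256 as the asymmetric scheme, the authentication key pre-shared out of band, and a routing device written to the authentication table only once its proof verifies (the page records the fields in step (3) and again in step (7)).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

// RegisterMsg is the JSON registration packet of step (2) with the page's field names; it is also
// one row of the authentication table (Fig. 7). Sending the RSA key as JSON-encoded N and E is an assumption.
type RegisterMsg struct {
	DeviceID string         `json:"device-id"`
	Key      *rsa.PublicKey `json:"key"`
	IP       string         `json:"ip"`
}

// Center is the centralized authentication center; authKey is the domain's authentication key (assumed pre-shared).
type Center struct {
	key     *rsa.PrivateKey
	authKey []byte
	Table   map[string]RegisterMsg // authentication table keyed by router IP
}

// Router is one routing device: key pair (step (1)), its copy of the authentication key, public key storage table (Fig. 6).
type Router struct {
	ID, IP   string
	key      *rsa.PrivateKey
	authKey  []byte
	PubStore map[string]*rsa.PublicKey // keyed by device-id
}

func newKey() *rsa.PrivateKey { // RSA-2048 is an assumption; the page names no algorithm
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}
func NewCenter(authKey []byte) *Center {
	return &Center{key: newKey(), authKey: authKey, Table: map[string]RegisterMsg{}}
}
func NewRouter(id, ip string, authKey []byte) *Router {
	return &Router{ID: id, IP: ip, key: newKey(), authKey: authKey, PubStore: map[string]*rsa.PublicKey{}}
}

// prove is registration step (5) and confirmation step (8): the authentication key encrypted
// under the center's public key. RSA-OAEP with SHA-256 is an assumed padding.
func (r *Router) prove(centerPub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, centerPub, r.authKey, nil)
}

// verify is steps (6)/(9): decrypt with the center's private key and compare in constant time.
func (c *Center) verify(proof []byte, err error) bool {
	got, derr := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.key, proof, nil)
	return err == nil && derr == nil && subtle.ConstantTimeCompare(got, c.authKey) == 1
}

// Register runs steps (2)-(7) for a new router. Both parties are in-process and the JSON packet
// is the only wire format; only a router whose proof verifies is written to the table.
func Register(c *Center, r *Router) error {
	raw, _ := json.Marshal(RegisterMsg{DeviceID: r.ID, Key: &r.key.PublicKey, IP: r.IP}) // step (2)
	var m RegisterMsg
	if err := json.Unmarshal(raw, &m); err != nil || m.Key == nil { // step (3)
		return errors.New("registration rejected: malformed packet")
	}
	if !c.verify(r.prove(&c.key.PublicKey)) { // steps (4)-(6)
		return errors.New("authentication failed: re-authenticate") // step (7), failure branch
	}
	c.Table[m.IP] = m // step (7), success branch
	return nil
}

// Confirm runs steps (1)-(13) before sender transmits to neighborIP; neighbor stands in for the
// device the center contacts in step (7). The returned key is the one the sender encrypts with.
func Confirm(c *Center, sender *Router, neighborIP string, neighbor *Router) (*rsa.PublicKey, error) {
	rec, ok := c.Table[neighborIP] // steps (2)-(3)
	if !ok {
		return nil, errors.New("confirmation failed: neighbor never authenticated, stop sending") // step (4)
	}
	if pub, ok := sender.PubStore[rec.DeviceID]; ok { // steps (5)-(6): local table hit, flow ends
		return pub, nil
	}
	if !c.verify(neighbor.prove(&c.key.PublicKey)) { // steps (7)-(11): secondary confirmation
		return nil, fmt.Errorf("confirmation failed for device-id %s: stop sending", rec.DeviceID)
	}
	sender.PubStore[rec.DeviceID] = rec.Key // steps (12)-(13)
	return rec.Key, nil
}

func main() {
	authKey := []byte("domain-auth-key") // constructed; the page gives no value
	c, r1, r2 := NewCenter(authKey), NewRouter("10.10.10.1", "10.10.10.1", authKey), NewRouter("10.10.10.2", "10.10.10.2", authKey)
	fmt.Println("register:", Register(c, r1), Register(c, r2))
	_, err := Confirm(c, r1, r2.IP, r2)
	fmt.Println("r1 may send to r2:", err == nil, "cached:", r1.PubStore[r2.ID] != nil)
}
```

Two properties follow directly from the flow as the page states it and are worth knowing before building on it. The proof is the authentication key itself, encrypted: OAEP randomizes the ciphertext, but nothing ties a proof to the device-id, public key or IP it accompanies, so any party holding the domain's authentication key can register any public key under any IP, and a recorded proof still decrypts to the right key later. The confirmation flow also trusts the local public key storage table without expiry, so a neighbor whose authentication key changes after its first confirmation is still sent to; the test below exercises exactly that case.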
As shown in Figure 5, once authentication confirmation of the neighbor routing device is complete, the routing device uses asymmetric encryption to encrypt the message and sends it to the neighbor routing device; on receiving the encrypted message, the neighbor routing device decrypts it with asymmetric encryption to recover the original message for the service that needs it. The encrypted message transmission flow is as follows:
(1) After the router generates a message, and once the neighbor router's authentication has been confirmed, it obtains the neighbor router's device-id;
(2) It looks up the neighbor router's device-id in the public key storage table to obtain the corresponding neighbor router's public key;
(3) It encrypts the original message with the neighbor router's public key and sends it to the neighbor router;
(4) After the neighbor router receives the encrypted message, it decrypts it with its private key to recover the original message and processes it with the routing engine.
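The confirmation outcomes of steps (10) to (13) and the encrypted transmission flow of Figure 5, as an added example in Go that is not part of the patent or of any product implementing it. It assumes RSA-OAEP as the asymmetric scheme, a 2048-bit key size, and the type and function names used below (`Router`, `DeviceID`, `EncryptFor`, `Decrypt`), none of which appear in the description; the public key storage table is modelled as a map keyed by device-id, and the recipient's device-id is used as the OAEP label so that a message encrypted for one device cannot be decrypted on another.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeviceID is the identifier the centralized authentication center hands
// back with a neighbor's public key (type name assumed for this example).
type DeviceID string

// ErrNeighborNotConfirmed is returned when no confirmed public key exists
// for the neighbor, which is the condition under which step (11) stops sending.
var ErrNeighborNotConfirmed = errors.New("neighbor not confirmed: no public key on record, message not sent")

// Router models one routing device: its own key pair plus the local public
// key storage table, which is only populated after a successful confirmation.
type Router struct {
	ID      DeviceID
	priv    *rsa.PrivateKey
	pubKeys map[DeviceID]*rsa.PublicKey // the "public key storage table"
}

// NewRouter generates the device's key pair. The 2048-bit size is a sample
// parameter chosen for this example; the description does not specify one.
func NewRouter(id DeviceID) (*Router, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Router{ID: id, priv: priv, pubKeys: make(map[DeviceID]*rsa.PublicKey)}, nil
}

// PublicKey is the key the device would register with the authentication center.
func (r *Router) PublicKey() *rsa.PublicKey { return &r.priv.PublicKey }

// OnConfirmSuccess is step (13): record the neighbor's device-id and public key.
func (r *Router) OnConfirmSuccess(neighbor DeviceID, pub *rsa.PublicKey) {
	r.pubKeys[neighbor] = pub
}

// OnConfirmFailure is steps (10)/(11): drop any key held for the neighbor so
// that every later EncryptFor call for it is refused.
func (r *Router) OnConfirmFailure(neighbor DeviceID) {
	delete(r.pubKeys, neighbor)
}

// EncryptFor is steps (1) to (3) of the transmission flow: look the neighbor
// up by device-id and encrypt the original message under its public key.
// The recipient's device-id is used as the OAEP label (a choice of this
// example), so the ciphertext only decrypts on the device it was meant for.
func (r *Router) EncryptFor(neighbor DeviceID, plaintext []byte) ([]byte, error) {
	pub, ok := r.pubKeys[neighbor]
	if !ok {
		return nil, ErrNeighborNotConfirmed
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, []byte(neighbor))
}

// Decrypt is step (4): recover the original message with the private key
// before passing it to the routing engine.
func (r *Router) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, r.priv, ciphertext, []byte(r.ID))
}

// Exchange wires two devices together as in Figure 5: a records b's key after
// confirmation, encrypts a message for b, and b decrypts it.
func Exchange(a, b *Router, msg []byte) ([]byte, error) {
	a.OnConfirmSuccess(b.ID, b.PublicKey())
	ct, err := a.EncryptFor(b.ID, msg)
	if err != nil {
		return nil, err
	}
	return b.Decrypt(ct)
}

func main() {
	a, err := NewRouter("router-A")
	if err != nil {
		panic(err)
	}
	b, err := NewRouter("router-B")
	if err != nil {
		panic(err)
	}
	// Constructed sample routing message; any short byte string works.
	got, err := Exchange(a, b, []byte("route-update: 10.0.1.0/24 via router-A"))
	fmt.Printf("recovered=%q err=%v\n", got, err)
	// No confirmation exists for router-C, so nothing is sent to it.
	_, err = a.EncryptFor("router-C", []byte("hello"))
	fmt.Println("unconfirmed neighbor:", err)
}
```

Running it, the two devices complete the round trip, while `EncryptFor` refuses to produce ciphertext for any device-id that is not in the table; that is how step (11) is enforced here, since a failed confirmation simply removes the key. RSA-OAEP with a 2048-bit key and SHA-256 carries at most 190 bytes of plaintext per operation, so a deployment would normally use the asymmetric step to protect a per-session symmetric key and encrypt the routing messages themselves with that key; the description leaves the choice of asymmetric scheme open.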
It can be seen from the above technical solution that this method adds a mechanism for authenticating newly added routers to the routing protocol, improving the security of every routing device in the domain; it requires the neighbor router to be authenticated and confirmed before messages are transmitted, reducing the risk of leakage in message transmission between routers; and it uses asymmetric encryption to reduce the risk of messages between routers being captured and cracked in transit, greatly improving the security of message transmission between routers.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010123451.XA CN111431858B (en) | 2020-02-27 | 2020-02-27 | Centralized safe transmission and authentication method for routing message |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010123451.XA CN111431858B (en) | 2020-02-27 | 2020-02-27 | Centralized safe transmission and authentication method for routing message |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111431858A CN111431858A (en) | 2020-07-17 |
CN111431858B true CN111431858B (en) | 2022-07-12 |
Family
ID=71547305
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010123451.XA Active CN111431858B (en) | 2020-02-27 | 2020-02-27 | Centralized safe transmission and authentication method for routing message |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111431858B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101060479A (en) * | 2007-05-28 | 2007-10-24 | 广州杰赛科技股份有限公司 | Wireless self-organized network distribution authentication multi-layer tree route method |
CN102594706A (en) * | 2012-03-20 | 2012-07-18 | 南京邮电大学 | Wireless broadband secure routing method for smart home control |
CN104486082A (en) * | 2014-12-15 | 2015-04-01 | 中电长城网际系统应用有限公司 | Authentication method and router |
CN105763517A (en) * | 2014-12-17 | 2016-07-13 | 联芯科技有限公司 | Router security access and control method and system |
CN107249003A (en) * | 2017-07-20 | 2017-10-13 | 电子科技大学 | The access authentication method of Batman adv agreements |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8161283B2 (en) * | 2007-02-28 | 2012-04-17 | Motorola Solutions, Inc. | Method and device for establishing a secure route in a wireless network |
- 2020-02-27 CN CN202010123451.XA patent/CN111431858B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN111431858A (en) | 2020-07-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8205074B2 (en) | Data communication method and data communication system | |
Maughan et al. | Internet security association and key management protocol (ISAKMP) | |
JP4579934B2 (en) | Addressing method and apparatus for establishing a Host Identity Protocol (HIP) connection between a legacy node and a HIP node | |
CN108769292B (en) | Message data processing method and device | |
US20070255784A1 (en) | Communication System for Use in Communication Between Communication Equipment by Using Ip Protocol | |
US20070198837A1 (en) | Establishment of a secure communication | |
US20020124090A1 (en) | Method and apparatus for data communication between a plurality of parties | |
US8650397B2 (en) | Key distribution to a set of routers | |
EP1374533B1 (en) | Facilitating legal interception of ip connections | |
EP1560396A2 (en) | Method and apparatus for handling authentication on IPv6 network | |
JP4962117B2 (en) | Encryption communication processing method and encryption communication processing apparatus | |
RU2009112589A (en) | SECURITY AUTHENTICATION AND KEY MANAGEMENT IN INFRASTRUCTURAL WIRELESS MULTI-STAGED NETWORK | |
US20100325436A1 (en) | Method, system, and device for obtaining keys | |
WO2009082889A1 (en) | A method for internet key exchange negotiation and device, system thereof | |
JP3944182B2 (en) | Security communication method | |
WO2013166696A1 (en) | Data transmission method, system and device | |
US7813509B2 (en) | Key distribution method | |
CN113904809B (en) | Communication method, device, electronic equipment and storage medium | |
KR20180130203A (en) | APPARATUS FOR AUTHENTICATING IoT DEVICE AND METHOD FOR USING THE SAME | |
JP5012173B2 (en) | Encryption communication processing method and encryption communication processing apparatus | |
JP2015065677A (en) | Method and apparatus for interworking authorization of dual stack operation | |
CN111614596B (en) | A remote device control method and system based on IPv6 tunnel technology | |
CN112887278B (en) | Interconnection system and method of private cloud and public cloud | |
WO2009082950A1 (en) | Key distribution method, device and system | |
Maughan et al. | Rfc2408: Internet security association and key management protocol (isakmp) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |