Disclosure of Invention
To address the problems of the prior art, embodiments of the invention provide a network device interconnection authentication method and system.
In a first aspect, the present invention provides a network device interconnection authentication method, including: a first switch periodically sends a first declaration message to a second switch in the local area network; the first declaration message includes a unique identity of the first switch;
the first switch receives an encrypted random number sent by the second switch; the encrypted random number is generated by the second switch encrypting a random number with a first switch public key; the first switch public key is generated based on the unique identity of the first switch;
the first switch decrypts the encrypted random number with a first switch private key and outputs a decrypted random number;
and the first switch sends the decrypted random number to the second switch.
According to the network device interconnection authentication method provided by the present invention, after sending the decrypted random number to the second switch, the method further includes:
generating a group key when the first switch receives an authentication success message sent by the second switch;
and the first switch sending the group key to the second switch, so that the second switch can communicate with the first switch in encrypted form using the group key.
According to the network device interconnection authentication method provided by the present invention, generating the group key includes: generating the group key based on a symmetric key encryption method.
According to the network device interconnection authentication method provided by the invention, the first declaration message contains a source switch identity; after the first switch periodically sends the first declaration message to the second switch in the local area network, the method further includes:
receiving a second declaration message sent by the second switch, wherein the second declaration message does not contain a source switch identity;
and according to the second declaration message, adding the first switch to a switch multicast group, determining the first switch to be the source switch in the switch multicast group, and determining the second switch to be a slave switch in the switch multicast group.
According to the network device interconnection authentication method provided by the invention, the unique identity of the first switch is generated based on the physical address (MAC address) of the network interface card of the first switch.
In a second aspect, the present invention provides a network device interconnection authentication method, including: a second switch receives a first declaration message sent by a first switch; the first declaration message includes a unique identity of the first switch;
generating an encrypted random number according to the unique identity, and sending the encrypted random number to the first switch;
receiving a decrypted random number sent by the first switch; the decrypted random number is generated by the first switch decrypting the encrypted random number with a first switch private key;
and verifying the first switch according to the decrypted random number.
According to the network device interconnection authentication method provided by the invention, the method further includes: sending an authentication success message to the first switch when the verification passes;
receiving a group key sent by the first switch;
and communicating with the first switch in encrypted form using the group key.
The invention also provides a network device interconnection authentication system, which comprises at least one first switch and a plurality of second switches;
the first switch comprises a first processing module, a second processing module, a third processing module and a fourth processing module;
the first processing module is configured to periodically send a first declaration message to a second switch in the local area network; the first declaration message includes a unique identity of the first switch;
the second processing module is configured to receive an encrypted random number sent by the second switch; the encrypted random number is generated by the second switch encrypting a random number with a first switch public key; the first switch public key is generated based on the unique identity of the first switch;
the third processing module is configured to decrypt the encrypted random number with a first switch private key and output a decrypted random number;
and the fourth processing module is configured to send the decrypted random number to the second switch.
The invention also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the steps of any one of the network device interconnection authentication methods.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the network device interconnection authentication method as described in any of the above.
The invention provides a network equipment interconnection authentication method and system,
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The following describes a method and a system for authenticating network device interconnection according to an embodiment of the present invention with reference to Figs. 1 to 6.
Fig. 1 is a schematic flowchart of the network device interconnection authentication method provided by the present invention. As shown in Fig. 1, the method includes, but is not limited to, the following steps:
step S1: the first switch periodically sends a first declaration message to a second switch in the local area network; the first declaration message includes a unique identity of the first switch;
step S2: the first switch receives an encrypted random number sent by the second switch; the encrypted random number is generated by the second switch encrypting a random number with a first switch public key; the first switch public key is generated based on the unique identity of the first switch;
step S3: the first switch decrypts the encrypted random number with a first switch private key and outputs a decrypted random number;
step S4: the first switch sends the decrypted random number to the second switch.
It should be noted that a local area network, in particular a switched local area network, generally contains a plurality of switches; through data exchange between the switches, the switches in the local area network can establish a plurality of concurrent connections among their ports to exchange data within the local area network. The switches in a local area network can be classified into two types, source switches (Master switches) and slave switches (Slave switches); there is at least one Master switch and a plurality of Slave switches.
In the network device interconnection authentication method provided by the present invention, the executing entity is the first switch, which may be defined as the Master switch.
In step S1, the first switch and the second switch each send their own unique identity (CID) in a declaration message (Declare message); the Declare message sent by the first switch additionally carries the identity of the source switch, that is, the Master switch.
Specifically, after a newly accessed switch (the second switch) joins the local area network, the newly accessed switch and the first switch periodically send Declare messages to each other. Each Declare message carries the CID of the sending switch. That is, the first switch sends a first Declare message to the second switch so as to deliver its CID to the second switch; at the same time, the second switch also periodically broadcasts a Declare message to deliver its own CID to the first switch.
The CID is a unique identifier that distinguishes a switch from all other switches.
Further, in step S2, after receiving the CID of the first switch, the second switch generates a public key from the CID of the first switch and a pre-stored public key matrix using the identity-based key technique, encrypts a random number with this public key, and sends the resulting encrypted random number to the first switch.
Further, in step S3, after receiving the encrypted random number from the second switch, the first switch generates the private key corresponding to that public key from its own CID and the private key matrix that corresponds to the public key matrix, and decrypts the encrypted random number with this private key to obtain a decrypted random number.
Further, in step S4, the first switch sends the decrypted random number back to the second switch, so that the second switch can compare the decrypted random number with the random number it encrypted in step S2 and thereby authenticate the first switch. If the decrypted random number equals the random number encrypted in step S2, authentication passes; otherwise, authentication fails.
The network device interconnection authentication method provided by the invention generates the CID of each switch from a unique physical characteristic of the switch and uses the CID to generate the corresponding public and private keys for subsequent authentication of the switches in the local area network. On this basis the group key can be distributed and the information synchronized between switches can be transmitted in encrypted form, which solves the authentication problem of local area network switches and effectively improves the security of data transmission.
Based on the foregoing embodiment, as an optional embodiment, the network device interconnection authentication method provided by the present invention further includes, after sending the decrypted random number to the second switch: generating a group key when the first switch receives an authentication success message sent by the second switch; and the first switch sending the group key to the second switch, so that the second switch can communicate with the first switch in encrypted form using the group key.
Specifically, in the network device interconnection authentication method provided by the present invention, after receiving a Declare message from another Slave switch, the first switch adds the Slave switch that sent the message to the switch multicast group, so that all switches in the local area network can join the multicast group and, at the same time, every switch learns which switch is the Master. Because all the switches form one multicast group, the Master switch only needs to send a single copy of any data it has to deliver to the Slave switches, with the multicast group address as the destination, and every member of the group receives that copy. In addition, in multicast mode only the Slave switches that actually need the information receive it, and other switches do not.
For example, the multicast mode used in the present invention may be static multicast, with the multicast address 01-01-c1-FE-FE-10.
Further, when the Master switch receives the authentication success message sent by the Slave switch, it generates a group key and sends it to the Slave switch. Thus, when relevant information (such as terminal authentication information) needs to be synchronized among all switches of the local area network, it can be transmitted encrypted under the shared group key, which fully ensures the security of data transmission among all switches in the same multicast group.
Based on the foregoing embodiment, as an alternative embodiment, generating the group key includes: generating the group key based on a symmetric key encryption method.
Symmetric key encryption is also called private key encryption or shared key encryption: the sender and the receiver of data must use the same key to encrypt and decrypt the plaintext. The symmetric encryption algorithm used is mainly the Chinese national standard block cipher SM4.
The network device interconnection authentication method provided by the invention generates the group key for a symmetric key encryption method, so that the Master switch and the Slave switches in the same multicast group use one and the same key to encrypt and decrypt the information they exchange, thereby ensuring the security of information exchange within the multicast group.
Based on the foregoing embodiment, as an optional embodiment, the first declaration message contains a source switch identity; after the first switch periodically sends the first declaration message to the second switch in the local area network, the method further includes:
receiving a second declaration message sent by the second switch, wherein the second declaration message does not contain a source switch identity;
and according to the second declaration message, adding the first switch to a switch multicast group, determining the first switch to be the source switch in the switch multicast group, and determining the second switch to be a slave switch in the switch multicast group.
Fig. 2 is a connection topology diagram of the switches in a local area network according to the present invention. As shown in Fig. 2, the switches in a local area network are divided into two types, Master switches and Slave switches. The Master switch is mainly responsible for distributing the group key; there is generally one Master switch (or, in a redundant design, one or more backup Master switches), and each Master switch is connected to a plurality of Slave switches. The network device interconnection authentication method provided by the invention determines the master-slave relationship among the switches by having them send Declare messages to each other.
Specifically, the Declare message sent by the Master switch carries a source switch identity indicating that the sender is the Master switch; in contrast, the Declare message sent by each Slave switch does not contain a source switch identity.
In this way, any two switches can determine the master-slave relationship between them from the Declare message received from the other, and the multicast group is established according to that master-slave relationship.
According to the network device interconnection authentication method provided by the invention, the Master switch, by indicating its own Master identity in the broadcast Declare message, gathers all the switches into the multicast group and lays the foundation for secure information exchange within the multicast group later on.
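The role determination described above, as an added example that is not part of the original patent text: each switch processes the Declare messages it receives and, from the presence or absence of the source switch identity, either learns which switch is the Master (on a Slave) or adds the sender to the multicast group (on the Master). The page gives no wire format, so the message layout (a flags byte, a CID length field and the CID bytes), the CID values and the Python class and function names are assumptions for illustration. The example also records any further source-switch claim separately, which is the check a switch needs when the redundant backup-Master design of Fig. 2 is in use.

```python
import struct

# Constructed Declare message layout (an assumption; the page specifies no wire format):
#   flags      1 byte, bit 0 = source switch identity ("I am the Master")
#   CID length 2 bytes, network byte order
#   CID        CID length bytes
SOURCE_SWITCH_FLAG = 0x01


def pack_declare(cid: bytes, is_source: bool) -> bytes:
    """Build a Declare message; only the Master sets the source switch identity."""
    return struct.pack("!BH", SOURCE_SWITCH_FLAG if is_source else 0, len(cid)) + cid


def unpack_declare(msg: bytes):
    """Parse a Declare message, rejecting truncated or inconsistent input before it is acted on."""
    if len(msg) < 3:
        raise ValueError("truncated Declare message")
    flags, cid_len = struct.unpack("!BH", msg[:3])
    if cid_len == 0 or len(msg) != 3 + cid_len:
        raise ValueError("Declare length field does not match payload")
    return msg[3:], bool(flags & SOURCE_SWITCH_FLAG)


class Switch:
    """Master/Slave role tracking driven only by the Declare messages a switch receives."""

    def __init__(self, cid: bytes, is_master: bool):
        self.cid = cid
        self.is_master = is_master
        self.master_cid = cid if is_master else None   # the CID this switch treats as the Master
        self.group = {cid} if is_master else set()     # multicast group membership, kept by the Master
        self.other_masters = set()                     # further source-switch claims (backup Masters, Fig. 2)

    def declare(self) -> bytes:
        return pack_declare(self.cid, self.is_master)

    def on_declare(self, msg: bytes) -> str:
        peer_cid, peer_is_source = unpack_declare(msg)
        if peer_cid == self.cid:
            return "own-broadcast"
        if peer_is_source:
            if self.master_cid is None:
                self.master_cid = peer_cid           # a Slave learns who the Master is
                return "master-learned"
            if peer_cid != self.master_cid:
                self.other_masters.add(peer_cid)     # a second Master claim is recorded, not silently adopted
                return "additional-master"
            return "master-refreshed"
        if self.is_master:
            self.group.add(peer_cid)                 # Declare without source identity: a Slave joins the group
            return "slave-added"
        return "peer-slave"                          # Slaves do not track one another


def form_group(master_cid: bytes, slave_cids):
    """One round of the periodic Declare exchange; returns the Master's group and each Slave's Master view."""
    master = Switch(master_cid, True)
    slaves = [Switch(c, False) for c in slave_cids]
    for s in slaves:
        s.on_declare(master.declare())
        master.on_declare(s.declare())
    return master.group, [s.master_cid for s in slaves]


if __name__ == "__main__":
    # constructed CIDs
    print(form_group(b"CID-MASTER", [b"CID-S1", b"CID-S2"]))
```

Because the Declare message is broadcast periodically, a switch re-learns the same Master on every round (`master-refreshed`); only a claim from a different CID lands in `other_masters`, where the operator's redundancy policy can decide whether it is a legitimate backup Master.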
Based on the foregoing embodiment, the unique identity of the first switch is generated based on the physical address (MAC address) of the network interface card of the first switch.
The invention provides a method for generating the CID of a switch, including the following steps:
first, the physical address information (MAC) of the network interface card of the switch is acquired.
Since the MAC address of each switch is unique, after the MAC information of a switch has been read, the invention can use a unique identity generation tool to generate the CID of the switch from that MAC information. Alternatively, the MAC information may form part of the CID of the switch.
When the first switch receives a Declare message sent by the second switch, the CID of the first switch may be generated by retrieving a CID suffix file stored in advance in the storage unit.
Further, the IPK key technique may be used, together with the CID of the first switch, to generate the public key file and the private key file corresponding to the first switch directly. After receiving the Declare message sent by the second switch, the first switch sends its CID directly to the second switch.
The IPK (Identity Public Key) technique, also called the IPK identity public key, is a lightweight key system with two characteristics: first, the key data is short; second, authentication does not depend on a center, so authentication is simple and efficient.
The IPK identity key technique used by the invention comprises two parts: in the first switch, the private key file is generated from the private key seed file (that is, the private key matrix) and the switch's own CID; likewise, the public key file is generated from the public key seed file (that is, the public key matrix) and the same CID. Because the public key matrix corresponds to the private key matrix, the public key file and the private key file derived from the same CID correspond to each other as a key pair, and this correspondence is the basis of the switch authentication.
The network device interconnection authentication method provided by the invention generates the CID of the first switch from the MAC information of the switch, thereby ensuring the uniqueness of the CID and the security of the switch authentication.
Fig. 3 is a second schematic flowchart of the network device interconnection authentication method provided by the present invention. As shown in Fig. 3, the method includes, but is not limited to, the following steps:
step S21: the second switch receives a first declaration message sent by the first switch; the first declaration message includes a unique identity of the first switch;
step S22: generating an encrypted random number according to the unique identity, and sending the encrypted random number to the first switch;
step S23: receiving a decrypted random number sent by the first switch; the decrypted random number is generated by the first switch decrypting the encrypted random number with the first switch private key;
step S24: verifying the first switch according to the decrypted random number.
It should be noted that, in this network device interconnection authentication method provided by the present invention, the executing entity is the second switch, i.e. the Slave switch.
Fig. 4 is a signaling interaction diagram of the network device interconnection authentication method provided by the present invention. As shown in Fig. 4, the method mainly includes the following steps:
Declare messages are broadcast between the Master switch and the Slave switch; the Declare message broadcast by the Master switch contains the CID of the Master switch and indicates its Master identity.
After receiving the Declare message of the Master switch, the Slave switch obtains the CID of the Master switch, generates a target public key from that CID and the public key matrix, encrypts a random number with the target public key to produce an encrypted random number, and sends the encrypted random number to the Master switch.
After receiving the encrypted random number sent by the Slave switch, the Master switch decrypts it with the target private key corresponding to the target public key to obtain a decrypted random number, and sends the decrypted random number to the Slave switch.
After receiving the decrypted random number, the Slave switch performs authentication according to the decrypted random number. If authentication passes, the Slave switch joins the multicast group of the Master switch.
Each Slave switch authenticates the Master switch in this way, and all the Slave switches that have passed authentication form a multicast group together with the Master switch.
As described above, the method generates the CID of each switch from a unique physical characteristic of the switch, uses the CID to generate the corresponding public and private keys for authentication of the switches in the local area network, and on that basis distributes the group key and encrypts the information synchronized between switches, which solves the authentication problem of local area network switches and effectively improves the security of data transmission.
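The CID generation and IPK key derivation of the preceding embodiment together with the challenge-response exchange of Fig. 4, as an added example in Python that is neither the patent's own code nor the IPK implementation it relies on. The page names the IPK identity key technique but gives neither its curve nor its matrix format, so this example substitutes a toy combined-key construction: a private key matrix of scalars, a public key matrix of the corresponding points on the standard curve secp256k1, a SHA-256 mapping from the CID to one row per column, and an ECIES-style encryption of the random number under the derived public key. The matrix dimensions, the CID layout (raw MAC bytes followed by a stored suffix), the MAC addresses, the seed and the function names are all assumptions.

```python
import hashlib
import secrets

# secp256k1 parameters; a stand-in, since the page does not name the IPK curve.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demonstration only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

ROWS, COLS = 8, 16   # toy matrix size (assumption; the page gives no dimensions)

def make_key_matrices(seed: bytes):
    """Private key matrix = scalars; public key matrix = the matching points s*G (the two 'seed files')."""
    priv = [[int.from_bytes(hashlib.sha256(seed + bytes([i, j])).digest(), "big") % N or 1
             for j in range(COLS)] for i in range(ROWS)]
    return priv, [[ec_mul(s, G) for s in row] for row in priv]

def cid_from_mac(mac: str, suffix: bytes) -> bytes:
    """CID = 6 raw MAC bytes || pre-stored CID suffix (the page says the MAC may form part of the CID)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    return raw + suffix

def cid_indices(cid: bytes):
    """Map a CID to one row choice per matrix column (SHA-256 is an assumed mapping)."""
    digest = hashlib.sha256(cid).digest()
    return [digest[j] % ROWS for j in range(COLS)]

def private_key(priv_matrix, cid: bytes) -> int:
    return sum(priv_matrix[i][j] for j, i in enumerate(cid_indices(cid))) % N

def public_key(pub_matrix, cid: bytes):
    pt = None
    for j, i in enumerate(cid_indices(cid)):
        pt = ec_add(pt, pub_matrix[i][j])
    return pt   # equals private_key(...) * G by linearity: no contact with a center is needed

def encrypt_nonce(pub, nonce: bytes):
    """ECIES-style: ephemeral k, shared point k*pub, 32-byte pad from its x-coordinate (assumed scheme)."""
    k = secrets.randbelow(N - 1) + 1
    pad = hashlib.sha256(ec_mul(k, pub)[0].to_bytes(32, "big")).digest()
    return ec_mul(k, G), bytes(x ^ y for x, y in zip(nonce, pad))

def decrypt_nonce(d: int, ephemeral, ciphertext: bytes) -> bytes:
    pad = hashlib.sha256(ec_mul(d, ephemeral)[0].to_bytes(32, "big")).digest()
    return bytes(x ^ y for x, y in zip(ciphertext, pad))

def authenticate_master(priv_matrix, pub_matrix, claimed_cid: bytes, responder_cid: bytes) -> bool:
    """Fig. 4 exchange: the Slave challenges the CID it saw in the Declare message; the responder
    can only answer correctly if it holds the private key derived from that same CID."""
    nonce = secrets.token_bytes(32)                                           # Slave picks the random number
    ephemeral, ct = encrypt_nonce(public_key(pub_matrix, claimed_cid), nonce)  # Slave: CID -> public key -> encrypt
    d = private_key(priv_matrix, responder_cid)                               # Master: own CID -> private key
    answer = decrypt_nonce(d, ephemeral, ct)                                  # Master decrypts and returns it
    return secrets.compare_digest(nonce, answer)                              # Slave compares with what it sent

PRIV_MATRIX, PUB_MATRIX = make_key_matrices(b"constructed demo seed")
MASTER_CID = cid_from_mac("00:11:22:33:44:55", b"SW-MASTER")   # constructed MAC and suffix
ROGUE_CID = cid_from_mac("66:77:88:99:AA:BB", b"SW-SLAVE-2")   # constructed MAC and suffix

if __name__ == "__main__":
    print("genuine Master:", authenticate_master(PRIV_MATRIX, PUB_MATRIX, MASTER_CID, MASTER_CID))
    print("impostor announcing the Master CID:", authenticate_master(PRIV_MATRIX, PUB_MATRIX, MASTER_CID, ROGUE_CID))
```

Running the module accepts the genuine Master and rejects a switch that announces the Master's CID without holding the private key for it. Two points follow from the exchange as the page describes it: the Slave authenticates the Master, but the Master does not authenticate the Slave; and a Master that returns the plaintext of whatever ciphertext it is sent under its own public key acts as a decryption oracle for that key, so a deployment should bind the response to the challenge (for example a hash over the random number and the Slave's CID) rather than return the bare random number. The page does not state how the group key is protected when the Master sends it after the authentication success message, so the example stops at the authentication result.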
Further, after verifying the first switch according to the decrypted random number, the method further includes: when the verification passes, sending an authentication success message to the first switch; receiving a group key sent by the first switch; and communicating with the first switch in encrypted form using the group key.
After each Slave switch has completed the authentication of the Master switch, the Master switch generates a group key and sends it to all the Slave switches.
When relevant information (such as terminal authentication information) needs to be synchronized among all switches of the local area network, the information is transmitted encrypted under the group key.
The network device interconnection authentication method provided by the invention builds a multicast group through the authentication of the Master switch by each Slave switch and has the Master switch generate a group key, so that information exchanged among the switches of the whole multicast group is transmitted encrypted under the group key, effectively ensuring the security of the exchanged information.
Fig. 5 is a schematic structural diagram of the network device interconnection authentication system provided by the present invention. As shown in Fig. 5, the system includes at least one first switch and a plurality of second switches; the first switch includes a first processing module 1, a second processing module 2, a third processing module 3 and a fourth processing module 4, wherein:
the first processing module 1 is configured to periodically send a first declaration message to a second switch in the local area network; the first declaration message includes a unique identity of the first switch;
the second processing module 2 is configured to receive an encrypted random number sent by the second switch; the encrypted random number is generated by the second switch encrypting a random number with a first switch public key; the first switch public key is generated based on the unique identity of the first switch;
the third processing module 3 is configured to decrypt the encrypted random number with a first switch private key and output a decrypted random number;
and the fourth processing module 4 is configured to send the decrypted random number to the second switch.
The first switch may be a Master switch, and the second switch may be a Slave switch.
After a newly accessed Slave switch joins the local area network, the Slave switch and the Master switch periodically send Declare messages to each other, each carrying the CID of the sending switch. That is, the first processing module 1 of the first switch sends a first Declare message to the second switch so as to deliver the CID of the first switch to the second switch.
Further, after receiving the CID of the Master switch, the Slave switch generates a public key from the CID of the Master switch and a pre-stored public key matrix using the identity-based key technique, encrypts a random number with this public key, and sends the resulting encrypted random number to the Master switch.
The second processing module 2 receives the encrypted random number sent by the Slave switch and passes it to the third processing module 3. The third processing module 3 generates the private key corresponding to the public key from the CID of the Master switch and the private key matrix that corresponds to the public key matrix, and decrypts the encrypted random number with this private key to obtain a decrypted random number.
Further, the fourth processing module 4 sends the decrypted random number back to the Slave switch, so that the Slave switch can compare it with the random number it encrypted in step S2 and thereby authenticate the Master switch.
The network device interconnection authentication system provided by the invention likewise generates the CID of each switch from a unique physical characteristic of the switch, uses the CID to generate the corresponding public and private keys for authentication of the switches in the local area network, and on that basis distributes the group key and encrypts the information synchronized between switches, which solves the authentication problem of local area network switches and effectively improves the security of data transmission.
It should be noted that, when specifically executed, the network device interconnection authentication system provided in the embodiment of the present invention may be implemented based on the network device interconnection authentication method described in any of the foregoing embodiments, which is not described in detail in this embodiment.
Fig. 6 is a schematic structural diagram of an electronic device provided in the present invention. As shown in Fig. 6, the electronic device may include: a processor 610, a communication interface 620, a memory 630 and a communication bus 640, wherein the processor 610, the communication interface 620 and the memory 630 communicate with each other via the communication bus 640. The processor 610 may invoke logic instructions in the memory 630 to perform a network device interconnection authentication method including: a first switch periodically sends a first declaration message to a second switch in the local area network; the first declaration message includes a unique identity of the first switch; the first switch receives an encrypted random number sent by the second switch; the encrypted random number is generated by the second switch encrypting a random number with a first switch public key; the first switch public key is generated based on the unique identity of the first switch; the first switch decrypts the encrypted random number with a first switch private key and outputs a decrypted random number; and the first switch sends the decrypted random number to the second switch.
In addition, the logic instructions in the memory 630 may be implemented in software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
In another aspect, the present invention also provides a computer program product, which includes a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions which, when executed by a computer, enable the computer to execute the network device interconnection authentication method provided by the above embodiments, the method including: a first switch periodically sends a first declaration message to a second switch in the local area network; the first declaration message includes a unique identity of the first switch; the first switch receives an encrypted random number sent by the second switch; the encrypted random number is generated by the second switch encrypting a random number with a first switch public key; the first switch public key is generated based on the unique identity of the first switch; the first switch decrypts the encrypted random number with a first switch private key and outputs a decrypted random number; and the first switch sends the decrypted random number to the second switch.
In yet another aspect, the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the network device interconnection authentication method provided in the foregoing embodiments, the method including: a first switch periodically sends a first declaration message to a second switch in the local area network; the first declaration message includes a unique identity of the first switch; the first switch receives an encrypted random number sent by the second switch; the encrypted random number is generated by the second switch encrypting a random number with a first switch public key; the first switch public key is generated based on the unique identity of the first switch; the first switch decrypts the encrypted random number with a first switch private key and outputs a decrypted random number; and the first switch sends the decrypted random number to the second switch.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.