CN118827010A - Information transmission method, device, equipment and storage medium - Google Patents
- Publication number: CN118827010A
- Application number: CN202310868916.8A
- Authority: CN (China)
- Prior art keywords: information, identifier, optical module, random number, physical layer
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
All classifications fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):
- H04L9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds (under H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications, network security protocols; H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords; H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords)
- H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L63/00; H04L63/04)
- H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords (under H04L63/00; H04L63/08 Authentication of entities)
- H04L63/16: Implementing security features at a particular protocol layer (under H04L63/00)
- H04L9/0838: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these (under H04L9/00; H04L9/08; H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Optical Communication System (AREA)
Description
Technical Field
The present application relates to the field of wireless communication technology, and in particular to an information transmission method, apparatus, device and storage medium.
Background Art
At present, any device connected to an Ethernet network can receive the transmitted data, which makes network attacks easier to carry out on Ethernet; data encryption, secure communication protocols and physical security enhancements can be adopted to prevent such attacks. Existing network encryption mechanisms include the Transport Layer Security (TLS) protocol, the network-layer Internet Protocol Security (IPSec) protocol and the link-layer Media Access Control Security (MACSec) protocol, which provide security services at different network layers. The physical layer security (PHYSec, Physical Security) protocol is a security encryption technology that operates at the Ethernet physical layer and encrypts and decrypts the physical-layer bit stream. PHYSec can protect all upper-layer protocols and data, conceal traffic characteristics, and offers a very high level of security. In the related art, when devices on an Ethernet network are authenticated, the legitimacy of the optical module cannot be confirmed, which leaves a certain security risk.
Summary of the Invention
In view of this, embodiments of the present application are intended to provide an information transmission method, apparatus, device and storage medium.
The technical solution of the embodiments of the present application is implemented as follows:
An embodiment of the present application provides an information transmission method applied to a first device, the method including:
encrypting a first random number, a second random number, an identifier of the first device and an identifier of a first optical module in the first device to obtain first information;
sending the first information to a second device, wherein the first information is used by the second device to authenticate the first device.
In addition, according to at least one embodiment of the present application, the method further includes:
reading the identifier of the first optical module from a memory of the first optical module in the first device.
In addition, according to at least one embodiment of the present application, encrypting the first random number, the second random number, the identifier of the first device and the identifier of the first optical module in the first device includes:
obtaining a preconfigured shared key;
encrypting, with the shared key, the first random number, the second random number, the identifier of the first device and the identifier of the first optical module in the first device.
In addition, according to at least one embodiment of the present application, the method further includes:
receiving second information, the second information being obtained by the second device encrypting the first random number, an identifier of the second device and an identifier of a second optical module in the second device with a preconfigured shared key;
authenticating the second device based on the second information.
In addition, according to at least one embodiment of the present application, authenticating the second device based on the second information includes:
decrypting, with the preconfigured shared key, the first random number, the identifier of the second device and the identifier of the second optical module in the second device contained in the second information, to obtain the identifier of the second optical module;
determining, according to the identifier of the second optical module, whether the second optical module is legitimate;
when the second optical module is determined to be legitimate, encrypting the first random number, the identifier of the second device and the decrypted identifier of the second optical module with the preconfigured shared key to obtain third information;
comparing the third information with the second information to obtain a comparison result;
when the comparison result indicates that the third information is identical to the second information, determining that the second device is a legitimate device.
In addition, according to at least one embodiment of the present application, the method further includes:
exchanging a first message with the second device;
if the first message sent by the second device is not received within a preset time period, closing the current secure port.
In addition, according to at least one embodiment of the present application, the method further includes:
after the second device passes authentication, obtaining a physical layer link state;
if the physical layer link state is a disconnected state, invalidating the authentication of the legitimacy of the second device;
after the authentication of the second device has been invalidated, obtaining the physical layer link state again;
if the physical layer link state is a connected state, re-authenticating the legitimacy of the second device.
In addition, according to at least one embodiment of the present application, the method further includes:
after the second device passes authentication, obtaining a physical layer link state;
if the physical layer link state is a disconnected state, opening a timing window, and not re-authenticating the legitimacy of the second device within the timing window;
after the timing window ends, obtaining the physical layer link state again;
if the physical layer link state obtained again is a connected state, re-authenticating the legitimacy of the second device, whereupon the timing of the timing window ends;
if the physical layer link state obtained again is a disconnected state, invalidating the authentication of the legitimacy of the second device and opening the next timing window.
An embodiment of the present application provides an information transmission method applied to a second device, the method including:
receiving first information, the first information being obtained by the first device encrypting a first random number, a second random number, an identifier of the first device and an identifier of a first optical module in the first device;
authenticating the first device based on the first information.
In addition, according to at least one embodiment of the present application, authenticating the first device based on the first information includes:
decrypting, with a preconfigured shared key, the first random number, the second random number, the identifier of the first device and the identifier of the first optical module in the first device contained in the first information, to obtain the identifier of the first optical module;
determining, according to the second identifier, whether the first optical module is legitimate;
when the first optical module is determined to be legitimate, encrypting the first random number, the second random number, the identifier of the first device and the decrypted identifier of the first optical module with the preconfigured shared key to obtain fourth information;
comparing the fourth information with the first information to obtain a comparison result;
when the comparison result indicates that the fourth information is identical to the first information, determining that the first device is a legitimate device.
In addition, according to at least one embodiment of the present application, the method further includes:
obtaining a preconfigured shared key;
encrypting, with the shared key, the first random number, the identifier of the second device and the identifier of the second optical module in the second device to obtain second information;
sending the second information to the first device, wherein the second information is used by the first device to authenticate the second device.
In addition, according to at least one embodiment of the present application, the method further includes:
reading the identifier of the second optical module from a memory of the second optical module in the second device.
In addition, according to at least one embodiment of the present application, the method further includes:
exchanging a first message with the first device;
if the first message sent by the first device is not received within a preset time period, closing the current secure port.
In addition, according to at least one embodiment of the present application, the method further includes:
after the first device passes authentication, obtaining a physical layer link state;
if the physical layer link state is a disconnected state, invalidating the authentication of the legitimacy of the first device;
after the authentication of the first device has been invalidated, obtaining the physical layer link state again;
if the physical layer link state is a connected state, re-authenticating the legitimacy of the first device.
In addition, according to at least one embodiment of the present application, the method further includes:
after the first device passes authentication, obtaining a physical layer link state;
if the physical layer link state is a disconnected state, opening a timing window, and not re-authenticating the legitimacy of the first device within the timing window;
after the timing window ends, obtaining the physical layer link state again;
if the physical layer link state obtained again is a connected state, re-authenticating the legitimacy of the first device, whereupon the timing of the timing window ends;
if the physical layer link state obtained again is a disconnected state, invalidating the authentication of the legitimacy of the first device and opening the next timing window.
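The post-authentication supervision described above for both the first-device and the second-device side (keepalive first message with a preset timeout, and the two link-state embodiments: immediate invalidation versus the timing window), as an added example that is not part of the patent. The window length, keepalive timeout, re-authentication callback and link-state samples are constructed parameters; `use_window` selects which embodiment runs.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class PeerSupervisor:
    """Supervises one peer after a successful handshake (constructed model).

    use_window=False: a disconnected link invalidates the authentication at once;
                      the next sample showing the link up triggers re-authentication.
    use_window=True:  a disconnected link opens a timing window; nothing happens
                      inside it; at its end the link is sampled again (up: re-authenticate
                      and end the window; down: invalidate and open the next window).
    """
    reauthenticate: Callable[[], bool]   # runs the handshake again; True on success
    window_len: float                    # timing window length (seconds)
    keepalive_timeout: float             # preset time within which the first message must arrive
    use_window: bool = True
    auth_valid: bool = True
    port_open: bool = True
    window_end: Optional[float] = None
    last_keepalive: float = 0.0
    reauth_count: int = 0
    log: List[Tuple[float, str]] = field(default_factory=list)

    def on_keepalive(self, now: float) -> None:
        """The peer's periodic first message arrived at time `now`."""
        self.last_keepalive = now

    def _run_reauth(self, now: float) -> None:
        self.reauth_count += 1
        self.auth_valid = self.reauthenticate()
        self.log.append((now, "re-authentication " + ("ok" if self.auth_valid else "failed")))

    def on_link_sample(self, now: float, link_up: bool) -> None:
        """Feed one physical-layer link-state sample taken at time `now`."""
        # Keepalive timer: no first message within the preset time -> close the secure port.
        if self.port_open and now - self.last_keepalive > self.keepalive_timeout:
            self.port_open = False
            self.auth_valid = False
            self.log.append((now, "secure port closed: keepalive timeout"))
        if not self.port_open:
            return
        if not self.use_window:
            if self.auth_valid and not link_up:
                self.auth_valid = False
                self.log.append((now, "link down: authentication invalid"))
            elif not self.auth_valid and link_up:
                self._run_reauth(now)
            return
        if self.window_end is None:
            if self.auth_valid and not link_up:
                self.window_end = now + self.window_len
                self.log.append((now, "link down: timing window opened"))
            elif not self.auth_valid and link_up:
                self._run_reauth(now)        # only reached after a failed re-authentication
            return
        if now < self.window_end:
            return                           # inside the window: flaps ignored, no re-auth
        # The window has ended; this sample is the second look at the link state.
        if link_up:
            self.window_end = None
            self._run_reauth(now)
        else:
            self.auth_valid = False
            self.window_end = now + self.window_len
            self.log.append((now, "still down: authentication invalid, next window opened"))


def simulate(use_window: bool) -> PeerSupervisor:
    """Constructed scenario: a flap inside the window, recovery after it, an outage
    spanning two windows, then the peer's keepalives stop."""
    sup = PeerSupervisor(reauthenticate=lambda: True, window_len=5.0,
                         keepalive_timeout=30.0, use_window=use_window)
    samples = [(0, True), (1, False), (2, True), (3, False), (7, True),
               (10, False), (16, False), (22, True)]
    for t, up in samples:
        sup.on_keepalive(t)          # keepalives keep arriving during this phase
        sup.on_link_sample(t, up)
    sup.on_link_sample(60, True)     # no keepalive since t=22: the secure port closes
    return sup


if __name__ == "__main__":
    for mode in (True, False):
        s = simulate(mode)
        print(f"use_window={mode}: re-authentications={s.reauth_count}, port_open={s.port_open}")
        for t, msg in s.log:
            print(f"  t={t:>4}: {msg}")
```

Under the same link flapping the timing-window embodiment re-authenticates twice and the immediate embodiment three times, which is the cost the window is there to avoid.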
An embodiment of the present application provides an information transmission apparatus, including:
a first processing module, configured to encrypt a first random number, a second random number, an identifier of the first device and an identifier of a first optical module in the first device to obtain first information;
a sending module, configured to send the first information to a second device, wherein the first information is used by the second device to authenticate the first device.
An embodiment of the present application provides an information transmission apparatus, including:
a receiving module, configured to receive first information, the first information being obtained by the second device encrypting a first random number, a second random number, an identifier of the first device and an identifier of a first optical module in the first device;
a second processing module, configured to authenticate the first device based on the first information.
At least one embodiment of the present application provides a first device, including a processor and a memory for storing a computer program that can be run on the processor,
wherein the processor is configured, when running the computer program, to execute the steps of any of the methods on the first device side.
At least one embodiment of the present application provides a second device, including a processor and a memory for storing a computer program that can be run on the processor,
wherein the processor is configured, when running the computer program, to execute the steps of any of the methods on the second device side.
The information transmission method, apparatus, device and storage medium provided in the embodiments of the present application encrypt a first random number, a second random number, an identifier of the first device and an identifier of a first optical module in the first device to obtain first information, and send the first information to a second device, wherein the first information is used by the second device to authenticate the first device.
With the technical solution provided in the embodiments of the present application, in the process of authenticating the first device, not only the identifier of the first device but also the unique identifier of the first optical module of the first device is included in the authentication process, which ensures the legitimacy of both the device and the optical module.
Brief Description of the Drawings
FIG. 1 is a first schematic diagram of the implementation flow of an information transmission method according to an embodiment of the present application;
FIG. 2 is a second schematic diagram of the implementation flow of the information transmission method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a system architecture to which the information transmission method according to an embodiment of the present application is applied;
FIG. 4 is a schematic diagram of a specific implementation flow of the information transmission method according to an embodiment of the present application;
FIG. 5 is a schematic diagram of determining whether the peer is online through the physical layer link state according to an embodiment of the present application;
FIG. 6 is a first schematic diagram of the composition of an information transmission apparatus according to an embodiment of the present application;
FIG. 7 is a second schematic diagram of the composition of the information transmission apparatus according to an embodiment of the present application;
FIG. 8 is a schematic diagram of the composition of a first device according to an embodiment of the present application;
FIG. 9 is a schematic diagram of the composition of a second device according to an embodiment of the present application.
Detailed Description
Before the technical solutions of the embodiments of the present application are introduced, the related art is first introduced.
Ethernet is currently used widely in data centers, carrier networks, the industrial Internet, the Internet of Things, automotive Ethernet and other scenarios. Its security bears directly on the production operations of key industries such as telecommunications, energy, transportation, electric power and finance, and a compromise may even threaten human life and national security. Because Ethernet is a shared communication link, any device connected to it can receive the transmitted data, which makes network attacks easier to carry out on Ethernet. With the emergence of 800 Gbps and 1.6 Tbps Ethernet, the amount of data carried by Ethernet links has surged, and the damage and impact of a network attack are correspondingly greater.
For this reason, measures such as data encryption, secure communication protocols and physical security enhancements are needed to prevent eavesdropping attacks.
Existing network encryption mechanisms include TLS at the transport layer, IPSec at the network layer and MACSec at the link layer, which provide security services at different network layers. Physical layer security (PHYSec) is a security encryption technology that operates at the Ethernet physical layer and encrypts and decrypts the physical-layer bit stream. The identity authentication mechanism of PHYSec mainly ensures that the two communicating ends are legitimate Ethernet devices. Traditional Ethernet authentication methods are port-based authentication methods on link-layer devices (such as switches), for example 802.1X and MAC address authentication.
PHYSec is a security encryption technology that operates at the Ethernet physical layer and encrypts and decrypts the physical-layer bit stream. Since the Ethernet frame header at the data link layer and the IP header at the network layer are both part of the payload of the physical-layer bit stream, PHYSec can protect all upper-layer protocols and data, conceal traffic characteristics, and offers a very high level of security.
In the related art, PHYSec identity authentication uses only the information of the communicating device during the authentication process and not the information of the optical module on the interface, so the legitimacy of the optical module cannot be confirmed, which leaves a certain security risk.
On this basis, in the embodiments of the present application, a first random number, a second random number, the identifier of the first device and the identifier of the first optical module in the first device are encrypted to obtain first information, and the first information is sent to a second device, wherein the first information is used by the second device to authenticate the first device.
参见图1,图1是本申请实施例信息传输方法的实现流程示意图,应用于第一设备,所述方法包括步骤101至步骤102:Referring to FIG. 1 , FIG. 1 is a schematic diagram of an implementation flow of an information transmission method according to an embodiment of the present application, which is applied to a first device. The method includes steps 101 to 102:
步骤101:对第一随机数、第二随机数、第一设备的标识和所述第一设备中的第一光模块的标识进行加密,得到第一信息。Step 101: encrypt a first random number, a second random number, an identifier of a first device, and an identifier of a first optical module in the first device to obtain first information.
作为示例,所述第一随机数是所述第一设备生成的。As an example, the first random number is generated by the first device.
作为示例,所述第二随机数是所述第二设备生成的。As an example, the second random number is generated by the second device.
作为示例,在所述第一设备确定所述第一信息之前,所述第二设备可以将生成的第二随机数发送给所述第一设备。As an example, before the first device determines the first information, the second device may send the generated second random number to the first device.
作为示例,可以通过随机函数,生成所述第一随机数和所述第二随机数。其中,所述随机函数可以是RAND()。As an example, the first random number and the second random number may be generated by a random function, wherein the random function may be RAND().
作为示例,所述第一设备的标识可以从所述第一设备的本地存储器中获取。As an example, the identification of the first device may be obtained from a local memory of the first device.
在一些实施例中,所述方法还包括:In some embodiments, the method further comprises:
从所述第一设备中的第一光模块的存储器中读取所述第一光模块的标识。The identifier of the first optical module is read from a memory of the first optical module in the first device.
作为示例,所述存储器可以是指电可擦除编程只读存储器(EEPROM,Electrically-Erasable Programmable Read-Only Memory),但是包括但不限于EEPROM。As an example, the memory may refer to an Electrically-Erasable Programmable Read-Only Memory (EEPROM), but includes but is not limited to EEPROM.
作为示例,所述第一光模块是通信网络中的核心器件。所述第一光模块支持热插拔,可以插入到所述第一设备中进行使用。As an example, the first optical module is a core component in a communication network. The first optical module supports hot plugging and can be inserted into the first device for use.
作为示例,所述第一设备可以通过IIC接口,将存放在所述第一光模块的EEPROM中的第一光模块的标识读取到设备内。As an example, the first device may read the identifier of the first optical module stored in the EEPROM of the first optical module into the device through an IIC interface.
步骤102:将所述第一信息发送给第二设备,其中,所述第一信息用于所述第二设备对所述第一设备进行认证。Step 102: Send the first information to a second device, wherein the first information is used by the second device to authenticate the first device.
在一些实施例中,所述对第一随机数、第二随机数、所述第一设备的标识和所述第一设备中的第一光模块的标识进行加密,包括:In some embodiments, encrypting the first random number, the second random number, the identifier of the first device, and the identifier of the first optical module in the first device includes:
获取预配置的共享密钥;Get the pre-configured shared key;
利用所述共享密钥,对第一随机数、第二随机数、所述第一设备的标识和所述第一设备中的第一光模块的标识进行加密。The shared key is used to encrypt the first random number, the second random number, the identifier of the first device, and the identifier of the first optical module in the first device.
作为示例,所述预配置的共享密钥可以是指PSK。As an example, the preconfigured shared key may refer to PSK.
作为示例,所述第一设备可以向服务器发送第一请求,所述第一请求用于请求获取预配置的共享密钥;所述服务器响应所述第一请求,对所述第一设备进行认证,在所述第一设备通过认证之后,将所述共享密钥配置给所述第一设备。As an example, the first device may send a first request to a server, where the first request is used to request a preconfigured shared key; the server responds to the first request, authenticates the first device, and configures the shared key to the first device after the first device passes the authentication.
其中,所述服务器可以通过随机数生成器生成所述共享密钥,所述服务器可以获取所述第一设备的标识,当本地数据库中存储有所述第一设备的标识时,确定所述第一设备通过认证。The server may generate the shared key by using a random number generator, and the server may obtain the identifier of the first device. When the identifier of the first device is stored in a local database, it is determined that the first device has passed the authentication.
在一些实施例中,所述方法还包括:In some embodiments, the method further comprises:
接收第二信息;所述第二信息是所述第二设备利用预配置的共享密钥对所述第一随机数、所述第二设备的标识和所述第二设备中的第二光模块的标识进行加密得到的;所述第一随机数是所述第一设备生成的;receiving second information; the second information is obtained by encrypting the first random number, the identifier of the second device and the identifier of the second optical module in the second device by the second device using a preconfigured shared key; the first random number is generated by the first device;
基于所述第二信息,对所述第二设备进行认证。Based on the second information, the second device is authenticated.
As an example, before the first device receives the second information sent by the second device, the first device may send the first random number to the second device.
As an example, the first information sent by the first device to the second device is obtained by encrypting the first random number, the second random number, the identifier of the first device and the identifier of the first optical module in the first device, and the second information sent by the second device to the first device is obtained by encrypting the first random number, the identifier of the second device and the identifier of the second optical module in the second device. This prevents another device, in the event of a network attack, from impersonating the second device and sending authentication information to the first device.
As an example, the second device may also obtain the second information by encrypting the second random number, the identifier of the second device and the identifier of the second optical module in the second device with the preconfigured shared key.
As an example, the second device may obtain its own identifier from its local memory and send it to the first device.
As an example, the second device may read the identifier of the second optical module from the memory of the second optical module in the second device.
As an example, the memory may be an EEPROM, but is not limited to an EEPROM.
As an example, the second optical module is a core component of a communication network. It supports hot plugging and can be inserted into the second device for use.
In some embodiments, authenticating the second device based on the second information includes:
decrypting, with the preconfigured shared key, the first random number, the identifier of the second device and the identifier of the second optical module in the second device contained in the second information, to obtain the identifier of the second optical module;
determining, according to the identifier of the second optical module, whether the second optical module is legitimate;
when the second optical module is determined to be legitimate, encrypting the first random number, the identifier of the second device and the decrypted identifier of the second optical module with the preconfigured shared key to obtain third information;
comparing the third information with the second information to obtain a comparison result;
when the comparison result indicates that the third information is identical to the second information, determining that the second device is a legitimate device.
As an example, the first device may locally store the serial number of the second optical module in the second device. After the first device decodes the second information to obtain the identifier of the second optical module, it compares the decoded identifier with the locally stored serial number of the second optical module; if the two are the same, the second optical module is determined to be legitimate, otherwise it is determined to be illegitimate.
As an example, the server may hold a database storing the serial number of the second optical module in the second device. After the first device decodes the second information to obtain the identifier of the second optical module, it may fetch the database from the server and query whether the database contains the decoded identifier; if it does, the second optical module is determined to be legitimate, otherwise it is determined to be illegitimate.
As an example, after the first device decodes the second information to obtain the identifier of the second optical module, it may also send the decoded identifier to the server, and the server queries whether its database contains that identifier. If it does, the server sends the first device indication information indicating that the second optical module is legitimate; otherwise, it sends indication information indicating that the second optical module is illegitimate.
As an example, the first information and the second information may each be a sequence, such as a sequence of 0s and 1s; when the two sequences are the same, the second device is determined to be a legitimate device. Alternatively, the two sequences may each be converted into a corresponding character string, and the second device is determined to be a legitimate device when the two strings are the same.
Here, the encryption algorithm is not restricted as long as it meets the security requirements; for example, the AES-CMAC (Cipher-based Message Authentication Code) algorithm based on the Advanced Encryption Standard (AES) may be used.
Note that when the first device authenticates the second device, not only the identifier of the second device but also the unique identifier of the second optical module of the second device is included in the authentication process, which ensures the legitimacy of both the second device and the second optical module.
In some embodiments, the method further includes:
exchanging a first message with the second device, each side sending the first message to the other;
if the first message sent by the second device is not received within a preset time period, closing the current secure port.
In some embodiments, the method further includes:
after the second device passes authentication, obtaining the physical layer link state;
if the physical layer link state is the disconnected state, invalidating the authentication of the legitimacy of the second device;
after the authentication of the second device has been invalidated, obtaining the physical layer link state again;
if the physical layer link state is the connected state, re-authenticating the legitimacy of the second device.
As an example, the physical layer link state includes a connected state (up) and a disconnected state (down).
In some embodiments, the method further includes:
after the second device passes authentication, obtaining the physical layer link state;
if the physical layer link state is the disconnected state, opening a timing window and not re-authenticating the legitimacy of the second device within the timing window;
after the timing window ends, obtaining the physical layer link state again;
if the physical layer link state obtained again is the connected state, re-authenticating the legitimacy of the second device, the timing of the window then ending;
if the physical layer link state obtained again is the disconnected state, invalidating the authentication of the legitimacy of the second device and opening the next timing window.
The embodiments of the present application have the following advantages:
(1) In authenticating the first device, not only the identifier of the first device but also the unique identifier of the first optical module of the first device is included in the authentication process, which ensures the legitimacy of both the device and the optical module at the same time.
(2) An identity authentication mechanism based on the optical module identifier is one of the key technologies for implementing the PHYSec solution. The PHYSec authentication mechanism incorporates the unique identity (ID) of the optical module into the authentication process, ensuring that both the device and the optical module are legitimate.
Referring to FIG. 2, FIG. 2 is a schematic flowchart of the information transmission method according to an embodiment of the present application, applied to the second device. The method includes steps 201 to 202:
Step 201: Receive first information, where the first information is obtained by the first device encrypting a first random number, a second random number, the identifier of the first device and the identifier of a first optical module in the first device.
As an example, the first random number is generated by the first device.
As an example, the second random number is generated by the second device.
As an example, while the first device is determining the first information, the second device may send the second random number it generated to the first device.
As an example, the first random number and the second random number may be generated by a random function, which may be RAND().
As an example, the first device may obtain its own identifier from its local memory.
As an example, the first device may read the identifier of the first optical module from the memory of the first optical module in the first device.
As an example, the memory may be an EEPROM, but is not limited to an EEPROM.
As an example, the first optical module is a core component of a communication network. It supports hot plugging and can be inserted into the first device for use.
As an example, the first device may read the identifier of the first optical module, stored in the EEPROM of the first optical module, into the device over an IIC (I2C) interface.
As an example, the first device may obtain the preconfigured shared key and use it to encrypt the first random number, the second random number, the identifier of the first device and the identifier of the first optical module in the first device to obtain the first information.
As an example, the preconfigured shared key may be a PSK (pre-shared key).
As an example, the first device may send a first request to a server requesting the preconfigured shared key; in response, the server authenticates the first device and, after the first device passes authentication, configures the shared key on the first device.
Here, the server may generate the shared key with a random number generator. The server may obtain the identifier of the first device and, when that identifier is stored in its local database, determine that the first device has passed authentication.
Step 202: Authenticate the first device based on the first information.
In some embodiments, authenticating the first device based on the first information includes:
decrypting, with the preconfigured shared key, the first random number, the second random number, the identifier of the first device and the identifier of the first optical module in the first device contained in the first information, to obtain the identifier of the first optical module;
determining, according to the second identifier (the identifier of the first optical module obtained by decryption), whether the first optical module is legitimate;
when the first optical module is determined to be legitimate, encrypting the first random number, the second random number, the identifier of the first device and the decrypted identifier of the first optical module with the preconfigured shared key to obtain fourth information;
comparing the fourth information with the first information to obtain a comparison result;
when the comparison result indicates that the fourth information is identical to the first information, determining that the first device is a legitimate device.
As an example, the second device may locally store the serial number of the first optical module in the first device. After the second device decodes the first information to obtain the identifier of the first optical module, it compares the decoded identifier with the locally stored serial number of the first optical module; if the two are the same, the first optical module is determined to be legitimate, otherwise it is determined to be illegitimate.
As an example, the server may hold a database storing the serial number of the first optical module in the first device. After the second device decodes the first information to obtain the identifier of the first optical module, it may fetch the database from the server and query whether the database contains the decoded identifier; if it does, the first optical module is determined to be legitimate, otherwise it is determined to be illegitimate.
As an example, after the second device decodes the first information to obtain the identifier of the first optical module, it may also send the decoded identifier to the server, and the server queries whether its database contains that identifier. If it does, the server sends the second device indication information indicating that the first optical module is legitimate; otherwise, it sends indication information indicating that the first optical module is illegitimate.
Here, the encryption algorithm is not restricted as long as it meets the security requirements; the AES-based AES-CMAC algorithm may be used.
Note that when the second device authenticates the first device, not only the identifier of the first device but also the unique identifier of the first optical module of the first device is included in the authentication process, which ensures the legitimacy of both the first device and the first optical module.
In some embodiments, the method further includes:
obtaining a preconfigured shared key;
encrypting, with the shared key, the first random number, the identifier of the second device and the identifier of the second optical module in the second device to obtain second information, where the first random number is generated by the first device;
sending the second information to the first device, where the second information is used by the first device to authenticate the second device.
As an example, before the first device receives the second information sent by the second device, the first device may send the first random number to the second device.
As an example, the second device may obtain its own identifier from its local memory and send it to the first device.
As an example, the second optical module is a core component of a communication network. It supports hot plugging and can be inserted into the second device for use.
In some embodiments, the method further includes:
reading the identifier of the second optical module from the memory of the second optical module in the second device.
As an example, the memory may be an EEPROM, but is not limited to an EEPROM.
In some embodiments, the method further includes:
exchanging a first message with the first device, each side sending the first message to the other;
if the first message sent by the first device is not received within a preset time period, closing the current secure port.
In some embodiments, the method further includes:
after the first device passes authentication, obtaining the physical layer link state;
if the physical layer link state is the disconnected state, invalidating the authentication of the legitimacy of the first device;
after the authentication of the first device has been invalidated, obtaining the physical layer link state again;
if the physical layer link state is the connected state, re-authenticating the legitimacy of the first device.
As an example, the physical layer link state includes a connected state (up) and a disconnected state (down).
In some embodiments, the method further includes:
after the first device passes authentication, obtaining the physical layer link state;
if the physical layer link state is the disconnected state, opening a timing window and not re-authenticating the legitimacy of the first device within the timing window;
after the timing window ends, obtaining the physical layer link state again;
if the physical layer link state obtained again is the connected state, re-authenticating the legitimacy of the first device, the timing of the window then ending;
if the physical layer link state obtained again is the disconnected state, invalidating the authentication of the legitimacy of the first device and opening the next timing window.
The embodiments of the present application have the following advantages:
(1) In authenticating the first device, not only the identifier of the first device but also the unique identifier of the first optical module of the first device is included in the authentication process, which ensures the legitimacy of both the device and the optical module at the same time.
(2) An identity authentication mechanism based on the optical module identifier is one of the key technologies for implementing the PHYSec solution. The PHYSec authentication mechanism incorporates the unique identity (ID) of the optical module into the authentication process, ensuring that both the device and the optical module are legitimate.
Referring to FIG. 3, FIG. 3 is a schematic diagram of the system architecture to which the information transmission method of an embodiment of the present application is applied. The system includes:
a management system, from which the first device and the second device obtain a preconfigured shared key;
a first device, configured to obtain the preconfigured shared key; encrypt, with the shared key, a first random number, a second random number, the identifier of the first device and the identifier of a first optical module in the first device to obtain first information; and send the first information to a second device;
a second device, configured to receive the first information and authenticate the first device based on the first information.
The second device is further configured to obtain the preconfigured shared key; encrypt, with the shared key, the first random number, the identifier of the second device and the identifier of a second optical module in the second device to obtain second information; and send the second information to the first device.
The first device is further configured to receive the second information and authenticate the second device based on the second information.
Referring to FIG. 4, FIG. 4 is a schematic flowchart of a specific implementation of the information transmission method according to an embodiment of the present application. The method includes steps 401 to 410:
Step 401: The administrator preconfigures the shared key PSK on the two communication devices through the management system.
Step 402: The first device Bob receives a second random number.
Here, the second device Alice generates the second random number and sends it to the first device Bob.
Here, the second random number may be 256 bits long.
Here, the second random number is denoted random number A.
Step 403: After receiving the second random number, the first device Bob generates a first random number locally.
Here, the first random number may be 256 bits long.
Here, the first random number is denoted random value B.
Step 404: The first device Bob reads the identifier of the first optical module from the EEPROM of the first optical module and obtains the identifier of the first device Bob from local memory.
Step 405: The first device Bob uses the preconfigured shared key PSK to perform an encryption operation on the first random number, the second random number, the identifier of the first device Bob and the identifier of the first optical module, obtaining first information.
Here, the first random number is denoted random value B.
Here, the second random number is denoted random number A.
Here, the identifier of the first device, the identifier of the first optical module and the first information are each denoted by a symbol that is not reproduced in this text.
Step 406: The first device Bob sends the first random number, the identifier of the first device Bob and the first information to the second device Alice.
Step 407: The second device Alice receives the first random number, the identifier of the first device Bob and the first information, and authenticates the first device Bob based on them.
Here, the second device Alice authenticating the first device Bob includes the following.
First, after receiving the first information, the second device Alice decrypts the first information with the shared key PSK preconfigured on its own end, obtaining the identifier of the first optical module.
Here, the first information and the identifier of the first optical module are denoted by symbols that are not reproduced in this text.
Second, based on the identifier of the first optical module, Alice determines whether the first optical module is legitimate.
Here, the process of determining whether the first optical module is legitimate has been described above and is not repeated.
Here, the first optical module is denoted optical module B.
Third, if the first optical module is legitimate, Alice encrypts the first random number, the second random number, the identifier Bob of the first device and the decrypted identifier of the first optical module with the preconfigured shared key, obtaining fourth information.
Here, the fourth information is denoted by a symbol that is not reproduced in this text.
Here, the encryption algorithm is not restricted as long as it meets the security requirements; the AES-based AES-CMAC algorithm is recommended.
Finally, the fourth information is compared with the first information to obtain a comparison result.
Here, the computed fourth information is compared with the received first information. If the two differ, the authentication of the first device Bob fails and the authentication procedure is terminated; if they match, the authentication of the first device Bob succeeds.
Step 408: After the second device Alice has successfully authenticated the first device Bob, it uses the preconfigured shared key PSK to perform an encryption operation on the first random number, the identifier of the second device Alice and the identifier of the second optical module, obtaining second information.
Here, the first random number is denoted random value B; it was generated by the first device Bob and sent to the second device Alice.
Here, the identifier of the second device, the identifier of the second optical module and the second information are each denoted by a symbol that is not reproduced in this text.
Here, the encryption algorithm is not restricted as long as it meets the security requirements; the AES-based AES-CMAC algorithm is recommended.
Step 409: The second device Alice sends the identifier of the second device Alice and the second information to the first device Bob.
Step 410: The first device Bob receives the identifier of the second device Alice and the second information, and authenticates the second device Alice based on them.
Here, the first device Bob authenticating the second device Alice includes the following.
First, after receiving the second information, the first device Bob decrypts the second information with the shared key PSK preconfigured on its own end, obtaining the identifier of the second optical module.
Here, the second information and the identifier of the second optical module are denoted by symbols that are not reproduced in this text.
Second, based on the identifier of the second optical module, Bob determines whether the second optical module is legitimate.
Here, the second optical module is denoted optical module A.
Third, if the second optical module is legitimate, Bob encrypts the first random number, the identifier of the second device and the decrypted identifier of the second optical module with the preconfigured shared key, obtaining third information.
Here, the third information is denoted by a symbol that is not reproduced in this text.
Here, the encryption algorithm is not restricted as long as it meets the security requirements; the AES-based AES-CMAC algorithm is recommended.
Finally, the third information is compared with the second information to obtain a comparison result.
Here, the computed third information is compared with the received second information. If the two differ, the authentication of the second device Alice fails and the authentication procedure is terminated; if they match, the authentication of the second device Alice succeeds, and with it the bilateral authentication succeeds.
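The mutual authentication of steps 401 to 410 (and the per-direction checks on the first and second information given in the embodiments above), as an added Python example that is not code from the patent. It uses HMAC-SHA256 from the standard library in place of the recommended AES-CMAC; because a MAC tag cannot be decrypted, it assumes each side sends its optical module identifier alongside the tag and the receiver verifies by recomputing the tag. The module serial-number list, device names and PSK are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for the store of legitimate optical module serial numbers
# (the locally stored serial number or the server database described in the text).
LEGAL_MODULE_IDS = {b"OPTMOD-A-0001", b"OPTMOD-B-0001"}


def mac(psk: bytes, *fields: bytes) -> bytes:
    """Keyed tag over the listed fields under the pre-shared key.

    The text recommends AES-CMAC; HMAC-SHA256 from the standard library stands in
    so the example runs without extra packages (swap this one line for AES-CMAC).
    Each field is length-prefixed so (b"ab", b"c") and (b"a", b"bc") cannot collide.
    """
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(psk, msg, hashlib.sha256).digest()


@dataclass
class Device:
    device_id: bytes   # read from the device's local memory
    module_id: bytes   # read from the optical module's EEPROM (over IIC in the text)
    psk: bytes         # preconfigured by the management system (step 401)


def new_random_number() -> bytes:
    """256-bit random number, as in steps 402 and 403."""
    return secrets.token_bytes(32)


def module_is_legal(module_id: bytes) -> bool:
    """The serial-number check of steps 407/410 against the stored list."""
    return module_id in LEGAL_MODULE_IDS


def first_information(bob: Device, rand_b: bytes, rand_a: bytes) -> bytes:
    """Step 405: tag over (B, A, Bob's device ID, Bob's module ID)."""
    return mac(bob.psk, rand_b, rand_a, bob.device_id, bob.module_id)


def authenticate_first(alice: Device, rand_a: bytes, rand_b: bytes,
                       bob_id: bytes, bob_module_id: bytes, info1: bytes) -> bool:
    """Step 407: reject an unknown module, recompute the fourth information
    and compare it with the received first information in constant time."""
    if not module_is_legal(bob_module_id):
        return False
    info4 = mac(alice.psk, rand_b, rand_a, bob_id, bob_module_id)
    return hmac.compare_digest(info4, info1)


def second_information(alice: Device, rand_b: bytes) -> bytes:
    """Step 408: tag over (B, Alice's device ID, Alice's module ID)."""
    return mac(alice.psk, rand_b, alice.device_id, alice.module_id)


def authenticate_second(bob: Device, rand_b: bytes, alice_id: bytes,
                        alice_module_id: bytes, info2: bytes) -> bool:
    """Step 410: the same check in the other direction (third vs. second information)."""
    if not module_is_legal(alice_module_id):
        return False
    info3 = mac(bob.psk, rand_b, alice_id, alice_module_id)
    return hmac.compare_digest(info3, info2)


def mutual_authentication(bob: Device, alice: Device) -> bool:
    """Steps 402 to 410 end to end; True only if both directions succeed."""
    rand_a = new_random_number()                   # 402: Alice -> Bob
    rand_b = new_random_number()                   # 403: generated by Bob
    info1 = first_information(bob, rand_b, rand_a)
    # 406: Bob sends B, his device ID, his module ID and the first information.
    if not authenticate_first(alice, rand_a, rand_b,
                              bob.device_id, bob.module_id, info1):
        return False
    info2 = second_information(alice, rand_b)
    # 409: Alice sends her device ID, her module ID and the second information.
    return authenticate_second(bob, rand_b, alice.device_id, alice.module_id, info2)


if __name__ == "__main__":
    psk = secrets.token_bytes(32)  # constructed; normally issued by the management system
    bob = Device(b"Bob", b"OPTMOD-B-0001", psk)
    alice = Device(b"Alice", b"OPTMOD-A-0001", psk)
    print("mutual authentication:", mutual_authentication(bob, alice))
    # A device carrying an optical module whose serial number is not on file.
    print("unknown module:", mutual_authentication(Device(b"Bob", b"OPTMOD-X-9", psk), alice))
```

Because both random numbers are bound into the tag, a first information captured under one random number A does not verify under a fresh A, which is the replay point made in the embodiments above.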
Referring to FIG. 5, which is a schematic diagram of determining whether the peer is online through the physical layer link state according to an embodiment of the present application: as shown in FIG. 5, after mutual authentication between the first device and the second device is completed, whether the peer is online is determined through the physical layer link state.
Here, the physical layer link state includes a connected state (up) and a disconnected state (down).
Here, depending on the user's security requirements, the approach of determining the peer's online status from the physical layer link state can offer two modes for customers to choose from flexibly.
The first is the high security mode: after the devices at both ends complete mutual authentication, if the physical layer of a device detects that the link state is disconnected (down), the link has been interrupted for some reason and the current authentication immediately becomes invalid. If the physical layer of the device again detects that the link is in the connected (up) state, the devices at both ends of the link must perform mutual authentication again.
The second is the high usability mode: a timing window is designed with a window period T and an initial state of connected (up). After the devices at both ends complete mutual authentication, when a device detects that the physical layer link state is disconnected (down), a timer starts. No re-authentication is performed within one window period. When a window period T ends, the physical layer link state is checked. If it is still disconnected (down), a new window period starts and the current authentication becomes invalid, but service is not blocked; re-authentication is initiated as soon as the physical layer link state is detected to be connected (up). If the physical layer link state is connected (up), re-authentication starts, the timer stops and the timer is reset. The window period T is configurable.
Here, the authentication protocol can be carried over Ethernet frames (EAPoL) or over a physical layer channel. If Ethernet frames are used, after authentication succeeds the device port must maintain a timer and send a handshake message to the peer at a fixed interval (for example 30 seconds) to keep the port authentication alive. If no handshake message from the peer is received within the configured time (for example 90 seconds), the local device closes the current secure port.
Here, when the authentication protocol is carried over the physical layer channel, the physical layer link state (up/down) can be used directly after successful authentication to determine quickly whether the peer has gone offline, which removes the mechanism in which both ends send handshake messages at fixed intervals after successful authentication to notify the peer that the local end is still online.
This example has the following advantages:
(1) A shared key PSK is preconfigured for the two communicating devices in advance, and each device reads the identifier of its optical module, stored in the EEPROM of the optical module, into the device through the IIC interface. The two devices perform mutual identity authentication based on the EAP authentication framework by exchanging authentication information, which can be the ciphertext obtained by the device encrypting the device ID, the optical module ID and a secure random number with the shared key PSK.
(2) An identity authentication mechanism based on the optical module identifier is proposed: the unique identity identifier (ID) of the optical module is incorporated into the authentication process, and the optical module identifier participates in the encryption and decryption operations, so that the legitimacy of the optical module is ensured together with the legitimacy of the device.
(3) Determining the peer's online status from the physical layer link state can offer multiple modes for customers to choose from flexibly.
High security mode: if the physical layer of a device detects that the physical layer link state is disconnected (down), the current authentication immediately becomes invalid. If the physical layer of the device again detects that the link state is connected (up), the devices at both ends of the link must perform mutual authentication again.
High usability mode: a timing window is designed so that multiple brief link flaps lead to only one re-authentication, without blocking service.
(4) When the authentication protocol is carried over the physical layer channel, whether the physical layer state is connected (up) or disconnected (down) can be used directly after successful authentication to determine quickly whether the peer has gone offline, which removes the mechanism in which both ends send handshake messages at fixed intervals after successful authentication to notify the peer that the local end is still online.
To implement the information transmission method of the embodiments of the present application, an embodiment of the present application further provides an information transmission apparatus arranged in the first device. FIG. 6 is a schematic diagram of the composition of the information transmission apparatus according to an embodiment of the present application. As shown in FIG. 6, the apparatus includes:
a first processing module 61, configured to encrypt a first random number, a second random number, the identifier of the first device and the identifier of a first optical module in the first device to obtain first information;
a sending module 62, configured to send the first information to a second device, where the first information is used by the second device to authenticate the first device.
In one embodiment, the apparatus is further configured to:
read the identifier of the first optical module from a memory of the first optical module in the first device.
In addition, according to at least one embodiment of the present application, encrypting the first random number, the second random number, the identifier of the first device and the identifier of the first optical module in the first device includes:
obtaining a preconfigured shared key;
encrypting the first random number, the second random number, the identifier of the first device and the identifier of the first optical module in the first device with the shared key.
In one embodiment, the apparatus is further configured to:
receive second information, where the second information is obtained by the second device encrypting the first random number, the identifier of the second device and the identifier of a second optical module in the second device with a preconfigured shared key, and the first random number is generated by the first device;
authenticate the second device based on the second information.
In one embodiment, the apparatus is further configured to:
decrypt, with the preconfigured shared key, the first random number, the identifier of the second device and the identifier of the second optical module in the second device contained in the second information, to obtain the identifier of the second optical module;
determine, according to the identifier of the second optical module, whether the second optical module is legitimate;
when the second optical module is determined to be legitimate, encrypt the first random number, the identifier of the second device and the decrypted identifier of the second optical module with the preconfigured shared key to obtain third information;
compare the third information with the second information to obtain a comparison result;
when the comparison result indicates that the third information is identical to the second information, determine that the second device is a legitimate device.
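As an added example (not the patent's own code), the following Python models the mutual authentication exchange described in the method above and in this apparatus: each side binds the random numbers, its device identifier and the identifier read from its optical module's EEPROM into one authentication message keyed with the preconfigured PSK, and the verifier checks the module identifier against its allowlist and recomputes the value before comparing. Assumptions: HMAC-SHA256 stands in for the recommended AES-CMAC (which the standard library lacks); because a MAC cannot be decrypted, the message carries the fields alongside the tag, so the decrypt-then-re-encrypt comparison becomes a recompute-and-compare; the EEPROM layout, device names, PSK and allowlist are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Tuple

# Constructed assumption: the module identifier is a 16-byte serial at a
# fixed offset of the module's EEPROM image (the patent only says the ID is
# read from the EEPROM over the IIC interface, not where it lives).
SERIAL_OFFSET, SERIAL_LEN = 68, 16


def read_module_id(eeprom_image: bytes) -> bytes:
    """Extract the optical module identifier from an EEPROM dump."""
    if len(eeprom_image) < SERIAL_OFFSET + SERIAL_LEN:
        raise ValueError("EEPROM image too short to contain a module identifier")
    return eeprom_image[SERIAL_OFFSET:SERIAL_OFFSET + SERIAL_LEN].rstrip(b" ")


@dataclass(frozen=True)
class Device:
    device_id: bytes
    eeprom_image: bytes          # constructed EEPROM dump of its optical module

    @property
    def module_id(self) -> bytes:
        return read_module_id(self.eeprom_image)


@dataclass(frozen=True)
class AuthInfo:
    """One authentication message: the authenticated fields plus the tag."""
    nonces: Tuple[bytes, ...]    # (R1,) for the second device, (R1, R2) for the first
    device_id: bytes
    module_id: bytes
    tag: bytes


def _encode(nonces, device_id, module_id) -> bytes:
    # Length-prefix every field so that two different field tuples can never
    # serialise to the same byte string (a classic MAC-input pitfall).
    fields = (*nonces, device_id, module_id)
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def _mac(psk: bytes, data: bytes) -> bytes:
    # Stand-in for AES-CMAC keyed with the preconfigured shared key.
    return hmac.new(psk, data, hashlib.sha256).digest()


def build_auth_info(psk: bytes, nonces, device: Device) -> AuthInfo:
    """The device binds the nonces, its ID and its module ID under the PSK."""
    nonces = tuple(nonces)
    tag = _mac(psk, _encode(nonces, device.device_id, device.module_id))
    return AuthInfo(nonces, device.device_id, device.module_id, tag)


def verify_auth_info(psk: bytes, info: AuthInfo, expected_nonces, module_allowlist) -> bool:
    """Verifier side: freshness, module legitimacy, then recompute and compare."""
    # 1. The random numbers must be the ones this side issued or received,
    #    otherwise a captured message could simply be replayed.
    if tuple(info.nonces) != tuple(expected_nonces):
        return False
    # 2. Is the peer's optical module a legitimate one? (patent step: judge
    #    whether the module is legal from its identifier)
    if info.module_id not in module_allowlist:
        return False
    # 3. Recompute the value over the received fields and compare it with the
    #    received one in constant time.
    expected = _mac(psk, _encode(info.nonces, info.device_id, info.module_id))
    return hmac.compare_digest(expected, info.tag)


def mutual_authentication(psk: bytes, first_dev: Device, second_dev: Device,
                          module_allowlist, rng=secrets.token_bytes) -> Tuple[bool, bool]:
    """Run the exchange; returns (first accepts second, second accepts first).

    The first device issues R1; the second device answers with the second
    information over (R1, ID2, MOD2) and its own R2; the first device verifies
    it and answers with the first information over (R1, R2, ID1, MOD1).
    """
    r1 = rng(16)
    r2 = rng(16)
    second_info = build_auth_info(psk, (r1,), second_dev)
    first_accepts = verify_auth_info(psk, second_info, (r1,), module_allowlist)
    if not first_accepts:
        return False, False          # the first device terminates the flow here
    first_info = build_auth_info(psk, (r1, r2), first_dev)
    second_accepts = verify_auth_info(psk, first_info, (r1, r2), module_allowlist)
    return first_accepts, second_accepts


def make_eeprom(serial: bytes) -> bytes:
    """Constructed EEPROM image with the serial written at SERIAL_OFFSET."""
    image = bytearray(256)
    image[SERIAL_OFFSET:SERIAL_OFFSET + SERIAL_LEN] = serial.ljust(SERIAL_LEN, b" ")
    return bytes(image)


if __name__ == "__main__":
    psk = bytes(16)                      # constructed PSK; provision a real one out of band
    bob = Device(b"DEV-BOB", make_eeprom(b"MOD-SN-0001"))
    alice = Device(b"DEV-ALICE", make_eeprom(b"MOD-SN-0002"))
    allow = {b"MOD-SN-0001", b"MOD-SN-0002"}
    print(mutual_authentication(psk, bob, alice, allow))          # (True, True)
    rogue = Device(b"DEV-ALICE", make_eeprom(b"MOD-SN-9999"))     # unknown module
    print(mutual_authentication(psk, bob, rogue, allow))          # (False, False)
```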
In one embodiment, the apparatus is further configured to:
exchange a first message with the second device;
if the first message sent by the second device is not received within a preset time period, close the current secure port.
In one embodiment, the apparatus is further configured to:
after the second device passes authentication, obtain the physical layer link state;
if the physical layer link state is the disconnected state, invalidate the authentication of the legitimacy of the second device;
after the authentication of the second device has been invalidated, obtain the physical layer link state again;
if the physical layer link state is the connected state, re-authenticate the legitimacy of the second device.
In one embodiment, the apparatus is further configured to:
after the second device passes authentication, obtain the physical layer link state;
if the physical layer link state is the disconnected state, open a timing window and do not re-authenticate the legitimacy of the second device within the timing window;
after the timing window ends, obtain the physical layer link state again;
if the physical layer link state obtained again is the connected state, re-authenticate the legitimacy of the second device, and the timing window ends;
if the physical layer link state obtained again is the disconnected state, invalidate the authentication of the legitimacy of the second device and open the next timing window.
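As an added example (not the patent's own code), the following Python drives the two link-state policies described above, the high security mode and the high usability mode with window period T, over a constructed sequence of (time, link state) events, so that the number of re-authentications a burst of link flaps triggers in each mode can be compared. Assumptions: time is a caller-supplied number of seconds, re-authentication is modelled as a counter that always succeeds, and `tick()` is what a periodic timer would call to notice that a window period has ended.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

UP, DOWN = "up", "down"
HIGH_SECURITY, HIGH_USABILITY = "high_security", "high_usability"


@dataclass
class LinkAuthMonitor:
    """Tracks whether the peer's authentication is still valid from the PHY link state."""
    mode: str
    window_t: float = 0.0              # window period T (high usability mode only)
    authenticated: bool = True         # mutual authentication has already completed
    service_blocked: bool = False
    link: str = UP                     # last observed physical layer link state
    window_start: Optional[float] = None   # timer value; None means the timer is stopped
    reauth_count: int = 0

    def reauthenticate(self, now: float) -> None:
        # Constructed model: re-running mutual authentication always succeeds.
        self.reauth_count += 1
        self.authenticated = True
        self.service_blocked = False
        self.window_start = None       # stop and clear the timer

    def on_link_event(self, now: float, state: str) -> None:
        """Called whenever the physical layer reports up or down."""
        if state not in (UP, DOWN):
            raise ValueError(f"unknown link state {state!r}")
        self.link = state
        if self.mode == HIGH_SECURITY:
            if state == DOWN:
                # Link interrupted: the current authentication lapses at once.
                self.authenticated = False
                self.service_blocked = True
            elif not self.authenticated:
                # Link back up after a lapse: both ends must authenticate again.
                self.reauthenticate(now)
            return
        if self.mode != HIGH_USABILITY:
            raise ValueError(f"unknown mode {self.mode!r}")
        if state == DOWN and self.window_start is None and self.authenticated:
            self.window_start = now    # first down event starts the window timer
        elif state == UP and not self.authenticated:
            # Authentication already lapsed in an earlier window: re-authenticate
            # as soon as the link is seen up again.
            self.reauthenticate(now)
        self.tick(now)

    def tick(self, now: float) -> None:
        """Periodic timer check; decides what happens when a window period ends."""
        if self.mode != HIGH_USABILITY or self.window_start is None:
            return
        if now - self.window_start < self.window_t:
            return                     # inside the window: no re-authentication yet
        if self.link == UP:
            self.reauthenticate(now)   # link is back: one re-auth covers every flap
        else:
            # Still down at the end of the window: authentication becomes invalid
            # but service is not blocked, and a new window round starts.
            self.authenticated = False
            self.service_blocked = False
            self.window_start = now


def simulate(mode: str, events: Iterable[Tuple[float, str]],
             window_t: float = 0.0, end_time: Optional[float] = None) -> LinkAuthMonitor:
    """Replay (time, state) events through a monitor and return its final state."""
    monitor = LinkAuthMonitor(mode, window_t)
    for now, state in events:
        monitor.on_link_event(now, state)
    if end_time is not None:
        monitor.tick(end_time)
    return monitor


if __name__ == "__main__":
    # Constructed trace: two brief flaps within a 10 s window, checked again at t=11.
    flaps = [(1, DOWN), (2, UP), (3, DOWN), (4, UP)]
    strict = simulate(HIGH_SECURITY, flaps)
    lenient = simulate(HIGH_USABILITY, flaps, window_t=10, end_time=11)
    print("high security re-auths:", strict.reauth_count)      # 2
    print("high usability re-auths:", lenient.reauth_count)    # 1
```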
In actual application, the sending unit 62 can be implemented by a communication interface in the information transmission apparatus, and the first processing unit 61 can be implemented by a processor in the information transmission apparatus.
It should be noted that when the information transmission apparatus provided in the above embodiment performs information transmission, the division into the above program modules is only an example. In actual application, the above processing can be assigned to different program modules as needed, that is, the internal structure of the apparatus can be divided into different program modules to complete all or part of the processing described above. In addition, the information transmission apparatus provided in the above embodiment and the information transmission method embodiment belong to the same concept; for the specific implementation process, see the method embodiment, which is not repeated here.
To implement the information transmission method of the embodiments of the present application, an embodiment of the present application further provides an information transmission apparatus arranged in the second device. FIG. 7 is a schematic diagram of the composition of the information transmission apparatus according to an embodiment of the present application. As shown in FIG. 7, the apparatus includes:
a receiving module 71, configured to receive first information, where the first information is obtained by the second device encrypting a first random number, a second random number, the identifier of the first device and the identifier of a first optical module in the first device;
a second processing module 72, configured to authenticate the first device based on the first information.
In one embodiment, the second processing module 72 is configured to:
decrypt, with a preconfigured shared key, the first random number, the second random number, the identifier of the first device and the identifier of the first optical module in the first device contained in the first information, to obtain the identifier of the first optical module;
determine, according to the second identifier, whether the first optical module is legitimate;
when the first optical module is determined to be legitimate, encrypt the first random number, the second random number, the identifier of the first device and the decrypted identifier of the first optical module with the preconfigured shared key to obtain fourth information;
compare the fourth information with the first information to obtain a comparison result;
when the comparison result indicates that the fourth information is identical to the first information, determine that the first device is a legitimate device.
In one embodiment, the apparatus is further configured to:
obtain a preconfigured shared key;
encrypt the first random number, the identifier of the second device and the identifier of a second optical module in the second device with the shared key to obtain second information, where the first random number is generated by the first device;
send the second information to the first device, where the second information is used by the first device to authenticate the second device.
In one embodiment, the apparatus is further configured to:
read the identifier of the second optical module from a memory of the second optical module in the second device.
In one embodiment, the method further includes:
exchanging a first message with the first device;
if the first message sent by the first device is not received within a preset time period, closing the current secure port.
In one embodiment, the apparatus is further configured to:
after the first device passes authentication, obtain the physical layer link state;
if the physical layer link state is the disconnected state, invalidate the authentication of the legitimacy of the first device;
after the authentication of the first device has been invalidated, obtain the physical layer link state again;
if the physical layer link state is the connected state, re-authenticate the legitimacy of the first device.
In one embodiment, the apparatus is further configured to:
after the first device passes authentication, obtain the physical layer link state;
if the physical layer link state is the disconnected state, open a timing window and do not re-authenticate the legitimacy of the first device within the timing window;
after the timing window ends, obtain the physical layer link state again;
if the physical layer link state obtained again is the connected state, re-authenticate the legitimacy of the first device, and the timing window ends;
if the physical layer link state obtained again is the disconnected state, invalidate the authentication of the legitimacy of the first device and open the next timing window.
In actual application, the receiving unit 71 can be implemented by a communication interface in the information transmission apparatus, and the second processing unit 72 can be implemented by a processor in the information transmission apparatus.
It should be noted that when the information transmission apparatus provided in the above embodiment performs information transmission, the division into the above program modules is only an example. In actual application, the above processing can be assigned to different program modules as needed, that is, the internal structure of the apparatus can be divided into different program modules to complete all or part of the processing described above. In addition, the information transmission apparatus provided in the above embodiment and the information transmission method embodiment belong to the same concept; for the specific implementation process, see the method embodiment, which is not repeated here.
An embodiment of the present application further provides a first device, as shown in FIG. 8, including:
a first communication interface 81, capable of exchanging information with other first devices;
a first processor 82, connected to the first communication interface 81 and configured, when running a computer program, to execute the method provided by one or more of the above technical solutions on the first device side. The computer program is stored in a first memory 83.
It should be noted that the specific processing of the first processor 82 and the first communication interface 81 is detailed in the method embodiment and is not repeated here.
Of course, in actual application, the components in the first device 80 are coupled together through a bus system 84. It can be understood that the bus system 84 is used to implement connection and communication between these components. In addition to a data bus, the bus system 84 also includes a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all labelled as the bus system 84 in FIG. 8.
The first memory 83 in the embodiment of the present application is used to store various types of data to support the operation of the first device 80. Examples of such data include any computer program for operating on the first device 80.
The method disclosed in the above embodiments of the present application can be applied to, or implemented by, the first processor 82. The first processor 82 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method can be completed by integrated logic circuits of hardware in the first processor 82 or by instructions in the form of software. The first processor 82 may be a general-purpose processor, a digital signal processor (DSP), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The first processor 82 can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present application can be embodied directly as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software module can be located in a storage medium, which is located in the first memory 83; the first processor 82 reads the information in the first memory 83 and completes the steps of the above method in combination with its hardware.
An embodiment of the present application further provides a second device, as shown in FIG. 9, including:
a second communication interface 91, capable of exchanging information with other first devices;
a second processor 92, connected to the second communication interface 91 and configured, when running a computer program, to execute the method provided by one or more of the above technical solutions on the second device side. The computer program is stored in a second memory 93.
It should be noted that the specific processing of the second processor 92 and the second communication interface 91 is detailed in the method embodiment and is not repeated here.
Of course, in actual application, the components in the second device 90 are coupled together through a bus system 94. It can be understood that the bus system 94 is used to implement connection and communication between these components. In addition to a data bus, the bus system 94 also includes a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all labelled as the bus system 94 in FIG. 9.
The second memory 93 in the embodiment of the present application is used to store various types of data to support the operation of the second device 90. Examples of such data include any computer program for operating on the second device 90.
The method disclosed in the above embodiments of the present application can be applied to, or implemented by, the second processor 92. The second processor 92 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method can be completed by integrated logic circuits of hardware in the second processor 92 or by instructions in the form of software. The second processor 92 may be a general-purpose processor, a digital signal processor (DSP), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The second processor 92 can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present application can be embodied directly as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software module can be located in a storage medium, which is located in the second memory 93; the second processor 92 reads the information in the second memory 93 and completes the steps of the above method in combination with its hardware.
In an exemplary embodiment, the first device 80 and the second device 90 can be implemented by one or more application specific integrated circuits (ASIC), DSPs, programmable logic devices (PLD), complex programmable logic devices (CPLD), field-programmable gate arrays (FPGA), general-purpose processors, controllers, microcontrollers (MCU), microprocessors or other electronic components, for executing the above method.
It can be understood that the memories (first memory 83, second memory 93) of the embodiments of the present application can be volatile memory or non-volatile memory, or can include both volatile and non-volatile memory. The non-volatile memory can be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a ferromagnetic random access memory (FRAM), a flash memory, a magnetic surface memory, an optical disc or a compact disc read-only memory (CD-ROM); the magnetic surface memory can be a magnetic disk memory or a magnetic tape memory. The volatile memory can be a random access memory (RAM), which is used as an external cache. By way of example but not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), SyncLink dynamic random access memory (SLDRAM) and direct Rambus random access memory (DRRAM). The memories described in the embodiments of the present application are intended to include, but are not limited to, these and any other suitable types of memory.
In an exemplary embodiment, an embodiment of the present application further provides a storage medium, namely a computer storage medium, specifically a computer-readable storage medium, for example a memory storing a computer program, where the computer program can be executed by the first processor 82 of the first device 80 to complete the steps of the above method on the first device side. The computer-readable storage medium can be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disc or CD-ROM.
It should be noted that "first", "second" and the like are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence.
In addition, the technical solutions described in the embodiments of the present application can be combined arbitrarily provided there is no conflict.
The above description is only of preferred embodiments of the present application and is not intended to limit the protection scope of the present application.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310868916.8A CN118827010A (en) | 2023-07-14 | 2023-07-14 | Information transmission method, device, equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118827010A true CN118827010A (en) | 2024-10-22 |
Family
ID=93071824
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||