CN112487465B - Cross-network dynamic service flow verification method, system, storage medium and computing device - Google Patents

Info

Publication number: CN112487465B
Authority: CN (China)
Prior art keywords: service, node, service flow, network, verification
Legal status (as listed by Google Patents, not a legal conclusion): Active
Application number: CN202011477233.2A
Other languages: Chinese (zh)
Other versions: CN112487465A
Inventors: 桂小林, 杜天骄, 滕晓宇, 向泳安
Current assignee (as listed): Xian Jiaotong University
Original assignee: Xian Jiaotong University
Application filed by Xian Jiaotong University; priority to CN202011477233.2A; published as CN112487465A; application granted and published as CN112487465B; legal status active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L1/00 Arrangements for detecting or preventing errors in the information received
    • H04L1/12 Arrangements for detecting or preventing errors in the information received by using return channel
    • H04L1/16 Arrangements for detecting or preventing errors in the information received by using return channel in which the return channel carries supervisory signals, e.g. repetition request signals
    • H04L1/18 Automatic repetition systems, e.g. Van Duuren systems
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The invention discloses a cross-network dynamic service flow verification method, system, storage medium and computing device. Node address information and the node's public key are uploaded to a blockchain through a PBFT (Practical Byzantine Fault Tolerance) consensus mechanism, realizing node network-access application and distributed key storage oriented to self-signed certificates. For the service request behaviour of a node, the distributed verification nodes, based on the blockchain consensus mechanism, verify the node identity, generate a service sequence number, store the service digest on-chain and return a service flow permission, so that the cross-network service request is recorded on-chain. For the in-order service completion requirement of a cross-network service flow, a service completion identifier mechanism uploads real-time service and processing-node information to the blockchain, so that service continuity is verified effectively. For the case where a cross-network service is tampered with in transit, historical routing path tracking is used to mine the malicious network segment that may exist on the service flow's transmission path, and identifying the bad routing node during retransmission reduces the possibility that the malicious segment tampers with the service flow again.

Description

Cross-network dynamic service flow verification method, system, storage medium and computing device
Technical Field
The invention belongs to the technical field of network security and communication, and in particular relates to a cross-network dynamic service flow verification method, system, storage medium and computing device.
Background
As the number of network-access nodes grows, the traditional CA-centre-based authentication model, because of its centralized trust dependence, suffers from bottlenecks in cross-network secure transmission efficiency and from insufficient flexibility. In addition, since a cross-network service flow passes through several heterogeneous networks, the complexity and uncontrollable security of those networks inevitably threaten the reliability of network nodes, the ordering of service flow scheduling and data privacy. It therefore becomes important to design a consensus-based cross-network dynamic service flow verification technology that guarantees reliability, so as to ensure the confidentiality of service data, the ordering of cross-network service execution and the reliability of service flow verification.
In general, the main causes of the inefficiency and low reliability of cross-network service flow authentication fall into three aspects. First, as more and more nodes rely on a centralized CA authentication mechanism for network access, the CA centre must provide a great deal of authentication computing power, and its centralized storage is easily attacked, leaking the CA centre's key, so that an attacker can use the CA signing key to forge certificates and compromise the security of the whole network. Second, owing to the complex diversity of network services, existing cross-network communication mechanisms lack effective verification of the ordering and safety of service flows. Finally, owing to the complexity of heterogeneous networks, existing cross-network service flow techniques cannot effectively prevent a retransmitted service flow from crossing the same unsafe routing segments as before, so the effective transmission and processing of cross-network services hits an efficiency bottleneck.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide, in view of the deficiencies of the prior art, a cross-network dynamic service flow verification method, system, storage medium and computing device. They comprise a distributed key storage module for node network-access application and self-signed certificates, a blockchain-based node service request accounting module, a node service flow transmission and verification module, a cross-network service route tracking and service retransmission module and other sub-modules, forming a new cross-network service flow verification and scheduling architecture, so that the safety, continuity and verifiability of cross-network service flow scheduling are improved, the service efficiency of the network is ensured and the user's service experience is improved.
The invention adopts the following technical scheme:
A cross-network dynamic service flow verification method comprises the following steps:
S1, a new network-access node in the integrated converged network generates a self-signed certificate and sends it to the distributed verification nodes to apply for network access; after verifying the node's identity information, the distributed verification nodes store the IP address, MAC address and public key of the new node in the blockchain Trfchain;
S2, a service request node in the integrated converged network hashes the encrypted service request information with SHA-256 and uploads the hash together with its self-signed certificate to the distributed verification nodes; after verifying the node's self-signed certificate with its public key, the distributed verification nodes upload the corresponding service flow to the blockchain Trfchain and return a service flow execution permission and a service flow number to the request node;
S3, after receiving the execution permission and the service flow number, the service request node transmits the service flow into the network, and each router the flow passes through adds its own IP address to the option field of the IP datagram header as a routing record; a node that needs to complete a service uploads the service flow information to the distributed verification nodes, which retrieve the corresponding service flow history from the blockchain Trfchain and compare it with the received service flow request packet; the current node then completes its local service, appends a service completion identifier to the tail of the request packet's data segment, and finally the service information is uploaded to the blockchain Trfchain;
and S4, when the service request is found to have been tampered with, the last service node that completed its service and the routing nodes through which the tampered data passed are notified in turn, realizing cross-network dynamic service flow verification.
Specifically, step S1 comprises:
S101, the new network-access node locally generates an asymmetric key pair and a self-signed certificate, the self-signed certificate comprising two parts: the certificate information and the self-signature;
S102, the new network-access node uploads the self-signed certificate together with its public key $P_e$ to the distributed verification nodes; the distributed verification nodes verify the certificate information of the new node through the PBFT algorithm, decrypt the node's self-signature with $P_e$ to obtain $P_e(C_s)'$, and at the same time digest the certificate information $C_m$ with SHA-256 to obtain $H(C_m)$; the node's identity is verified by comparing $P_e(C_s)'$ with $H(C_m)$: if they are equal the new node passes identity verification, otherwise it fails;
S103, the distributed verification nodes generate a node identity block $B_{id}$ from the information and public key of the new node that passed identity verification and upload it to the blockchain Trfchain.
Further, the certificate information $C_m$ comprises the new node's public key $P_e$, node IP address, node MAC address, node identity information and certificate validity time; the self-signature $C_s$ is the signature obtained by hashing the plaintext $C_m$ with SHA-256 and encrypting the digest with the private key $P_d$. The block $B_{id}$ comprises: block number, block type, hash of the previous block, hash of the current block, MAC address of the new node, IP address of the new node and public key $P_e$ of the new node.
Specifically, step S2 comprises:
S201, the service flow request node uploads the source IP, destination IP, source port and destination port of the requested service flow and the SHA-256 hash of the encrypted data segment of the service flow request packet, together with its self-signed certificate, to the distributed verification nodes; the verification nodes retrieve the public key $P_e$ of the request node from the blockchain Trfchain by the node's MAC address and verify the self-signed certificate;
S202, after the distributed verification nodes generate a unique service sequence number for the service flow information, they take the hash of the encrypted service information as the service bill, generate a service block $B_{trf}$ and upload it to the blockchain Trfchain; the block $B_{trf}$ comprises: block number, block type, hash of the previous block, hash of the current block, service flow sequence number, source IP, destination IP, source port, destination port and hash of the encrypted data segment of the service flow request packet; the distributed verification nodes then return the service flow sequence number and the service flow execution permission to the request node.
Specifically, step S3 comprises:
S301, after receiving the execution permission and the service flow sequence number, the service request node encrypts the data segment and transmits the service flow into the network, and each routing node the flow passes through adds its IP address to the option field of the IP datagram header as a routing record; when the service flow reaches a node that needs to complete a service, that node asks the distributed verification nodes to look up the historical on-chain data of the flow in the blockchain Trfchain by the service sequence number, receives the result and compares it with the received service flow request packet to check whether the service information has been tampered with; if it is determined not to have been tampered with, proceed to step S302, and if tampering is found, proceed to step S4;
S302, once the service information is determined not to have been tampered with, the node for the current service checks the service completion identifiers at the tail of the data segment; after confirming that the services required before the current one have been completed, the current node completes its local service, appends its service completion identifier to the tail of the request packet's data segment, finally uploads the updated service request block $B_{rtrf}$ to Trfchain, and forwards the service flow onward in the network.
Further, the block $B_{rtrf}$ comprises: block number, hash of the previous block, hash of the current block, IP address of the current service node, service flow sequence number, source IP, destination IP, source port, destination port and hash of the encrypted, updated data segment of the service flow request packet.
Specifically, step S4 comprises:
when a service request is found to have been tampered with, or a service required before the current one has not been completed, the current service node obtains the historical routing path from the option field of the current IP datagram header and sends an anomaly warning together with the historical routing path to the distributed verification nodes; the distributed verification nodes retrieve the past service request blocks $B_{trf}$ and $B_{rtrf}$ of the flow by the service flow sequence number in the warning, and the last node that executed a service appends the IP addresses of the threatening routing nodes to the tail of the service request packet's data segment and retransmits the service; subsequent forwarding nodes avoid the corresponding routing path by checking the abnormal routing nodes listed at the tail of the packet.
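The following is an added illustration of steps S3 and S4, not code from the patent: every hop records its IP in the header option field, a service node compares the received data segment with the flow's latest on-chain digest before completing its service and checking the completion identifiers of the services that must precede it, and when tampering is detected the hops traversed since the last node with a matching $B_{rtrf}$ record are treated as the suspect segment, listed at the tail of the data segment by that last good node, and avoided when the retransmission is routed. The addresses, the packet layout, the path table and the assumption that service nodes also append themselves to the route record are constructed for the example; the ledger is a plain hash-linked list standing in for Trfchain, and the last good node re-records the updated segment digest so that downstream checks compare against it.

```python
"""Added illustration (not the patent's code) of steps S301-S302 and S4.
Addresses, packet layout and candidate paths are constructed; the ledger is a
plain hash-linked list standing in for Trfchain."""
import copy
import hashlib
import json


def digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def chain_append(chain, block):
    # Minimal stand-in for a Trfchain block: previous-hash link plus own hash.
    block["prev_hash"] = chain[-1]["hash"] if chain else "0" * 64
    block["hash"] = digest(block)
    chain.append(block)
    return block


def latest_record(chain, seq):
    records = [b for b in chain if b.get("seq") == seq]
    return records[-1] if records else None


def make_flow_packet(seq, src_ip, dst_ip, ciphertext):
    # 'segment' models the encrypted data segment; 'completed' and 'avoid' are the
    # tail markers the patent appends (completion identifiers, threatening hop IPs).
    return {"seq": seq, "src_ip": src_ip, "dst_ip": dst_ip, "route_record": [],
            "segment": {"payload": ciphertext, "completed": [], "avoid": []}}


def forward(packet, hop_ip, tamper_with=None):
    # Every hop (routers and, by assumption, service nodes) appends its IP to the
    # header option field; a bad hop is modelled by rewriting the payload.
    packet["route_record"].append(hop_ip)
    if tamper_with is not None:
        packet["segment"]["payload"] = tamper_with
    return packet


class ServiceNode:
    def __init__(self, ip, required_before=()):
        self.ip, self.required_before, self.sent = ip, tuple(required_before), None

    def process(self, packet, chain):
        forward(packet, self.ip)
        record = latest_record(chain, packet["seq"])
        if record is None:
            return "no_permit", []          # flow never accounted on-chain
        # S301: compare the received segment with the flow's latest on-chain digest.
        if digest(packet["segment"]) != record["segment_hash"]:
            return "tampered", packet["route_record"]
        # S302: every required earlier service must have left its completion mark.
        missing = [s for s in self.required_before if s not in packet["segment"]["completed"]]
        if missing:
            return "out_of_order", missing
        packet["segment"]["completed"].append(self.ip)
        chain_append(chain, {"type": "service_update", "seq": packet["seq"],   # B_rtrf
                             "node_ip": self.ip, "segment_hash": digest(packet["segment"])})
        self.sent = copy.deepcopy(packet)   # clean copy kept for retransmission
        return "ok", packet


def mine_suspect_hops(chain, seq, route_record, reporter_ip):
    # S4: hops traversed after the last node whose B_rtrf is on-chain, up to the
    # node that raised the warning, form the suspect network segment.
    updates = [b for b in chain if b.get("seq") == seq and b["type"] == "service_update"]
    hops = [h for h in route_record if h != reporter_ip]
    if updates and updates[-1]["node_ip"] in hops:
        hops = hops[hops.index(updates[-1]["node_ip"]) + 1:]
    return hops


def retransmit(last_good_node, suspects, chain):
    # The last node that completed a service resends its clean copy with the
    # suspect hop IPs at the tail of the segment and re-records the new digest.
    packet = copy.deepcopy(last_good_node.sent)
    packet["segment"]["avoid"] = sorted(set(packet["segment"]["avoid"]) | set(suspects))
    chain_append(chain, {"type": "service_update", "seq": packet["seq"],
                         "node_ip": last_good_node.ip, "segment_hash": digest(packet["segment"])})
    return packet


def choose_path(candidate_paths, packet):
    # A forwarding node picks the first path that touches no listed hop.
    avoid = set(packet["segment"]["avoid"])
    return next((p for p in candidate_paths if not avoid & set(p)), None)


def run_scenario():
    chain = []
    pkt = make_flow_packet(1, "10.1.0.2", "10.3.0.9", "ct:constructed")
    chain_append(chain, {"type": "service", "seq": 1, "segment_hash": digest(pkt["segment"])})  # B_trf
    node_a = ServiceNode("10.1.0.20")
    node_b = ServiceNode("10.2.0.20", required_before=["10.1.0.20"])
    forward(pkt, "10.1.0.1")
    first, _ = node_a.process(pkt, chain)
    forward(pkt, "10.2.0.1")
    forward(pkt, "10.2.0.7", tamper_with="ct:modified-in-transit")
    second, path = node_b.process(pkt, chain)
    suspects = mine_suspect_hops(chain, 1, path, node_b.ip)
    retry = retransmit(node_a, suspects, chain)
    route = choose_path([["10.2.0.1", "10.2.0.7"], ["10.2.0.3", "10.2.0.8"]], retry)
    for hop in route:
        forward(retry, hop)
    third, _ = node_b.process(retry, chain)
    return {"first": first, "second": second, "suspects": suspects,
            "route": route, "third": third, "chain": chain}
```

`run_scenario()` walks one flow through two service nodes: the first pass is tampered with between them, the suspect hops `10.2.0.1` and `10.2.0.7` are mined from the route record, and the retransmission from the first node is routed over the clean path and accepted by the second node, leaving four linked records (the original $B_{trf}$ plus three updates) on the list.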
Another technical solution of the present invention is a cross-network dynamic service flow verification system, comprising:
a distributed key storage module for node network-access application and self-signed certificates, which performs distributed verification of the cross-network node's self-signed certificate and blockchain-based distributed storage of the node's key;
a blockchain-based node service request accounting module, in which the distributed verification nodes, for the service request behaviour of a node and based on the blockchain consensus mechanism, verify the node identity, generate the service sequence number, store the service digest on-chain and return the service flow permission, so that the cross-network service request is recorded on-chain;
a node service flow transmission and verification module, which uploads real-time service and processing-node information to the blockchain through a service completion identifier mechanism, so that service continuity is verified effectively;
a cross-network service route tracking and service retransmission module, which, for the case where a cross-network service is tampered with in transit, uses historical routing path tracking to mine the malicious network segment present on the transmission path and, by identifying the bad routing node during retransmission, reduces the possibility that the malicious segment tampers with the service flow again.
Another aspect of the invention is a computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a computing device, cause the computing device to perform any of the methods described.
Another aspect of the present invention is a computing device, including:
one or more processors, memory, and one or more programs stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for performing any of the methods.
Compared with the prior art, the invention has at least the following beneficial effects:
the invention provides a cross-network dynamic service flow verification method based on consensus, which can realize the authentication and verification of a node self-signed certificate by using a block chain distributed consensus protocol in a complex network environment, ensure the consistency of the storage records of all distributed verification nodes of a node public key in a network, prevent a man-in-the-middle attack from tampering the public key through a consensus mechanism, ensure the effectiveness of the self-signed certificate of a node initiating communication, and make up the problems of a CA-based key management system in the aspects of single-point failure, low efficiency and the like; by introducing a service completion identification mechanism, the dynamic information of the cross-network service flow is updated and checked on a real-time chain, and the order and safety of the service flow are effectively verified; the method comprises the steps of utilizing a historical routing path tracking technology to mine a malicious network segment possibly existing in cross-network service flow transmission, and identifying a bad routing node in a retransmission data message, so that the bottleneck of effective transmission and processing efficiency of cross-network services is broken through while the possibility that the malicious network segment falsifies the service flow again is effectively reduced.
Further, in the step S1, distributed verification is performed on the cross-network node self-signed certificate, and distributed storage based on the block chain is performed on the node key, so that the authentication efficiency of the network access node is improved;
further, the certificate information covers the identity information of the network-accessing node and the validity period of the certificate, the self-signature ensures the tamper resistance of the node certificate information, and the block B id The category setting facilitates retrieval of the node identity category block from a large number of blocks when the distributed verification node reviews the node identity at a later time.
Further, in step S2, node identity authentication is realized by performing public key search on the service request node in a chain, and uplink storage is performed on the service request information abstract based on the consensus mechanism, so that a foundation is laid for the subsequent service flow verification technology research while the node identity is ensured to be credible.
Furthermore, in step S3, by introducing a service completion identification technology and a service information summary chain update technology, effective verification of the order and security of the service flow is ensured, and in addition, by adopting a route tracking technology set based on an option field of an IP datagram header, dynamic recording of the flow direction of the service flow is realized.
Further, block B rtrf The type setting and the service sequence number setting are convenient for searching the service type block of the appointed service sequence number in a large number of blocks when the Trfchain examines the historical uplink data of the service flow.
Furthermore, in the step S4, with the help of a route tracking technology, the mining of malicious network segments possibly existing in the cross-network service flow transmission is realized through the retrieval of route records, so that the phenomenon that the service flow has repeated the overlapping of the former unsafe route network segments in the retransmission process is effectively avoided, and the effective transmission and processing efficiency of the cross-network service is effectively improved.
In summary, the verification technology of the present invention realizes timely detection of an abnormal data packet of a cross-network service flow, and a dynamic service flow verification technology comprising four steps is designed systematically, certificate authentication efficiency and key storage security are improved by studying node access application and a distributed key storage mechanism oriented to a self-signed certificate, traceability and non-tamper-resistance of historical service request information are ensured by studying a node service request accounting mechanism based on a block link, updating of cross-network service real-time completion conditions and verification of order among services are realized by studying a node service flow transmission and verification mechanism, malicious effective network segment avoidance is completed by studying a cross-network route tracking and service retransmission mechanism, and overall service transportation rate and processing efficiency are further improved.
The technical solution of the present invention is further described in detail by the accompanying drawings and embodiments.
Drawings
FIG. 1 is an architecture diagram of the present invention as applied to a cross-network dynamic traffic flow validation technique;
FIG. 2 is a schematic diagram of a node network access application and a distributed key storage mechanism oriented to a self-signed certificate according to the present invention;
FIG. 3 is a schematic diagram of a block chain-based node service request accounting mechanism according to the present invention;
FIG. 4 is a schematic diagram of a node traffic flow transmission and verification mechanism according to the present invention;
FIG. 5 is a schematic diagram of the cross-network route tracking and service retransmission mechanism of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it should be understood that the terms "comprises" and "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
Various structural schematics according to the disclosed embodiments of the invention are shown in the drawings. The figures are not drawn to scale, wherein certain details are exaggerated and some details may be omitted for clarity of presentation. The shapes of various regions, layers and their relative sizes and positional relationships shown in the drawings are merely exemplary, and deviations may occur in practice due to manufacturing tolerances or technical limitations, and a person skilled in the art may additionally design regions/layers having different shapes, sizes, relative positions, according to actual needs.
The invention provides a consensus-based cross-network dynamic service flow verification method. To address the problem that cross-network identity verification depends too heavily on a CA centre, distributed verification nodes verify a node's identity from the new network-access node's self-signed certificate and public key, and the node's address information and public key are uploaded to the blockchain Trfchain through a PBFT consensus mechanism, realizing node network-access application and distributed key storage oriented to self-signed certificates. For the service request behaviour of a node, the distributed verification nodes, based on the blockchain consensus mechanism, verify the node identity, generate a service sequence number, store the service digest on-chain and return a service flow permission, so that the cross-network service request is recorded on-chain. For the in-order service completion requirement of a cross-network service flow, a service completion identifier mechanism uploads real-time service and processing-node information to the blockchain Trfchain, so that service continuity is verified effectively. For the case where a cross-network service is tampered with in transit, historical routing path tracking is used to mine the malicious network segment that may exist on the transmission path, and identifying the bad routing node during retransmission reduces the possibility that the malicious segment tampers with the service flow again.
The invention relates to a cross-network dynamic service flow verification method based on consensus, which comprises the following steps:
S1: a node newly joining the integrated converged network generates a self-signed certificate and sends it to the distributed verification nodes to apply for network access; the distributed verification nodes verify the node's identity information and store the node's IP address, MAC address and public key in the blockchain Trfchain.
S101: the new node first generates an asymmetric key pair and a self-signed certificate locally. The self-signed certificate has two parts, the certificate information and the self-signature. The certificate information C_m is plaintext comprising the new node's public key P_e, its IP address, its MAC address, its identity information and the certificate validity period; the self-signature C_s is the SHA-256 digest of the plaintext C_m transformed with the node's private key P_d, i.e. the digest signed with P_d.
S102: the new node uploads the self-signed certificate together with its public key P_e to the distributed verification nodes. The verification nodes check the certificate information of the new node and agree on the result by the PBFT algorithm: each of them applies P_e to the self-signature to recover P_e(C_s)', computes the SHA-256 digest H(C_m) of the certificate information C_m, and compares the two. If P_e(C_s)' equals H(C_m), the new node passes identity verification; otherwise it fails, as shown in fig. 2.
S103: for a new node that has passed identity verification, the distributed verification nodes generate a node identity block B_id from the node information and public key and upload it to Trfchain. B_id contains: block number, block type, hash of the previous block, hash of the current block, MAC address of the new node, IP address of the new node and public key P_e of the new node.
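The following Python walks through S101 to S103 for a single verifier replica. It is an added illustration, not code from the patent. It assumes textbook RSA over two fixed Mersenne primes as a stand-in for "SHA-256 digest signed with the private key P_d" (that key is worthless and the scheme is unpadded, so it is for demonstration only), it omits the PBFT round among the verifiers (every replica would run the same check), and the field names mac, ip, identity, not_before and not_after are the example's own choices for the contents of C_m.

```python
import hashlib
import json

E = 65537  # public exponent

def make_keypair(p_exp: int, q_exp: int):
    """Toy RSA key pair from the Mersenne primes 2^p_exp-1 and 2^q_exp-1.
    Assumption for the demo only: public, fixed primes make this key worthless."""
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}

def canonical(obj) -> bytes:
    # Deterministic encoding so signer and verifiers hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha256_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def make_self_signed_cert(cert_info: dict, priv: dict) -> dict:
    """S101: C_s = SHA-256(C_m) transformed with the private key P_d (h^d mod n)."""
    h = sha256_int(canonical(cert_info))
    return {"info": cert_info, "sig": pow(h, priv["d"], priv["n"])}

def verify_self_signed_cert(cert: dict, pub: dict, now: int) -> bool:
    """S102: recover P_e(C_s)' with the public key and compare it with H(C_m)."""
    info = cert["info"]
    if info["public_key"] != pub:            # the uploaded key must be the one inside C_m
        return False
    if not (info["not_before"] <= now <= info["not_after"]):
        return False
    return pow(cert["sig"], pub["e"], pub["n"]) == sha256_int(canonical(info))

class Trfchain:
    """Append-only ledger; each block carries the previous block's hash and its own."""
    def __init__(self):
        self.blocks = []

    def append(self, block_type: str, body: dict) -> dict:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        block = {"number": len(self.blocks), "type": block_type, "prev_hash": prev, **body}
        block["hash"] = hashlib.sha256(canonical(block)).hexdigest()
        self.blocks.append(block)
        return block

    def verify_links(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            unsigned = {k: v for k, v in b.items() if k != "hash"}
            if b["prev_hash"] != prev or hashlib.sha256(canonical(unsigned)).hexdigest() != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def public_key_for_mac(self, mac: str):
        # S201 lookup: a requester's public key is found on chain by its MAC address.
        return next((b["public_key"] for b in reversed(self.blocks)
                     if b["type"] == "B_id" and b["mac"] == mac), None)

def admit_node(chain: Trfchain, cert: dict, pub: dict, now: int):
    """S103: on a valid certificate write B_id (MAC, IP, public key); otherwise reject."""
    if not verify_self_signed_cert(cert, pub, now):
        return None
    info = cert["info"]
    return chain.append("B_id", {"mac": info["mac"], "ip": info["ip"], "public_key": pub})

def demo():
    pub, priv = make_keypair(127, 521)
    info = {"public_key": pub, "ip": "10.1.0.7", "mac": "02:00:00:00:00:07",   # constructed values
            "identity": "edge-node-07", "not_before": 1700000000, "not_after": 1800000000}
    cert = make_self_signed_cert(info, priv)
    chain = Trfchain()
    admitted = admit_node(chain, cert, pub, now=1750000000)
    # An attacker who edits the IP inside C_m cannot produce a matching C_s without P_d.
    forged = {"info": dict(info, ip="10.9.9.9"), "sig": cert["sig"]}
    rejected = admit_node(chain, forged, pub, now=1750000000)
    expired = admit_node(chain, cert, pub, now=1900000000)
    return chain, admitted, rejected, expired
```

Two caveats a deployment would need: the "hash, then encrypt with the private key" construction should be a padded signature scheme (RSA-PSS or an EdDSA key) from a maintained library, since unpadded RSA signatures are malleable; and a self-signed certificate only proves possession of the private key matching P_e, so binding the IP and MAC in C_m to a real device still rests on the verifiers' admission policy, not on the signature.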
S2: a service request node in the network hashes the encrypted service request information with SHA-256 and uploads the hash together with its self-signed certificate to the distributed verification nodes; the verification nodes verify the self-signed certificate with the node's public key, then record the service flow on Trfchain and return a service flow execution permission and a service flow sequence number to the requesting node.
S201: the service flow request node first uploads the source IP, destination IP, source port and destination port of the requested service flow and the SHA-256 hash of the encrypted data segment of the service flow request packet, together with its self-signed certificate, to the distributed verification nodes. The verification nodes retrieve the public key P_e of the requesting node from Trfchain by the node's MAC address and verify the self-signed certificate with it.
S202: the distributed verification nodes generate a unique service sequence number for the service flow, take the hash of the encrypted service information as the service ticket, generate a service block B_trf and upload it to Trfchain. B_trf contains: block number, block type, hash of the previous block, hash of the current block, service flow sequence number, source IP, destination IP, source port, destination port and the hash of the encrypted data segment of the service flow request packet. The verification nodes then return the service flow sequence number and the service flow execution permission to the requesting node.
S3: after receiving the execution permission and the service flow sequence number, the service request node starts sending the service flow into the network, and every router the flow traverses adds its own IP address to the option field of the IP datagram header as a routing record. Each node on the path that must complete a service uploads the service flow information to the distributed verification nodes; the verification nodes retrieve the history of that service flow from Trfchain and compare it with the received service flow request packet to confirm that the service information has not been tampered with. The node then checks the service completion identifiers at the tail of the data segment to confirm that the services required before its own have been completed, completes its local service, appends its own service completion identifier to the tail of the data segment of the service flow request packet, and finally uploads the service information to Trfchain.
S301: after receiving the execution permission and the service flow sequence number, the service request node sends the service flow, whose data segment is encrypted, into the network; each routing node the flow passes through adds its own IP address to the option field of the IP datagram header as a routing record. When the service flow reaches a node that must complete a service, that node asks the distributed verification nodes to retrieve the flow's historical on-chain data from Trfchain by the service sequence number, receives the result, compares it with the received service flow request packet and checks whether the service information has been tampered with. If it has not, go to step S302; if it has, go to step S4.
S302: having confirmed that the service information is not tampered with, the node that is to complete the current service checks the service completion identifier at the tail of the data segment to make sure the service required before the current one has been completed, completes its local service, appends its own service completion identifier to the tail of the data segment of the service flow request packet, and finally uploads the updated service request block B_rtrf to Trfchain and forwards the service flow into the next network. B_rtrf contains: block number, hash of the previous block, hash of the current block, IP address of the current service node, service flow sequence number, source IP, destination IP, source port, destination port and the hash of the updated encrypted data segment of the service flow request packet. If the service required before the current one is found not to have been completed, go to step S4.
S4: when a node finds that the service request has been tampered with, the current service node obtains the routing path information from the IP datagram header and sends an alarm to the distributed verification nodes, so that the last service node that completed its service is informed of the routing nodes the tampered data passed through. That last service node appends the IP addresses of the routing nodes that may pose a threat to the tail of the service request packet segment, so that the same routing path is avoided when the service is retransmitted.
When the service request is found to be tampered with, or the service required before the current service has not been completed, the current service node obtains the historical routing path from the option field of the current IP datagram header and sends an anomaly alarm together with that routing path to the distributed verification nodes. The verification nodes retrieve the flow's earlier service request blocks B_trf and B_rtrf from Trfchain by the service flow sequence number carried in the alarm and, from that information, inform the last service node that completed its service which routing nodes in its network pose a threat. That last service node appends the IP addresses of the threatening routing nodes to the tail of the service request packet and then retransmits the service. Subsequent forwarding nodes read the anomalous routing nodes at the tail of the packet and avoid repeating that routing path as far as possible, so that the service flow is delivered.
Referring to fig. 1, in yet another embodiment of the present invention a cross-network dynamic service flow verification system is provided that can be used to implement the method described above. The system comprises a distributed key storage module for node network-access application and self-signed certificates, a blockchain-based node service request accounting module, a node service flow transmission and verification module, and a cross-network service route tracking and service retransmission module.
The distributed key storage module for node network-access application and self-signed certificates performs distributed verification of the self-signed certificates of cross-network nodes and stores node keys on the blockchain in a distributed manner.
Referring to fig. 3 and 4, the blockchain-based node service request accounting module has the distributed verification nodes verify a node's identity under the blockchain consensus mechanism for each service request, generate the service sequence number, store the service digest on chain and return the service flow permission, so that cross-network service requests are recorded on chain.
The node service flow transmission and verification module uploads real-time service and processing-node information to the blockchain through the service completion identifier mechanism, so that service continuity can be verified.
Referring to fig. 5, the cross-network service route tracking and service retransmission module handles the case in which a cross-network service is tampered with in transit: it uses historical route path tracking to identify the malicious network segment that may exist on the service flow's path and identifies the bad routing node during retransmission, reducing the chance that the malicious segment tampers with the service flow again.
In yet another embodiment of the present invention, a terminal device is provided that comprises a processor and a memory; the memory stores a computer program comprising program instructions, and the processor is configured to execute the program instructions stored in the computer storage medium. The processor may be a central processing unit (CPU) or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on; it is the computing and control core of the terminal, adapted to load and execute one or more instructions so as to carry out the corresponding method flow or function. The processor of this embodiment may be used for cross-network dynamic service flow verification, comprising: a new node generates a self-signed certificate and sends it to the distributed verification nodes to apply for network access, and the distributed verification nodes verify the node's identity information and store the new node's IP address, MAC address and public key in the blockchain Trfchain; a service request node in the network hashes the encrypted service request information with SHA-256 and uploads the hash together with its self-signed certificate to the distributed verification nodes, which verify the self-signed certificate with the node's public key, record the corresponding service flow on the blockchain Trfchain and return a service flow execution permission and service flow sequence number to the requesting node; after receiving the execution permission and the service flow sequence number, the service request node sends the service flow into the network, and each router the flow traverses adds its own IP address to the option field of the IP datagram header as a routing record; each node on the path that must complete a service uploads the service flow information to the distributed verification nodes, which retrieve the corresponding service flow history from the blockchain Trfchain and compare it with the received service flow request packet; the current node completes its local service, appends a service completion identifier to the tail of the data segment of the service flow request packet, and finally uploads the service information to the blockchain Trfchain; and when a service node finds that the service request has been tampered with, it informs the last service node that completed its service of the routing nodes the tampered data passed through, thereby achieving cross-network dynamic service flow verification.
In still another embodiment, the present invention further provides a storage medium, specifically a computer-readable storage medium (memory), which is a memory device in a terminal device used to store programs and data. The computer-readable storage medium may include a storage medium built into the terminal device and may also include an extended storage medium supported by the terminal device. The computer-readable storage medium provides a storage space that holds the operating system of the terminal. One or more instructions, which may be one or more computer programs (including program code), are also stored in that storage space and are adapted to be loaded and executed by the processor. The computer-readable storage medium may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory.
The processor can load and execute one or more instructions stored in the computer-readable storage medium to carry out the corresponding steps of the cross-network dynamic service flow verification method of the embodiments above; the one or more instructions in the computer-readable storage medium are loaded by the processor and perform the following steps: a new node generates a self-signed certificate and sends it to the distributed verification nodes to apply for network access, and the distributed verification nodes verify the node's identity information and store the new node's IP address, MAC address and public key in the blockchain Trfchain; a service request node in the network hashes the encrypted service request information with SHA-256 and uploads the hash together with its self-signed certificate to the distributed verification nodes, which verify the self-signed certificate with the node's public key, record the corresponding service flow on the blockchain Trfchain and return a service flow execution permission and service flow sequence number to the requesting node; after receiving the execution permission and the service flow sequence number, the service request node sends the service flow into the network, and each router the flow traverses adds its own IP address to the option field of the IP datagram header as a routing record; each node on the path that must complete a service uploads the service flow information to the distributed verification nodes, which retrieve the corresponding service flow history from the blockchain Trfchain and compare it with the received service flow request packet; the current node completes its local service, appends a service completion identifier to the tail of the data segment of the service flow request packet, and finally uploads the service information to the blockchain Trfchain; and when a service node finds that the service request has been tampered with, it informs the last service node that completed its service of the routing nodes the tampered data passed through, thereby achieving cross-network dynamic service flow verification.
In summary, the invention provides a cross-network dynamic service flow verification method, system, storage medium and computing device. Building on the consensus mechanism of blockchain technology, it adopts distributed self-signed key management and a service flow recording mechanism, introduces a service completion identifier technique and a route tracking technique, and so provides consensus-based cross-network dynamic service flow verification. It addresses the transmission-efficiency bottleneck and lack of flexibility in cross-network secure transmission caused by dependence on centralised CA trust, supports verification of the ordering and security of service flows in cross-network communication, and provides real-time detection and monitoring of cross-network service flow packets.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned contents are only for illustrating the technical idea of the present invention, and the protection scope of the present invention is not limited thereby, and any modification made on the basis of the technical idea of the present invention falls within the protection scope of the claims of the present invention.

Claims (10)

1. A cross-network dynamic service flow verification method, characterized by comprising the following steps:
S1: a node newly joining an integrated converged network generates a self-signed certificate and sends it to distributed verification nodes to apply for network access, and the distributed verification nodes verify the node's identity information and store the new node's IP address, MAC address and public key in a blockchain Trfchain;
S2: a service request node in the integrated converged network hashes the encrypted service request information with SHA-256 and uploads the hash together with its self-signed certificate to the distributed verification nodes; after verifying the node's self-signed certificate with its public key, the distributed verification nodes record the corresponding service flow on the blockchain Trfchain and return a service flow execution permission and a service flow sequence number to the requesting node;
S3: after receiving the execution permission and the service flow sequence number, the service request node sends the service flow into the network, and each router the flow traverses adds its own IP address to the option field of the IP datagram header as a routing record; each node that must complete a service uploads the service flow information to the distributed verification nodes, which retrieve the corresponding service flow history from the blockchain Trfchain and compare it with the received service flow request packet; the current node completes its local service, appends a service completion identifier to the tail of the data segment of the service flow request packet, and finally uploads the service information to the blockchain Trfchain;
S4: when a service node finds that the service request has been tampered with, the last service node that completed its service is notified in turn of the routing nodes the tampered data passed through, thereby achieving cross-network dynamic service flow verification.
2. The cross-network dynamic service flow verification method according to claim 1, wherein step S1 specifically comprises:
s101, the new network access node locally generates an asymmetric key pair and a self-signed certificate, wherein the self-signed certificate comprises two parts: certificate information and self-signature;
S102: the new node uploads the self-signed certificate together with its public key P_e to the distributed verification nodes; the distributed verification nodes check the certificate information of the new node by the PBFT algorithm, apply P_e to the new node's self-signature to recover P_e(C_s)', compute the SHA-256 digest H(C_m) of the certificate information C_m, and verify the node's identity by comparing P_e(C_s)' with H(C_m): if they are equal the new node passes identity verification, otherwise it fails;
S103: the distributed verification nodes generate a node identity block B_id from the information and public key of the new node that passed identity verification and upload it to the blockchain Trfchain.
3. The cross-network dynamic service flow verification method according to claim 2, characterized in that the certificate information C_m comprises the new node's public key P_e, node IP address, node MAC address, node identity information and certificate validity period, and the self-signature C_s is the SHA-256 digest of the plaintext C_m signed with the private key P_d; block B_id comprises: block number, block type, hash of the previous block, hash of the current block, MAC address of the new node, IP address of the new node and public key P_e of the new node.
4. The method for cross-network dynamic service flow verification according to claim 1, wherein step S2 specifically comprises:
S201: the service flow request node uploads the source IP, destination IP, source port and destination port of the requested service flow and the SHA-256 hash of the encrypted data segment of the service flow request packet, together with its self-signed certificate, to the distributed verification nodes, and the verification nodes retrieve the public key P_e of the requesting node from the blockchain Trfchain by the node's MAC address and verify the self-signed certificate;
S202: the distributed verification nodes generate a unique service sequence number for the service flow, take the hash of the encrypted service information as the service ticket, generate a service block B_trf and upload it to the blockchain Trfchain; block B_trf comprises: block number, block type, hash of the previous block, hash of the current block, service flow sequence number, source IP, destination IP, source port, destination port and the hash of the encrypted data segment of the service flow request packet; the distributed verification nodes then return the service flow sequence number and the service flow execution permission to the service flow request node.
5. The cross-network dynamic service flow verification method according to claim 1, wherein step S3 specifically comprises:
S301: after receiving the execution permission and the service flow sequence number, the service request node sends the service flow with its encrypted data segment into the network, and each routing node the flow passes through adds its own IP address to the option field of the IP datagram header as a routing record; when the service flow reaches a node that must complete a service, that node asks the distributed verification nodes to retrieve the flow's historical on-chain data from the blockchain Trfchain by the service sequence number, receives the result, compares it with the received service flow request packet and checks whether the service information has been tampered with; if it is determined not to be tampered with, step S302 is performed, and if it is found to be tampered with, step S4 is performed;
S302: having determined that the service information is not tampered with, the node that is to complete the current service checks the service completion identifier at the tail of the data segment to ensure that the service required before the current one has been completed, completes its local service, appends its own service completion identifier to the tail of the data segment of the service flow request packet, and finally uploads the updated service request block B_rtrf to the blockchain Trfchain and forwards the service flow into the subsequent network.
6. The cross-network dynamic service flow verification method according to claim 5, characterized in that block B_rtrf comprises: block number, hash of the previous block, hash of the current block, IP address of the current service node, service flow sequence number, source IP, destination IP, source port, destination port and the hash of the updated encrypted data segment of the service flow request packet.
7. The method for cross-network dynamic service flow verification according to claim 1, wherein step S4 specifically comprises:
when the service request is found to be tampered with, or the service required before the current service has not been completed, the current service node obtains the historical routing path from the option field of the current IP datagram header and sends an anomaly alarm together with the historical routing path to the distributed verification nodes; the distributed verification nodes retrieve the flow's earlier service request blocks B_trf and B_rtrf by the service flow sequence number in the alarm and, from that information, inform the last service node that completed its service of the threatening routing nodes in its network; that last service node appends the IP addresses of the threatening routing nodes to the tail of the service request packet segment and then retransmits the service; subsequent forwarding nodes check the anomalous routing nodes at the tail of the packet and avoid the corresponding routing path.
8. A cross-network dynamic traffic flow verification system, comprising:
a distributed key storage module for node network-access application and self-signed certificates, which performs distributed verification of the self-signed certificates of cross-network nodes and stores node keys on a blockchain in a distributed manner;
a blockchain-based node service request accounting module, in which the distributed verification nodes verify a node's identity under the blockchain consensus mechanism for each service request, generate the service sequence number, store the service digest on chain and return the service flow permission, so that cross-network service requests are recorded on chain;
a node service flow transmission and verification module, which uploads real-time service and processing-node information to the blockchain through a service completion identifier mechanism, so that service continuity can be verified;
a cross-network service route tracking and service retransmission module, which, for the case in which a cross-network service is tampered with in transit, uses historical route path tracking to identify the malicious network segment on the service flow's transmission path and identifies the bad routing node during retransmission, reducing the chance that the malicious segment tampers with the service flow again.
9. A computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a computing device, cause the computing device to perform any of the methods of claims 1-7.
10. A computing device, comprising:
one or more processors, memory, and one or more programs stored in the memory and configured for execution by the one or more processors, the one or more programs including instructions for performing any of the methods of claims 1-7.
CN202011477233.2A 2020-12-15 2020-12-15 Cross-network dynamic service flow verification method, system, storage medium and computing device Active CN112487465B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011477233.2A CN112487465B (en) 2020-12-15 2020-12-15 Cross-network dynamic service flow verification method, system, storage medium and computing device

Publications (2)

Publication Number Publication Date
CN112487465A CN112487465A (en) 2021-03-12
CN112487465B true CN112487465B (en) 2022-12-09


Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113132378A (en) * 2021-04-15 2021-07-16 无锡全面互链科技有限公司 Block chain link point equipment and block chain network system
CN113282562B (en) * 2021-05-07 2023-12-26 范佳媛 File management method and system based on private chain
CN114091052B (en) * 2021-11-01 2024-04-12 天津理工大学 Intellectual property generation, transaction and authorization method based on NFT
CN115051984B (en) * 2021-11-22 2023-03-28 厦门大学 Distributed data plane verification method

Patent Citations (2)

Publication number Priority date Publication date Assignee Title
CN110601851A (en) * 2019-09-12 2019-12-20 腾讯科技(深圳)有限公司 Method and device for replacing identity certificate in block chain network
CN110602096A (en) * 2019-09-12 2019-12-20 腾讯科技(深圳)有限公司 Data processing method, device, storage medium and equipment in block chain network

Non-Patent Citations (1)

Title
SD-WAN zero-trust network architecture based on a blockchain consensus mechanism; 罗可人; Integrated Circuit Applications (《集成电路应用》); 2020-07-09 (No. 07); full text *

Also Published As

Publication number Publication date
CN112487465A (en) 2021-03-12

Similar Documents

Publication Publication Date Title
CN112487465B (en) Cross-network dynamic service flow verification method, system, storage medium and computing device
Ma et al. An efficient decentralized key management mechanism for VANET with blockchain
CN109918878B (en) Industrial Internet of things equipment identity authentication and safe interaction method based on block chain
Xu et al. BAGKD: A batch authentication and group key distribution protocol for VANETs
US20230121852A1 (en) Method and apparatus for trust management in integrated networks based on blockchain
CN112651037B (en) Out-of-chain data access method and system for block chain system
CN113923044A (en) Chain crossing system and method based on trusted execution environment
CN107396350B (en) SDN-5G network architecture-based security protection method between SDN components
CN114139203B (en) Block chain-based heterogeneous identity alliance risk assessment system and method and terminal
Shaikh et al. LSec: Lightweight security protocol for distributed wireless sensor network
JP2019530344A (en) COMMUNICATION DEVICE, SYSTEM, METHOD, AND PROGRAM
CN113079215B (en) Block chain-based wireless security access method for power distribution Internet of things
CN114390051A (en) Data management equipment based on logistics edge gateway and control method thereof
CN111447283A (en) Method for realizing information security of power distribution station room system
Bolgouras et al. Distributed key management in microgrids
Su et al. Blockchain‐based internet of vehicles privacy protection system
Singh et al. An efficient secure key establishment method in cluster-based sensor network
Wu et al. A decentralized lightweight blockchain-based authentication mechanism for Internet of Vehicles
Xie et al. BEPHAP: A blockchain-based efficient privacy-preserving handover authentication protocol with key agreement for internet of vehicles
CN112948868A (en) Electric power data storage method and electric power data sharing method based on block chain
CN115834093A (en) Block chain-based network node control method and system and consensus node
Chiu et al. NoPKI-a point-to-point trusted third party service based on blockchain consensus algorithm
Choudhary et al. A distributed key management protocol for wireless sensor network
CN100499649C (en) Method for realizing safety coalition backup and switching
Wang et al. A secure solution of V2G communication based on trusted computing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant