CN115766055A - Method and device for communication message verification

Info

Publication number: CN115766055A
Application number: CN202211097028.2A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: equipment, sending, encrypted message, digital signature, random number
Inventors: 刘思聪, 冯毅
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method and a device for communication message verification. The method comprises the following steps: the sending device encrypts a message to be transmitted, wherein the message carries a user identifier of the sending device; generates a first random number as a digital signature and carries the digital signature in the encrypted message; and sends the encrypted message to a forwarding device in a communication network. The forwarding device receives the encrypted message, identifies the digital signature in it and generates a second random number; it determines whether the second random number is smaller than the first random number; if so, it sends the encrypted message to the next-hop device; otherwise, it deletes the digital signature from the encrypted message and sends the user identifier of the sending device together with the encrypted message to the receiving device. The receiving device determines whether the number of user identifiers received within a set time exceeds a threshold; if so, it initiates a verification request; otherwise, communication with the sending device continues. The application improves the security of the communication network system.

Description

Method and device for communication message verification
Technical Field
The present application relates to the field of communications, and in particular, to a method and an apparatus for communication packet verification.
Background
With the growth of the Internet and the year-on-year increase in the number of users, new network services keep emerging and continually affect people's lives. At the same time, the openness and anonymity of the network make network security problems increasingly prominent. Existing networks may use IP Security (IPSec), a protocol suite that protects traffic at the IP layer. When protocols such as IPSec are used, both communicating parties must negotiate and confirm key information in order to encrypt the transmitted packets. How to exchange and manage the keys therefore becomes an important issue.
At present, both communicating parties can use the Diffie-Hellman algorithm to exchange and manage the key. The Diffie-Hellman algorithm lets the two parties exchange public values over the channel and securely agree on a symmetric shared key, with which messages are then encrypted and decrypted.
However, the Diffie-Hellman algorithm has no authentication step for the communicating parties. When two parties exchange keys with the Diffie-Hellman algorithm and an attack device is present in the public channel between them, the attack device can not only obtain the message information and the public keys transmitted by the two parties, but can also impersonate each party to the other and establish a separate key with each of them, thereby decrypting the transmitted messages. If the attack introduces no noticeable network delay, neither party can perceive whether an attack device exists in the communication channel, and the attack cannot be resisted.
Disclosure of Invention
The application provides a method and a device for communication message verification, and aims to solve the problem that in the prior art, two communication parties cannot sense whether attack equipment exists in a communication channel during communication, and then cannot resist attack behaviors.
In a first aspect, the present application provides a method for verifying a communication packet, including:
encrypting a message to be transmitted, wherein the message carries a user identifier of a sending device;
generating a first random number as a digital signature, and carrying the digital signature in an encrypted message;
and sending the encrypted message carrying the digital signature to forwarding equipment in a communication network.
In a possible implementation manner, the carrying the digital signature in an encrypted message includes:
randomly determining the insertion position of the first random number in an encrypted message;
adding the first random number as a digital signature at the insertion location in the encrypted message.
In a possible implementation manner, before encrypting the message to be transmitted, the method includes:
determining a public key by algorithm negotiation with the message receiving equipment;
the encrypting the message to be transmitted includes:
and encrypting the message to be transmitted by adopting the public key.
In a possible implementation manner, the determining, by using algorithm negotiation with a message receiving device, a public key includes:
negotiating an integer g and a prime number p with the message receiving device;
determining the public key K as K = g^(ab) mod p, where a and b are the private values held by the two communicating parties.
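A worked computation of K = g^(ab) mod p, added here as an example and not part of the patent. The page calls K the public key; in standard Diffie-Hellman terminology the values g^a mod p and g^b mod p are the public values exchanged on the channel and K is the shared secret, so both names appear in the comments. The 32-bit prime, the choice of g = 2 and the hash-based derivation of a symmetric key from K are assumptions made for the example. Note that nothing in the exchange binds either public value to an identity, which is exactly the gap the Background section describes.

```python
import hashlib
import secrets

# Constructed toy group for illustration only; a deployment would use a
# standardized large-prime group, never a 32-bit prime.
P = 4294967291        # the largest prime below 2**32 (constructed parameter)
G = 2                 # the negotiated integer g (assumption)


def dh_private() -> int:
    """Secret exponent drawn by one party (a for the sender, b for the receiver)."""
    return secrets.randbelow(P - 2) + 1


def dh_public(priv: int) -> int:
    """Value placed on the channel: g^a mod p (or g^b mod p). Nothing here
    binds it to an identity, so an on-path device can substitute its own."""
    return pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    """K = g^(ab) mod p: the sender computes (g^b)^a mod p, the receiver (g^a)^b mod p."""
    return pow(peer_pub, priv, P)


def derive_key(k: int) -> bytes:
    """Symmetric key for message encryption, derived from K with a hash
    (the derivation step is an assumption; the page stops at K)."""
    return hashlib.sha256(k.to_bytes(4, "big")).digest()


def negotiate():
    """Runs one exchange and returns (K at the sender, K at the receiver,
    g^(ab) mod p computed directly) so the three can be compared."""
    a, b = dh_private(), dh_private()
    ga, gb = dh_public(a), dh_public(b)          # the two values that cross the channel
    return dh_shared(a, gb), dh_shared(b, ga), pow(G, a * b, P)


if __name__ == "__main__":
    k_sender, k_receiver, direct = negotiate()
    print(k_sender == k_receiver == direct, derive_key(k_sender).hex())
```

Both parties arrive at the same K without ever sending a or b; the only values an on-path device sees are g^a mod p and g^b mod p, and, since neither is tied to a user identifier, the exchange alone cannot tell the receiver who it agreed a key with.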
In a second aspect, the present application provides a communication transmission apparatus, including:
the encryption module is used for encrypting a message to be transmitted, wherein the message carries a user identifier of the sending equipment;
the first verification module is used for generating a first random number as a digital signature and carrying the digital signature in the encrypted message;
and the sending module is used for sending the encrypted message carrying the digital signature to forwarding equipment in a communication network.
In a possible implementation, the first verification module is further configured to: randomly determining the insertion position of the first random number in an encrypted message; adding the first random number as a digital signature at the insertion location in the encrypted message.
In a possible embodiment, the apparatus further comprises:
the determining module is used for determining a public key by algorithm negotiation with the message receiving equipment;
the encryption module is specifically configured to encrypt the packet to be transmitted by using the public key.
In a possible implementation manner, the determining module is specifically configured to: negotiate an integer g and a prime number p with the message receiving device; and determine the public key K as K = g^(ab) mod p.
In a third aspect, the present application provides an electronic device, comprising: at least one processor and a memory;
the memory stores computer-executable instructions;
the at least one processor executing the computer-executable instructions stored by the memory causes the at least one processor to perform the method of any one of the first aspects.
In a fourth aspect, the present application provides a computer-readable storage medium having stored thereon computer-executable instructions that, when executed by a processor, implement the method according to any one of the first aspect.
In a fifth aspect, the present application provides a computer program product comprising a computer program; the computer program when executed implements the method of any one of the first aspects.
The application provides a method and a device for verifying a communication message. A sending device first encrypts a message to be transmitted, wherein the message carries a user identifier of the sending device; generates a first random number as a digital signature and carries the digital signature in the encrypted message; and then sends the encrypted message carrying the digital signature to a forwarding device in a communication network. The sending device not only encrypts the communication message but also carries the digital signature and its own user identifier in the encrypted message, so that the identity information of the sending device can be verified subsequently, thereby improving communication security.
In a sixth aspect, the present application provides a method for verifying a communication packet, including:
receiving an encrypted message carrying a digital signature, wherein the digital signature is a first random number generated by sending equipment, and the encrypted message carries a user identifier of the sending equipment;
identifying a digital signature in the encrypted message and generating a second random number;
judging whether the second random number is smaller than the first random number;
if the second random number is smaller than the first random number, sending the encrypted message carrying the digital signature to next hop equipment; and otherwise, deleting the digital signature in the encrypted message, and sending the user identifier of the sending equipment and the encrypted message to the receiving equipment.
In a possible implementation, the verification method further includes:
receiving a verification request sent by the receiving equipment, wherein the verification request carries a user identifier received by the receiving equipment; and identifying the user identification of the sending equipment in the user identifications received by the receiving equipment so as to determine the attacking equipment.
In a seventh aspect, the present application provides a communication forwarding apparatus, including:
the first receiving module is used for receiving an encrypted message carrying a digital signature, wherein the digital signature is a first random number generated by sending equipment, and the encrypted message carries a user identifier of the sending equipment;
the identification module is used for identifying the digital signature in the encrypted message and generating a second random number;
the first judgment module is used for judging whether the second random number is smaller than the first random number or not; if the second random number is smaller than the first random number, sending the encrypted message carrying the digital signature to next hop equipment; and otherwise, deleting the digital signature in the encrypted message, and sending the user identifier of the sending equipment and the encrypted message to the receiving equipment.
In a possible implementation manner, the communication forwarding apparatus further includes:
a second verification module, configured to receive a verification request sent by the receiving device, where the verification request carries a user identifier received by the receiving device; and identifying the user identification of the sending equipment in the user identifications received by the receiving equipment so as to determine the attacking equipment.
In an eighth aspect, the present application provides an electronic device, comprising: at least one processor and memory;
the memory stores computer-executable instructions;
execution of the computer-executable instructions stored by the memory by the at least one processor causes the at least one processor to perform the method of any one of the sixth aspects.
In a ninth aspect, the present application provides a computer readable storage medium having stored thereon computer executable instructions which, when executed by a processor, implement the method according to any one of the sixth aspect.
In a tenth aspect, the present application provides a computer program product comprising a computer program; the computer program when executed implements the method of any of the sixth aspects.
The application provides a method and a device for communication message verification. A forwarding device first receives an encrypted message sent by a sending device, identifies the digital signature in it and generates a second random number; it then determines whether the second random number is smaller than the first random number. If so, it sends the encrypted message carrying the digital signature to the next-hop device; otherwise, it deletes the digital signature from the encrypted message and sends the user identifier of the sending device and the encrypted message to the receiving device. The forwarding device can also, in response to a verification request sent by the receiving device, identify the user identifier of the sending device among the user identifiers received by the receiving device, so as to determine the attack device. By setting the first and second random numbers and comparing their magnitudes, the method and device randomly determine which device becomes the cooperating verifier, so that an attack device cannot target a specific forwarding device or link in the communication network system; the attack device is determined by identifying the user identifiers received by the receiving device, and the security of the communication network system is improved.
In an eleventh aspect, the present application provides a method for verifying a communication packet, including:
receiving a user identifier and an encrypted message of sending equipment sent by forwarding equipment;
judging whether the number of the user identifications received within the set time exceeds a threshold value;
if the number of the user identifications exceeds a threshold value, initiating a verification request; otherwise, communication continues with the sending device.
In a twelfth aspect, the present application provides a communication receiving apparatus, including:
the second receiving module is used for receiving the user identification and the encrypted message of the sending equipment, which are sent by the forwarding equipment;
the second judgment module is used for judging whether the number of the user identifications received within the set time exceeds a threshold value; if the number of the user identifications exceeds a threshold value, initiating a verification request; otherwise, communication continues with the sending device.
In a thirteenth aspect, the present application provides an electronic device comprising: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executing the computer-executable instructions stored by the memory causes the at least one processor to perform the method of any of the eleventh aspects.
In a fourteenth aspect, the present application provides a computer-readable storage medium having stored thereon computer-executable instructions that, when executed by a processor, implement the method of any one of the eleventh aspects.
In a fifteenth aspect, the present application provides a computer program product comprising a computer program; the computer program, when executed, implements the method of any of the eleventh aspects.
The application provides a method and a device for communication message verification. A receiving device first receives a user identifier and an encrypted message of a sending device, sent by a forwarding device; it determines whether the number of user identifiers received within a set time exceeds a threshold; if so, it determines that an attack device exists in the communication network, at which point the receiving device must initiate a verification request to determine the user identifier of the attack device, and the network management system resists the attack by locating the user identifier of the attack device and blocking the connection interface between the attack device and the communication network; otherwise, the receiving device continues to communicate with the sending device. Whether an attack device exists in the communication network is determined from the number of user identifiers received by the receiving device, and the user identifier of the attack device is determined by initiating a verification request and performing identity verification, so that the attack is resisted and the security of the communication network system is improved.
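The receiver-side check of the eleventh aspect together with the verification-request handling of the sixth aspect, as an added example that is not part of the patent. The set time window, the threshold, the sample event log and the assumption that the count is of distinct user identifiers (the page says only "number of user identifiers received") are all constructed for the example; the page fixes none of these values. The cooperating verifier function assumes the forwarding device that stripped the signature still holds the sending device's user identifier it identified on the way through.

```python
from collections import deque

# Added example, not the patent's code. Window, threshold and events are constructed.


class ReceiverMonitor:
    """Receiving device side: tracks the user identifiers delivered by forwarding
    devices within a sliding time window and, when the number of distinct
    identifiers exceeds the threshold, emits a verification request carrying them."""

    def __init__(self, window_seconds: float, threshold: int):
        self.window = window_seconds
        self.threshold = threshold
        self.events = deque()            # (timestamp, user_id), oldest first

    def receive(self, timestamp: float, user_id: str):
        self.events.append((timestamp, user_id))
        while self.events and self.events[0][0] < timestamp - self.window:
            self.events.popleft()        # drop identifiers outside the set time
        seen = sorted({uid for _, uid in self.events})
        if len(seen) > self.threshold:
            return {"type": "verification_request", "user_ids": seen}
        return None                      # normal case: keep communicating with the sender


def cooperating_verifier(request: dict, sender_user_id: str):
    """Forwarding device that stripped the signature: it identified the sending
    device's user identifier, so every other identifier in the receiver's request
    is attributed to a device claiming to be the sender."""
    ids = request["user_ids"]
    if sender_user_id not in ids:
        return None                      # assumption: nothing to decide without the sender's id
    return [uid for uid in ids if uid != sender_user_id]


# Constructed event log: (seconds, user identifier carried by the delivered packet).
# "A" is the legitimate sender; "C" is a second identifier arriving inside the window.
SAMPLE_EVENTS = [(0.0, "A"), (3.0, "A"), (5.0, "C"), (20.0, "A")]


def replay(events, window_seconds=10.0, threshold=1, sender_user_id="A"):
    """Feeds events to the receiver and returns (timestamp, attack_ids) for every
    verification request that was raised."""
    monitor = ReceiverMonitor(window_seconds, threshold)
    decisions = []
    for t, uid in events:
        request = monitor.receive(t, uid)
        if request is not None:
            decisions.append((t, cooperating_verifier(request, sender_user_id)))
    return decisions


if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))   # [(5.0, ['C'])]
```

The event at 20 s raises nothing because the earlier identifiers have aged out of the 10 s window; a practitioner tuning this check would pick the window from the expected inter-packet gap of a legitimate session so that normal traffic never accumulates a second identifier.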
Drawings
Fig. 1A is a schematic diagram of a communication network system according to an embodiment of the present application;
fig. 1B is a schematic diagram of a system in which an attack apparatus exists in a communication network according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a method for communication packet verification according to embodiment 1 of the present application;
fig. 3 is a schematic flowchart of a method for communication packet verification according to embodiment 2 of the present application;
fig. 4 is a schematic flowchart of a method for communication packet verification according to embodiment 3 of the present application;
fig. 5 is a schematic flowchart of a method for communication packet verification according to embodiment 4 of the present application;
fig. 6 is a schematic structural diagram of an apparatus for communication packet verification according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of another apparatus for communication packet verification according to an embodiment of the present disclosure;
fig. 9 is a schematic structural diagram of another electronic device provided in an embodiment of the present application;
fig. 10 is a schematic structural diagram of yet another apparatus for communication packet verification according to an embodiment of the present application;
fig. 11 is a schematic structural diagram of another electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. The following description refers to the accompanying drawings in which the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
In the communication field, both communication parties need to encrypt the message before transmitting the communication message, so both communication parties need to negotiate and confirm the key information used for encryption, and the existing Diffie Hellman algorithm can skillfully solve the problem of negotiating and managing the key by both communication parties. However, the algorithm does not perform identity authentication on both communication parties, so that the both communication parties cannot perceive whether attack equipment exists in a communication channel during communication, and further cannot resist attack behaviors.
In order to solve the above technical problem, embodiments of the present application provide a method and an apparatus for communication packet verification, which are applicable to various communication networks, for example, a one-to-one or one-to-many peer communication network system.
Fig. 1A is a schematic diagram of a communication network system according to an embodiment of the present application. As shown in fig. 1A, the communication network system includes: the system comprises a sending device A, a receiving device B, at least one forwarding device H and a network management system S. Wherein, all the devices are connected by optical fibers.
And the sending equipment A is used for initiating a communication request and encrypting the communication message to be transmitted.
And the receiving equipment B is used for receiving the communication request and decrypting the received communication message.
The sending device A and the receiving device B may negotiate key information by using an algorithm and then determine a public key, so as to encrypt and decrypt the communication messages.
And the forwarding equipment H is used for forwarding data such as the encrypted message, the key information, the user identification and the like. The forwarding device H needs to have a function of identifying the digital signature packet and a function of negotiating and judging with other forwarding devices H, and the forwarding device may be a routing device in the present application, and the specific device type is not limited in the present application.
And the network management system S is used for monitoring and checking the equipment information and the equipment state of the forwarding equipment.
Fig. 1B is a schematic diagram of a system in which an attack device exists in a communication network according to an embodiment of the present application. As shown in fig. 1B, the system includes: a sending device A, a receiving device B, an attack device C, at least one forwarding device H, a cooperating verifier T and a network management system S.
The attack device C is a device that can communicate with the receiving device B by intercepting the encrypted message and the key information and pretending the identity of the sending device a in the communication network.
The cooperating verifier T verifies the user identifiers when the receiving device B has received more than one. The forwarding device H and the cooperating verifier T are the same kind of device under different names; they are distinguished here for convenience of description because they perform different specific functions.
In this embodiment, a sending device A initiates a communication request, encrypts a communication packet, and sends the encrypted packet into the communication network with the destination address set to the address of the receiving device B; a forwarding device H in the network receives, identifies and forwards the encrypted packet. If an attack device C exists in the communication network at this time, it may intercept the encrypted message and communicate with the receiving device B using fabricated user information of the sending device A. In the same way, the attack device C sends the intercepted encrypted message into the communication network with the destination address set to the address of the receiving device B, and a forwarding device H in the network receives, identifies and forwards it, so that the receiving device B receives more than one user identifier and encrypted message. Therefore, in the present application, whether an attack device exists in the communication network can be determined from the number of user identifiers received by the receiving device B. If an attack device C exists, the user identifiers received by the receiving device B are identity-verified by the cooperating verifier T, and once the user identifier of the attack device C is determined, the network management system blocks the connection interface between the attack device C and the communication network so as to resist the attack.
The technical solution of the present application will be described in detail below with specific examples. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments.
Fig. 2 is a schematic flowchart of a method for communication packet verification according to embodiment 1 of the present application. As shown in fig. 2, the execution subject in this embodiment is a sending device, and it is understood that the following steps may be implemented by hardware, software, or a combination of hardware and software. The method of embodiment 1, comprising:
S201: encrypting the message to be transmitted, wherein the message carries the user identifier of the sending device.
In this embodiment, the user identifier of the sending device refers to identification information that can prove the identity of the sending device, and may be a user ID of the sending device.
In the communication process of two communication parties, in order to prevent communication messages from being divulged, before the communication messages are transmitted, the sending equipment needs to encrypt the messages to be transmitted. The message carries the user identifier of the sending device, so that the identity information of the sending device can be verified subsequently.
S202: and generating a first random number as a digital signature, and carrying the digital signature in the encrypted message.
In one possible embodiment, the digital signature may be added to the encrypted message as follows. Specifically, the sending device randomly determines the insertion position of the first random number in the encrypted message; and adding a first random number as a digital signature at the insertion position in the encrypted message.
In this embodiment, after encrypting the communication packet, the sending device needs to continue generating the first random number, and add the first random number as a digital signature to the encrypted packet. Specifically, the sending device randomly determines an insertion position of the first random number in the encrypted message, and adds the digital signature to the insertion position in the encrypted message.
It should be understood that the position of the digital signature inserted into the encrypted message is random and can be any position in the encrypted message.
S203: and sending the encrypted message carrying the digital signature to forwarding equipment in a communication network.
The sending equipment sends the encrypted message carrying the digital signature to a communication network, the destination address is set as the address of the receiving equipment, and the forwarding equipment in the network receives, identifies and forwards the encrypted message. The method specifically comprises the following steps:
the forwarding equipment receives the encrypted message sent by the sending equipment, identifies the digital signature in the encrypted message and generates a second random number; judging whether the second random number is smaller than the first random number; if yes, sending the encrypted message to next hop equipment; otherwise, deleting the digital signature in the encrypted message, and sending the user identifier of the sending equipment and the encrypted message to the receiving equipment. The receiving equipment receives the user identification and the encrypted message sent by the forwarding equipment, judges whether the number of the received user identifications exceeds a threshold value within set time, and if so, initiates a verification request to determine the user identification of the attacking equipment so as to resist the attacking behavior of the attacking equipment; otherwise, the receiving device continues to communicate with the sending device.
In this embodiment, the sending device not only encrypts the communication message, which ensures the security of the communication message; in addition, user identification and digital signature are added in the communication message, so that an identity verification mechanism is introduced subsequently to verify the identity of the sending equipment, and the safety of a communication network system is improved.
Fig. 3 is a flowchart illustrating a method for verifying a communication packet according to embodiment 2 of the present application. As shown in fig. 3, the execution subject in this embodiment is a forwarding device, and it is understood that the following steps may be implemented by hardware, software, or a combination of hardware and software. The method of embodiment 2, comprising:
S301: receiving an encrypted message carrying a digital signature; identifying the digital signature in the encrypted message and generating a second random number.
In this embodiment, more than one forwarding device may be included. When the sending equipment sends the encrypted message carrying the digital signature to the communication network, the encrypted message is received by forwarding equipment in the network, and the digital signature in the encrypted message is identified. The digital signature is a first random number generated by the sending equipment, and the encrypted message carries the user identification of the sending equipment. At the same time, the forwarding device generates a second random number.
For example, when the sending device sends an encrypted message carrying the digital signature N1 to the communication network, the forwarding device H1 in the network first receives and identifies the digital signature N1 in the encrypted message, and generates the second random number N2.
In this embodiment, for convenience of description, the first random number generated by the sending device is set to be N1, and the second random number generated by the forwarding device H1 is set to be N2.
S302: and judging whether the second random number is smaller than the first random number.
The forwarding device determines whether the second random number is smaller than the first random number, and if the second random number is smaller than the first random number, S303 is executed; otherwise, S304 is performed.
S303: and sending the encrypted message carrying the digital signature to the next hop equipment.
In this embodiment, the next hop device refers to a device in the next link in the forwarding process. For example, the next hop device of the forwarding device H1 is the forwarding device H2.
In this embodiment, first, the forwarding device H1 determines whether the second random number is smaller than the first random number, and if so, the forwarding device H1 forwards the encrypted packet with the digital signature to a next-hop device, that is, the forwarding device H2, and the forwarding device H2 repeatedly executes S301 to S302. Specifically, the forwarding device H2 receives an encrypted message carrying a digital signature sent by the forwarding device H1, identifies the digital signature N1 in the encrypted message, generates and updates the second random number N2, and determines whether the updated second random number is smaller than the first random number until the second random number is greater than or equal to the first random number.
It should be noted that the second random number generated by the next hop forwarding device must be generated from a range of numbers larger than the second random number generated by the previous hop forwarding device. For example, the second random number generated by the forwarding device H2 must be generated from a range of numbers greater than the second random number generated by the forwarding device H1.
S304: deleting the digital signature from the encrypted message, and sending the user identifier of the sending device and the encrypted message to the receiving device.
The forwarding device Hn deletes the digital signature from the encrypted message and sends the identified user identifier, together with the encrypted message from which the digital signature has been deleted, to the receiving device.
In this embodiment, the forwarding device Hn denotes the forwarding device whose second random number is not smaller than the first random number. To distinguish it from the other forwarding devices, the forwarding device Hn is referred to as the cooperative verifier.
It should be understood that which forwarding device becomes the cooperative verifier is random, because the size of the random number generated by each forwarding device is uncertain; that is, any forwarding device in the communication network system may become the cooperative verifier. In addition, once the cooperative verifier has appeared, the forwarding devices after it only perform the forwarding function, that is, they continue to forward the user identifier of the sending device and the encrypted message (with the digital signature deleted) to the receiving device.
In this embodiment, the forwarding device introduces an identity verification mechanism through the comparison of the second random number with the first random number; that is, the cooperative verifier is selected at random by this comparison, so that an attacking device cannot single out a particular forwarding device or link in the network communication system to attack, thereby improving the security of the communication network system.
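The hop-by-hop selection of the cooperative verifier described in S301 to S304, as an added simulation that is not the patent's own code. The "digital signature" of this scheme is just the random number N1, so it is carried as an integer; the range layout per hop, the message fields and the fall-back at the last hop are assumptions of this example.

```python
"""Simulation of the forwarding-path selection in S301-S304 (added example,
not the patent's code).  The sending device attaches a first random number
N1 (what this scheme calls the digital signature); each forwarding device
Hk draws a second random number N2 from a range whose lower bound grows
with the hop position, as required above; the first device with N2 >= N1
becomes the cooperative verifier, strips N1 and passes on only the user
identifier and the encrypted message.  The range layout, the message
fields and the fall-back at the last hop are assumptions of this example."""
import secrets
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MAX_RAND = 1000  # assumed common upper bound for N1 and every N2
RandBelow = Callable[[int], int]  # rng(n) returns an int in [0, n)


@dataclass
class SignedMessage:
    user_id: str
    ciphertext: bytes
    signature: Optional[int]  # N1 while in transit, None once stripped


@dataclass
class Forwarder:
    name: str
    hop_index: int   # 1-based position on the path: H1, H2, ...
    total_hops: int

    def draw_second_random(self, rng: RandBelow) -> int:
        # Assumption: hop k draws from [(k-1)*MAX_RAND//n, MAX_RAND], so each
        # hop's range starts above the previous hop's range (rule at L175).
        lower = (self.hop_index - 1) * MAX_RAND // self.total_hops
        return lower + rng(MAX_RAND - lower + 1)


def make_signed_message(user_id: str, ciphertext: bytes,
                        rng: RandBelow = secrets.randbelow) -> SignedMessage:
    """Sender step: draw N1 and attach it to the encrypted message."""
    return SignedMessage(user_id, ciphertext, rng(MAX_RAND + 1))


def forward_chain(msg: SignedMessage, path: List[Forwarder],
                  rng: RandBelow = secrets.randbelow) -> Tuple[str, SignedMessage]:
    """Run msg through H1..Hn; return (cooperative verifier name, delivered msg)."""
    if msg.signature is None:
        raise ValueError("message carries no first random number")
    for fw in path:
        if fw.draw_second_random(rng) < msg.signature:
            continue  # S303: forward unchanged to the next hop
        # S304: this hop is the cooperative verifier; strip N1 and deliver
        return fw.name, SignedMessage(msg.user_id, msg.ciphertext, None)
    # Assumption: if every hop drew below N1, the last hop takes the role.
    return path[-1].name, SignedMessage(msg.user_id, msg.ciphertext, None)


def build_path(n: int) -> List[Forwarder]:
    """Constructed path of n forwarding devices H1..Hn."""
    return [Forwarder(f"H{k}", k, n) for k in range(1, n + 1)]


def verifier_histogram(n_hops: int, trials: int,
                       rng: RandBelow = secrets.randbelow) -> Counter:
    """Count how often each hop ends up as verifier: shows that the role
    is spread over the path rather than fixed to one device."""
    path = build_path(n_hops)
    counts: Counter = Counter()
    for _ in range(trials):
        msg = make_signed_message("U-sender", b"\x00ciphertext", rng)
        counts[forward_chain(msg, path, rng)[0]] += 1
    return counts


if __name__ == "__main__":
    print(verifier_histogram(4, 10000))
```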
Fig. 4 is a flowchart illustrating a method for verifying a communication packet according to embodiment 3 of the present application. As shown in fig. 4, the executing subject is a receiving device in this embodiment, and it is understood that the following steps may be implemented by hardware, software, or a combination of hardware and software. The method of embodiment 3, comprising:
S401: receiving the user identifier of the sending device and the encrypted message sent by the forwarding device.
The receiving device receives the user identifier and the encrypted message of the sending device sent by the forwarding device, and it should be understood that the encrypted message does not carry the digital signature, but the encrypted message carries the user identifier of the sending device.
S402: judging whether the number of user identifiers received within the set time exceeds a threshold.
In the present embodiment, the set time is the interval [0, T0], where T0 may be chosen according to the number of forwarding devices, the urgency of the communication, and so on. When T > T0, the receiving device judges whether the number of received user identifiers exceeds the threshold. Here the threshold is 1.
If the number of the user identifications exceeds the threshold value, executing S403-S404; otherwise, S404 is performed.
S403: an authentication request is initiated.
When the receiving device has received more than one user identifier, it is determined that an attacking device is present in the communication network. The receiving device then sends a verification request to the cooperative verifier and sends all the received user identifiers to it.
The cooperative verifier receives the verification request sent by the receiving device, the request carrying the user identifiers received by the receiving device, and identifies the user identifier of the sending device among them, thereby determining the attacking device. Specifically, the cooperative verifier receives the verification request and the user identifiers, verifies and identifies each user identifier, and so distinguishes the user identifier of the sending device from the user identifier(s) of the attacking device. After verification, the cooperative verifier sends the user identifier of the sending device to the receiving device, which continues with S404; at the same time, the cooperative verifier sends the user identifier of the attacking device to the network management system together with a blocking request.
It should be noted that the cooperative verifier in this embodiment is the same device as the cooperative verifier in embodiment 2 shown in fig. 3, that is, the forwarding device Hn, and details thereof are not described herein.
After receiving the user identifier of the attacking device and the blocking request from the cooperative verifier, the network management system locates the user identifier of the attacking device, determines the connection interface of the attacking device in the communication network, and blocks that interface so as to disconnect the attacking device from the communication network system, thereby ensuring the security of the communication network.
In one possible implementation, the cooperative verifier may determine the user identifier of the sending device in any of the following ways:
1. Since the attacking device has a plurality of user identifiers, the cooperative verifier initiates a separate session to the device corresponding to each user identifier and extracts the user identifier from the session information. If the user identifier in the session information is consistent with the user identifier to which the session was initiated, the device is determined to be the sending device; otherwise, it is the attacking device. The separate session may be of any type, such as a connection request, and the application is not limited in this respect. In addition, to improve the accuracy of the verification, the cooperative verifier may initiate multiple sessions, or sessions of several types.
2. Since the forwarding device H1 and the sending device are connected by optical fibre, the cooperative verifier initiates a communication request to the forwarding device H1; on receiving the request, the forwarding device H1 extracts the user identifier of the sending device from the network interface connected to the sending device and sends it to the cooperative verifier.
3. Since the network management system can monitor and check the device information of all forwarding devices, the cooperative verifier initiates a communication request to the network management system, which extracts the user identifier of the sending device from the network interface between the sending device and the forwarding device H1 and sends it to the cooperative verifier.
S404: communication continues with the sending device.
The receiving device receives the user identifier of the sending device sent by the cooperative verifier, decrypts the received encrypted message with the public key, and continues subsequent communication with the sending device.
In this embodiment, the receiving device decides whether to initiate a verification request by counting the user identifiers received within the set time. If it initiates a verification request, the cooperative verifier verifies the device information behind each user identifier, so that the user identifiers of the sending device and of the attacking device can be distinguished. The cooperative verifier may use any of the three verification methods above, which improves the accuracy of identity verification. The network management system locates the network connection interface between the attacking device and the communication network and blocks it, so that the attack is resisted and the security of the communication network system is improved.
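The receiving-side window check of S401 to S404 together with the cooperative verifier's first verification method (one separate session per user identifier), as an added example that is not the patent's own code. The device table, the session transport and the interface-blocking report are assumptions of this example.

```python
"""Receiving-side window check of S401-S404 and the cooperative verifier's
first verification method (separate sessions per user identifier), as an
added example; not the patent's code.  The receiver records the user
identifiers delivered inside the window [0, T0] and, once the count exceeds
the threshold of 1, hands all of them to the cooperative verifier, which
opens one session per identifier and keeps only the device whose reply
carries the identifier that the session was addressed to.  The device table,
session transport and blocking step are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

THRESHOLD = 1  # the description fixes the threshold at one identifier


@dataclass
class Receiver:
    t0: float                                     # window [0, T0]
    seen: Dict[str, bytes] = field(default_factory=dict)

    def receive(self, user_id: str, ciphertext: bytes, t: float) -> None:
        """S401: record an identifier delivered at time t if inside the window."""
        if 0 <= t <= self.t0:
            self.seen.setdefault(user_id, ciphertext)

    def needs_verification(self) -> bool:
        """S402: more than THRESHOLD distinct identifiers means an attacking
        device is assumed present and a verification request is raised."""
        return len(self.seen) > THRESHOLD


@dataclass
class Device:
    real_id: str     # identifier the device reports in a session reply
    interface: str   # network interface it is attached through (assumed)


def verify_by_sessions(user_ids: List[str],
                       open_session: Callable[[str], str]) -> Tuple[List[str], List[str]]:
    """Verification method 1: open a separate session to each identifier.
    A device counts as the sending device only if the identifier in its
    reply equals the one the session was opened with."""
    genuine, attackers = [], []
    for uid in user_ids:
        (genuine if open_session(uid) == uid else attackers).append(uid)
    return genuine, attackers


def run_verification(receiver: Receiver, devices: Dict[str, Device]) -> dict:
    """S403: consult the verifier; report whom the receiver keeps talking to
    (S404) and which interfaces the management system would block (assumed)."""
    # Assumption: a session reply carries the answering device's real id, so
    # a spoofed identifier is answered by the attacker under its own id.
    def open_session(uid: str) -> str:
        return devices[uid].real_id

    genuine, attackers = verify_by_sessions(sorted(receiver.seen), open_session)
    return {
        "continue_with": genuine,
        "block_interfaces": sorted({devices[u].interface for u in attackers}),
    }


if __name__ == "__main__":
    # Constructed scenario: one genuine sender, one attacker using two ids.
    rx = Receiver(t0=5.0)
    for uid, ct, t in [("U-sender", b"c1", 1.0), ("U-spoof-1", b"c2", 2.0),
                       ("U-spoof-2", b"c3", 3.5), ("U-late", b"c4", 9.0)]:
        rx.receive(uid, ct, t)
    table = {"U-sender": Device("U-sender", "eth1"),
             "U-spoof-1": Device("U-attacker", "eth7"),
             "U-spoof-2": Device("U-attacker", "eth7")}
    if rx.needs_verification():
        print(run_verification(rx, table))
```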
Fig. 5 is a flowchart illustrating a method for verifying a communication packet according to embodiment 4 of the present application. Building on embodiment 1 shown in fig. 2, this embodiment describes step S201 of embodiment 1 in more detail. As shown in fig. 5, the method includes:
Before step S201 shown in fig. 2, in which the sending device encrypts the message to be transmitted, the sending device further performs step S501 shown in fig. 5.
S501: the sending equipment and the message receiving equipment adopt algorithm negotiation to determine the public key.
In this embodiment, what is called the public key is the key shared by the two communicating parties, that is, a symmetric key: each pair of communicating parties holds one such key in common, and both parties use it to encrypt and decrypt communication messages.
In this embodiment, a sending device initiates a communication request to a communication network, and a forwarding device in the network forwards the communication request to a receiving device; after receiving the communication request, the receiving device negotiates with the sending device by adopting an algorithm to determine a public key so as to realize encryption and decryption of the communication message.
It should be noted that, the generation of the public key may adopt various algorithms, and the application is not limited. It should be understood that the generation process of the public key varies from one algorithm to another.
In one possible implementation, the two communicating parties can generate the public key by invoking the Diffie-Hellman algorithm, which includes: negotiating an integer g and a prime number p with the message receiving device, and determining the public key K as $K = g^{ab} \bmod p$. The method specifically comprises the following steps:
The sending device negotiates an integer g and a prime number p with the receiving device by invoking the Diffie-Hellman algorithm. For the values $g \bmod p$, $g^2 \bmod p$, …, $g^{p-1} \bmod p$ to be pairwise distinct integers, the integer g must be a primitive root of the prime p. In addition, the security level of the key is positively correlated with the size of the prime p: the larger the prime p, the higher the security level of the key.
Meanwhile, the sending device generates an integer a ($1 < a < p-1$) and computes the value $X = g^a \bmod p$ to be exchanged; the receiving device generates an integer b ($1 < b < p-1$) and computes the value $Y = g^b \bmod p$. Similarly, the security level of the key is positively correlated with the size of the integers a and b: the larger a and b, the higher the security level of the key.
The two communicating parties then derive the public key K from the exchanged values. Specifically, each party sends its value (X or Y) into the communication network with the destination address set to the address of the peer communication device, and forwarding devices in the network forward it. Each party receives the value from the peer and computes the public key K: the sending device receives Y from the receiving device and computes $K_A = Y^a \bmod p = g^{ab} \bmod p$; similarly, the receiving device receives X from the sending device and computes $K_B = X^b \bmod p = g^{ab} \bmod p$. Hence $K = K_A = K_B$.
Up to this point, the two communicating parties have negotiated to determine the public key K.
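The S501 negotiation carried through with the document's own symbols, as an added example that is not the patent's code. The primitive-root check by enumeration is only feasible for the small prime used here; the random draw of a and b and the value of p are assumptions of this example.

```python
"""Worked run of the S501 negotiation with the document's own symbols
(g, p, a, b, X, Y, K_A, K_B), as an added example; not the patent's code.
The primitive-root condition on g is checked by enumeration, which is only
feasible for the small p used here; a deployment would use a large prime
and draw a and b with a CSPRNG, as secrets.randbelow does below."""
import secrets
from typing import Optional, Tuple


def is_primitive_root(g: int, p: int) -> bool:
    """True when g mod p, g^2 mod p, ..., g^(p-1) mod p are p-1 distinct values."""
    return len({pow(g, k, p) for k in range(1, p)}) == p - 1


def find_primitive_root(p: int) -> int:
    """Smallest primitive root of the prime p (raises if none exists)."""
    for g in range(2, p):
        if is_primitive_root(g, p):
            return g
    raise ValueError("no primitive root found; p must be a prime >= 3")


def negotiate(p: int, g: int, a: Optional[int] = None,
              b: Optional[int] = None) -> Tuple[int, int, int, int]:
    """Return (X, Y, K_A, K_B) for private exponents a, b with 1 < a, b < p-1.
    When a or b is None it is drawn uniformly from [2, p-2]."""
    if not is_primitive_root(g, p):
        raise ValueError("g must be a primitive root of p")
    if a is None:
        a = 2 + secrets.randbelow(p - 3)
    if b is None:
        b = 2 + secrets.randbelow(p - 3)
    if not (1 < a < p - 1 and 1 < b < p - 1):
        raise ValueError("a and b must satisfy 1 < a, b < p-1")
    X = pow(g, a, p)       # value sent by the sending device
    Y = pow(g, b, p)       # value sent by the receiving device
    K_A = pow(Y, a, p)     # sender:   Y^a mod p = g^(ab) mod p
    K_B = pow(X, b, p)     # receiver: X^b mod p = g^(ab) mod p
    return X, Y, K_A, K_B


if __name__ == "__main__":
    p = 23                      # constructed small prime for illustration
    g = find_primitive_root(p)
    X, Y, K_A, K_B = negotiate(p, g, a=6, b=15)
    print(f"g={g} X={X} Y={Y} K_A={K_A} K_B={K_B}")
```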
S502: the sending equipment encrypts the message to be transmitted, and the message carries the user identification of the sending equipment.
In one possible embodiment, the sending device may encrypt the message to be transmitted using the public key. The method specifically comprises the following steps:
after the two communication parties negotiate and determine the public key, in order to ensure the privacy of the message in the transmission process, the sending equipment encrypts the message to be transmitted by adopting the public key. The message carries the user identifier of the sending device, so that the identity information of the sending device can be verified subsequently.
In this embodiment, the two communication parties negotiate and confirm the public key by using an algorithm to realize encryption of the communication message, thereby ensuring the security of the message in the communication process and improving the communication security.
Fig. 6 is a schematic structural diagram of an apparatus for communication packet verification according to an embodiment of the present disclosure. As shown in fig. 6, the communication transmission apparatus 60 according to the present embodiment includes: a determination module 61, an encryption module 62, a first authentication module 63 and a sending module 64. Wherein,
the encryption module 62 is configured to encrypt a message to be transmitted, where the message carries a user identifier of a sending device;
the first verification module 63 is configured to generate a first random number as a digital signature, and carry the digital signature in the encrypted message;
and a sending module 64, configured to send the encrypted message carrying the digital signature to a forwarding device in the communication network.
In a possible implementation, the first verification module 63 is further configured to: randomly determining the insertion position of a first random number in an encrypted message; and adding a first random number as a digital signature at the insertion position in the encrypted message.
In one possible embodiment, the communication transmission apparatus 60 further includes:
a determining module 61, configured to determine a public key by using algorithm negotiation with a message receiving device;
the encryption module 62 is specifically configured to encrypt a packet to be transmitted by using a public key.
In a possible implementation, the determining module 61 is specifically configured to: negotiate an integer g and a prime number p with the message receiving device, and determine the public key K as $K = g^{ab} \bmod p$.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 7, the electronic device 70 of the present embodiment may include: at least one processor 71 and a memory 72.
A memory 72 for storing computer-executable instructions;
a processor 71 for executing computer-executable instructions stored by the memory to implement the various steps performed in the above-described method embodiments. Reference may be made in particular to the description relating to the method embodiments described above.
Alternatively, the memory 72 may be separate or integrated with the processor 71.
When the memory 72 is provided separately, the electronic apparatus further includes a bus 73 for connecting the memory 72 and the processor 71.
Fig. 8 is a schematic structural diagram of another apparatus for communication packet verification according to an embodiment of the present disclosure. As shown in fig. 8, the communication forwarding apparatus 80 provided in this embodiment includes: a first receiving module 81, an identifying module 82, a first judging module 83 and a second verifying module 84. Wherein,
a first receiving module 81, configured to receive an encrypted message carrying a digital signature, where the digital signature is a first random number generated by a sending device, and the encrypted message carries a user identifier of the sending device;
an identifying module 82, configured to identify the digital signature in the encrypted message and generate a second random number;
a first judging module 83, configured to judge whether the second random number is smaller than the first random number; if the second random number is smaller than the first random number, sending the encrypted message carrying the digital signature to next hop equipment; otherwise, deleting the digital signature in the encrypted message, and sending the user identifier of the sending equipment and the encrypted message to the receiving equipment.
In a possible embodiment, the communication forwarding apparatus 80 further includes:
a second verification module 84, configured to receive a verification request sent by a receiving device, where the verification request carries a user identifier received by the receiving device; and identifying the user identification of the sending device from the user identifications received by the receiving device, thereby determining the attacking device.
Fig. 9 is a schematic structural diagram of another electronic device according to an embodiment of the present application. As shown in fig. 9, the electronic device 90 of the present embodiment may include: at least one processor 91 and a memory 92.
A memory 92 for storing computer-executable instructions;
a processor 91 for executing computer executable instructions stored by the memory to implement the various steps performed in the above-described method embodiments. Reference may be made in particular to the description relating to the method embodiments described above.
Alternatively, the memory 92 may be separate or integrated with the processor 91.
When the memory 92 is provided separately, the electronic apparatus further includes a bus 93 for connecting the memory 92 and the processor 91.
Fig. 10 is a schematic structural diagram of another apparatus for communication packet verification according to an embodiment of the present application. As shown in fig. 10, the communication receiving apparatus 100 according to the present embodiment includes: a second receiving module 101 and a second judging module 102. Wherein,
a second receiving module 101, configured to receive a user identifier and an encrypted packet of a sending device sent by a forwarding device;
a second judging module 102, configured to judge whether the number of the received user identifiers within a set time exceeds a threshold; if the number of the user identifications exceeds a threshold value, initiating a verification request; otherwise, communication continues with the sending device.
Fig. 11 is a schematic structural diagram of another electronic device according to an embodiment of the present application. As shown in fig. 11, the electronic device 110 of the present embodiment may include: at least one processor 111 and a memory 112.
A memory 112 for storing computer-executable instructions;
a processor 111 for executing computer executable instructions stored by the memory to implement the steps performed in the above-described method embodiments. Reference may be made in particular to the description relating to the method embodiments described above.
Alternatively, the memory 112 may be separate or integrated with the processor 111.
When the memory 112 is separately provided, the electronic device further includes a bus 113 for connecting the memory 112 and the processor 111.
The embodiment of the application also provides a computer readable storage medium. The computer readable storage medium has stored therein computer executable instructions which, when executed by a processor, implement the authentication method as performed by the electronic device.
The embodiment of the present application further provides a computer program product, where the computer program product includes a computer program, and when the computer program is executed by a processor, the computer program is used to execute the technical solution of the verification method for a communication packet in the foregoing embodiment.
The computer-readable storage medium described above may be implemented by any type of volatile or non-volatile storage device or combination thereof, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk. A readable storage medium may be any available medium that can be accessed by a general purpose or special purpose computer.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (14)

1. A method for validating a communication packet, comprising:
encrypting a message to be transmitted, wherein the message carries a user identifier of a sending device;
generating a first random number as a digital signature, and carrying the digital signature in an encrypted message;
sending the encrypted message carrying the digital signature to forwarding equipment in a communication network.
2. The method of claim 1, wherein said carrying the digital signature in an encrypted message comprises:
randomly determining the insertion position of the first random number in an encrypted message;
adding the first random number as a digital signature at the insertion location in the encrypted message.
3. The method according to claim 1 or 2, wherein before encrypting the message to be transmitted, the method comprises:
determining a public key by algorithm negotiation with the message receiving equipment;
the encrypting the message to be transmitted includes:
encrypting the message to be transmitted by adopting the public key.
4. The method of claim 3, wherein determining the public key using an algorithm negotiation with the message receiving device comprises:
negotiating an integer g and a prime number p with the message receiving device;
determining the public key K as $K = g^{ab} \bmod p$.
5. A method for validating a communication packet, comprising:
receiving an encrypted message carrying a digital signature, wherein the digital signature is a first random number generated by sending equipment, and the encrypted message carries a user identifier of the sending equipment;
identifying a digital signature in the encrypted message and generating a second random number;
judging whether the second random number is smaller than the first random number;
if the second random number is smaller than the first random number, sending the encrypted message carrying the digital signature to next hop equipment; otherwise, deleting the digital signature in the encrypted message, and sending the user identifier of the sending equipment and the encrypted message to the receiving equipment.
6. The method of claim 5, further comprising:
receiving a verification request sent by the receiving equipment, wherein the verification request carries a user identifier received by the receiving equipment;
identifying the user identification of the sending equipment in the user identifications received by the receiving equipment so as to determine the attacking equipment.
7. A method for validating a communication packet, comprising:
receiving a user identifier and an encrypted message of sending equipment sent by forwarding equipment;
judging whether the number of the user identifications received within the set time exceeds a threshold value;
if the number of the user identifications exceeds a threshold value, initiating a verification request; otherwise, communication continues with the sending device.
8. A communication transmission apparatus, comprising:
the encryption module is used for encrypting a message to be transmitted, wherein the message carries a user identifier of the sending equipment;
the first verification module is used for generating a first random number as a digital signature and carrying the digital signature in the encrypted message;
the sending module is used for sending the encrypted message carrying the digital signature to forwarding equipment in a communication network.
9. A communication forwarding apparatus, comprising:
the first receiving module is used for receiving an encrypted message carrying a digital signature, wherein the digital signature is a first random number generated by sending equipment, and the encrypted message carries a user identifier of the sending equipment;
the identification module is used for identifying the digital signature in the encrypted message and generating a second random number;
the first judgment module is used for judging whether the second random number is smaller than the first random number or not; if the second random number is smaller than the first random number, sending the encrypted message carrying the digital signature to next hop equipment; otherwise, deleting the digital signature in the encrypted message, and sending the user identifier of the sending equipment and the encrypted message to the receiving equipment.
10. A communication receiving apparatus, comprising:
the second receiving module is used for receiving the user identification and the encrypted message of the sending equipment, which are sent by the forwarding equipment;
the second judgment module is used for judging whether the number of the user identifications received within the set time exceeds a threshold value; if the number of the user identifications exceeds a threshold value, initiating a verification request; otherwise, communication continues with the sending device.
11. An electronic device, comprising: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executing the computer-executable instructions stored by the memory causes the at least one processor to perform the method of any one of claims 1-4.
12. An electronic device, comprising: at least one processor and a memory;
the memory stores computer-executable instructions;
execution of the computer-executable instructions stored by the memory by the at least one processor causes the at least one processor to perform the method of any of claims 5-6, or the method of claim 7.
13. A computer-readable storage medium having computer-executable instructions stored thereon which, when executed by a processor, implement the method of any one of claims 1-4.
14. A computer-readable storage medium having computer-executable instructions stored thereon which, when executed by a processor, implement the method of any one of claims 5-6, or the method of claim 7.
CN202211097028.2A 2022-09-08 2022-09-08 Method and device for communication message verification Pending CN115766055A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211097028.2A CN115766055A (en) 2022-09-08 2022-09-08 Method and device for communication message verification


Publications (1)

Publication Number Publication Date
CN115766055A true CN115766055A (en) 2023-03-07

Family

ID=85349784


Country Status (1)

Country Link
CN (1) CN115766055A (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination