CN116506138A - Safe interaction method and device and related equipment - Google Patents


Info

Publication number
CN116506138A
Authority
CN
China
Prior art keywords
network element
object file
message
strategy
interaction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210059302.0A
Other languages
Chinese (zh)
Inventor
邵京
陈美玲
粟栗
安宁宇
闫茹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a secure interaction method, a secure interaction device and related equipment. The method is executed by a first network element of a digital twin network and comprises the following steps: acquiring a policy sending message, wherein the policy sending message comprises a network element device address used by a second network element for communication, and policy information; performing integrity protection and encryption on the policy sending message to obtain a first object file; sending the first object file to the second network element; and receiving a policy response message fed back by the second network element based on the first object file, wherein the policy response message comprises an interaction success message or an interaction failure message. The first network element thus integrity-protects and encrypts the interaction content before sending it to the second network element, so that secure interaction between the first network element and the second network element is achieved.

Description

Safe interaction method and device and related equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an interaction method, an interaction device, and related devices.
Background
Digital twinning is a real-time mirror image of physical entities in the digital world and is becoming a new focus of global information technology development and industry digitization. A digital twin network (Digital Twin Network, DTN for short) is a network system with physical network entities and virtual twin entities, which can be mapped interactively in real time. In this system, various network management and applications can utilize the network virtual twin constructed by digital twin technology to efficiently analyze, diagnose, simulate and control the physical network based on data and model. In the prior art, the interaction between the digital twin network and the physical network layer is not configured from the security perspective, so that the problem of how the digital twin network and the physical network interact securely arises.
Disclosure of Invention
The embodiment of the invention provides a secure interaction method, a secure interaction device and related equipment, which are used for solving the problem of how to securely interact a digital twin network and a physical network.
To solve the above problems, the present invention is achieved as follows:
In a first aspect, an embodiment of the present invention provides a secure interaction method, performed by a first network element of a digital twin network, the method comprising:
acquiring a policy sending message, wherein the policy sending message comprises a network element device address used by a second network element for communication, and policy information;
performing integrity protection and encryption on the policy sending message to obtain a first object file;
sending the first object file to the second network element;
and receiving a policy response message fed back by the second network element based on the first object file, wherein the policy response message comprises an interaction success message or an interaction failure message.
Optionally, before acquiring the policy sending message, the method further includes:
determining a shared key with the second network element;
and determining the communication connection between the first network element and the second network element according to the shared key.
Optionally, sending the first object file to the second network element includes:
sending the first object file to the second network element through a communication device, wherein the communication device is used to verify and modify the first object file.
In a second aspect, an embodiment of the present invention provides a secure interaction method, performed by a second network element of a physical network, the method comprising:
receiving a first object file sent by a first network element, wherein the first object file is obtained by integrity protection and encryption of a policy sending message;
decrypting and verifying the first object file to obtain a policy response message, wherein the policy response message comprises an interaction success message or an interaction failure message;
and sending the policy response message to the first network element.
Optionally, before receiving the first object file sent by the first network element, the method further includes:
determining a shared key with the first network element;
and determining the communication connection between the first network element and the second network element according to the shared key.
Optionally, receiving the first object file sent by the first network element includes:
receiving the first object file sent by the first network element through a communication device, wherein the communication device is used to verify and modify the first object file.
In a third aspect, an embodiment of the present invention further provides a secure interaction method, performed by a communication device, the method comprising:
receiving a first object file sent by a first network element;
verifying and modifying the first object file;
and sending the verified and modified first object file to a second network element.
Optionally, verifying and modifying the first object file includes:
determining a security level corresponding to the second network element;
and verifying and modifying the first object file according to the security level and historical data.
In a fourth aspect, an embodiment of the present invention further provides a secure interaction device, including:
a first processor, configured to obtain a policy sending message, wherein the policy sending message includes a network element device address used by the second network element for communication, and policy information; and to perform integrity protection and encryption on the policy sending message to obtain a first object file;
a first transceiver, configured to send the first object file to the second network element, and to receive a policy response message fed back by the second network element based on the first object file, wherein the policy response message comprises an interaction success message or an interaction failure message.
In a fifth aspect, an embodiment of the present invention further provides a secure interaction device, including:
a second processor, configured to decrypt and verify the first object file to obtain a policy response message, wherein the policy response message comprises an interaction success message or an interaction failure message;
a second transceiver, configured to receive the first object file sent by the first network element, wherein the first object file is obtained by integrity protection and encryption of the policy sending message, and to send the policy response message to the first network element.
In a sixth aspect, an embodiment of the present invention further provides a secure interaction device, including:
a third processor, configured to verify and modify the first object file;
a third transceiver, configured to receive the first object file sent by the first network element, and to send the verified and modified first object file to a second network element.
In a seventh aspect, an embodiment of the present invention further provides a communication device, including: a transceiver, a memory, a processor, and a program stored in the memory and executable on the processor; wherein the processor is configured to read the program in the memory to implement the steps of the method according to the first aspect, or the steps of the method according to the second aspect, or the steps of the method according to the third aspect.
In an eighth aspect, an embodiment of the present invention further provides a readable storage medium storing a program which, when executed by a processor, implements the steps of the method according to the first aspect, or the steps of the method according to the second aspect, or the steps of the method according to the third aspect.
In an embodiment of the present invention, a secure interaction method, a secure interaction device and related equipment are provided. The method is performed by a first network element of a digital twin network and includes: acquiring a policy sending message, wherein the policy sending message comprises a network element device address used by a second network element for communication, and policy information; performing integrity protection and encryption on the policy sending message to obtain a first object file; sending the first object file to the second network element; and receiving a policy response message fed back by the second network element based on the first object file, wherein the policy response message comprises an interaction success message or an interaction failure message. The first network element thus integrity-protects and encrypts the interaction content before sending it to the second network element, so that secure interaction between the first network element and the second network element is achieved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments of the present invention will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort to a person of ordinary skill in the art.
FIG. 1 is a schematic flow chart of a secure interaction method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of interaction between a digital twin network and a physical network provided by an embodiment of the present invention;
FIG. 3 is a second flow chart of a secure interaction method according to an embodiment of the present invention;
FIG. 4 is a third flow chart of a method for secure interaction according to an embodiment of the present invention;
FIG. 5 is a schematic flow chart of a TSC provided by an embodiment of the present invention;
FIG. 6 is a schematic diagram of the structure of a digital twin network and a physical network provided by an embodiment of the present invention;
FIG. 7 is a schematic diagram of a security interaction device according to an embodiment of the present invention;
FIG. 8 is a second schematic diagram of a security interaction device according to an embodiment of the present invention;
FIG. 9 is a third schematic diagram of a security interaction device according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a communication device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terms "first," "second," and the like in embodiments of the present invention are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Furthermore, the use of "and/or" in this application means at least one of the connected objects; for example, "A and/or B and/or C" covers the seven cases of A alone, B alone, C alone, A and B together, B and C together, A and C together, and A, B and C together.
The following describes a secure interaction method provided by the embodiment of the present invention.
Referring to fig. 1, fig. 1 is a schematic flow chart of a secure interaction method according to an embodiment of the present invention. The secure interaction method shown in fig. 1 may be performed by a first network element of a digital twin network.
As shown in fig. 1, the secure interaction method may include the steps of:
Step 101, acquiring a policy sending message, wherein the policy sending message comprises a network element device address used by the second network element for communication, and policy information.
In this embodiment, the first network element of the digital twin network and the second network element of the physical network are both communication devices: the first network element device may be a server, a data center or the like, and the second network element device may be a computer, a terminal or the like; the description takes the first network element and the second network element as examples. To ensure the security of data interaction between the digital twin network and the physical network, a matched pair of digital twin border proxies (Digital Twin Border Proxy, abbreviated DTBP) is added, one in the digital twin network and one in the physical network. The DTBP is responsible for message filtering and security policy management on the interface between the digital twin network and the physical network, and mainly acts as the border gateway of both networks. DTBP devices are deployed in pairs and are mainly used to support authentication of the identities of both parties and to provide confidentiality and integrity protection for the interaction information: all messages should be integrity protected, and important messages should be transmitted with encryption. The DTBP device should also support message filtering, attack detection and defense. FIG. 2 is a schematic diagram of the interaction between the digital twin network and the physical network in this embodiment, where the DTBP devices in the digital twin network and in the physical network are denoted D-DTBP and I-DTBP, respectively. A policy generation element (PDE) of the digital twin network may send a policy sending message (Policy setting) to the D-DTBP in the digital twin network, where the policy sending message includes a network element device address in the physical network and the policy.
Optionally, before acquiring the policy sending message, the method further includes: determining a shared key with the second network element; and determining the communication connection between the first network element and the second network element according to the shared key.
Specifically, before the first network element and the second network element communicate, the D-DTBP and the I-DTBP negotiate a shared key between the two parties by means of certificates or a secure tunnel, and the communication connection between the first network element and the second network element is determined through the shared key.
Step 102, performing integrity protection and encryption on the policy sending message to obtain a first object file.
In this embodiment, the DTBP may provide encryption or integrity protection for the interaction messages using the application layer security mechanism JSON Web Encryption (JWE), and may use the application layer signature mechanism JSON Web Signature (JWS) to sign the signaling modifications that the intermediate node, the Twin Security Center (TSC), needs to make on the interface. Specifically, when the physical network is a single-domain network, that is, only one physical network exists, the DTBP in the digital twin network receives the message and uses the symmetric key to provide independent encryption and integrity protection for each JSON object in the policy sending message; the generated first object file is the JWE object.
Step 103, the first object file is sent to the second network element.
In this embodiment, the D-DTBP sends the generated JWE object to the I-DTBP for subsequent verification and decryption. Optionally, sending the first object file to the second network element includes sending it through a communication device, wherein the communication device is used to verify and modify the first object file. Specifically, when the physical network is a cross-domain network, that is, there are multiple physical networks, the DTBP of the digital twin network receives the message, uses the symmetric key to provide independent encryption and integrity protection for each JSON object in the message, and sends the generated JWE object to the TSC. The TSC is responsible for cross-domain content verification, such as secondary verification and traceability of policies; this step is optional. The TSC may verify and modify the transmitted content, and the peer DTBP can verify the authenticity of the policy modification. After modifying the message, the TSC signs the modified content, attaches a JWS object containing the signature and the modified content to the message, and sends it to the I-DTBP.
Step 104, receiving a policy response message fed back by the second network element based on the first object file, where the policy response message includes an interaction success message or an interaction failure message.
In this embodiment, after receiving the first object file, the I-DTBP of the physical network performs confidentiality and integrity verification on it: it receives the first object file, that is, the JWE object, from the TSC or from the D-DTBP, and recovers the original message from the digital twin network. It then verifies the signature in the JWS object and updates the corresponding content of the message according to the changes made by the intermediate node. The message is filtered, and whether it is forwarded into the physical network is decided based on the access control policy. If all verifications pass, an interaction success message is returned; if any verification fails, an interaction failure message is returned. Note that the steps of this embodiment also apply to the case where the physical network sends a message to the digital twin network, which is not described again here.
According to the secure interaction method provided by this embodiment of the invention, the security problem of policy issuing is solved by introducing a matched pair of border gateway proxy devices and a twin security center: the border gateway proxies provide confidentiality and integrity for issued messages and prevent internal and external attacks to a certain extent, and the twin security center can verify, audit and trace policies, so that the security of issued policies is ensured.
Referring to fig. 3, fig. 3 is a second flowchart of a secure interaction method according to an embodiment of the present invention. The secure interaction method of the embodiment of the invention can be executed by the second network element of the physical network.
As shown in fig. 3, the secure interaction method may include the steps of:
Step 301, receiving a first object file sent by a first network element, wherein the first object file is obtained by integrity protection and encryption of a policy sending message.
In this embodiment, the D-DTBP sends the generated JWE object to the I-DTBP for subsequent verification and decryption. Optionally, sending the first object file to the second network element includes sending it through a communication device, wherein the communication device is used to verify and modify the first object file; correspondingly, receiving the first object file sent by the first network element includes receiving it through that communication device. Specifically, when the physical network is a cross-domain network, that is, there are multiple physical networks, the DTBP of the digital twin network receives the message, uses the symmetric key to provide independent encryption and integrity protection for each JSON object in the message, and sends the generated JWE object to the TSC. The TSC is responsible for cross-domain content verification, such as secondary verification and traceability of policies; this step is optional. The TSC may verify and modify the transmitted content, and the peer DTBP can verify the authenticity of the policy modification. After modifying the message, the TSC signs the modified content, attaches a JWS object containing the signature and the modified content to the message, and sends it to the I-DTBP.
Optionally, before receiving the first object file sent by the first network element, the method further includes: determining a shared key with the first network element; and determining the communication connection between the first network element and the second network element according to the shared key. Specifically, before the first network element and the second network element communicate, the D-DTBP and the I-DTBP negotiate a shared key between the two parties by means of certificates or a secure tunnel, and the communication connection between the first network element and the second network element is determined through the shared key.
Step 302, decrypting and verifying the first object file to obtain a policy response message, where the policy response message includes an interaction success message or an interaction failure message.
In this embodiment, after receiving the first object file, the I-DTBP of the physical network performs confidentiality and integrity verification on it: it receives the first object file, that is, the JWE object, from the TSC or from the D-DTBP, and recovers the original message from the digital twin network. It then verifies the signature in the JWS object and updates the corresponding content of the message according to the changes made by the intermediate node. The message is filtered, and whether it is forwarded into the physical network is decided based on the access control policy. Once the verification result is obtained, a policy response message is returned to the digital twin network.
Step 303, sending the policy response message to the first network element.
In this embodiment, if all the verifications pass, an interaction success message is returned, and if the verification fails, an interaction failure message is returned. It should be noted that the steps in this embodiment are also applicable to the case where the physical network sends a message to the digital twin network, and will not be described in detail in this embodiment.
According to the secure interaction method provided by this embodiment of the invention, the security problem of policy issuing is solved by introducing a matched pair of border gateway proxy devices and a twin security center: the border gateway proxies provide confidentiality and integrity for issued messages and prevent internal and external attacks to a certain extent, and the twin security center can verify, audit and trace policies, so that the security of issued policies is guaranteed.
Referring to fig. 4, fig. 4 is a third flowchart of a secure interaction method according to an embodiment of the present invention. The secure interaction method of the embodiment of the invention can be executed by the communication equipment.
Step 401, receiving a first object file sent by a first network element.
In this embodiment, the communication device is a TSC. Specifically, when the physical network is a cross-domain network, that is, there are multiple physical networks, the DTBP of the digital twin network receives the message, uses the symmetric key to provide independent encryption and integrity protection for each JSON object in the message, and sends the generated JWE object to the TSC. The TSC is responsible for cross-domain content verification, such as secondary verification and traceability of policies; this step is optional. The TSC may verify and modify the transmitted content, and the peer DTBP can verify the authenticity of the policy modification. After modifying the message, the TSC signs the modified content, attaches a JWS object containing the signature and the modified content to the message, and sends it to the I-DTBP.
Step 402, verifying and modifying the first object file.
Step 403, sending the verified and modified first object file to a second network element.
In this embodiment, FIG. 5 is a schematic flow chart of the TSC. Optionally, verifying and modifying the first object file includes: determining the security level corresponding to the second network element; and verifying and modifying the first object file according to that security level and historical data. Specifically, the physical network mirrored by the digital twin may be a cellular access network, a cellular core network, a data center network or a campus network. Objects A, B and C in the figure each represent a cross-domain network, and these networks have different security levels. For heterogeneous cross-domain networks, when policies are sent to the network border security gateway through the control issuing center of the digital twin network layer, the twin security center can apply differential security configuration for the different security levels of the physical networks, scheduling and combining different security policies, which improves the efficiency of policy issuing.
The TSC is mainly used for supplementary verification of the transmitted message. For example, the TSC may compare the sending address and identity of the policy against a historical policy repository, and check whether the sender of the policy matches the policy content. When the policy check passes, the TSC signs the checked information with its private key, indicating that the check was correct. When part of the policy check is in doubt and the TSC chooses to issue the policy after correcting it, the TSC signs the corrected information with its private key and issues it attached to the original information. When the policy check fails, the TSC directly returns a policy response message to the D-DTBP carrying an interaction failure message.
According to the secure interaction method provided by this embodiment of the invention, the security problem of policy issuing is solved by introducing a matched pair of border gateway proxy devices and a twin security center: the border gateway proxies provide confidentiality and integrity for issued messages and prevent internal and external attacks to a certain extent, and the twin security center can verify, audit and trace policies, so that the security of issued policies is ensured.
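A runnable model of the exchange described in steps 102 to 104, 301 to 303 and 401 to 403, added here as an example; it is not code from the patent or from China Mobile. It assumes Go's standard library, AES-GCM under the DTBPs' shared key in place of a JWE object, an ECDSA P-256 signature over a SHA-256 digest in place of the TSC's JWS object, and that the sender identity and target address travel as unencrypted associated data so the TSC can check them against its historical policy repository without holding the shared key; every identifier and key value is constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

const Success, Failure = "interaction success", "interaction failure"

// Body is the policy information; it is encrypted end to end between D-DTBP and I-DTBP.
type Body struct {
	Action string `json:"action"`
	Level  int    `json:"level"`
}

// Envelope is the "first object file". Sender and Target travel in clear but are bound to the
// ciphertext as AES-GCM associated data; Patch and Sig are the TSC's signed correction (JWS-like).
type Envelope struct {
	Sender, Target    string
	Nonce, Ciphertext []byte
	Patch, Sig        []byte
}

func (e Envelope) aad() []byte { b, _ := json.Marshal([]string{e.Sender, e.Target}); return b }

// NewAEAD turns the shared key negotiated by the two DTBPs into the AES-GCM cipher both use.
func NewAEAD(sharedKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sharedKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is step 102 at the D-DTBP: encrypt and integrity-protect the policy (JWE-like object).
func Seal(gcm cipher.AEAD, sender, target string, b Body) Envelope {
	e := Envelope{Sender: sender, Target: target, Nonce: make([]byte, gcm.NonceSize())}
	rand.Read(e.Nonce) // crypto/rand.Read always fills the buffer (cannot fail since Go 1.24)
	pt, _ := json.Marshal(b)
	e.Ciphertext = gcm.Seal(nil, e.Nonce, pt, e.aad())
	return e
}

// tscDigest binds a correction to this exact message, so a signed patch cannot be replayed.
func tscDigest(e Envelope, patch []byte) []byte {
	msg, _ := json.Marshal([][]byte{e.aad(), e.Ciphertext, patch})
	sum := sha256.Sum256(msg)
	return sum[:]
}

func NewSigningKey() *ecdsa.PrivateKey { // the TSC's key; its public half is provisioned to the I-DTBP
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the entropy source does
	return k
}

// TSCCheck is step 402 at the twin security center: reject a sender absent from the historical
// policy repository (known); otherwise sign a correction pinning the policy's security level to
// the level configured for the target domain (levels), as the differential configuration does.
func TSCCheck(priv *ecdsa.PrivateKey, known map[string]bool, levels map[string]int, e Envelope) (Envelope, error) {
	lvl, ok := levels[e.Target]
	if !known[e.Sender] || !ok {
		return e, errors.New("policy check failed: unknown sender or target domain")
	}
	patch, _ := json.Marshal(map[string]int{"level": lvl})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, tscDigest(e, patch))
	if err != nil {
		return e, err
	}
	e.Patch, e.Sig = patch, sig
	return e, nil
}

// Open is steps 301-303 at the I-DTBP: decrypt and verify the sealed body, verify and apply the
// TSC's correction if one is attached, and return the policy response message.
func Open(gcm cipher.AEAD, tscPub *ecdsa.PublicKey, e Envelope) (string, Body, error) {
	var b Body
	if len(e.Nonce) != gcm.NonceSize() { // gcm.Open panics on a bad nonce length; fail cleanly
		return Failure, b, errors.New("bad nonce length")
	}
	pt, err := gcm.Open(nil, e.Nonce, e.Ciphertext, e.aad())
	if err != nil {
		return Failure, b, errors.New("confidentiality/integrity verification failed")
	}
	err = json.Unmarshal(pt, &b)
	if err == nil && len(e.Patch)+len(e.Sig) > 0 { // any correction must carry a valid TSC signature
		if !ecdsa.VerifyASN1(tscPub, tscDigest(e, e.Patch), e.Sig) {
			return Failure, Body{}, errors.New("TSC signature verification failed")
		}
		err = json.Unmarshal(e.Patch, &b) // overlay only the fields the TSC signed
	}
	if err != nil {
		return Failure, Body{}, err
	}
	return Success, b, nil
}
```

In the single-domain case the envelope goes straight from Seal to Open; in the cross-domain case TSCCheck sits between them, and Open rejects any envelope whose ciphertext, nonce or attached correction has been altered.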
The various optional embodiments described in the embodiments of the present invention may be implemented in combination with each other without collision, or may be implemented separately, which is not limited to the embodiments of the present invention.
For ease of understanding, examples are illustrated below:
as shown in fig. 6, fig. 6 is a schematic structural diagram of the digital twin network and the physical network in the present embodiment. In order to ensure the interaction safety between the digital twin network and the physical network, DTBP and TSC are introduced.
The DTBP is responsible for message filtering and security policy management on the interface between the digital twin network and the physical network, mainly as a border gateway for both networks. The DTBP equipment is deployed in pairs, and the main functions are as follows:
Mutual identity authentication is supported, and confidentiality and integrity protection are provided for the interaction information: all messages should be integrity protected, and important messages should be transmitted encrypted. The DTBP device should also support message filtering, attack detection and defense.
The TSC is responsible for cross-domain content verification, such as policy secondary verification, policy traceability and the like, and the process is optional. The TSC may verify and modify the transmitted content, and the opposite DTBP may verify the authenticity of the policy modification.
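The following is an added example, not code from the patent or its applicant, of the policy-issuing flow the description above sketches: the first network element's DTBP integrity-protects and encrypts the policy sending message into a first object file, the TSC decrypts it, checks the sending address and identity against a historical policy repository, applies the target's security level, attaches a signed correction or rejects the message outright, and the peer DTBP verifies everything before returning an interaction success or failure message. It uses only the Python standard library, so two substitutions are labelled as such: an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC stands in for a real AEAD such as AES-GCM, and a symmetric TSC key stands in for the private-key signature the text describes. The shared key, the TSC holding that shared key, the repository layout, the addresses and the security levels are all constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed historical policy repository (assumed layout): which sender
# address belongs to which identity, and which rule types it has issued before.
HISTORY = {
    "10.0.0.1": {"identity": "dt-controller-A", "rule_types": {"qos", "routing"}},
}
# Assumed security level of each second network element in the physical network.
SECURITY_LEVEL = {"10.1.0.5": "high", "10.1.0.6": "low"}


def sample_policy_msg(target_addr, rule_types):
    """Constructed policy sending message: the target's address plus the policy itself."""
    return {"sender_addr": "10.0.0.1", "sender_id": "dt-controller-A",
            "target_addr": target_addr,
            "policy": {"rules": [{"type": t} for t in rule_types]}}


def derive(shared_key, label):
    """Per-purpose sub-key from the shared key the two DTBPs agreed on (HMAC used as a KDF)."""
    return hmac.new(shared_key, label, hashlib.sha256).digest()


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real AEAD such as AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(shared_key, policy_msg):
    """D-DTBP: integrity protection and encryption of the policy sending message -> first object file."""
    nonce = secrets.token_bytes(12)
    pt = json.dumps(policy_msg, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(derive(shared_key, b"enc"), nonce, len(pt))))
    tag = hmac.new(derive(shared_key, b"mac"), nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex(), "tsc": None}


def unprotect(shared_key, obj):
    """Check the tag before decrypting anything; None signals an integrity failure."""
    nonce, ct = bytes.fromhex(obj["nonce"]), bytes.fromhex(obj["ct"])
    expected = hmac.new(derive(shared_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(obj["tag"])):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, keystream(derive(shared_key, b"enc"), nonce, len(ct))))
    return json.loads(pt)


def tsc_verdict_sig(tsc_key, body):
    """Symmetric stand-in for the TSC's private-key signature over its verdict."""
    return hmac.new(tsc_key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def tsc_check(shared_key, tsc_key, obj):
    """TSC secondary verification. Returns (object file to forward, early policy response or None)."""
    msg = unprotect(shared_key, obj)
    if msg is None:
        return obj, {"result": "failure", "reason": "integrity"}
    known = HISTORY.get(msg["sender_addr"])
    if known is None or known["identity"] != msg["sender_id"]:
        return obj, {"result": "failure", "reason": "sender mismatch"}  # check fails: respond directly
    rules = msg["policy"]["rules"]
    if SECURITY_LEVEL.get(msg["target_addr"], "high") == "high":
        admissible = [r for r in rules if r["type"] in known["rule_types"]]  # unseen rule types are dropped
    else:
        admissible = rules
    if not admissible:
        return obj, {"result": "failure", "reason": "no admissible rules"}
    body = {"status": "ok" if admissible == rules else "corrected",
            "digest": hashlib.sha256(bytes.fromhex(obj["ct"])).hexdigest()}  # binds the verdict to this file
    if body["status"] == "corrected":
        body["rules"] = admissible  # corrected content travels alongside the original
    return {**obj, "tsc": {**body, "sig": tsc_verdict_sig(tsc_key, body)}}, None


def receive(shared_key, tsc_key, obj):
    """P-DTBP: decrypt and verify the first object file, apply a TSC correction, build the response."""
    msg = unprotect(shared_key, obj)
    if msg is None:
        return {"result": "failure", "reason": "integrity"}
    verdict = obj.get("tsc")
    if verdict is None:
        return {"result": "failure", "reason": "missing TSC verdict"}
    body = {k: v for k, v in verdict.items() if k != "sig"}
    if not hmac.compare_digest(tsc_verdict_sig(tsc_key, body), verdict["sig"]):
        return {"result": "failure", "reason": "bad TSC signature"}
    if body["digest"] != hashlib.sha256(bytes.fromhex(obj["ct"])).hexdigest():
        return {"result": "failure", "reason": "TSC verdict belongs to a different object file"}
    if body["status"] == "corrected":
        msg["policy"]["rules"] = body["rules"]
    return {"result": "success", "applied": [r["type"] for r in msg["policy"]["rules"]]}


def issue_policy(shared_key, tsc_key, policy_msg):
    """End-to-end: D-DTBP -> TSC -> P-DTBP, returning the policy response message."""
    obj = protect(shared_key, policy_msg)
    obj, early = tsc_check(shared_key, tsc_key, obj)
    return early if early is not None else receive(shared_key, tsc_key, obj)
```

The verdict carries a digest of the ciphertext it was issued for, so a signed "ok" cannot be detached from one object file and re-attached to another; the peer DTBP checks that binding after checking the signature, and it checks the message tag before decrypting, so a modified ciphertext is rejected without ever being parsed.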
Referring to fig. 7, fig. 7 is one of structural diagrams of a secure interactive apparatus provided in an embodiment of the present invention. As shown in fig. 7, the secure interaction device 700 includes:
a first processor 710, configured to obtain a policy sending message, where the policy sending message includes the network element device address used by the second network element for communication and policy information; and to carry out integrity protection and encryption on the policy sending message to obtain a first object file;
a first transceiver 720, configured to send the first object file to the second network element; and to receive a policy response message fed back by the second network element based on the first object file, where the policy response message includes an interaction success message or an interaction failure message.
Optionally, the first processor 710 is further configured to determine a shared key with the second network element;
and to determine the communication connection between the first network element and the second network element according to the shared key.
Optionally, the first transceiver 720 is further configured to send the first object file to the second network element through a communication device, where the communication device is configured to verify and modify the first object file.
The security interaction device 700 can implement the processes of the method embodiment of fig. 1 in the embodiment of the present invention, and achieve the same beneficial effects, and for avoiding repetition, the description is omitted here.
Referring to fig. 8, fig. 8 is a second block diagram of a secure interactive apparatus according to an embodiment of the present invention. As shown in fig. 8, the secure interaction device 800 includes:
a second processor 810, configured to decrypt and verify the first object file to obtain a policy response message, where the policy response message includes an interaction success message or an interaction failure message;
a second transceiver 820, configured to receive the first object file sent by the first network element, where the first object file is obtained after integrity protection and encryption of a policy sending message; and to send the policy response message to the first network element.
Optionally, the second processor 810 is further configured to determine a shared key with the first network element;
and to determine the communication connection between the first network element and the second network element according to the shared key.
Optionally, the second transceiver 820 is further configured to receive the first object file sent by the first network element through a communication device, where the communication device is configured to verify and modify the first object file.
The secure interaction device 800 can implement the processes of the method embodiment of fig. 3 in the embodiment of the present invention, and achieve the same beneficial effects, and for avoiding repetition, a detailed description is omitted here.
Referring to fig. 9, fig. 9 is a third block diagram of a secure interactive apparatus according to an embodiment of the present invention. As shown in fig. 9, the secure interaction device 900 includes:
a third processor 910, configured to verify and modify the first object file;
a third transceiver 920, configured to receive the first object file sent by the first network element; and to send the verified and modified first object file to the second network element.
Optionally, the third processor 910 is further configured to determine a security level corresponding to the second network element;
and to verify and modify the first object file according to the security level and historical data.
The embodiment of the invention also provides communication equipment. Referring to fig. 10, a communication device may include a processor 1001, a memory 1002, and a program 10021 stored on the memory 1002 and executable on the processor 1001.
In the case of the communication device being the first network element of the digital twin network, the program 10021, when executed by the processor 1001, may implement the steps in the method embodiment corresponding to fig. 1:
performed by a first network element of a digital twin network, the method comprising:
acquiring a policy sending message, wherein the policy sending message comprises the network element device address used by a second network element for communication and policy information;
carrying out integrity protection and encryption on the policy sending message to obtain a first object file;
transmitting the first object file to the second network element;
and receiving a policy response message fed back by the second network element based on the first object file, wherein the policy response message comprises an interaction success message or an interaction failure message.
Optionally, before acquiring the policy sending message, the method further includes:
determining a shared key with the second network element;
and determining the communication connection between the first network element and the second network element according to the shared key.
Optionally, the sending the first object file to the second network element includes:
sending the first object file to the second network element through a communication device, wherein the communication device is used for verifying and modifying the first object file.
In the case where the communication device is the second network element of the physical network, the program 10021, when executed by the processor 1001, may implement the steps in the method embodiment corresponding to fig. 3:
performed by a second network element of a physical network, the method comprising:
receiving a first object file sent by a first network element, wherein the first object file is obtained after integrity protection and encryption of a policy sending message;
decrypting and verifying the first object file to obtain a policy response message, wherein the policy response message comprises an interaction success message or an interaction failure message;
and sending the policy response message to the first network element.
Optionally, before receiving the first object file sent by the first network element, the method further includes:
determining a shared key with the first network element;
and determining the communication connection between the first network element and the second network element according to the shared key.
Optionally, the receiving the first object file sent by the first network element includes:
receiving the first object file sent by the first network element through a communication device, wherein the communication device is used for verifying and modifying the first object file.
In the case where the communication device is the intermediate communication device that verifies and modifies the first object file, the program 10021, when executed by the processor 1001, may implement the steps in the method embodiment corresponding to fig. 4:
performed by a communication device, the method comprising:
receiving a first object file sent by a first network element;
verifying and modifying the first object file;
and sending the verified and modified first object file to a second network element.
Optionally, the verifying and modifying the first object file includes:
determining a security level corresponding to the second network element;
and verifying and modifying the first object file according to the security level and historical data.
The communication device of the embodiment of the invention solves the security problem of policy issuing by introducing a pair of matched border gateway proxy devices and a twin security center: the border gateway proxy devices provide confidentiality and integrity for issued messages and prevent internal and external attacks to a certain extent, and the twin security center can verify, audit and trace the policy, thereby guaranteeing the security of issued policies.
Those of ordinary skill in the art will appreciate that all or a portion of the steps of implementing the methods of the embodiments described above may be implemented by hardware associated with program instructions, where the program may be stored on a readable medium. The embodiment of the present invention further provides a readable storage medium, where a computer program is stored, where the computer program when executed by a processor may implement the steps in the method embodiments corresponding to fig. 1, 3, or 4.
Performed by a first network element of a digital twin network, the method comprising:
acquiring a policy sending message, wherein the policy sending message comprises the network element device address used by a second network element for communication and policy information;
carrying out integrity protection and encryption on the policy sending message to obtain a first object file;
transmitting the first object file to the second network element;
and receiving a policy response message fed back by the second network element based on the first object file, wherein the policy response message comprises an interaction success message or an interaction failure message.
Optionally, before acquiring the policy sending message, the method further includes:
determining a shared key with the second network element;
and determining the communication connection between the first network element and the second network element according to the shared key.
Optionally, the sending the first object file to the second network element includes:
sending the first object file to the second network element through a communication device, wherein the communication device is used for verifying and modifying the first object file.
Or, performed by a second network element of a physical network, the method comprising:
receiving a first object file sent by a first network element, wherein the first object file is obtained after integrity protection and encryption of a policy sending message;
decrypting and verifying the first object file to obtain a policy response message, wherein the policy response message comprises an interaction success message or an interaction failure message;
and sending the policy response message to the first network element.
Optionally, before receiving the first object file sent by the first network element, the method further includes:
determining a shared key with the first network element;
and determining the communication connection between the first network element and the second network element according to the shared key.
Or, performed by a communication device, the method comprising:
receiving a first object file sent by a first network element;
verifying and modifying the first object file;
and sending the verified and modified first object file to a second network element.
Optionally, the verifying and modifying the first object file includes:
determining a security level corresponding to the second network element;
and verifying and modifying the first object file according to the security level and historical data.
Any combination of one or more computer readable media may be employed in the computer readable storage media of the embodiments herein. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present application may be written in one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or terminal. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The readable storage medium of the embodiment of the invention solves the security problem of policy issuing by introducing a pair of matched border gateway proxy devices and a twin security center: the border gateway proxy devices provide confidentiality and integrity for issued messages and prevent internal and external attacks to a certain extent, and the twin security center can verify, audit and trace the policy, thereby guaranteeing the security of issued policies.
While the foregoing is directed to the preferred embodiments of the present application, it will be appreciated by those of ordinary skill in the art that numerous modifications and variations can be made without departing from the principles set forth herein, and such modifications and variations are to be regarded as being within the scope of the present application.

Claims (13)

1. A method of secure interaction performed by a first network element of a digital twin network, the method comprising:
acquiring a policy sending message, wherein the policy sending message comprises the network element device address used by a second network element for communication and policy information;
carrying out integrity protection and encryption on the policy sending message to obtain a first object file;
transmitting the first object file to the second network element;
and receiving a policy response message fed back by the second network element based on the first object file, wherein the policy response message comprises an interaction success message or an interaction failure message.
2. The method of claim 1, wherein before acquiring the policy sending message, the method further comprises:
determining a shared key with the second network element;
and determining the communication connection between the first network element and the second network element according to the shared key.
3. The method of claim 1, wherein said sending the first object file to the second network element comprises:
sending the first object file to the second network element through a communication device, wherein the communication device is used for verifying and modifying the first object file.
4. A method of secure interaction performed by a second network element of a physical network, the method comprising:
receiving a first object file sent by a first network element, wherein the first object file is obtained after integrity protection and encryption of a policy sending message;
decrypting and verifying the first object file to obtain a policy response message, wherein the policy response message comprises an interaction success message or an interaction failure message;
and sending the policy response message to the first network element.
5. The method of claim 4, wherein prior to receiving the first object file sent by the first network element, the method further comprises:
determining a shared key with the first network element;
and determining the communication connection between the first network element and the second network element according to the shared key.
6. The method of claim 4, wherein receiving the first object file sent by the first network element comprises:
receiving the first object file sent by the first network element through a communication device, wherein the communication device is used for verifying and modifying the first object file.
7. A secure interaction method performed by a communication device, the method comprising:
receiving a first object file sent by a first network element;
verifying and modifying the first object file;
and sending the verified and modified first object file to a second network element.
8. The method of claim 7, wherein said verifying and modifying the first object file comprises:
determining a security level corresponding to the second network element;
and verifying and modifying the first object file according to the security level and historical data.
9. A secure interactive apparatus, comprising:
a first processor, configured to obtain a policy sending message, where the policy sending message includes the network element device address used by the second network element for communication and policy information; and to carry out integrity protection and encryption on the policy sending message to obtain a first object file;
a first transceiver, configured to send the first object file to the second network element; and to receive a policy response message fed back by the second network element based on the first object file, where the policy response message includes an interaction success message or an interaction failure message.
10. A secure interactive apparatus, comprising:
a second processor, configured to decrypt and verify the first object file to obtain a policy response message, where the policy response message includes an interaction success message or an interaction failure message;
a second transceiver, configured to receive the first object file sent by the first network element, where the first object file is obtained after integrity protection and encryption of a policy sending message; and to send the policy response message to the first network element.
11. A secure interactive apparatus, comprising:
a third processor, configured to verify and modify the first object file;
a third transceiver, configured to receive the first object file sent by the first network element; and to send the verified and modified first object file to a second network element.
12. A communication device, comprising: a transceiver, a memory, a processor, and a program stored on the memory and executable on the processor; characterized in that the processor is configured to read the program in the memory to implement the steps of the secure interaction method according to any one of claims 1 to 3; or the steps of the secure interaction method according to any one of claims 4 to 6; or the steps of the secure interaction method according to any one of claims 7 to 8.
13. A readable storage medium storing a program, wherein the program, when executed by a processor, implements the steps of the secure interaction method according to any one of claims 1 to 3; or the steps of the secure interaction method according to any one of claims 4 to 6; or the steps of the secure interaction method according to any one of claims 7 to 8.
CN202210059302.0A 2022-01-19 2022-01-19 Safe interaction method and device and related equipment Pending CN116506138A (en)


Publications (1)

Publication Number Publication Date
CN116506138A true CN116506138A (en) 2023-07-28

Family

ID=87318878



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination