WO2011044807A1 - Method for anonymous communication and registration of anonymous communication, and data message transceiving system - Google Patents


Info

Publication number
WO2011044807A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
identity
anonymous
parameter
data packet
Application number
PCT/CN2010/076945
Other languages
English (en)
Chinese (zh)
Inventor
孙翼舟
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)
Application filed by 中兴通讯股份有限公司
Publication of WO2011044807A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Mechanisms of H04L9/32 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/321 Mechanisms of H04L9/32 involving a third party or a trusted authority
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/42 Anonymization, e.g. involving pseudonyms

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a registration method and a communication method for anonymous communication, and to a data packet transceiving system.
  • In the TCP/IP (Transmission Control Protocol/Internet Protocol) suite widely used on the Internet, the IP address has a dual function: at the network layer it is the location identifier of a terminal host's network interface in the network topology, and at the transport layer it is also the identity identifier of that host network interface.
  • The TCP/IP protocol was not designed with host mobility in mind, and the semantic overload of the IP address is becoming increasingly apparent.
  • When a host's IP address changes, not only does the route change, but the identity of the communicating host changes as well. This makes the routing load heavier and heavier, and the change of host identity interrupts applications and connections.
  • The purpose of separating identity identifiers from location identifiers is to solve the semantic overload of the IP address and the resulting routing-load and security problems: the dual functions of the IP address are split so as to support mobility, multi-homing and dynamic reallocation of IP addresses, to mitigate the routing load, and to allow interworking between different network areas in the next-generation Internet.
  • There are two main prior-art solutions for identity/location separation: one is host-based and the other is router-based, and each has several related technologies supporting it.
  • The main host-based protocol is the Host Identity Protocol (HIP); the main router-based protocol is the Locator/ID Separation Protocol (LISP).
  • HIP is a host mobility association protocol. It separates the IP address into an end-point identifier and a location identifier.
  • The basic idea of HIP is to introduce a "layer 3.5", the Host Identity Layer (HIL), between the Layer 3 network layer and the Layer 4 transport layer; that is, a Host Identity (HI) space is introduced between the domain name space and the IP address space.
  • The host identity layer separates the transport layer from the network layer, which were previously tightly coupled. The IP address no longer acts as the host identity and is only responsible for routing and forwarding packets, i.e. it is used only as a locator; the host is instead named by its host identifier.
  • The HIL sits logically between the network layer and the transport layer. The transport layer uses transport-layer identifiers, and the host identity layer translates between host identifiers and IP addresses in the data packets.
  • The network layer is thereby shielded from the transport layer: changes in the network layer (for example a change of the host's IP address during communication) do not affect the transport-layer connection unless the quality of service changes.
  • A transport-layer connection under HIP is established on the host identity; the IP address is used only for network-layer routing and no longer identifies the host.
  • The key idea of HIP is to break the tight coupling between the network layer and the transport layer, so that the connection between the application layer and the transport layer is not affected by a change of IP address. When the IP address used by a connection changes, the HI remains unchanged, so the connection is not interrupted.
  • The IP address is used only for routing and addressing, and it is the HI, rather than the IP address, that identifies the end host of a connection in the connection socket.
  • LISP reuses routing technology and makes a few changes to the existing routing topology. Combined with the existing transport network, it optimises existing routing technology with minimal modification.
  • In a LISP system the host still uses an IP address, called the EID (Endpoint Identifier), to track sockets, establish connections and send and receive packets, while routers forward packets based on IP destination RLOCs (Routing Locators). LISP introduces tunnel routing: a LISP header is added when the host's packet enters the system and removed before the packet is finally delivered to the destination. The IP addresses in the "outer header" of a LISP packet are RLOCs.
  • The ITR (Ingress Tunnel Router) performs an EID-to-RLOC lookup to determine the routing path to the ETR (Egress Tunnel Router), which uses the RLOC as its address.
  • LISP is a network-based protocol: it affects only the network part, more precisely only the existing Internet backbone, and does not affect the access layer or the user hosts of the existing network. It is completely transparent to the host.
  • Under identity/location separation it is the user's identity identifier that maps to the corresponding location identifier. The identity identifier must therefore be the real identity of the communication node and must be passed between the communication nodes; otherwise the peer's location identifier cannot be determined and no connection between the nodes can be established.
  • The technical problem to be solved by the present invention is to provide a registration method and a communication method for anonymous communication, and a data message transceiving system, that realise anonymous communication in a network in which identity identifiers and location identifiers are separated.
  • An anonymous communication registration method of the present invention is applied to a network in which identity identifiers and location identifiers are separated, and includes: a first node sends an anonymous communication request to a first access node, the request carrying a first parameter and a second parameter, where the first parameter includes the identity identifier of the first node and the second parameter includes the identity identifiers of one or more communication peer nodes of the first node; after receiving the anonymous communication request, the first access node sends an anonymous identity assignment request carrying the first and second parameters to a first distribution node; after receiving the anonymous identity assignment request, the first distribution node allocates an anonymous identity identifier to the first node and establishes and saves mapping information between the anonymous identity identifier, the identity identifier of the first node and the identity identifiers in the second parameter, or between the anonymous identity identifier, the identity identifier and location identifier of the first node and the identity identifiers in the second parameter.
  • The method further includes: the first distribution node sends an anonymous communication response message to the first access node carrying that mapping information (in either of the two forms above); after receiving the anonymous communication response message, the first access node reads and saves the mapping information.
  • Preferably, after receiving the anonymous communication response message, the first access node records that the first node is in the anonymous communication state with respect to each node identified by an identity identifier in the second parameter.
  • Preferably, after receiving the anonymous communication request and before sending the anonymous identity assignment request to the first distribution node, the first access node first confirms with the authentication centre whether the first node has the right to the anonymous communication service; the authentication centre queries the user attributes of the first node.
  • A registration system for anonymous communication includes a node and an access node associated with it, and the system is configured to implement the registration method for anonymous communication described above.
  • A further registration method for anonymous communication is applied to a network in which identity identifiers and location identifiers are separated, and includes: a first node sends an anonymous communication request to a first access node, the request carrying a first parameter and a second parameter, where the first parameter includes the identity identifier of the first node and the second parameter includes the identity identifiers of one or more communication peers of the first node; after receiving the anonymous communication request, the first access node itself allocates an anonymous identity identifier to the first node and establishes and saves mapping information between the anonymous identity identifier, the identity identifier of the first node and the identity identifiers in the second parameter, or between the anonymous identity identifier, the identity identifier and location identifier of the first node and the identity identifiers in the second parameter.
  • The method further includes: after establishing the mapping information, the first access node initiates registration of the mapping information with a first storage node, sending it the mapping information (in either of the two forms above), which the first storage node saves.
  • After receiving the mapping information, the first storage node records that the first node is in the anonymous communication state with respect to each node identified by an identity identifier in the second parameter.
  • The method further includes: after receiving the anonymous communication request, the first access node first confirms with the authentication centre whether the first node has the right to the anonymous communication service; the authentication centre queries the user attributes of the first node and, if the first node has the right to the anonymous communication service, sends an acknowledgement message to the first access node; after receiving the acknowledgement, the first access node allocates the anonymous identity identifier to the first node.
  • A method for anonymous communication is applied to a network in which identity identifiers and location identifiers are separated, and includes: a first node sends a first data packet to a second node through the first access node to which it is attached, the first data packet carrying the identity identifiers of the first node and the second node; after receiving the first data packet, the first access node determines whether the first node uses anonymous communication towards the second node and, if so, replaces the identity identifier of the first node in the first data packet with the anonymous identity identifier of the first node; it then adds the encapsulated location identifiers to the first data packet and sends it through the forwarding network to the second access node to which the second node is attached; the second access node decapsulates the first data packet and sends the decapsulated packet to the second node.
  • After receiving the first data packet, the second node returns a second data packet to the first node, the second data packet carrying the identity identifier of the second node and the anonymous identity identifier of the first node; the second access node adds the encapsulated location identifiers to the second data packet and sends it through the forwarding network to the first access node; the first access node decapsulates the second data packet, replaces the anonymous identity identifier of the first node carried in it with the identity identifier of the first node, and sends it to the first node.
  • One way for the first access node to determine whether the first node uses anonymous communication towards the second node is to look up, locally or in a first storage node other than itself, the saved mapping information of the first node (the anonymous identity identifier with the identity identifier of the first node and the identity identifiers in the second parameter, or with the identity identifier and location identifier of the first node and the identity identifiers in the second parameter) and check whether it contains the identity identifier of the second node; if so, the first node uses anonymous communication towards the second node.
  • Another way is for the first access node to check whether information recording that the first node is in the anonymous communication state with respect to the second node is stored locally or in a first storage node other than itself; if such information is recorded, the first node uses anonymous communication towards the second node.
  • A method for cancelling anonymous communication is applied to a network in which identity identifiers and location identifiers are separated, and includes: a first node sends a cancel-anonymous-communication request to a first access node, the request carrying a first parameter and a third parameter, where the first parameter includes the identity identifier of the first node and the third parameter includes the identity identifiers of the nodes towards which anonymous communication is to be cancelled; after receiving the request, the first access node deletes the identity identifiers contained in the third parameter from the saved mapping information of the first node's anonymous identity identifier.
  • The method further includes: the first access node sends a mapping information change request carrying the first parameter and the third parameter to a first storage node; the first storage node deletes the identity identifiers contained in the third parameter from the mapping information it saved for the first node (the anonymous identity identifier with the identity identifier of the first node and the identity identifiers in the second parameter, or with the identity identifier and location identifier of the first node and the identity identifiers in the second parameter).
  • The information recording that the first node is in the anonymous communication state with respect to the nodes identified by the identity identifiers in the third parameter is deleted as well.
  • If the third parameter includes the identity identifiers of all the peer nodes in the mapping information, the first access node and the first storage node also delete the anonymous identity identifier.
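  The registration, forward-path rewriting, return-path mapping and cancellation procedures claimed above, modelled end to end in Python as an added example for this page (it is not code from the patent or from ZTE). The class names, the AIDx allocation scheme, the in-memory tables and the `entitled` set standing in for the authentication centre's user attribute are assumptions; AID-RID entries are given up front instead of being resolved from an ILR. The example makes explicit one thing the claims leave implicit: because the peer only ever sees AIDx, its reply is addressed to AIDx, so the access node must keep a reverse (AIDx to AIDm) index to deliver it.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Packet:
    # Inner header carries identity identifiers (AIDs); the ASN adds an
    # outer (src_rid, dst_rid) encapsulation for the backbone.
    src_aid: str
    dst_aid: str
    payload: bytes
    outer: Optional[Tuple[str, str]] = None


@dataclass
class AnonMapping:
    # Mapping information: AIDx with AIDm, RIDm and the identities of the second parameter.
    anon_aid: str
    real_aid: str
    rid: str
    peers: Set[str]


class DistributionNode:
    # Stands in for the "first distribution node": hands out never-reused AIDx values.
    def __init__(self) -> None:
        self._counter = 0

    def allocate(self) -> str:
        self._counter += 1
        return f"AIDx-{self._counter:04d}"


class AccessServiceNode:
    # Stands in for the "first access node" (ASNm). Holds an AID-RID table
    # (assumed already resolved) plus the anonymous mapping information.
    def __init__(self, rid: str, distributor: DistributionNode,
                 entitled: Set[str], aid_to_rid: Dict[str, str]) -> None:
        self.rid = rid
        self.distributor = distributor
        self.entitled = entitled          # stand-in for the authentication centre's user attribute
        self.aid_to_rid = aid_to_rid
        self.by_real: Dict[str, AnonMapping] = {}
        self.by_anon: Dict[str, AnonMapping] = {}

    # Registration: first parameter = AIDm, second parameter = peer AIDs.
    def register(self, first_param: str, second_param: Set[str]) -> Optional[str]:
        if first_param not in self.entitled:  # authentication centre refuses the service
            return None
        m = self.by_real.get(first_param)
        if m is None:
            m = AnonMapping(self.distributor.allocate(), first_param,
                            self.aid_to_rid[first_param], set())
            self.by_real[first_param] = m
            self.by_anon[m.anon_aid] = m
        m.peers |= set(second_param)          # anonymous state towards these peers
        return m.anon_aid

    # Cancellation: third parameter = peer AIDs to remove from the mapping.
    def cancel(self, first_param: str, third_param: Set[str]) -> bool:
        m = self.by_real.get(first_param)
        if m is None:
            return False
        m.peers -= set(third_param)
        if not m.peers:                       # all peers removed: release AIDx too
            del self.by_real[first_param]
            del self.by_anon[m.anon_aid]
        return True

    def uses_anonymous(self, src_aid: str, dst_aid: str) -> bool:
        m = self.by_real.get(src_aid)
        return m is not None and dst_aid in m.peers

    # Forward path, terminal -> backbone: rewrite the source AID if needed, then encapsulate.
    def forward(self, pkt: Packet) -> Optional[Packet]:
        src = pkt.src_aid
        if self.uses_anonymous(src, pkt.dst_aid):
            src = self.by_real[src].anon_aid  # AIDm replaced by AIDx
        dst_rid = self.aid_to_rid.get(pkt.dst_aid)
        if dst_rid is None:
            return None                       # no mapping entry: a real ASN would query the ILR
        return Packet(src, pkt.dst_aid, pkt.payload, outer=(self.rid, dst_rid))

    # Return path, backbone -> terminal: strip RIDs, map AIDx back to AIDm.
    def deliver(self, pkt: Packet) -> Packet:
        m = self.by_anon.get(pkt.dst_aid)
        dst = m.real_aid if m else pkt.dst_aid
        return Packet(pkt.src_aid, dst, pkt.payload)


def demo() -> dict:
    # Constructed scenario: MN is anonymous towards CN1 only; CN2 sees the real AIDm.
    rids = {"AIDm": "RIDm", "AID-cn1": "RIDc", "AID-cn2": "RIDc"}
    asn_m = AccessServiceNode("RIDm", DistributionNode(), {"AIDm"}, rids)
    aidx = asn_m.register("AIDm", {"AID-cn1"})
    to_cn1 = asn_m.forward(Packet("AIDm", "AID-cn1", b"hello"))
    to_cn2 = asn_m.forward(Packet("AIDm", "AID-cn2", b"hello"))
    # CN1 only ever saw AIDx, so that is the address it replies to.
    reply = asn_m.deliver(Packet("AID-cn1", aidx, b"re: hello", outer=("RIDc", "RIDm")))
    asn_m.cancel("AIDm", {"AID-cn1"})
    after = asn_m.forward(Packet("AIDm", "AID-cn1", b"hello again"))
    return {"aidx": aidx, "src_to_cn1": to_cn1.src_aid, "outer_to_cn1": to_cn1.outer,
            "src_to_cn2": to_cn2.src_aid, "reply_dst": reply.dst_aid,
            "mapping_released": aidx not in asn_m.by_anon, "src_after_cancel": after.src_aid}
```

  Calling `demo()` shows the service boundary: packets to the peer named in the second parameter leave with source AIDx, packets to any other peer leave with the real AIDm, the reply addressed to AIDx is delivered to AIDm, and cancelling the last remaining peer releases the anonymous identity so later packets are no longer rewritten.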
  • A data packet transceiving system is applied to a network in which identity identifiers and location identifiers are separated, and includes an anonymous identity assignment unit configured to assign an anonymous identity identifier to a node and to establish and save mapping information between the anonymous identity identifier, the identity identifier of the node and the identity identifiers in a received second parameter, or between the anonymous identity identifier, the identity identifier and location identifier of the node and the identity identifiers in the received second parameter.
  • The system further includes: a transceiver unit configured to receive a data message sent by a first node to a second node, the data message carrying the identity identifiers of the first node and the second node; a unit configured to determine whether the first node uses anonymous communication towards the second node and, if so, to notify an update unit; the update unit, configured to replace the identity identifier of the first node carried in the data packet with the anonymous identity identifier; and a unit configured to encapsulate the location identifiers of the first node and the second node in the data packet so that the identity/location separation network architecture routes and forwards the packet to the second node.
  • The transceiver unit is further configured, when receiving a data packet sent by the second node to the first node, to replace the anonymous identity identifier of the first node carried in the packet with the identity identifier of the first node and to forward the packet to the first node.
  • Another data packet transceiving system is applied to a network in which identity identifiers and location identifiers are separated and includes a first subsystem and a second subsystem. The first subsystem includes: a first transceiver unit configured to receive a first data packet sent by the first node to the second node, the first data packet carrying the identity identifiers of the first node and the second node, and further configured to receive a second data packet sent by a second transceiver unit of the second subsystem, the second data packet carrying the anonymous identity identifier of the first node and the identity identifier of the second node; a first determining unit configured to determine whether the first node uses anonymous communication towards the second node and, if so, to notify a first update unit; and the first update unit, configured to replace the identity identifier of the first node with its anonymous identity identifier when the first node sends the first data message to the second node.
  • The second subsystem includes the second transceiver unit, configured to receive the first data packet and forward it to the second node, and to forward the second data packet from the second node towards the first node, the second data packet carrying the anonymous identity identifier of the first node and the identity identifier of the second node.
  • The identity/location separation based solution of the present invention can thus provide an anonymous identifier space that meets the needs of service development on top of a real-name trust domain. Under the identity/location separation framework, the real-name trust domain is guaranteed by the network's credit, and the anonymous space is operated by the network according to service authorisation.
  • FIG. 1 is a schematic diagram of a network topology based on an identity/location separation architecture;
  • FIG. 2 is the overall flow for implementing anonymous communication according to Embodiment 1 of the present invention;
  • FIG. 3 is a flowchart of the anonymous communication signalling initiated by a terminal according to Embodiment 2 of the present invention;
  • FIG. 4 is another signalling flow for a terminal to initiate anonymous communication according to Embodiment 3 of the present invention;
  • FIG. 5 is a flowchart of establishing end-to-end anonymous communication according to Embodiment 4 of the present invention;
  • FIG. 6 is a flowchart of the signalling for a terminal to cancel anonymous communication according to Embodiment 5 of the present invention;
  • FIG. 7 is a structural diagram of an access service node according to an embodiment of the present invention.
  • FIG. 1 is a schematic diagram of the network topology of an identity/location separation architecture according to an embodiment of the present invention; it shows the key network elements and functional entities of the architecture that are relevant to the present invention.
  • The network is divided into an access network and a backbone network. The access network is located at the edge of the backbone network and is responsible for the access of all terminals; the backbone network is responsible for routing between the terminals that access through the access network.
  • An Access Service Node (ASN) is located at the demarcation point between the backbone network and the access network and interfaces with both. The ASN provides access services for terminals, maintains user connections and forwards user data. There is no overlap between the access network and the backbone network in the topology.
  • Two kinds of identifier are used: the Access Identifier (AID) and the Routing-Location Identifier (RID). The AID is a unique identifier assigned to each terminal in the network; it is used at the access layer and remains unchanged while the terminal moves. The end points in this architecture use the AID to identify the peer, and the peer's AID is needed for communication.
  • The backbone network is divided into two planes: a mapping forwarding plane and a generalised forwarding plane. The main function of the generalised forwarding plane is to route and forward data packets according to the RID in the packet; its routing and forwarding behaviour is the same as that of a traditional IP network. The main function of the mapping forwarding plane is to save the identity/location mapping information of mobile nodes (i.e. RID-AID mappings), process the registration of mobile nodes, process location queries for communication peers, and route and forward data packets whose destination address is an AID.
  • The main network elements and functional entities involved are as follows. Terminal: in this architecture the accessing terminal may be one or more of a mobile node, a fixed node and a nomadic node.
  • Access network: provides Layer 2 (physical layer and link layer) access services for terminals. The access network may be a base station system, such as a BSS (Base Station Subsystem), a RAN (Radio Access Network) or an eNodeB (evolved Node B), or it may be xDSL (Digital Subscriber Line), an AP (wireless Access Point), etc.
  • ASN: maintains the connection between the terminal and the backbone network, assigns the RID to the terminal, processes the handover process and the registration process, performs accounting/authentication, and maintains/queries the AID-RID mapping of the communication peer.
  • When the ASN receives a data packet sent by the terminal, it searches locally for the RID corresponding to the AID of the communication peer (CN) in the packet. If the corresponding AID-RID mapping entry is found, it either replaces the AID in the packet with the RID or encapsulates the RID onto the packet, and forwards it to the backbone network. If no entry is found, it sends a query to the ILR (Identity Location Register) to obtain the AID-RID mapping entry and then replaces the AID with the RID, or encapsulates the RID, and forwards the packet; alternatively it forwards the packet into the backbone network (where the mapping forwarding plane routes it by destination AID) while querying the ILR in parallel. When the ILR returns the AID-RID mapping of the CN, the ASN caches it locally.
  • When the ASN receives a data packet sent from the network to the terminal, it strips the outer RID encapsulation and sends the packet to the terminal.
  • Authentication Centre: responsible for recording the user attributes of the network, including user category, authentication information and user service level; generating user security information for authentication, integrity protection and encryption; and performing legality authentication and authorisation when a user accesses the network. The authentication centre supports two-way authentication between the network and the user.
  • ILR/PTF (Identity Location Register/Packet Transfer Function): the ILR and PTF may be two functional modules on the same entity, located in the mapping forwarding plane of the backbone network.
  • The ILR maintains/stores the AID-RID mappings of the users in the network-based identity/location separation architecture, implements the registration function and processes the location queries for communication peers. Specifically, when a terminal (Mobile Node, MN) powers on or its location changes, a registration process is initiated to the ILR through the ASN, so that the ILR holds the real-time AID-RID mapping of the MN.
  • The PTF routes and forwards the data packets it receives from the ASN according to the destination AID. Once the PTF node in the mapping forwarding plane obtains the destination AID-RID mapping from the ILR, it encapsulates the RID in the packet header and forwards the packet through the generalised forwarding plane to the ASN where the communication peer is located.
  • The access identifier AID of a terminal remains unchanged throughout its valid lifetime, while the routing identifier RID identifies the location of the ASN the terminal is currently attached to.
  • The access identifier AID of the source end is carried as the source address in the data packet to the communication peer, so the communication peer can learn the identity of the source end from the source address carried in the packet.
  • The network authenticates the identity of the user with the network's credit and thereby establishes a trust domain in which the authenticity of user identities is guaranteed.
  • The method of authenticating the user identity differs between network systems: it may be direct authentication of the user's access identifier AID, or authentication of another user identifier that identifies the user in the network (for example the International Mobile Subscriber Identity, IMSI), in which case the network device holds the correspondence between that user identifier and the AID.
  • Existing access networks (RAN, CDMA (Code Division Multiple Access), GSM (Global System for Mobile communications), ADSL (Asymmetric Digital Subscriber Line), VLAN (Virtual Local Area Network), etc.) can ensure the security of the Layer 2 connection and ensure that data packets are not tampered with when the terminal accesses the network.
  • All terminals are legal users authenticated by the network. When a terminal accesses the network, a point-to-point connection is established between the terminal and the network's ASN.
  • The ASN binds the terminal's AID to the end-to-end user connection between the terminal and the ASN. If the source address of a packet sent over the user connection does not match the user's AID, the ASN discards the packet. Thus the identity/location separation architecture ensures that a terminal's AID cannot be spoofed or altered.
  • The ASN and the communication equipment on the path from the source ASN to the destination ASN are provided, operated and managed by the network, and the security of data transmission is guaranteed by the network's credit, so data packets are trustworthy and reliable. An identity/location separation architecture can therefore build a trust domain backed by the network's credit, ensuring the authenticity and reliability of both ends of a data communication.
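  The ASN data-plane behaviour described above (local AID-RID lookup with ILR fallback and caching, RID encapsulation towards the backbone, stripping on delivery, and discarding packets whose source AID does not match the AID bound to the user connection), as an added Python example written for this page; it is not code from the patent or from ZTE. The `IdentityLocationRegister` and `ASN` classes, the connection identifiers and the query counter are assumptions for illustration, and the PTF path (forwarding by destination AID while the query is outstanding) is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src_aid: str
    dst_aid: str
    payload: bytes
    outer: Optional[Tuple[str, str]] = None   # (src_rid, dst_rid) backbone encapsulation


class IdentityLocationRegister:
    # Stands in for the ILR in the mapping forwarding plane: holds the AID-RID
    # mappings registered by ASNs and answers location queries. The query
    # counter exists only so the example can show the ASN cache working.
    def __init__(self) -> None:
        self.mappings: Dict[str, str] = {}
        self.queries = 0

    def register(self, aid: str, rid: str) -> None:
        self.mappings[aid] = rid              # latest registration wins (the MN moved)

    def query(self, aid: str) -> Optional[str]:
        self.queries += 1
        return self.mappings.get(aid)


class ASN:
    # Stands in for an Access Service Node. `bindings` maps a user-connection id
    # (the point-to-point link to one terminal) to the AID bound at access time.
    def __init__(self, rid: str, ilr: IdentityLocationRegister) -> None:
        self.rid = rid
        self.ilr = ilr
        self.bindings: Dict[str, str] = {}
        self.cache: Dict[str, str] = {}       # AID-RID entries learnt from the ILR
        self.dropped = 0

    def attach(self, conn_id: str, aid: str) -> None:
        # Terminal access: bind the AID to its connection and register AID-RID at the ILR.
        self.bindings[conn_id] = aid
        self.ilr.register(aid, self.rid)

    def resolve(self, aid: str) -> Optional[str]:
        rid = self.cache.get(aid)
        if rid is None:
            rid = self.ilr.query(aid)         # cache miss: ask the mapping plane
            if rid is not None:
                self.cache[aid] = rid
        return rid

    def uplink(self, conn_id: str, pkt: Packet) -> Optional[Packet]:
        # Terminal -> backbone. Packets whose source AID is not the one bound to
        # the connection they arrived on are discarded before any lookup.
        if self.bindings.get(conn_id) != pkt.src_aid:
            self.dropped += 1
            return None
        dst_rid = self.resolve(pkt.dst_aid)
        if dst_rid is None:
            return None                       # unknown peer: nothing to route to
        return Packet(pkt.src_aid, pkt.dst_aid, pkt.payload, outer=(self.rid, dst_rid))

    def downlink(self, pkt: Packet) -> Packet:
        # Backbone -> terminal: strip the outer RID encapsulation.
        return Packet(pkt.src_aid, pkt.dst_aid, pkt.payload)


def demo() -> dict:
    # Constructed scenario: two ASNs sharing one ILR, and one spoofing attempt.
    ilr = IdentityLocationRegister()
    asn_a, asn_b = ASN("RID-A", ilr), ASN("RID-B", ilr)
    asn_a.attach("conn-1", "AID-alice")
    asn_b.attach("conn-7", "AID-bob")
    p1 = asn_a.uplink("conn-1", Packet("AID-alice", "AID-bob", b"1"))     # costs an ILR query
    p2 = asn_a.uplink("conn-1", Packet("AID-alice", "AID-bob", b"2"))     # served from cache
    spoof = asn_a.uplink("conn-1", Packet("AID-bob", "AID-alice", b"x"))  # wrong source AID
    delivered = asn_b.downlink(p2)
    return {"outer": p1.outer, "ilr_queries": ilr.queries, "spoof_dropped": spoof is None,
            "dropped": asn_a.dropped, "delivered_outer": delivered.outer,
            "delivered_dst": delivered.dst_aid}
```

  The counter shows that only the first packet to a new peer costs an ILR round trip; the spoofed packet (source AID-bob arriving on the connection bound to AID-alice) is dropped before any lookup, which is the anti-spoofing property the trust domain described above relies on.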
  • In the method of the embodiment of the present invention, when the terminal (MN) initiates an anonymous communication service it carries two parameters: an initiator parameter and a receiver parameter, where the initiator parameter includes the identity identifier AIDm of the MN itself, and the receiver parameter includes the identity identifiers AID of one or more communication peers.
  • When the MN opens an anonymous communication service, the MN needs to be assigned an anonymous identity AIDx.
  • For every data message whose destination address is included in the receiver parameter, the ASN (ASNm) accessed by the MN replaces the source address AIDm with the anonymous identity AIDx before sending the message through the backbone network to the ASN accessed by the destination terminal, so that any data message sent by the MN to a communication peer listed in the receiver parameter identifies the MN by the anonymous identity AIDx.
  • The above method is therefore an anonymous communication service with respect to one or more specific users; the MN is not anonymous to users outside the receiver parameter.
  • FIG. 2 shows the overall implementation process of the method for implementing anonymous communication, including:
  • after the terminal MN applies for opening the anonymous data service, the authentication center stores in the user attribute of the MN the information that the MN has opened the anonymous communication service; if the access identifier of the terminal MN is AIDm, the user attribute of the MN is identified by AIDm;
  • the terminal MN accesses the network, the ASN (ASNm) accessed by the terminal MN assigns it an RID (RIDm), and the ASNm registers mapping information with the home ILR (ILRm), which stores the AIDm-RIDm mapping information of the MN;
  • the terminal MN applies for anonymous communication mode for one or more communication peers (step 203);
  • the terminal MN initiates end-to-end anonymous communication with the communication peer (step 204);
  • the terminal MN cancels the anonymous communication mode (step 205).
  • FIG. 3 shows a detailed description of the above step 203; the steps include:
  • the terminal MN initiates an anonymous communication request to the ASNm, where the request carries the initiator parameter and the receiver parameter; the initiator parameter includes the identity identifier AIDm of the MN, and the receiver parameter includes the identity identifiers of one or more communication peers;
  • the ASNm confirms with the authentication center whether the MN has the right to the anonymous communication service;
  • the authentication center queries the user attribute of the MN and, if the MN has the authority for the anonymous communication service, sends an acknowledgement message to the ASNm; this step is optional, depending on operational requirements;
  • after receiving the acknowledgement message, the ASNm initiates an anonymous identity assignment request to the ILRm, where the request carries the initiator parameter and the receiver parameter;
  • after receiving the anonymous identity assignment request sent by the ASNm, the ILRm records that the MN is in the anonymous communication state with respect to the terminals recorded in the receiver parameter, assigns the anonymous identity to the MN, and establishes the mapping information of the anonymous identity with the AIDm, the RIDm and the AIDs in the receiver parameter;
  • the ILRm sends an anonymous communication response message to the ASNm, where the response message carries the mapping information of the anonymous identity (AIDx), the MN identity (AIDm) and the identity identifiers (AIDc) in the receiver parameter, or the mapping information of the anonymous identity (AIDx), the MN identity (AIDm), the location identifier (RIDm) and the identity identifiers (AIDc) in the receiver parameter;
  • after receiving the response message, the ASNm reads the mapping information from the message, saves it in the data area corresponding to the terminal MN, and records that the MN is in the anonymous communication state with respect to the terminals recorded in the receiver parameter;
  • the ASNm sends an anonymous communication confirmation message to the terminal MN, where the message carries the AIDs included in the receiver parameter.
  • Thereafter, the identity of the MN seen by the communication peers recorded in the receiver parameter is AIDx instead of AIDm, while the identity of the MN seen by other communication peers is still AIDm.
  • FIG. 4 shows an equivalent alternative to the foregoing Embodiment 2, differing in that the ASN completes the allocation of the anonymous identity AIDx; the steps include:
  • after receiving the confirmation message of the authentication center, the ASNm allocates AIDx to the terminal MN, establishes the mapping information of the anonymous identity with the AIDm, the RIDm and the AIDs in the receiver parameter, or of the anonymous identity with the AIDm and the AIDs in the receiver parameter, stores the information in the data area corresponding to the terminal MN, and records that the MN is in the anonymous communication state with respect to the terminals recorded in the receiver parameter;
  • the ASNm initiates a mapping information registration process with the ILRm and sends it the mapping information of the anonymous identity with the AIDm, the RIDm and the AIDs of the receiver parameter, or of the anonymous identity with the AIDm and the AIDs of the receiver parameter; the ILRm saves the received mapping information and records that the MN is in the anonymous communication state with respect to the terminals recorded in the receiver parameter;
  • the ASNm sends an anonymous communication confirmation message to the terminal MN, carrying in the message the AIDs contained in the receiver parameter.
  • FIG. 5 is a detailed description of the above step 204 and describes the process of establishing communication between the terminal MN and the communication peer CN; the steps include:
  • the terminal MN sends a data packet to the communication peer CN, where the source address of the data packet is AIDm and the destination address is AIDc;
  • after receiving the data message of the terminal MN, the ASNm determines whether the MN uses anonymous communication for the CN and, if so, replaces the AIDm in the data packet with AIDx; to decide this, the ASNm searches the mapping information of the anonymous identity with the AIDm, the RIDm and the AIDs in the receiver parameter, or of the anonymous identity with the AIDm and the AIDs in the receiver parameter, held locally or in the ILRm, for the AID of the CN, and if it is present, the MN uses anonymous communication for the CN;
  • the ASNm may also determine, from local records or from the ILRm, whether the information that the MN is in the anonymous communication state with respect to the CN is recorded; if it is, the MN uses anonymous communication with the CN;
  • 503: the ASNm adds the RID encapsulation to the data packet and then sends it to the ASNc accessed by the communication peer CN through the forwarding network (that is, the backbone network); the address format of the data packet transmitted on the interface between the ASNm and the ASNc is: RIDm; AIDx; RIDc; AIDc;
  • after receiving the data packet from the ASNm, the ASNc strips the RID encapsulation and sends the data packet to the communication peer CN;
  • the communication peer CN returns a data packet to the MN, where the source address of the CN's data packet is AIDc and the destination address is AIDx;
  • the ASNc sends the CN's data packet to the ASNm through the backbone network; the address format of the data packet transmitted on the interface between the ASNc and the ASNm is: RIDc;
  • FIG. 6 shows a detailed description of the above step 205; the steps by which the terminal cancels the anonymous communication mode include:
  • the terminal MN initiates a cancel anonymous communication request carrying two parameters: a sender parameter and a canceler parameter, where the sender parameter includes the MN identity AIDm and the canceler parameter includes the identity identifiers of the one or more communication peers for which the anonymous communication mode is to be cancelled;
  • 602: the ASNm confirms with the authentication center whether the MN has the right to the anonymous communication service;
  • the authentication center queries the user attribute of the MN and, if the MN has the authority for the anonymous communication service, sends an acknowledgement message to the ASNm;
  • after receiving the acknowledgment message, the ASNm deletes the AIDs included in the canceler parameter from the stored mapping information of the anonymous identity with the AIDm, the RIDm and the AIDs in the receiver parameter, or of the anonymous identity with the AIDm and the AIDs in the receiver parameter, and deletes the information that the MN is in the anonymous communication state with respect to the terminals identified by the AIDs in the canceler parameter; if the canceler parameter contains all the AIDs of the communication peers in the mapping information, the ASN deletes the anonymous identity from the mapping information;
  • the ASNm initiates a mapping information change request to the ILRm, where the request message carries the sender parameter and the canceler parameter;
  • the ILRm deletes the AIDs included in the canceler parameter from the mapping information of the anonymous identity with the AIDm, the RIDm and the AIDs in the receiver parameter, or of the anonymous identity with the AIDm and the AIDs in the receiver parameter, deletes the information that the MN is in the anonymous communication state with respect to the terminals identified by the AIDs in the canceler parameter, and returns a response message to the ASN; if the canceler parameter includes all the AIDs of the communication peers in the mapping information, the ILR deletes the anonymous identity identifier from the mapping information;
  • 607: the ASNm sends a cancel anonymous communication response message to the terminal MN, carrying as parameter the AIDs included in the canceler parameter. Thereafter the ASNm no longer replaces the AIDm with AIDx in messages sent by the terminal MN to the terminals identified by the AIDs in the canceler parameter.
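The registration (FIGs. 3 and 4), data path (FIG. 5) and cancellation (FIG. 6) procedures above all act on one piece of ASN state: the mapping of the anonymous identity AIDx to AIDm, RIDm and the AIDs in the receiver parameter. The following Python model is an added illustration of that state machine on the ASNm side and is not code from the patent or from ZTE. The class and method names, the user-connection argument used to model the AID binding of the trust domain, the AIDx format, the in-memory AID-to-RID table that stands in for the ILR lookup, and the sample identifiers (MN-1, CN-1, RID-A, RID-B) are all constructed for this example; the authentication-center authorization check is assumed to have already succeeded.

```python
"""ASNm-side bookkeeping for the anonymous identity AIDx.

Added illustration of the registration (FIGs 3/4), data path (FIG 5) and
cancellation (FIG 6) procedures; not code from the patent.  Class names,
the connection-id argument, the AIDx format, the in-memory AID->RID table
and all sample identifiers (MN-1, CN-1, RID-A, ...) are constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
import secrets


@dataclass
class Packet:
    src: str                       # AID of the sender
    dst: str                       # AID of the receiver
    rid_src: Optional[str] = None  # RID encapsulation, present only on the ASN-ASN interface
    rid_dst: Optional[str] = None


@dataclass
class AnonMapping:
    """AIDx -> (AIDm, RIDm, AIDs of the receiver parameter), kept in the MN's data area."""
    aidm: str
    ridm: str
    receivers: Set[str] = field(default_factory=set)


class Asn:
    def __init__(self, rid_of: Dict[str, str]):
        # AID -> RID table standing in for the ILR mapping lookup (assumption).
        self.rid_of = rid_of
        self.bound: Dict[str, str] = {}          # user connection -> AID bound at attach time
        self.anon: Dict[str, AnonMapping] = {}   # AIDx -> mapping
        self.aidx_of: Dict[str, str] = {}        # AIDm -> AIDx

    def attach(self, conn: str, aid: str) -> None:
        """Bind the authenticated AID to the terminal's user connection."""
        self.bound[conn] = aid

    def register_anonymous(self, aidm: str, receivers: Set[str]) -> str:
        """Allocate AIDx on the ASN (FIG 4 variant) and record the receiver parameter.
        A second request for the same MN extends the receiver set and reuses AIDx."""
        aidx = self.aidx_of.get(aidm)
        if aidx is None:
            aidx = "AIDx-" + secrets.token_hex(4)        # constructed AIDx format
            self.anon[aidx] = AnonMapping(aidm, self.rid_of[aidm])
            self.aidx_of[aidm] = aidx
        self.anon[aidx].receivers |= set(receivers)
        return aidx

    def cancel_anonymous(self, aidm: str, cancel: Set[str]) -> None:
        """Remove the canceler parameter's AIDs; delete AIDx once no receiver remains."""
        aidx = self.aidx_of.get(aidm)
        if aidx is None:
            return
        self.anon[aidx].receivers -= set(cancel)
        if not self.anon[aidx].receivers:
            del self.anon[aidx]
            del self.aidx_of[aidm]

    def outbound(self, conn: str, pkt: Packet) -> Optional[Packet]:
        """MN -> CN: enforce the AID binding, substitute AIDx when the CN is an
        anonymised peer, then add the RID encapsulation (RIDm; AIDx; RIDc; AIDc)."""
        if self.bound.get(conn) != pkt.src:
            return None                                  # source does not match bound AID: discard
        src = pkt.src
        aidx = self.aidx_of.get(pkt.src)
        if aidx is not None and pkt.dst in self.anon[aidx].receivers:
            src = aidx
        return Packet(src, pkt.dst,
                      rid_src=self.rid_of.get(pkt.src), rid_dst=self.rid_of.get(pkt.dst))

    def inbound(self, pkt: Packet) -> Packet:
        """CN -> MN: strip the RID encapsulation and map AIDx back to AIDm so the
        terminal receives the packet addressed to its real identity."""
        mapping = self.anon.get(pkt.dst)
        dst = mapping.aidm if mapping is not None else pkt.dst
        return Packet(pkt.src, dst)


if __name__ == "__main__":
    asn = Asn({"MN-1": "RID-A", "CN-1": "RID-B", "CN-2": "RID-B"})
    asn.attach("conn-1", "MN-1")
    aidx = asn.register_anonymous("MN-1", {"CN-1"})
    print(asn.outbound("conn-1", Packet("MN-1", "CN-1")))         # src is AIDx
    print(asn.outbound("conn-1", Packet("MN-1", "CN-2")))         # src stays MN-1
    print(asn.inbound(Packet("CN-1", aidx, "RID-B", "RID-A")))    # dst mapped back to MN-1
```

The `bound` check in `outbound` models the ASN behaviour stated earlier in the description: a packet whose source address does not match the AID bound to the user connection is discarded, which is what prevents one terminal from presenting another terminal's AIDm or AIDx. Substitution happens only for destinations in the receiver set, so a peer outside the receiver parameter still sees AIDm, and once `cancel_anonymous` empties the set the AIDx entry is removed on both the outbound and the inbound path.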
  • The present invention further provides an access service node, which includes an anonymous identity assignment unit 701, a transceiver unit 702, a decision unit 703, an update unit 704 and an encapsulation unit 705, where:
  • the anonymous identity assignment unit 701 is configured to allocate AIDx to the terminal MN, establish the mapping information of the anonymous identity with the AIDm, the RIDm and the AIDs in the receiver parameter, or of the anonymous identity with the AIDm and the AIDs in the receiver parameter, store it in the data area corresponding to the terminal MN, and record that the MN is in the anonymous communication state with respect to the terminals recorded in the receiver parameter;
  • the transceiver unit 702 is configured to receive the data message sent by the MN to the communication peer CN, where the source address of the data packet is AIDm and the destination address is AIDc, and is further configured, when receiving the data packet returned by the CN to the MN, to update the AIDx carried in the data packet to AIDm and forward the data packet to the MN;
  • the decision unit 703 is configured, after the data message of the terminal MN is received, to determine whether the MN uses anonymous communication for the CN and, if so, to notify the update unit 704;
  • the update unit 704 is configured to replace the AIDm in the data packet with the AIDx;
  • the encapsulation unit 705 is configured to add the RID encapsulation to the data packet and then send the data packet through the backbone network to the ASNc accessed by the communication peer CN, and to de-encapsulate the data packet sent by the communication peer CN.
  • Another data packet transceiving system provided by the present invention includes an ASNm and an ASNc, where:
  • the ASNm includes a first transceiver unit, a first determining unit and a first updating unit, where the first transceiver unit is configured to receive the first data packet sent by the MN to the communication peer CN, the first data packet carrying the AIDm and the AIDc, and to receive the second data packet returned by the CN to the MN, the second data packet carrying the anonymous identity identifier of the MN and the AIDc; the first determining unit is configured, after the data message of the terminal MN is received, to determine whether the MN uses anonymous communication for the CN and, if so, to notify the first updating unit; the first updating unit is configured to replace the AIDm in the first data message with AIDx and, when the CN returns the second data packet to the MN, to update the anonymous identity of the MN in the second data packet to AIDm;
  • the ASNc includes a second transceiver unit configured to receive the first data packet and forward it to the CN, and to forward the second data packet returned by the CN to the MN, where the second data packet carries the anonymous identity identifier of the MN and the AIDc.
  • A terminal in this document may also be referred to as a node.
  • The present invention provides a registration and communication method for anonymous communication and a system for transmitting and receiving data messages.
  • On the basis of constructing a real-name trust domain, an anonymous space is provided to meet the needs of business development. Under the framework of identity and location separation, the real-name trust domain is guaranteed by network credit, and the anonymous space is operated by the network according to business authorization.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an anonymous communication registration and communication method and a data message transceiving system. According to the method, a first node sends to a first access node an anonymous communication request carrying a first parameter containing the identity identifier of the first node and a second parameter containing at least one identity identifier of a communication peer of the first node. After the first access node receives the anonymous communication request, an anonymous identity identifier is allocated, and mapping information is created and stored: either the mapping information of the anonymous identity identifier, the identity identifier of the first node and the identity identifier contained in the second parameter, or the mapping information of the anonymous identity identifier, the identity identifier of the first node, the location identifier and the identity identifier contained in the second parameter. By building a real-name trust domain, the invention provides an anonymous space to meet the needs of business development.
PCT/CN2010/076945 2009-10-16 2010-09-15 Anonymous communication registration and communication method and data message transceiving system WO2011044807A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 200910205559 CN102045316B (zh) 2009-10-16 2009-10-16 Anonymous communication registration and communication method and data message transceiving system
CN200910205559.7 2009-10-16

Publications (1)

Publication Number Publication Date
WO2011044807A1 true WO2011044807A1 (fr) 2011-04-21

Family

ID=43875825

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/076945 WO2011044807A1 (fr) 2009-10-16 2010-09-15 Anonymous communication registration and communication method and data message transceiving system

Country Status (2)

Country Link
CN (1) CN102045316B (fr)
WO (1) WO2011044807A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102892073A (zh) * 2012-09-11 2013-01-23 北京航空航天大学 Location anonymization method for continuous queries in location-based service systems
CN111383775A (zh) * 2018-12-27 2020-07-07 福州依影健康科技有限公司 Anonymous communication method for member users based on fundus screening, and storage device

Families Citing this family (3)

Publication number Priority date Publication date Assignee Title
CN104753888A (zh) * 2013-12-31 2015-07-01 中兴通讯股份有限公司 Message processing method and device
CN109150793B (zh) * 2017-06-15 2021-06-01 华为技术有限公司 Privacy protection method and device
CN111709055A (zh) * 2020-06-16 2020-09-25 四川虹微技术有限公司 User information acquisition method and apparatus, electronic device and storage medium

Citations (3)

Publication number Priority date Publication date Assignee Title
WO2000069140A1 (fr) * 1999-05-10 2000-11-16 Telefonaktiebolaget Lm Ericsson (Publ) Distributed system for establishing intelligent sessions between anonymous users over multiple networks
CN1703005A (zh) * 2005-03-29 2005-11-30 联想(北京)有限公司 Method for implementing network access authentication
CN1835439A (zh) * 2005-02-16 2006-09-20 株式会社东芝 Anonymous service providing system and apparatus

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
US7324517B1 (en) * 2003-04-16 2008-01-29 Cisco Technology, Inc. Converting data packets in a communication network
CN100428719C (zh) * 2006-01-23 2008-10-22 北京交通大学 Internet access method based on identity and location separation
CN101521569B (zh) * 2008-02-28 2013-04-24 华为技术有限公司 Method, device and system for implementing service access

Patent Citations (3)

Publication number Priority date Publication date Assignee Title
WO2000069140A1 (fr) * 1999-05-10 2000-11-16 Telefonaktiebolaget Lm Ericsson (Publ) Distributed system for establishing intelligent sessions between anonymous users over multiple networks
CN1835439A (zh) * 2005-02-16 2006-09-20 株式会社东芝 Anonymous service providing system and apparatus
CN1703005A (zh) * 2005-03-29 2005-11-30 联想(北京)有限公司 Method for implementing network access authentication

Cited By (4)

Publication number Priority date Publication date Assignee Title
CN102892073A (zh) * 2012-09-11 2013-01-23 北京航空航天大学 Location anonymization method for continuous queries in location-based service systems
CN102892073B (zh) * 2012-09-11 2015-07-01 北京航空航天大学 Location anonymization method for continuous queries in location-based service systems
CN111383775A (zh) * 2018-12-27 2020-07-07 福州依影健康科技有限公司 Anonymous communication method for member users based on fundus screening, and storage device
CN111383775B (zh) * 2018-12-27 2023-05-16 福州依影健康科技有限公司 Anonymous communication method for member users based on fundus screening, and storage device

Also Published As

Publication number Publication date
CN102045316A (zh) 2011-05-04
CN102045316B (zh) 2012-11-14

Similar Documents

Publication Publication Date Title
JP5497901B2 (ja) Anonymous communication method, registration method, message transmitting and receiving method and system
JP4727126B2 (ja) Providing secure network access for short-range wireless computing devices
JP5335886B2 (ja) Method and apparatus for communicating data packets between local networks
EP2560331B1 (fr) Radio access method, apparatus and system
JP3667586B2 (ja) Multicast packet transfer device, multicast packet transfer system and storage medium
WO2011044808A1 (fr) Method and system for tracing anonymous communication
WO2011032479A1 (fr) Network based on an identifier and location separation architecture, backbone network and corresponding network element
WO2008148357A1 (fr) Communication system and method, home base station gateway and home base station server
WO2011050676A1 (fr) Anonymous communication method, registration and cancellation method, and access node
WO2007112645A1 (fr) Method and system for implementing a mobile virtual private network
WO2011035615A1 (fr) Data transmission method, system and apparatus
WO2011035667A1 (fr) Methods and systems for implementing inter-network roaming, querying and attaching to a network
WO2008151557A1 (fr) Proxy mobile IP method, equipment and system for triggering route optimization
WO2011032462A1 (fr) Data sending and receiving method, and corresponding system and router
WO2011032447A1 (fr) Method, system and communication terminal for implementing intercommunication between a new network and the Internet
WO2012088882A1 (fr) Method and system for data transmission, and access gateway
WO2011044807A1 (fr) Anonymous communication registration and communication method and data message transceiving system
EP2466815B1 (fr) Method and system for triggering the routing of communication messages, information and data, and for routing configuration
WO2011057556A1 (fr) Mobile network method and system for reducing Internet Protocol address demand
JP4291262B2 (ja) System and method of a routing device for securely sharing network data with a host using a hardware firewall
WO2011032478A1 (fr) Method, device and terminal for obtaining a terminal identifier
WO2009155863A1 (fr) Method and system for supporting mobility security in a next-generation network
WO2011120276A1 (fr) Method and system for establishing a connection between terminals
WO2009074084A1 (fr) Registration data processing method, and data processing device and system
US20200137726A1 (en) Communications device and communication method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10823037

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10823037

Country of ref document: EP

Kind code of ref document: A1