WO2011088658A1 - Method, server and system for authenticating identity information in domain name system (DNS) messages - Google Patents

Method, server and system for authenticating identity information in domain name system (DNS) messages

Info

Publication number
WO2011088658A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
information
dns
server
query terminal
Application number
PCT/CN2010/074492
Other languages
English (en)
Chinese (zh)
Inventor
毛伟
李晓东
陈涛
王龑
沈烁
王利明
Original Assignee
中国科学院计算机网络信息中心
Application filed by 中国科学院计算机网络信息中心
Publication of WO2011088658A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Definitions

  • The present invention relates to the field of Internet technologies, and in particular to a method, a server, and a system for authenticating identity information in a DNS packet.
Background technique
  • The Internet has been widely used in people's work and life.
  • The Domain Name System provides convenience for human beings.
  • FIG. 1 is a schematic structural diagram of a domain name system supporting recursive query in the prior art.
  • The domain name system includes a host terminal, a recursive server, and a plurality of authoritative servers, such as an authoritative server A, an authoritative server B, and an authoritative server C.
  • A possible process of performing a recursive query in the domain name system shown in FIG. 1 is as follows:
  • Step 11: The host terminal sends a DNS packet to the recursive server.
  • The DNS packet is used to query the IP address corresponding to a domain name.
  • Step 12: The recursive server forwards the DNS packet to the authoritative server A.
  • Step 13: If the IP address corresponding to the queried domain name exists on the authoritative server A, the authoritative server A answers the recursive server with that IP address.
  • Step 14: The recursive server sends the corresponding IP address to the host terminal that initiated the query.
  • If the authoritative server A does not have the record but knows that the authoritative server B may have it, it advises the recursive server in its response to query the authoritative server B.
  • If the authoritative server B has the record, it replies to the recursive server; if the authoritative server B does not have the record but knows that the authoritative server C may have it, it advises the recursive server to query the authoritative server C. And so on, until the authoritative server that holds the record returns the query result to the recursive server, and the recursive server forwards the query result to the host terminal that initiated the query.
  • If none of the authoritative servers has a related record, the authoritative server that was queried last answers the recursive server that the domain name does not exist, and the recursive server returns that response to the host terminal that initiated the query, thus completing one recursive query process.
  • The embodiment of the invention provides a method, a server, and a system for authenticating identity information in a DNS packet, so as to improve the security of the domain name system.
  • The embodiment of the invention provides a method for authenticating identity information in a DNS packet, which includes:
  • the DNS packet includes signature information and verification information;
  • the signature information is obtained by encrypting the verification information with a first key, where the verification information includes identity information of the query terminal.
  • The embodiment of the invention further provides a server, including:
  • a packet receiving module configured to receive a DNS packet, where the DNS packet includes signature information and verification information, where the signature information is obtained by encrypting the verification information with a first key, and the verification information includes identity information of the query terminal;
  • a key acquisition module configured to acquire a second key corresponding to the first key;
  • a decryption module configured to decrypt the signature information by using the second key to obtain a decryption result;
  • an authentication module configured to determine that authentication of the identity information of the query terminal succeeds when the decryption result is consistent with the verification information.
  • The embodiment of the present invention further provides a system for authenticating identity information in a DNS packet, including the foregoing server.
  • The embodiment of the present invention introduces a mechanism for authenticating the identity information in the DNS packet, and performs security authentication on the query terminal identity information carried in the DNS packet, to ensure that the query terminal identity information carried in the DNS packet is authentic and reliable. This effectively prevents a situation in which, while the server performs access control based on the identity information of the query terminal, another terminal forges the identity information of a query terminal that has access rights in order to obtain the service fraudulently, thereby improving the security of the domain name system.
  • FIG. 1 is a schematic structural diagram of a domain name system supporting recursive query in the prior art.
  • FIG. 2 is a flowchart of a method for authenticating identity information in a DNS packet according to a first embodiment of the present invention.
  • FIG. 3 is a flowchart of a method for authenticating identity information in a DNS packet according to a second embodiment of the present invention.
  • FIG. 4 is a flowchart of a method for authenticating identity information in a DNS packet according to a third embodiment of the present invention.
  • FIG. 5 is a flowchart of a method for authenticating identity information in a DNS packet according to a fourth embodiment of the present invention.
  • FIG. 6 is a flowchart of a method for authenticating identity information in a DNS packet according to a fifth embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a server according to a sixth embodiment of the present invention.
Detailed description
  • FIG. 2 is a flowchart of a method for authenticating identity information in a DNS packet according to the first embodiment of the present invention.
  • The execution body of this embodiment may be a server, such as an authoritative server or another type of DNS server.
  • The method provided in this embodiment includes:
  • Step 21: The server receives a DNS packet, where the DNS packet includes signature information and verification information.
  • The signature information is obtained by encrypting the verification information with a first key, where the verification information includes the identity information of the query terminal.
  • The DNS packet may specifically be a DNS query request or another type of packet related to the DNS service.
  • The query terminal is a terminal that initiates a DNS query request, such as a host terminal, a mobile terminal, or an intelligent terminal.
  • The identity information of the query terminal may be information such as an identity (ID), an IP address, or a device identifier of the query terminal.
  • The verification information may be information related to the identity information of the query terminal; for example, the verification information may specifically be the identity information of the query terminal, that is, the content of the ID field of the DNS message in which the identity information of the terminal is located.
  • The verification information may also be a combination of the identity information of the query terminal and other information, that is, the verification information may include the ID field of the DNS message together with the content of one or more other fields, such as the message type, the check code of the ID field, or the ID field plus the check code of other fields.
  • The signature information may be obtained by the query terminal encrypting the verification information with the first key, or, in a domain name system using recursive query, by the recursive server encrypting the verification information with the first key.
  • Step 22: The server acquires a second key corresponding to the first key.
  • The manner in which the server obtains the second key is not limited. For example, the second key may be pre-stored on the server; if the second key is a public key, the public key or public key index information may also be sent directly to the server by the query terminal.
  • Step 23: The server decrypts the signature information by using the second key to obtain a decryption result.
  • The first key and the second key may be a private key pair, that is, this embodiment may perform the encryption and decryption processing by using a symmetric key mechanism.
  • Alternatively, the first key and the second key may be a private key-public key pair, that is, the encryption and decryption processing may be performed by using an asymmetric key mechanism in this embodiment.
  • Step 24: The server successfully authenticates the identity information of the query terminal when the decryption result is consistent with the verification information.
  • If the decryption result is consistent with the verification information, the identity information in the DNS query message is reliable.
  • In that case the authentication of the identity information of the query terminal succeeds, and the server processes the DNS packet to provide services for the query terminal. If the decryption result is inconsistent with the verification information, the identity information in the DNS query message may have been fraudulently used by another terminal, and the authentication of the identity information of the query terminal fails.
  • In that case the server refuses to provide services for the query terminal, and the DNS packet may be left unprocessed or discarded.
  • This embodiment adds to the existing domain name system a function for authenticating the identity information of the query terminal carried in the DNS packet, and performs security authentication on the query terminal identity information carried in the DNS packet to ensure that the query terminal identity information carried in the DNS packet is authentic and reliable. This effectively prevents a situation in which, while the server uses the identity information of the query terminal for access control, another terminal impersonates the identity information of a query terminal that has access rights in order to obtain the service fraudulently, thereby improving the security of the domain name system.
  • FIG. 3 is a flowchart of a method for authenticating identity information in a DNS packet according to a second embodiment of the present invention.
  • In this embodiment, a private key is pre-agreed between the host terminal and the authoritative server, and the symmetric key method is used for authentication.
  • The method provided in this embodiment includes:
  • Step 31: The private key is pre-agreed between the host terminal and the authoritative server.
  • The private key used by the host terminal may be referred to as the first private key, and the private key used by the authoritative server as the second private key.
  • The first private key is the same as the second private key.
  • Step 31 does not need to be performed in each authentication process. As long as the private key has been pre-agreed between the host terminal and the authoritative server, the agreed private key can be used for authentication processing in subsequent authentication processes.
  • Step 32: The host terminal generates a DNS packet, uses the first private key to encrypt the verification information to obtain signature information, and sends a DNS packet including the signature information and the verification information to the recursive server.
  • The verification information may specifically be the ID of the host terminal, that is, the content of the ID field of the DNS packet in which the ID of the host terminal is located.
  • The verification information may also be a combination of the ID of the host terminal and other information, that is, the verification information may include the ID field of the DNS message together with the content of one or more other fields, such as the packet type, the check code of the ID field, or the ID field plus the check code of other fields.
  • The ID of the host terminal can be a host name or an IP address.
  • Step 33: The recursive server forwards the DNS packet sent by the host terminal to an authoritative server, such as the authoritative server A.
  • Step 34: The authoritative server A has pre-established a mapping relationship between host terminals and key information, and obtains the second private key corresponding to the host terminal according to the mapping relationship.
  • Step 35: The authoritative server A uses the second private key to decrypt the signature information in the DNS packet to obtain the decryption result.
  • Step 36: The authoritative server A compares the decryption result with the verification information in the DNS packet and determines whether they are consistent: if the decryption result is consistent with the verification information in the DNS packet, go to step 37; otherwise, go to step 38.
  • Step 37: The authentication succeeds, and the authoritative server A provides services for the host terminal.
  • Step 38: The authentication fails, and the authoritative server A refuses to provide services for the host terminal. If the authoritative server does not have the information required by the DNS packet, such as the IP address to be queried, the existing recursive query mechanism can be used, and other authoritative servers, such as the authoritative server B and the authoritative server C, provide services for the host terminal.
  • The way in which the other authoritative servers authenticate the signature information in the DNS packet is similar to the way the authoritative server A does so, and is not described here again.
  • In this embodiment, a private key pair is pre-agreed between the host terminal and the authoritative server, and the host terminal ID information carried in the DNS packet is securely authenticated based on that private key pair, to ensure that the host terminal ID information carried in the DNS packet is authentic and reliable. This effectively prevents a situation in which, while the authoritative server uses the identity information of the host terminal for access control, another terminal impersonates the identity information of a host terminal that has access authority in order to obtain the service fraudulently, thereby improving the security of the domain name system.
  • FIG. 4 is a flowchart of a method for authenticating identity information in a DNS packet according to a third embodiment of the present invention.
  • In this embodiment, a private key is pre-agreed between the recursive server and the authoritative server, and the symmetric key method is used for authentication.
  • The method provided in this embodiment includes:
  • Step 41: Pre-agree the private key between the recursive server and the authoritative server.
  • The private key used by the recursive server may be referred to as the first private key, and the private key used by the authoritative server as the second private key.
  • The first private key is the same as the second private key.
  • Step 41 does not need to be performed in each authentication process. As long as the private key has been pre-agreed between the recursive server and the authoritative server, the agreed private key can be used for authentication processing in subsequent authentication processes.
  • Step 42: The host terminal generates a DNS packet and sends it to the recursive server, where the DNS packet includes the verification information.
  • The verification information may specifically be the ID of the host terminal, that is, the content of the ID field of the DNS packet in which the ID of the host terminal is located.
  • The verification information may also be a combination of the ID of the host terminal and other information, that is, the verification information may include the ID field of the DNS message together with the content of one or more other fields, such as the packet type, the check code of the ID field, or the ID field plus the check code of other fields.
  • The ID of the host terminal can be a host name or an IP address.
  • Step 43: The recursive server receives the DNS packet sent by the host terminal, uses the first private key to encrypt the verification information in the DNS packet to obtain signature information, and sends a DNS packet including the signature information and the verification information to an authoritative server, such as the authoritative server A.
  • Steps 44 to 48 are similar to steps 34 to 38 and are not described here again.
  • If the authoritative server does not have the information required by the DNS packet, the existing recursive query mechanism may be used, and other authoritative servers, such as the authoritative server B and the authoritative server C, may provide services for the host terminal.
  • The way in which the other authoritative servers authenticate the signature information in the DNS packet is similar to the way the authoritative server A does so, and is not described here.
  • This embodiment is based on a symmetric key authentication mechanism.
  • This embodiment introduces a server guarantee mechanism: a private key pair is pre-agreed between the recursive server and the authoritative server, and based on that private key pair the host terminal ID information carried in the DNS packet is securely authenticated, to ensure that the host terminal ID information carried in the DNS packet is authentic and reliable. This prevents a situation in which, while the authoritative server uses the identity information of the host terminal for access control, another terminal impersonates the identity information of a host terminal that has access rights in order to obtain the service fraudulently, thereby improving the security of the domain name system.
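The symmetric-key flow of the first, second and third embodiments (steps 21 to 24 and 31 to 38 above), worked through as an added example; this is not code from the patent or its assignee. The patent describes the sender "encrypting the verification information with the first private key" and the server "decrypting and comparing"; here that primitive is realised as an HMAC-SHA256 keyed MAC that the server recomputes and compares, which is this example's choice, not the patent's. The packet structure, field names (`HostID`, `MsgType`, `QName`), the key table contents and the byte encoding of the verification information are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// dnsPacket is a constructed, simplified model of the DNS packet the patent
// describes. It is not the RFC 1035 wire format; the field names are
// assumptions made for this example.
type dnsPacket struct {
	HostID    string // ID field: identity information of the query terminal (host name or IP address)
	MsgType   uint16 // message type, one of the "other fields" the patent allows in the verification information
	QName     string // the domain name being queried (not part of the verification information)
	Signature []byte // signature information
}

// verificationInfo serialises the verification information in one of the forms
// the patent allows: the ID field, plus another field (the message type), plus a
// check code over the ID field. The encoding is this example's choice.
func verificationInfo(p dnsPacket) []byte {
	var num [6]byte
	binary.BigEndian.PutUint16(num[0:2], p.MsgType)
	binary.BigEndian.PutUint32(num[2:6], crc32.ChecksumIEEE([]byte(p.HostID)))
	buf := append([]byte(p.HostID), 0) // separator keeps the ID boundary unambiguous
	return append(buf, num[:]...)
}

// sign is the sender's side (host terminal in step 32, recursive server in
// step 43). The patent says "encrypt the verification information with the
// first private key"; HMAC-SHA256 is used here as the concrete symmetric-key
// primitive, a choice made for this example rather than stated by the patent.
func sign(p dnsPacket, firstKey []byte) dnsPacket {
	mac := hmac.New(sha256.New, firstKey)
	mac.Write(verificationInfo(p))
	p.Signature = mac.Sum(nil)
	return p
}

// keyTable is the pre-established mapping between host terminals and key
// information that authoritative server A consults in step 34.
type keyTable map[string][]byte

var (
	errNoKey      = errors.New("no private key agreed for this host terminal")
	errAuthFailed = errors.New("authentication of identity information failed")
)

// authenticate performs steps 34 to 38 on the authoritative server: look up the
// second private key for the claimed host ID, recompute the MAC over the
// verification information carried in the packet, and compare it with the
// signature information in constant time.
func authenticate(p dnsPacket, keys keyTable) error {
	secondKey, ok := keys[p.HostID]
	if !ok {
		return errNoKey // step 38: no agreed key for this ID, refuse service
	}
	mac := hmac.New(sha256.New, secondKey)
	mac.Write(verificationInfo(p))
	if !hmac.Equal(mac.Sum(nil), p.Signature) {
		return errAuthFailed // step 38: result inconsistent with the verification information
	}
	return nil // step 37: authentication succeeded, provide service
}

func main() {
	// Constructed key material and queries for this example.
	keys := keyTable{"host-a.example.": []byte("constructed-shared-secret-for-host-a")}
	legit := sign(dnsPacket{HostID: "host-a.example.", MsgType: 1, QName: "www.example."}, keys["host-a.example."])
	fmt.Println("host A, agreed key:   ", authenticate(legit, keys))
	// A packet carrying host A's ID but produced without the agreed key is refused.
	other := sign(dnsPacket{HostID: "host-a.example.", MsgType: 1, QName: "www.example."}, []byte("some-other-key"))
	fmt.Println("host A ID, other key: ", authenticate(other, keys))
}
```

Two things worth noticing when running it. The comparison uses `hmac.Equal`, so the time taken does not depend on where the first differing byte is. And because the verification information the patent lists (ID field, message type, check code) contains nothing specific to a query, fields outside it (here `QName`) can change without affecting the result, and the same signature information would verify again if the packet were repeated; a deployment that needs to reject repeated packets has to put a query-specific value such as a nonce or timestamp inside the verification information.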
  • FIG. 5 is a flowchart of a method for authenticating identity information in a DNS packet according to a fourth embodiment of the present invention.
  • In this embodiment, the asymmetric key method is used for authentication, and the public key information may be transmitted in plaintext.
  • The method provided in this embodiment includes:
  • Step 51: Predetermine the private key-public key pair that the host terminal needs to use.
  • The private key-public key pair to be used can be determined by the host terminal itself, or can be determined by another device and used by the host terminal.
  • The host terminal can encrypt the DNS packet by using the private key.
  • The private key is usually known only by the host terminal, while the public key is published; there is a correspondence between the public key and the private key.
  • Step 52: The host terminal generates a DNS packet, uses the private key to encrypt the verification information to obtain signature information, and sends a DNS packet including the signature information, the verification information, and the public key to the recursive server.
  • The verification information may specifically be the ID of the host terminal, that is, the content of the ID field of the DNS packet in which the ID of the host terminal is located. Alternatively, the verification information may be a combination of the ID of the host terminal and other information, that is, the verification information may include the ID field of the DNS message together with the content of one or more other fields, such as the message type, the check code of the ID field, or the ID field plus the check code of other fields.
  • The ID of the host terminal can be a host name or an IP address.
  • The hash value of the public key can also be used as the ID of the host terminal, which is equivalent to directly establishing an association between the public key and the host terminal ID. This avoids the need for an additional mechanism to associate the host terminal's ID, such as its IP address, with the public key, allows the identity of the host terminal to be determined directly by computation, and simplifies the user management mechanism. In addition, because the hash value of the public key is more stable than other types of ID, such as an IP address, and has a cryptographic function, using the hash value of the public key as the ID of the host terminal also facilitates statistical analysis of the behaviour of the host terminal in a mobile environment.
  • Step 53: The recursive server forwards the DNS packet sent by the host terminal to an authoritative server, such as the authoritative server A.
  • Step 54: The authoritative server A receives the DNS packet sent by the recursive server and parses the DNS packet to obtain the public key.
  • Step 55: The authoritative server A decrypts the signature information in the DNS packet with the public key to obtain the decryption result.
  • Step 56: The authoritative server A compares the decryption result with the verification information in the DNS packet and determines whether they are consistent: if the decryption result is consistent with the verification information in the DNS packet, step 57 is performed; otherwise, step 58 is performed.
  • Step 57: The authentication succeeds, and the authoritative server A provides services for the host terminal.
  • Step 58: The authentication fails, and the authoritative server A refuses to provide services for the host terminal. If the authoritative server does not have the information required by the DNS packet, such as the IP address to be queried, the existing recursive query mechanism may be used, and other authoritative servers, such as the authoritative server B and the authoritative server C, may provide services for the host terminal.
  • The way in which the other authoritative servers authenticate the signature information in the DNS packet is similar to the way the authoritative server A does so, and is not described here again.
  • In this embodiment, the asymmetric key authentication mechanism, using a private key-public key pair, authenticates the host terminal ID information carried in the DNS packet and ensures that the host terminal ID information carried in the DNS packet is authentic and reliable. This effectively prevents a situation in which, while the authoritative server uses the identity information of the host terminal for access control, another terminal impersonates the identity information of a host terminal that has access authority in order to obtain the service fraudulently, thereby improving the security of the domain name system.
  • Moreover, the public key can be transmitted in clear text in the DNS packet, so the public key does not need to be stored on the authoritative server, which saves storage resources of the authoritative server.
  • FIG. 6 is a flowchart of a method for authenticating identity information in a DNS packet according to a fifth embodiment of the present invention.
  • In this embodiment, the asymmetric key method is used for authentication, and the index information of the public key is transmitted in plaintext.
  • The method provided in this embodiment includes:
  • Step 61: Predetermine the private key-public key pair that the host terminal needs to use.
  • The private key-public key pair to be used can be determined by the host terminal itself, or can be determined by another device and used by the host terminal.
  • The host terminal can encrypt the DNS packet by using the private key.
  • The private key is usually known only by the host terminal, and the public key corresponds to the private key.
  • Step 62: The host terminal generates a DNS packet, obtains signature information by encrypting the verification information with the private key, and sends to the recursive server a DNS packet including the ID of the host terminal, the signature information, the verification information, and the public key index.
  • The verification information may specifically be the ID of the host terminal, that is, the content of the ID field of the DNS packet in which the ID of the host terminal is located.
  • The verification information may also be a combination of the ID of the host terminal and other information, that is, the verification information may include the ID field of the DNS message together with the content of one or more other fields, such as the packet type, the check code of the ID field, or the ID field plus the check code of other fields.
  • The ID of the host terminal can be a host name or an IP address.
  • The ID of the host terminal can also be used as the public key index, which is equivalent to directly establishing an association between the public key index and the host terminal ID.
  • Step 63: The recursive server forwards the DNS packet sent by the host terminal to an authoritative server, such as the authoritative server A.
  • Step 64: The authoritative server A receives the DNS packet sent by the recursive server and parses the DNS packet to obtain the public key index.
  • Step 65: The authoritative server A obtains the public key corresponding to the public key index by querying the pre-established public key index table, and uses that public key to decrypt the signature information in the DNS packet to obtain the decryption result.
  • The public key index table stores the correspondence between public key indexes and public keys; by querying the public key index table with the public key index, the required public key is obtained.
  • Steps 66 to 68 are similar to steps 56 to 58 and are not described here again.
  • If the authoritative server does not have the information required by the DNS packet, the existing recursive query mechanism may be used, and other authoritative servers, such as the authoritative server B and the authoritative server C, may provide services for the host terminal.
  • The way in which the other authoritative servers authenticate the signature information in the DNS packet is similar to the way the authoritative server A does so, and is not described here.
  • In this embodiment, the asymmetric key authentication mechanism, using a private key-public key pair, authenticates the host terminal ID information carried in the DNS packet and ensures that the host terminal ID information carried in the DNS packet is authentic and reliable. This effectively prevents a situation in which, while the authoritative server uses the identity information of the host terminal for access control, another terminal impersonates the identity information of a host terminal that has access authority in order to obtain the service fraudulently, thereby improving the security of the domain name system.
  • Moreover, the public key index rather than the public key itself is transmitted in clear text in the DNS packet, which reduces the size of the packet and saves the resources required for transmitting the message.
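The asymmetric flow of the fourth and fifth embodiments (steps 51 to 58 and 61 to 68 above), worked through as an added example; this is not code from the patent or its assignee. The patent's "encrypt the verification information with the private key, decrypt with the public key and compare" is realised here as an Ed25519 signature that the server verifies, which is this example's choice, not the patent's. It covers both variants the text describes: the public key carried in clear text with the hash of the public key used as the host ID (fourth embodiment), and a public key index resolved through a server-side index table (fifth embodiment). The packet structure, field names, the SHA-256 hash used for the ID, and the index table contents are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// signedPacket is a constructed, simplified model of the DNS packet in the
// fourth and fifth embodiments. Field names are assumptions for this example.
type signedPacket struct {
	HostID    string            // ID field; in the fourth embodiment the hex SHA-256 of the public key
	MsgType   uint16            // message type, included in the verification information
	PublicKey ed25519.PublicKey // public key carried in clear text (fourth embodiment), nil otherwise
	KeyIndex  string            // public key index (fifth embodiment); the host ID doubles as the index
	Signature []byte            // signature information
}

// verificationBytes is the ID field plus the message type, one of the
// combinations the patent allows. The encoding is this example's choice.
func verificationBytes(p signedPacket) []byte {
	var mt [2]byte
	binary.BigEndian.PutUint16(mt[:], p.MsgType)
	return append(append([]byte(p.HostID), 0), mt[:]...)
}

// hostIDFromKey derives the host terminal ID from the hash of its public key,
// as the fourth embodiment proposes (SHA-256, hex-encoded, chosen here).
func hostIDFromKey(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// signPacket is the host terminal's step 52 / step 62. An Ed25519 signature
// stands in for the patent's "encrypt with the private key".
func signPacket(p signedPacket, priv ed25519.PrivateKey) signedPacket {
	p.Signature = ed25519.Sign(priv, verificationBytes(p))
	return p
}

var (
	errNoPublicKey = errors.New("no public key available for this packet")
	errIDMismatch  = errors.New("host ID is not the hash of the carried public key")
	errSigInvalid  = errors.New("authentication of identity information failed")
)

// authenticateCarriedKey performs steps 54 to 58 of the fourth embodiment. It
// also checks that the ID field really is the hash of the carried public key:
// that binding is what ties a key arriving in clear text to the claimed
// identity, since the server stores nothing about the host in this variant.
func authenticateCarriedKey(p signedPacket) error {
	if len(p.PublicKey) != ed25519.PublicKeySize {
		return errNoPublicKey
	}
	if hostIDFromKey(p.PublicKey) != p.HostID {
		return errIDMismatch
	}
	if !ed25519.Verify(p.PublicKey, verificationBytes(p), p.Signature) {
		return errSigInvalid // step 58
	}
	return nil // step 57
}

// keyIndexTable is the pre-established public key index table of step 65.
type keyIndexTable map[string]ed25519.PublicKey

// authenticateIndexedKey performs steps 64 to 68 of the fifth embodiment: look
// up the public key by the index carried in the packet and verify with it.
func authenticateIndexedKey(p signedPacket, table keyIndexTable) error {
	pub, ok := table[p.KeyIndex]
	if !ok || len(pub) != ed25519.PublicKeySize {
		return errNoPublicKey
	}
	if !ed25519.Verify(pub, verificationBytes(p), p.Signature) {
		return errSigInvalid
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair (step 51 / 61)
	if err != nil {
		panic(err)
	}
	// Fourth embodiment: the public key travels in the packet, ID = hash(public key).
	p4 := signPacket(signedPacket{HostID: hostIDFromKey(pub), MsgType: 1, PublicKey: pub}, priv)
	fmt.Println("carried key:", authenticateCarriedKey(p4))
	// Fifth embodiment: only an index travels; the server holds the key table.
	table := keyIndexTable{"host-a.example.": pub}
	p5 := signPacket(signedPacket{HostID: "host-a.example.", MsgType: 1, KeyIndex: "host-a.example."}, priv)
	fmt.Println("indexed key:", authenticateIndexedKey(p5, table))
}
```

The hash-as-ID check in `authenticateCarriedKey` is the part a reviewer should look for in any implementation of the fourth embodiment: if the ID were an IP address or host name and the key arrived in the packet with no stored association, a valid signature would only prove possession of whatever key was sent, not that the key belongs to that ID. The fifth embodiment avoids the problem by resolving the key server-side, at the cost of the index table the text describes.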
  • FIG. 7 is a schematic structural diagram of a server according to a sixth embodiment of the present invention.
  • the server provided in this embodiment includes: a message receiving module 71, a key obtaining module 72, a decrypting module 73, and an authentication module 74.
  • the packet receiving module 71 is configured to receive a DNS packet, where the DNS packet includes signature information and verification information.
  • the signature information is obtained by encrypting the verification information with a first key.
  • the verification information may specifically be the identity information of the query terminal, that is, the content of the ID field of the DNS message in which the identity information of the query terminal is located.
  • the verification information may also be a combination of the identity information of the query terminal and other information, that is, the verification information may include the ID field of the DNS message together with the content of one or more other fields, such as the message type, the check code of the ID field, or the ID field plus the check code of other fields.
  • the key obtaining module 72 is configured to acquire a second key corresponding to the first key.
  • the decryption module 73 is configured to decrypt the signature information by using the second key to obtain a decrypted result.
  • the authentication module 74 is configured to treat the authentication of the identity information of the query terminal as successful when the decryption result is consistent with the verification information.
  • the authentication may be performed based on a symmetric key mechanism.
  • the first key is a first private key, and the second key is a second private key that is identical to the first private key.
  • the message receiving module 71 may be configured to receive the DNS message sent by the query terminal or sent by the query terminal via the recursive server.
  • the signature information included in the DNS message is obtained by the query terminal encrypting the verification information by using the first private key.
  • the key obtaining module 72 is specifically configured to obtain the second private key corresponding to the query terminal according to a pre-established mapping relationship between terminals and key information.
  • the key pair is pre-agreed between the recursive server and the server described in this embodiment.
  • the message receiving module 71 is specifically configured to receive the DNS message sent by the recursive server, where the signature information included in the DNS message is obtained by the recursive server, after receiving the query from the query terminal, encrypting the verification information with the first private key.
  • the key obtaining module 72 is specifically configured to obtain the second private key corresponding to the recursive server according to a pre-established mapping relationship between recursive servers and key information.
  • a private key and a public key may be combined to perform authentication based on the asymmetric key mechanism.
  • the first key is a private key, and the second key is the public key paired with that private key.
  • the public key may be transmitted in the DNS message.
  • the message receiving module 71 may be specifically configured to receive the DNS message sent by the query terminal or sent by the query terminal via the recursive server.
  • the signature information included in the DNS message is obtained by the query terminal encrypting the verification information with the private key, and the DNS message further includes the public key.
  • the key obtaining module 72 is specifically configured to parse the DNS packet to obtain the public key.
  • the index information of the public key can be transmitted in clear text in the DNS packet.
  • the message receiving module 71 is specifically configured to receive the DNS message sent by the query terminal, or sent by the query terminal via a recursive server, where the signature information included in the DNS message is obtained by the query terminal encrypting the verification information with the private key, and the DNS message further includes the index information of the public key.
  • the key obtaining module 72 is specifically configured to parse the DNS message, obtain the index information, and obtain the public key corresponding to the index information by querying a pre-established public key index table.
  • the server can perform security authentication on the query terminal identity information carried in the DNS message based on a symmetric or asymmetric cryptographic mechanism, ensuring that the query terminal identity information carried in the DNS message is authentic and reliable. This effectively prevents, when the server uses the identity information of the query terminal for access control, other terminals from impersonating the identity information of a query terminal that has access rights in order to obtain the service fraudulently, thereby improving the security of the domain name system.
  • the implementing entity of the server in this embodiment is not limited; it may be an authoritative server or another type of DNS server. For its working mechanism, refer to the description of the corresponding embodiment in FIG. 2 and the description of the authoritative server in FIG. 3 to FIG. 6, which is not repeated here.
  • the embodiment of the invention further provides a system for authenticating identity information in a DNS packet, the system comprising the above server.
  • the server may specifically be an authoritative server; the recursive server, the query terminal, and at least two authoritative servers may constitute a domain name system that supports recursive queries.
  • the system structure diagram can be seen in the description of FIG. 1. For the functions of the query terminal, the recursive server, and the authoritative servers, and for their interaction mechanism, refer to the corresponding description of FIG. 3 to FIG. 6; details are not described here again.
  • the foregoing storage medium includes: a medium that can store a program code, such as a ROM, a RAM, a magnetic disk, or an optical disk.
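Modules 71 to 74 and the key index table above, worked through for the symmetric variant as an added Python example (not code from the patent): the query terminal appends a key index and an HMAC-SHA256 tag over the ID and flags fields, and the server looks up the key by index, recomputes the tag and compares. HMAC stands in for the page's "encrypt with the first key, decrypt with the second key, compare" step; the trailer layout, the 16-bit index width and the key table are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed key table for the symmetric variant: a 16-bit key index carried in clear text
# selects the shared key, mirroring the page's public key index table (index width is assumed).
KEY_TABLE = {
    1: b"query-terminal-1-shared-key",
    2: b"query-terminal-2-shared-key",
}
TRAILER_LEN = 2 + 32  # assumed trailer: key index (2 bytes) + HMAC-SHA256 tag (32 bytes)


def build_query(msg_id: int, name: str) -> bytes:
    """Plain DNS query (12-byte header + one A/IN question); constructed sample input."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # flags 0x0100: standard query, RD
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def verification_info(dns_msg: bytes) -> bytes:
    """ID field plus the flags field: the page allows the ID field plus other header fields."""
    return dns_msg[:4]


def sign_query(dns_msg: bytes, key_index: int) -> bytes:
    """Query-terminal side: append the key index and the tag over the verification info."""
    tag = hmac.new(KEY_TABLE[key_index], verification_info(dns_msg), hashlib.sha256).digest()
    return dns_msg + struct.pack("!H", key_index) + tag


def authenticate(packet: bytes) -> bool:
    """Server side, modules 71-74: receive, obtain the key by index, recompute, compare."""
    if len(packet) < 12 + TRAILER_LEN:
        return False  # too short to carry a header and the trailer
    dns_msg, trailer = packet[:-TRAILER_LEN], packet[-TRAILER_LEN:]
    key_index = struct.unpack("!H", trailer[:2])[0]
    key = KEY_TABLE.get(key_index)  # module 72: key lookup via the index table
    if key is None:
        return False  # unknown index: no key, authentication fails
    expected = hmac.new(key, verification_info(dns_msg), hashlib.sha256).digest()
    return hmac.compare_digest(expected, trailer[2:])  # module 74: constant-time compare


def with_rewritten_id(packet: bytes) -> bytes:
    """The same packet with its ID field changed; used to check that the tag no longer verifies."""
    return struct.pack("!H", 0xBEEF) + packet[2:]
```

A tag over only the ID and flags fields does not bind the question section, so covering further fields, as the page allows, is what ties the authentication to the actual query.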

Abstract

The present invention relates to a method, a server and a system for authenticating identity information in domain name system (DNS) messages, in the field of Internet technology. The method is as follows: a DNS message containing signature information and verification information is received; the signature information is obtained by encrypting the verification information with a first secret key, and the verification information contains identity information of the query terminal; a second secret key corresponding to the first secret key is obtained; the signature information is decrypted with the second secret key to obtain the decryption result; when the decryption result is identical to the verification information, the authentication of the identity information of the query terminal succeeds. The present invention introduces the principle of authenticating the identity information in DNS messages into the domain name system, and effectively prevents other terminals from claiming the identity information of a query terminal that has access authorization in order to obtain services fraudulently when the server uses the identity information of query terminals for access control, thereby improving the security of the domain name system.
PCT/CN2010/074492 2010-01-22 2010-06-25 Method, server and system for authenticating identity information in domain name system (DNS) messages WO2011088658A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010100355A CN101841521A (zh) 2010-01-22 2010-01-22 Method, server and system for authenticating identity information in DNS messages
CN201010100355.X 2010-01-22

Publications (1)

Publication Number Publication Date
WO2011088658A1 true WO2011088658A1 (fr) 2011-07-28

Family

ID=42744646

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/074492 WO2011088658A1 (fr) 2010-01-22 2010-06-25 Method, server and system for authenticating identity information in domain name system (DNS) messages

Country Status (2)

Country Link
CN (1) CN101841521A (fr)
WO (1) WO2011088658A1 (fr)

Also Published As

Publication number Publication date
CN101841521A (zh) 2010-09-22

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10843698

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10843698

Country of ref document: EP

Kind code of ref document: A1