
CN101827106A - DHCP secure communication method, device and system - Google Patents

Info

Publication number
CN101827106A
Authority
CN
China
Prior art keywords
client
message
server end
server
ciphertext
Legal status
Pending
Application number
CN 201010166238
Other languages
Chinese (zh)
Inventor
徐炜
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

An embodiment of the present invention provides a DHCP secure communication method. The server receives a first message sent by a client; the first message includes an access challenge request, which asks the server to authenticate the client. The server generates a server-side message and encrypts it to obtain a server-side ciphertext. The server sends a first response to the client; the first response includes the server-side ciphertext. The server receives a second message returned by the client; the second message includes the server-side message, which the client obtained by decrypting the server-side ciphertext. The server checks whether the server-side message in the second message matches the server-side message it saved locally; if they match, the server confirms that the client is trusted. Embodiments of the present invention also provide a server device and a client device.

Description

A DHCP secure communication method, device and system

Technical field

Embodiments of the present invention relate to the field of network technology, and in particular to a DHCP (Dynamic Host Configuration Protocol) secure communication method, device and system.

Background

With the development of network technology, network devices are deployed in large numbers. Because network topologies change easily, many network devices need to obtain an IP address dynamically in order to join the network. In current implementations many of these devices support DHCP, and an external DHCP server assigns them a dynamic IP address. DHCP itself, however, includes no security measures, so in practice it carries a number of security risks and leaves the DHCP server exposed to attack.

In one existing solution, when a network device (the client) sends a request to the DHCP server (the server), it carries its own ID (identity) in the request, and the server decides from that ID whether the client is trusted; if so, the client is allowed access. Because the ID is supplied by the client itself, an attacker can easily intercept the client's identity information and then forge that identity to attack the server, so the security of the network is poor.

Summary of the invention

Embodiments of the present invention provide a DHCP secure communication method, device and system.

In one aspect, an embodiment of the present invention provides a DHCP secure communication method. The server receives a first message sent by a client; the first message includes an access challenge request, which asks the server to authenticate the client. The server generates a server-side message and encrypts it to obtain a server-side ciphertext. The server sends a first response to the client; the first response includes the server-side ciphertext. The server receives a second message returned by the client; the second message includes the server-side message, which the client obtained by decrypting the server-side ciphertext. The server checks whether the server-side message in the second message matches the server-side message it saved locally; if they match, the server confirms that the client is trusted.

In another aspect, an embodiment of the present invention provides a further DHCP secure communication method. The server receives a first message sent by a client; the first message includes an access challenge request, which asks the server to authenticate the client. The server generates a server-side message and encrypts it to obtain a server-side ciphertext. The server sends a first response to the client; the first response includes the server-side ciphertext. The server receives a second message returned by the client; the second message includes a client second ciphertext, which the client produced by encrypting the combination of the server-side message and a client-side message, the server-side message having been obtained by the client by decrypting the server-side ciphertext. The server decrypts the client second ciphertext to obtain the server-side message. The server checks whether the decrypted server-side message matches the server-side message it saved locally; if they match, the server confirms that the client is trusted.

In another aspect, an embodiment of the present invention provides a further DHCP secure communication method. The client sends a first message to the server; the first message includes an access challenge request, which asks the server to authenticate the client. The client receives a first response returned by the server; the first response includes a server-side ciphertext. The client decrypts the server-side ciphertext to obtain the server-side message, generates a client-side message, and either encrypts the client-side message to obtain a client first ciphertext or encrypts the combination of the server-side message and the client-side message to obtain a client second ciphertext. The client sends a second message to the server; the second message includes either the server-side message together with the client first ciphertext, or the client second ciphertext. The client receives a second response returned by the server; the second response includes the client-side message, which the server obtained by decrypting the client first ciphertext or the client second ciphertext. The client checks whether the received client-side message matches the client-side message it saved locally; if so, the client confirms that the server is trusted.

In a further aspect, an embodiment of the present invention provides a server device, including: a first receiving module, configured to receive a first message sent by a client, the first message including an access challenge request that asks the server to authenticate the client; a generating module, configured to generate a server-side ciphertext after the first receiving module has received the access challenge request; a first sending module, configured to send a first response to the client, the first response including the server-side ciphertext generated by the generating module; a second receiving module, configured to receive a second message returned by the client, the second message including the server-side message that the client obtained by decrypting the server-side ciphertext; and a verification module, configured to check whether the server-side message in the second message matches the server-side message saved locally by the server, and to confirm that the client is trusted if they match.

In a further aspect, an embodiment of the present invention also provides a server device, including: a first receiving module, configured to receive a first message sent by a client, the first message including an access challenge request that asks the server to authenticate the client; a generating module, configured to generate a server-side ciphertext after the first receiving module has received the access challenge request; a first sending module, configured to send a first response to the client, the first response including the server-side ciphertext generated by the generating module; a second receiving module, configured to receive a second message returned by the client, the second message including a client second ciphertext, which the client produced by encrypting the combination of the server-side message and a client-side message, the server-side message having been obtained by the client by decrypting the server-side ciphertext; a decryption module, configured to decrypt the client second ciphertext to obtain the server-side message; and a verification module, configured to check whether the decrypted server-side message matches the server-side message saved locally by the server, and to confirm that the client is trusted if they match.

In yet another aspect, an embodiment of the present invention also provides a client device, including: a first sending module, configured to send a first message to the server, the first message including an access challenge request that asks the server to authenticate the client; a first receiving module, configured to receive a first response returned by the server, the first response including a server-side ciphertext; a first decryption module, configured to decrypt the server-side ciphertext to obtain the server-side message; a generating module, configured to generate a client-side message; an encryption module, configured to encrypt the client-side message to obtain a client first ciphertext, or to encrypt the combination of the server-side message and the client-side message to obtain a client second ciphertext; a second sending module, configured to send a second message to the server, the second message including either the server-side message together with the client first ciphertext, or the client second ciphertext; a second receiving module, configured to receive a second response returned by the server, the second response including the client-side message that the server obtained by decrypting the client first ciphertext or the client second ciphertext; and a verification module, configured to check whether the client-side message received by the second receiving module matches the client-side message saved locally by the client, and to confirm that the server is trusted if they match.

In still another aspect, an embodiment of the present invention provides a system including the client device and the server device described above.

In the embodiments of the present invention the server sends the client an encrypted server-side message and checks whether the server-side message the client returns matches the server-side message saved locally by the server. A match shows that the client was able to decrypt correctly, and on that basis the server confirms that the client is trusted. The method verifies the legitimacy of the client effectively, reduces or prevents attacks on the server, and improves the security of network applications.

Description of drawings

FIG. 1 is a schematic flowchart of a DHCP secure communication method provided by an embodiment of the present invention.

FIG. 2 is a schematic flowchart of another DHCP secure communication method provided by an embodiment of the present invention.

FIG. 3 is a schematic flowchart of another DHCP secure communication method provided by an embodiment of the present invention.

FIG. 4 is a schematic flowchart of another DHCP secure communication method provided by an embodiment of the present invention.

FIG. 5 is a schematic structural diagram of a server device provided by an embodiment of the present invention.

FIG. 6 is a schematic structural diagram of another server device provided by an embodiment of the present invention.

FIG. 7 is a schematic structural diagram of a client device provided by an embodiment of the present invention.

Detailed description of embodiments

Embodiments of the present invention are described below with reference to the accompanying drawings. Clearly, the embodiments described are only some, not all, of the embodiments of the present invention.

Referring to FIG. 1, a DHCP secure communication method provided by an embodiment of the present invention mainly includes the following steps.

Step 102: the server receives a first message sent by the client; the first message includes an access challenge request, which asks the server to authenticate the client.

Step 104: the server generates a server-side message and encrypts it to obtain a server-side ciphertext.

After receiving the access challenge request, the server generates the server-side ciphertext that it will use to check whether the client is reliable or trustworthy. In a concrete application the server-side message can be a random number, generated for this request, and encrypting that random number yields the server-side ciphertext. The encryption algorithm used by the server may be asymmetric or symmetric. Taking an asymmetric algorithm as the example: since one server usually serves many clients, to reduce the server's workload the random number can be encrypted with the server-side shared key that the server and this client generated during their previous authentication.

Step 106: the server sends a first response to the client; the first response includes the server-side ciphertext.

Step 108: the server receives a second message returned by the client; the second message includes the server-side message, which the client obtained by decrypting the server-side ciphertext.

To decrypt the server-side ciphertext, the client can use the client private key generated during the previous authentication between the server and this client, that is, the private half of the key pair whose public half the server encrypted with.

The second message can further include a client first ciphertext; in this embodiment the client first ciphertext is obtained by the client encrypting a client-side message. The client-side message can also be a random number, and encrypting it with the client shared key generated during the previous authentication between the server and this client yields the client first ciphertext.

Step 110: the server checks whether the received server-side message matches the server-side message it saved locally.

To decide whether the client is trusted, the server checks whether the client was able to decrypt the server-side ciphertext correctly. Specifically, the server checks whether the server-side message returned by the client (the server-side message in the second message) matches the server-side message saved locally by the server.

Step 112: if the received server-side message matches the server-side message saved locally by the server, the server confirms that the client is trusted.

When the received server-side message matches the locally saved one, the server concludes that the client was able to decrypt the server-side ciphertext correctly, and therefore that the client is trusted.

Further, if the second message also includes a client first ciphertext, the server can decrypt the client first ciphertext to obtain the client-side message and send the client a second response that includes this decrypted client-side message. Returning the client-side message lets the client verify, in turn, whether the server is trusted.

In this embodiment the server sends the client the encrypted server-side message, i.e. the server-side ciphertext, and checks whether the server-side message the client returns matches the server-side message saved locally by the server; a match shows that the client can decrypt correctly, and the server confirms that the client is trusted. The method verifies the legitimacy of the client effectively, reduces or prevents attacks on the server, and improves the security of network applications.

It should be pointed out that, besides the Internet, the embodiments of the present invention can be applied to any communication network system that supports DHCP and IP, for example a wireless communication network in which the client is a base station and the server is a base station controller, or other arrangements; the embodiments do not limit this.

Referring to FIG. 2, another DHCP secure communication method provided by an embodiment of the present invention mainly includes the following steps.

Steps 202-206 are essentially the same as steps 102-106; see the previous embodiment, they are not repeated here.

Step 208: the server receives a second message returned by the client; the second message includes a client second ciphertext, which the client produced by encrypting the combination of the server-side message and a client-side message, the server-side message having been obtained by the client by decrypting the server-side ciphertext.

Both the server-side message and the client-side message can be random numbers; combining them gives a random number string, and encrypting that string yields the client second ciphertext. With an asymmetric algorithm, the random number string can be encrypted with the client shared key generated during the previous authentication between the server and this client.

Step 210: the server decrypts the client second ciphertext to obtain the server-side message.

After decrypting the client second ciphertext the server holds the combination of the server-side message and the client-side message, for example a random number string, and can separate the server-side message from the client-side message according to the structure of the combination.

A message usually contains the following parts: message type, message length and message content. When the server-side message and the client-side message are combined, one combination structure is: server-side message type, server-side message length, server-side message content, client-side message type, client-side message length, client-side message content. Other structures are possible, for example placing the client-side message before the server-side message; the embodiments do not limit this.

For decryption, again taking an asymmetric algorithm as the example: since the client encrypted the random number string with the client shared key generated during the previous authentication between the server and this client, the server correspondingly decrypts it with the server private key generated during that previous authentication.

Step 212: the server checks whether the decrypted server-side message matches the server-side message it saved locally.

To decide whether the client is trusted, the server checks whether the client was able to decrypt the server-side ciphertext correctly. Specifically, after decrypting the second message returned by the client to obtain the server-side message, the server checks whether that decrypted server-side message matches the server-side message saved locally by the server.

Step 214: if the decrypted server-side message matches the server-side message saved locally by the server, the server confirms that the client is trusted.

When the decrypted server-side message matches the locally saved one, the server concludes that the client was able to decrypt the server-side ciphertext correctly, and therefore that the client is trusted.

In this embodiment the server sends the client the encrypted server-side message, i.e. the server-side ciphertext, decrypts the second message the client returns, and compares the decrypted server-side message with the server-side message saved locally by the server to determine whether the client can decrypt correctly and hence whether the client is trusted. The method verifies the legitimacy of the client effectively, reduces or prevents attacks on the server, and improves the security of network applications.
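The combination structure of steps 208-214 (message type, message length, message content for each of the two messages) and the server's check on the decrypted result, as an added Go example; it is not part of the patent and not code from any Huawei implementation. It assumes a one-byte type, a big-endian 16-bit length and type codes 1 and 2, none of which the page specifies, and the two nonces are constructed sample values standing in for the random numbers. The encryption around the combination is left out here because the check is the same whichever cipher an embodiment picks.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Type codes for the two elements of the combination; the page fixes no values, so these are assumed.
const (
	typeServerMsg byte = 1
	typeClientMsg byte = 2
)

// encodeTLV emits one element laid out as the page describes: message type, message length,
// message content. The length is a big-endian uint16 here (an assumed field width).
func encodeTLV(t byte, content []byte) []byte {
	out := []byte{t, 0, 0}
	binary.BigEndian.PutUint16(out[1:], uint16(len(content)))
	return append(out, content...)
}

// Combine builds the step-208 combination in the order the page gives first: server-side
// message followed by client-side message. This is what the client encrypts into the second ciphertext.
func Combine(serverMsg, clientMsg []byte) []byte {
	return append(encodeTLV(typeServerMsg, serverMsg), encodeTLV(typeClientMsg, clientMsg)...)
}

// Split recovers both messages from a decrypted combination. Elements are located by type, so
// the alternative order the page allows (client-side message first) parses too; truncated,
// duplicated or unknown elements are errors rather than something to guess at.
func Split(buf []byte) (serverMsg, clientMsg []byte, err error) {
	for len(buf) > 0 {
		if len(buf) < 3 {
			return nil, nil, errors.New("truncated TLV header")
		}
		t, n := buf[0], int(binary.BigEndian.Uint16(buf[1:3]))
		if len(buf) < 3+n {
			return nil, nil, errors.New("truncated TLV content")
		}
		content := buf[3 : 3+n]
		switch {
		case t == typeServerMsg && serverMsg == nil:
			serverMsg = content
		case t == typeClientMsg && clientMsg == nil:
			clientMsg = content
		default:
			return nil, nil, fmt.Errorf("unexpected or duplicate element type %d", t)
		}
		buf = buf[3+n:]
	}
	if serverMsg == nil || clientMsg == nil {
		return nil, nil, errors.New("combination lacks the server-side or client-side message")
	}
	return serverMsg, clientMsg, nil
}

// VerifyCombination is the server's work in steps 210-214 once the client second ciphertext
// has been decrypted: split the combination, compare the returned server-side message with
// the locally saved one in constant time, and hand back the client-side message (for the
// second response) only when the client is trusted.
func VerifyCombination(decrypted, savedServerMsg []byte) (clientMsg []byte, err error) {
	serverMsg, clientMsg, err := Split(decrypted)
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare(serverMsg, savedServerMsg) != 1 {
		return nil, errors.New("client not trusted: server-side message mismatch")
	}
	return clientMsg, nil
}

func main() {
	// Constructed sample values standing in for the two random numbers.
	saved := []byte("srv-nonce-0123456789")
	clientNonce := []byte("cli-nonce-9876543210")
	plain := Combine(saved, clientNonce)
	fmt.Printf("combination: % x\n", plain)

	got, err := VerifyCombination(plain, saved)
	fmt.Println(bytes.Equal(got, clientNonce), err) // true <nil>

	// A client that could not decrypt the server-side ciphertext returns the wrong server-side message.
	_, err = VerifyCombination(Combine([]byte("wrong-guess-at-nonce"), clientNonce), saved)
	fmt.Println(err) // client not trusted: server-side message mismatch

	// A length field that runs past the end of the message is rejected, not read out of bounds.
	_, err = VerifyCombination(plain[:len(plain)-5], saved)
	fmt.Println(err) // truncated TLV content
}
```

Split locates the two elements by type rather than by position, which is why both orders the page mentions parse, and every length is checked against the remaining buffer before it is used as a slice bound; a server that parses attacker-influenced plaintext after decryption needs that check just as much as a network parser does.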

Referring to FIG. 3, another DHCP secure communication method provided by an embodiment of the present invention mainly includes the following steps.

Step 302: the client sends a first message to the server; the first message includes an access challenge request, which asks the server to authenticate the client.

Step 304: the client receives a first response returned by the server; the first response includes the server-side ciphertext.

The server-side ciphertext is obtained by the server encrypting the server-side message. In a concrete application the server-side message can be a random number, and encrypting that random number yields the server-side ciphertext. The encryption algorithm used by the server may be asymmetric or symmetric. Taking an asymmetric algorithm as the example: since one server usually serves many clients, to reduce the server's workload the random number can be encrypted with the server-side shared key that the server and this client generated during their previous authentication.

Step 306: the client decrypts the server-side ciphertext to obtain the server-side message, and generates a client first ciphertext or a client second ciphertext.

The client generates a client-side message and encrypts it to obtain the client first ciphertext; or the client encrypts the combination of the server-side message and the client-side message to obtain the client second ciphertext.

In a concrete application the client-side message can be a random number. Encrypting that random number gives the client first ciphertext; alternatively, combining the server-side message and the client-side message gives a random number string, and encrypting that string gives the client second ciphertext. Taking an asymmetric algorithm as the example, the encryption can use the client shared key generated during the previous authentication between the server and this client.

Step 308: the client sends a second message to the server; the second message includes either the server-side message together with the client first ciphertext, or the client second ciphertext.

Taking an asymmetric algorithm as the example, in practice the client may also, before step 308, regenerate a client private key and a client public key during this authentication (that is, generate a new client private key and a new client public key); the specific algorithm is known in the art and is not described here.

The client can further save the regenerated client private key.

The client can also carry the new client public key in the second message, so that the server can generate a new server-side shared key from that new client public key during this authentication.

步骤310,客户端接收服务器端返回的第二响应,第二响应包括客户端消息。Step 310, the client receives the second response returned by the server, where the second response includes the client message.

服务器端在接收到第二消息后,若验证出第二消息中包含的服务器端消息和服务器端本地保存的服务器端消息一致,会确认客户端可信。进一步地,服务器端会对客户端第一密文进行解密得到服务器端消息;服务器端将对客户端第一密文解密后得到的服务器端消息发送给客户端,以便客户端可以来验证服务器端是否可信。After the server receives the second message, if it verifies that the server message contained in the second message is consistent with the server message stored locally by the server, it will confirm that the client is authentic. Further, the server will decrypt the first ciphertext of the client to obtain the server-side message; the server will send the server-side message obtained after decrypting the first ciphertext of the client to the client, so that the client can verify the server-side Is it credible.

或者服务器端在接到第二消息后,对客户端第二密文解密得到服务器端消息和客户端消息,并验证出解密后得到的服务器端消息和服务器端本地保存的服务器端消息一致时,会确认客户端可信。进一步地,服务器端将对客户端第二密文解密后得到的服务器端消息发送给客户端,以便客户端可以来验证服务器端是否可信。Or, after receiving the second message, the server decrypts the second ciphertext of the client to obtain the server message and the client message, and verifies that the decrypted server message is consistent with the server message stored locally on the server, will confirm that the client is trusted. Further, the server sends the server message obtained after decrypting the second ciphertext of the client to the client, so that the client can verify whether the server is credible.

步骤312,客户端验证接收到的客户端消息和客户端本地保存的客户端消息是否一致。In step 312, the client verifies whether the received client message is consistent with the client message locally stored by the client.

步骤314,若客户端接收到的客户端消息和客户端本地保存的客户端消息一致,则客户端确认服务器端可信。Step 314, if the client message received by the client is consistent with the client message locally stored by the client, the client confirms that the server is authentic.

在客户端接收到的客户端消息和客户端本地保存的客户端消息一致时,客户端认为服务器端可以正确解密客户端密文,从而认为服务器端是可信的。When the client message received by the client is consistent with the client message stored locally by the client, the client believes that the server can correctly decrypt the client ciphertext, and thus considers the server to be credible.

在实际应用时,为了进一步加强服务器端和客户端之间的安全通信,步骤310中的客户端消息也可以是服务器端重新加密后的客户端消息,服务器端在加密时可以利用上一次认证过程中生成的服务器端共享密钥;相应地,对客户端而言,利用上一次认证过程中客户端生成的私钥来进行解密。或者,服务器端在加密时也可以利用本次认证过程中生成的服务器端共享密钥,这时服务器端还需要进一步将本次认证过程中生成的新的服务器端公钥发给客户端,客户端基于该新的服务器端公钥生成一个新的客户端共享密钥,即本次认证过程中生成的客户端共享密钥。In actual application, in order to further strengthen the secure communication between the server and the client, the client message in step 310 can also be the client message re-encrypted by the server, and the server can use the last authentication process when encrypting The server-side shared key generated in ; correspondingly, for the client, the private key generated by the client in the last authentication process is used for decryption. Or, the server can also use the server-side shared key generated in this authentication process when encrypting. At this time, the server needs to further send the new server-side public key generated in this authentication process to the client. The terminal generates a new client shared key based on the new server-side public key, that is, the client shared key generated in this authentication process.

此外,在步骤310中,第二响应中还可以包括服务器端分配给客户端的IP地址;则在步骤314中客户端确认服务器端可信之后还可以包括:客户端获取该IP地址,与服务器端建立连接。In addition, in step 310, the second response may also include the IP address assigned by the server to the client; then in step 314, after the client confirms that the server is credible, it may also include: the client obtains the IP address, and communicates with the server establish connection.

本实施例中在服务器端通过对客户端的认证之后,进一步由客户端来对服务器端进行认证,能够进一步加强服务器端和客户端之间的安全通信。In this embodiment, after the server has passed the authentication of the client, the client further authenticates the server, which can further strengthen the secure communication between the server and the client.

Refer to FIG. 4, which shows another DHCP secure communication method provided by an embodiment of the present invention. The encryption algorithm used in this embodiment is asymmetric. The method mainly includes the following steps.

Step 402: the client sends a first message to the server. The first message includes an access challenge request, which asks the server to authenticate the client.

For compatibility with the DHCP protocol, the first message in this embodiment may be a DHCP DISCOVER/OPTION message. Further, that DHCP DISCOVER/OPTION message may also carry a client ID and a timestamp.

Step 404: the server generates and encrypts the server message, and generates the server first information digest.

In this embodiment the server message may be a random number s; encrypting s yields the server ciphertext. The server first information digest can be used to prevent the server ciphertext from being tampered with.

Since one server usually serves many clients, to reduce the server's workload the random number s may be encrypted with the server shared key generated during the previous authentication between the server and this client.

Step 406: the server sends a first response to the client; the first response includes the server ciphertext and the server first information digest.

Here the first response may be a DHCP OFFER/OPTION message.

Step 408: the client decrypts the server ciphertext to obtain the server message. The client generates a client message and encrypts the combination of the server message and the client message to obtain the client second ciphertext. The client also generates a client information digest. In addition, the client generates a client public key and a client private key.

Evidently, the client public key and client private key generated in step 408 are the new client public key and client private key generated during the current authentication.

The client information digest can be used to prevent the client second ciphertext from being tampered with.

In this embodiment the client message may be a random number c. One combination of the server message and the client message is c-s, i.e. the random numbers c and s are concatenated into the random-number string c-s, which is encrypted to obtain the client second ciphertext; for example, c-s may be encrypted with the client shared key generated during the previous authentication between the server and this client.

Step 410: the client sends a second message to the server; the second message includes the client second ciphertext, the client public key and the client information digest.

In a specific implementation the second message may be a DHCP REQUEST/OPTION message carrying the client public key, the client information digest and the encrypted random-number string c-s.

Step 412: the server decrypts the client second ciphertext to obtain the server message and the client message, and confirms that the client is trusted when the decrypted server message is consistent with the server message stored locally on the server.

Specifically, the server decrypts the random-number string c-s with the server private key generated during the previous authentication between the server and this client, obtaining the random numbers c and s; if s has not changed, the client is confirmed to be trusted.

The server also generates a server public key and a server private key, and generates a server second information digest.

In addition, the server generates a server shared key from the client public key; further, the server encrypts the client message, e.g. the random number c, with that server shared key.

Step 414: the server returns a second response to the client; the second response includes the server public key, the encrypted client message and the server second information digest.

The server second information digest is used to prevent the encrypted client message from being tampered with.

Specifically, the second response may be a DHCP ACK message carrying the server public key, the encrypted random number c and the server second information digest.

Step 416: the client decrypts to obtain the client message, and confirms that the server is trusted when the decrypted client message is consistent with the client message stored locally on the client.

Specifically, the client decrypts with the client private key generated during the current authentication (i.e. the client private key generated in step 408), obtaining the random number c; if c has not changed, the server is confirmed to be trusted.

In this embodiment the server can effectively verify the legitimacy of the client and the client can effectively verify the legitimacy of the server, thereby ensuring secure communication between client and server, reducing or avoiding illegitimate attacks on the server, and improving the security of network applications.
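The following is an added example, not code from the patent or from Huawei: it runs the FIG. 4 exchange (steps 402 to 416), which also covers the client-side steps 308 to 314 of the previous embodiment, as a self-contained Python script. DHCP messages are plain dictionaries; the shared keys come from a toy Diffie-Hellman group constructed here (the patent states only that each side derives a shared key from the peer's public key, so DH is an assumption); the cipher is an HMAC-SHA256 keystream, and an HMAC tag stands in for the patent's information digests. The field names, the 16-byte random numbers c and s, the key sizes and the address 192.0.2.10 are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example only and far too small
# for real use. The patent says only that each side derives a shared key from
# the peer's public key; DH is the assumed mechanism behind that.
P = (1 << 127) - 1
G = 5

def keygen():
    # Return a (private, public) pair in the toy group.
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    # Shared key = SHA-256 of the DH secret computed from the peer's public key.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def _keystream(key, nonce, n):
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(key, plaintext):
    # Counter-mode stream cipher built from HMAC-SHA256, plus an HMAC tag that
    # plays the role of the patent's "information digest".
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "digest": tag}

def decrypt(key, box):
    # Check the digest first: a modified ciphertext is rejected, not decrypted.
    tag = hmac.new(key, box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, box["digest"]):
        raise ValueError("digest mismatch: ciphertext was modified in transit")
    return bytes(a ^ b for a, b in zip(box["ct"], _keystream(key, box["nonce"], len(box["ct"]))))

class Server:
    def __init__(self, priv, client_pub):       # state left by the previous round
        self.priv, self.client_pub, self.s = priv, client_pub, None

    def handle_discover(self, msg):
        # Steps 404/406: random s encrypted under the previous round's shared key.
        self.s = secrets.token_bytes(16)
        box = encrypt(shared_key(self.priv, self.client_pub), self.s)
        return {"type": "DHCPOFFER", **box}

    def handle_request(self, msg):
        # Step 412: recover c-s and compare s with the stored copy.
        cs = decrypt(shared_key(self.priv, self.client_pub), msg)
        c, s = cs[:16], cs[16:]
        if not hmac.compare_digest(s, self.s):
            raise ValueError("client not trusted: s does not match")
        self.priv, server_pub = keygen()        # new server key pair (step 412)
        self.client_pub = msg["client_pub"]     # new client public key from step 410
        box = encrypt(shared_key(self.priv, self.client_pub), c)
        return {"type": "DHCPACK", "server_pub": server_pub, "yiaddr": "192.0.2.10", **box}

class Client:
    def __init__(self, priv, server_pub):
        self.priv, self.server_pub, self.c = priv, server_pub, None

    def discover(self):
        # Step 402: DISCOVER carrying the access challenge request (constructed fields).
        return {"type": "DHCPDISCOVER", "challenge": True, "client_id": "client-01"}

    def handle_offer(self, msg):
        # Steps 408/410: decrypt s, encrypt c-s under the old key, then rotate keys.
        key = shared_key(self.priv, self.server_pub)
        s = decrypt(key, msg)
        self.c = secrets.token_bytes(16)
        box = encrypt(key, self.c + s)
        self.priv, client_pub = keygen()
        return {"type": "DHCPREQUEST", "client_pub": client_pub, **box}

    def handle_ack(self, msg):
        # Step 416: derive the new shared key from the server's new public key, recover c.
        self.server_pub = msg["server_pub"]
        c = decrypt(shared_key(self.priv, self.server_pub), msg)
        if not hmac.compare_digest(c, self.c):
            raise ValueError("server not trusted: c does not match")
        return msg["yiaddr"]

def run_exchange(tamper_offer=False, rogue_server=False):
    # Run the four-message exchange; returns the assigned address, or the
    # error text when one of the checks rejects the peer.
    c_priv, c_pub = keygen()                    # key pairs from the previous round
    s_priv, s_pub = keygen()
    client = Client(c_priv, s_pub)
    server = Server(keygen()[0] if rogue_server else s_priv, c_pub)  # rogue lacks last round's key
    offer = server.handle_discover(client.discover())
    if tamper_offer:                            # flip one bit of the server ciphertext
        offer["ct"] = bytes([offer["ct"][0] ^ 1]) + offer["ct"][1:]
    try:
        ack = server.handle_request(client.handle_offer(offer))
        return client.handle_ack(ack)
    except ValueError as exc:
        return str(exc)
```

Two details worth noting: each side encrypts under the previous round's key before generating its new key pair, which is the ordering steps 408 and 412 require, and both failure modes the text cares about are exercised by `run_exchange`: a modified OFFER fails the digest check before any decryption, and a server that does not hold the previous round's shared key cannot produce an OFFER the client accepts, which is what lets the client reject an unknown DHCP server.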

FIG. 5 is a schematic structural diagram of a server-side device provided by an embodiment of the present invention. The device mainly includes a first receiving module 502, a generating module 504, a first sending module 506, a second receiving module 508 and a verification module 510.

The first receiving module 502 receives the first message sent by the client, the first message including an access challenge request that asks the server to authenticate the client; the generating module 504 generates the server ciphertext after the first receiving module 502 has received the access challenge request; the first sending module 506 sends a first response to the client, the first response including the server ciphertext generated by the generating module 504; the second receiving module 508 receives the second message returned by the client, the second message including the server message obtained by the client decrypting the server ciphertext; the verification module 510 verifies whether the server message in the second message is consistent with the server message stored locally on the server and, if so, confirms that the client is trusted.

When generating the server ciphertext, the generating module 504 generates the server message and encrypts it; for an asymmetric algorithm, for example, the random number may be encrypted with the server shared key generated during the previous authentication between the server and this client.

If the second message also includes the client first ciphertext, the server-side device may further include a decryption module and a second sending module: the decryption module decrypts the client first ciphertext to obtain the client message after the verification module 510 has confirmed that the client is trusted, and the second sending module sends a second response including the client message to the client.

In this embodiment the server sends the encrypted server message, i.e. the server ciphertext, to the client and verifies whether the server message returned by the client is consistent with the server message stored locally on the server; if so, the client has decrypted correctly and is confirmed to be trusted. This method can effectively verify the legitimacy of the client, reduce or avoid illegitimate attacks on the server, and improve the security of network applications.

FIG. 6 is a schematic structural diagram of another server-side device provided by an embodiment of the present invention. The device mainly includes a first receiving module 602, a generating module 604, a first sending module 606, a second receiving module 608, a decryption module 610 and a verification module 612.

The first receiving module 602 receives the first message sent by the client, the first message including an access challenge request that asks the server to authenticate the client; the generating module 604 generates the server ciphertext after the first receiving module has received the access challenge request; the first sending module 606 sends a first response to the client, the first response including the server ciphertext generated by the generating module 604; the second receiving module 608 receives the second message returned by the client, the second message including the client second ciphertext, where the client second ciphertext is obtained by the client encrypting the combination of the server message and the client message, and the server message is obtained by the client decrypting the server ciphertext; the decryption module 610 decrypts the client second ciphertext to obtain the server message; the verification module 612 verifies whether the decrypted server message is consistent with the server message stored locally on the server and, if so, confirms that the client is trusted.

When generating the server ciphertext, the generating module 604 generates the server message and encrypts it; for an asymmetric algorithm, for example, the random number may be encrypted with the server shared key generated during the previous authentication between the server and this client.

Since the decryption module 610 obtains the client message as well as the server message when decrypting the client second ciphertext, the server-side device may further include a second sending module that sends a second response including the client message to the client.

In this embodiment the server sends the encrypted server message, i.e. the server ciphertext, to the client, decrypts the second message returned by the client, and compares the decrypted server message with the server message stored locally on the server to determine whether the client decrypted correctly and hence whether the client is trusted. This method can effectively verify the legitimacy of the client, reduce or avoid illegitimate attacks on the server, and improve the security of network applications.

FIG. 7 is a schematic structural diagram of a client device provided by an embodiment of the present invention. The device mainly includes a first sending module 702, a first receiving module 704, a first decryption module 706, a generating module 708, an encryption module 710, a second sending module 712, a second receiving module 714 and a verification module 716.

The first sending module 702 sends a first message to the server, the first message including an access challenge request that asks the server to authenticate the client; the first receiving module 704 receives the first response returned by the server, the first response including the server ciphertext; the first decryption module 706 decrypts the server ciphertext to obtain the server message; the generating module 708 generates the client message; the encryption module 710 encrypts the client message to obtain the client first ciphertext, or encrypts the combination of the server message and the client message to obtain the client second ciphertext; the second sending module 712 sends a second message to the server, the second message including the server message and the client first ciphertext, or including the client second ciphertext; the second receiving module 714 receives the second response returned by the server, the second response including the client message, where the client message is obtained by the server decrypting the client first ciphertext or the client second ciphertext; the verification module 716 verifies whether the received client message is consistent with the client message stored locally on the client and, if so, confirms that the server is trusted.

Further, if the client message in the second response is a client message re-encrypted by the server, the client device further includes a second decryption module for decrypting the re-encrypted client message. The verification module 716 then verifies whether the decrypted client message is consistent with the client message stored locally on the client and, if so, confirms that the server is trusted.

In addition, if the second response also includes the IP address assigned by the server to the client, the client device may further include a connection establishing module that obtains the IP address assigned by the server to the client and establishes a connection with the server.

In this embodiment, after the server has authenticated the client, it returns the client message to the client, and the client verifies whether the returned client message is unchanged, thereby authenticating the server and further strengthening secure communication between the server and the client.

In addition, an embodiment of the present invention also provides a system that includes a server-side device and a client device. For the specific implementation of the client device and the server-side device, refer to the above embodiments; they are not described again here.

Those of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments may be implemented by a program instructing the relevant hardware, and that the program may be stored on a computer-readable storage medium.

Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced with equivalents, without departing in essence from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (15)

1. A DHCP secure communication method, characterized in that it comprises:
the server receiving a first message sent by a client, the first message comprising an access challenge request, the access challenge request requesting the server to authenticate the client;
the server generating a server message and encrypting it to obtain a server ciphertext;
the server sending a first response to the client, the first response comprising the server ciphertext;
the server receiving a second message returned by the client, the second message comprising the server message, wherein the server message in the second message is obtained by the client decrypting the server ciphertext;
the server verifying whether the server message in the second message is consistent with the server message stored locally on the server and, if consistent, confirming that the client is trusted.
2. The method according to claim 1, characterized in that the second message further comprises a client first ciphertext, and the method further comprises:
the server decrypting the client first ciphertext to obtain a client message;
the server sending a second response to the client, the second response comprising the client message.
3. A DHCP secure communication method, characterized in that it comprises:
the server receiving a first message sent by a client, the first message comprising an access challenge request, the access challenge request requesting the server to authenticate the client;
the server generating a server message and encrypting it to obtain a server ciphertext;
the server sending a first response to the client, the first response comprising the server ciphertext;
the server receiving a second message returned by the client, the second message comprising a client second ciphertext, wherein the client second ciphertext is obtained by the client encrypting a combination of the server message and a client message, and the server message is obtained by the client decrypting the server ciphertext;
the server decrypting the client second ciphertext to obtain the server message;
the server verifying whether the decrypted server message is consistent with the server message stored locally on the server and, if consistent, confirming that the client is trusted.
4. The method according to claim 3, characterized in that the server also obtains the client message when decrypting the client second ciphertext, and the method further comprises:
the server sending a second response to the client, the second response comprising the client message.
5. A DHCP secure communication method, characterized in that it comprises:
the client sending a first message to a server, the first message comprising an access challenge request, the access challenge request requesting the server to authenticate the client;
the client receiving a first response returned by the server, the first response comprising a server ciphertext;
the client decrypting the server ciphertext to obtain a server message, generating a client message, and either encrypting the client message to obtain a client first ciphertext or encrypting a combination of the server message and the client message to obtain a client second ciphertext;
the client sending a second message to the server, the second message comprising the server message and the client first ciphertext, or the second message comprising the client second ciphertext;
the client receiving a second response returned by the server, the second response comprising the client message, wherein the client message in the second response is obtained by the server decrypting the client first ciphertext or the client second ciphertext;
the client verifying whether the received client message is consistent with the client message stored locally on the client and, if consistent, confirming that the server is trusted.
6. The method according to claim 5, characterized in that the client message in the second response is a client message re-encrypted by the server;
and the method further comprises, before the verifying:
the client decrypting the re-encrypted client message.
7. The method according to claim 5, characterized in that the second response further comprises an IP address assigned by the server to the client;
and the method further comprises, after the client confirms that the server is trusted:
the client obtaining the IP address and establishing a connection with the server.
8. a server-side device is characterized in that, comprising:
First receiver module is used to receive first message that client sends, and first message comprises that inserting challenge asks, and described access challenge request is used for the request server end this client is authenticated;
Generation module is used for receiving access challenge request back at first receiver module and generates the server end ciphertext;
First sending module is used for sending first response to client, and first response comprises the server end ciphertext that generation module generates;
Second receiver module is used to receive second message that client is returned, and second message comprises the server end message that obtains after client is decrypted the server end ciphertext;
Authentication module is used for verifying whether the server end message of second message is consistent with the local server end message of preserving of server end, confirms that when unanimity client is credible.
9. server-side device according to claim 8 is characterized in that, if also comprise client first ciphertext in second message, then server-side device also comprises:
Deciphering module is used for after authentication module confirms that client is credible, client first ciphertext is decrypted obtains client message;
Second sending module is used to send second response to client, and wherein second response comprises client message.
10. a server-side device is characterized in that, comprising:
First receiver module is used to receive first message that client sends, and first message comprises that inserting challenge asks, and described access challenge request is used for the request server end this client is authenticated;
Generation module is used for receiving access challenge request back at first receiver module and generates the server end ciphertext;
First sending module is used for sending first response to client, and first response comprises the server end ciphertext that generation module generates;
a second receiving module, configured to receive a second message returned by the client, the second message comprising a client second ciphertext, wherein the client second ciphertext is obtained by the client encrypting a combination of the server-side message and a client message, and the server-side message is obtained by the client decrypting the server-side ciphertext;
a decryption module, configured to decrypt the client second ciphertext to obtain the server-side message;
an authentication module, configured to verify whether the server-side message obtained by the decryption module is consistent with the server-side message stored locally at the server side, and to confirm that the client is trusted if they are consistent.
11. The server-side device according to claim 10, characterized in that, if the second message also comprises a client first ciphertext, the server side further comprises:
a second sending module, configured to send a second response to the client, wherein the second response comprises the client message, and the client message is obtained by the decryption module decrypting the client second ciphertext.
12. A client device, characterized in that it comprises:
a first sending module, configured to send a first message to the server side, the first message comprising an access challenge request, wherein the access challenge request is used to request the server side to authenticate this client;
a first receiving module, configured to receive a first response returned by the server side, the first response comprising a server-side ciphertext;
a first decryption module, configured to decrypt the server-side ciphertext to obtain a server-side message;
a generation module, configured to generate a client message;
an encryption module, configured to encrypt the client message to obtain a client first ciphertext, or to encrypt a combination of the server-side message and the client message to obtain a client second ciphertext;
a second sending module, configured to send a second message to the server side, the second message comprising the server-side message and the client first ciphertext, or alternatively comprising the client second ciphertext;
a second receiving module, configured to receive a second response returned by the server side, the second response comprising the client message, wherein the client message in the second response is obtained by the server side decrypting the client first ciphertext or the client second ciphertext;
an authentication module, configured to verify whether the client message received by the second receiving module is consistent with the client message stored locally at the client, and to confirm that the server side is trusted if they are consistent.
13. The client device according to claim 12, characterized in that the second response further comprises an IP address allocated to the client by the server side; the client device further comprises:
a connection establishment module, configured to obtain the IP address allocated to the client by the server side and to establish a connection with the server side.
14. The client device according to claim 12, characterized in that the client message in the second response is the client message re-encrypted by the server side;
the client device further comprises:
a second decryption module, configured to decrypt the re-encrypted client message received by the second receiving module;
the authentication module is configured to verify whether the client message obtained by the second decryption module is consistent with the client message stored locally at the client, and to confirm that the server side is trusted if they are consistent.
15. A system, comprising a server-side device and a client device according to any one of claims 12 to 14.
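As an added illustration (not code from the patent or its applicant), the two-sided exchange of claims 10 to 14 in Python: a pre-shared key and an HMAC-based stream cipher are assumed in place of the unspecified encryption, the server side keeps the server-side message it issued and the client keeps its own, and each side trusts the other only when the echoed value matches.

```python
import hashlib, hmac, os
# Constructed pre-shared key; the claims fix neither the cipher nor the key provisioning.
PSK = b"constructed-demo-pre-shared-key"
MSG_LEN = 16  # length of the random server-side and client messages (assumption)

def encrypt(key, plaintext):
    """Constructed cipher: fresh nonce, HMAC-SHA256 keystream XORed with a <=32-byte plaintext."""
    nonce = os.urandom(16)
    keystream = hmac.new(key, nonce, hashlib.sha256).digest()
    return nonce + bytes(p ^ k for p, k in zip(plaintext, keystream))
def decrypt(key, blob):
    keystream = hmac.new(key, blob[:16], hashlib.sha256).digest()
    return bytes(c ^ k for c, k in zip(blob[16:], keystream))

class Server:
    def __init__(self, key):
        self.key, self.pending = key, {}
    def on_first_message(self, client_id):
        # First response (claim 10): fresh server-side message, kept locally, sent only as ciphertext.
        self.pending[client_id] = os.urandom(MSG_LEN)
        return encrypt(self.key, self.pending[client_id])
    def on_second_message(self, client_id, client_second_ct):
        # Decrypt the client second ciphertext, split it, check the echoed server-side message.
        combo = decrypt(self.key, client_second_ct)
        server_msg, client_msg = combo[:MSG_LEN], combo[MSG_LEN:]
        expected = self.pending.pop(client_id, None)  # one use per challenge, so a replay fails
        if expected is None or not hmac.compare_digest(server_msg, expected):
            return None  # client not trusted: no second response, no address
        # Second response: client message re-encrypted (claim 14) plus the assigned IP (claim 13).
        return {"client_msg_ct": encrypt(self.key, client_msg), "ip": "192.0.2.10"}

class Client:
    def __init__(self, key):
        self.key, self.client_msg = key, os.urandom(MSG_LEN)
    def make_second_message(self, server_ct):
        # Claim 12: decrypt the server-side ciphertext, then encrypt (server message || client message).
        return encrypt(self.key, decrypt(self.key, server_ct) + self.client_msg)
    def verify_second_response(self, resp):
        # The server side is trusted only if it returns the client message it could not have guessed.
        if resp is None:
            return None
        echoed = decrypt(self.key, resp["client_msg_ct"])
        return resp["ip"] if hmac.compare_digest(echoed, self.client_msg) else None

def run_exchange(client_key=PSK, server_key=PSK):
    """Full exchange; returns the assigned IP, or None when either side rejects the other."""
    server, client = Server(server_key), Client(client_key)
    server_ct = server.on_first_message("client-A")
    resp = server.on_second_message("client-A", client.make_second_message(server_ct))
    return client.verify_second_response(resp)
```

A party holding the wrong key fails on whichever side checks first, and a replayed second message is rejected because the pending server-side message is consumed on first use.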
CN 201010166238 2010-04-29 2010-04-29 DHCP safety communication method, device and system Pending CN101827106A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010166238 CN101827106A (en) 2010-04-29 2010-04-29 DHCP safety communication method, device and system

Publications (1)

Publication Number Publication Date
CN101827106A true CN101827106A (en) 2010-09-08

Family

ID=42690807

Country Status (1)

Country Link
CN (1) CN101827106A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101083660A (en) * 2007-05-30 2007-12-05 北京润汇科技有限公司 Session control based IP network authentication method of dynamic address distribution protocol
CN101127600A (en) * 2006-08-14 2008-02-20 华为技术有限公司 A method for user access authentication
US7502929B1 (en) * 2001-10-16 2009-03-10 Cisco Technology, Inc. Method and apparatus for assigning network addresses based on connection authentication

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9479611B2 (en) 2011-12-26 2016-10-25 Huawei Technologies Co., Ltd. Method, device, and system for implementing communication after virtual machine migration
CN103209161A (en) * 2012-01-16 2013-07-17 深圳市腾讯计算机系统有限公司 Method and device for processing access requests
CN103209161B (en) * 2012-01-16 2018-05-04 深圳市腾讯计算机系统有限公司 A kind of access request processing method and processing device
CN102790767A (en) * 2012-07-03 2012-11-21 北京神州绿盟信息安全科技股份有限公司 Information safety control method, information safety display equipment and electronic trading system
CN104954327A (en) * 2014-03-27 2015-09-30 东华软件股份公司 Terminal connection control server and method, terminal and method and system
CN106034122A (en) * 2015-03-16 2016-10-19 联想(北京)有限公司 Information processing method, electronic equipment and server
CN108055128A (en) * 2017-12-18 2018-05-18 数安时代科技股份有限公司 Generation method, device, storage medium and the computer equipment of RSA key
CN112367329A (en) * 2020-11-17 2021-02-12 北京知道创宇信息技术股份有限公司 Communication connection authentication method, communication connection authentication device, computer equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20100908