CN115765979B - Communication method and communication device - Google Patents
Communication method and communication deviceInfo
- Publication number
- CN115765979B CN115765979B CN202211180875.5A CN202211180875A CN115765979B CN 115765979 B CN115765979 B CN 115765979B CN 202211180875 A CN202211180875 A CN 202211180875A CN 115765979 B CN115765979 B CN 115765979B
- Authority
- CN
- China
- Prior art keywords
- key
- security
- network device
- random number
- bit random
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Small-Scale Networks (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
本申请提供一种通信方法及通信装置,通信方法包括:配置第一安全连通集密钥;接收第二网络设备发出的密钥协商协议报文,密钥协商协议报文中包括预设扩展参数集,预设扩展参数集包括根据第二安全连通集密钥和安全联盟密钥生成的多位随机数;其中,第二网络设备作为用于提供安全联盟密钥的密钥服务器,第二网络设备上配置有第二安全连通集密钥;根据多位随机数和第一安全连通集密钥确定安全联盟密钥;安全联盟密钥用于对第一网络设备与第二网络设备之间的通信报文进行加密。本申请提高了安全联盟密钥分发的安全性,进而提高网络设备间传输的通信报文的安全性。
The present application provides a communication method and communication device, comprising: configuring a first security connectivity set key; receiving a key agreement protocol message from a second network device, the key agreement protocol message including a preset extended parameter set, the preset extended parameter set including a multi-bit random number generated based on the second security connectivity set key and a security association key; wherein the second network device acts as a key server for providing the security association key, and the second network device is configured with the second security connectivity set key; determining the security association key based on the multi-bit random number and the first security connectivity set key; and using the security association key to encrypt communication messages between the first network device and the second network device. The present application improves the security of security association key distribution, thereby improving the security of communication messages transmitted between network devices.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to a communication method and a communication device.
Background
MACsec (MEDIA ACCESS Control Security) defines a data Security communication method based on IEEE802 (local area network/metropolitan area network standard committee) local area network, which can provide secure MAC (MEDIA ACCESS Control) layer data transmission and reception services for users, including user data encryption, data frame integrity check and data authenticity check, and provide line speed forwarding of encrypted data for users. MACsec can support ports of terminal equipment and switch equipment, is positioned between a MAC medium layer and a logical link layer, and provides security protection for port receiving and transmitting messages based on the existing MAC service of an ethernet port.
The MACsec-protected session where both ends of the MACsec link use the same SAK (Security Association Key ) for transmitting messages is called SA (Security Association ) security session, and the SAK used by the SA is generated by KEY SERVER (key server) and then issued to the participants of the non-key server identity. The SA session establishment is a negotiation process for using the same SAK for messaging protection at both the key server and the non-key server. When the key server decides that MACsec protection service needs to be started, a new SAK is generated, and SA security session is started to be established. In the related art, the SAK is sent by an MKA (MACSEC KEY AGREEMENT ) protocol message, and is sent from the key server to the participants with non-key server identities.
However, if the MKA protocol packet for SAK distribution is monitored by an attacker (e.g. "man-in-the-middle attack"), and then the intercepted MKA protocol packet is decrypted, the risk of SAK leakage is likely to be caused, resulting in a problem of unsafe communication between network devices. Therefore, in the related art, as long as the SAK is transmitted in the message, no matter what encryption algorithm is used to encrypt the SAK, the message for transmitting the SAK may be decrypted after being intercepted, so that the problem of disclosure of the communication message between the network devices is easy to occur.
Disclosure of Invention
In order to solve the problem that SAK is transmitted in an MKA protocol message and has leakage risk, the application can provide a communication method and a communication device, so that SAK is prevented from being transmitted in the message, thereby effectively preventing SAK from being intercepted and decrypted and improving the safety of communication message transmission between network devices.
The application provides a communication method which is applied to first network equipment, and the communication method comprises the steps of configuring a first security connectivity set key, receiving a key negotiation protocol message sent by second network equipment, wherein the key negotiation protocol message comprises a preset extension parameter set, the preset extension parameter set comprises a multi-bit random number generated according to the second security connectivity set key and a security alliance key, the second network equipment is used as a key server for providing the security alliance key, the second network equipment is configured with the second security connectivity set key, determining the security alliance key according to the multi-bit random number and the first security connectivity set key, and the security alliance key is used for encrypting communication messages between the first network equipment and the second network equipment.
The method comprises the steps of taking a first secure connection set key as a key decryption key, decrypting the multi-bit random number in a preset decryption mode to decrypt the secure connection key, wherein the multi-bit random number is obtained by encrypting the secure connection key by a second network device through a second secure connection set key, and the preset decryption mode corresponds to the encryption mode of the secure connection key.
In at least one embodiment of the application, the communication method further comprises the steps of monitoring the data traffic of the encrypted communication message between the first network device and the second network device, and if the data traffic reaches the threshold value, performing session negotiation between the first network device and the second network device again to negotiate a new security alliance key.
In at least one embodiment of the present application, the preset extension parameter set includes a message body, and the multi-bit random number is set at a target position in the message body.
In at least one embodiment of the present application, the multi-bit random number is a plurality of random numbers whose all bit values are not repeated.
In at least one embodiment of the present application, the first secure connection set key is the same as the second secure connection set key, and the first secure connection set key and the second secure connection set key are both pre-shared keys, or the first secure connection set key and the second secure connection set key are both secure connection set keys generated in a mutual identity authentication process between the second network device and the first network device.
In order to achieve the above technical object, the present application also provides a communication device. The communication device may include, but is not limited to, a key configuration unit, a message receiving unit, and a key determination unit. The communication method is applied to a first network device.
And the key configuration unit is used for configuring the first security connectivity set key.
The message receiving unit is used for receiving a key negotiation protocol message sent by the second network equipment, wherein the key negotiation protocol message comprises a preset extension parameter set, the preset extension parameter set comprises a multi-bit random number generated according to a second security connected set key and a security alliance key, the second network equipment is used as a key server for providing the security alliance key, and the second network equipment is configured with the second security connected set key.
The key determining unit is used for determining a security alliance key according to the multi-bit random number and the first security connectivity set key, and the security alliance key is used for encrypting communication messages between the first network device and the second network device.
In at least one embodiment of the application, the key determining unit is used for decrypting the multi-bit random number by taking the first secure connection set key as a key decryption key through a preset decryption mode so as to decrypt the secure alliance key, wherein the multi-bit random number is obtained by encrypting the secure alliance key by the second network equipment through the second secure connection set key, and the preset decryption mode corresponds to the encryption mode of the secure alliance key.
In at least one embodiment of the application, the communication device further comprises a key refreshing unit for monitoring the data traffic of the encrypted communication message between the first network device and the second network device, and the key refreshing unit is used for carrying out session negotiation between the first network device and the second network device again according to the data traffic reaching a threshold value so as to negotiate a new security alliance key.
In at least one embodiment of the present application, the preset extension parameter set includes a message body, and the multi-bit random number is set at a target position in the message body.
In at least one embodiment of the present application, the multi-bit random number is a plurality of random numbers whose all bit values are not repeated.
In at least one embodiment of the present application, the first secure connection set key is the same as the second secure connection set key, and the first secure connection set key and the second secure connection set key are both pre-shared keys, or the first secure connection set key and the second secure connection set key are both secure connection set keys generated in a mutual identity authentication process between the second network device and the first network device.
To achieve the above object, the present application further provides a computer device, including a memory and a processor, where the memory stores computer readable instructions that, when executed by the processor, cause the processor to perform the communication method according to any of the embodiments of the present application.
To achieve the above technical object, the present application also provides a storage medium storing computer-readable instructions that, when executed by one or more processors, cause the one or more processors to perform a communication method in any one of the embodiments of the present application.
The second network device serving as the key server sets the multi-bit random number generated according to the security alliance key and the preconfigured second security intercommunication set key in the preset extended data set, and after the first network device serving as the non-key server receives the key negotiation message containing the multi-bit random number, the security alliance key is determined according to the preconfigured first security intercommunication set key and the parsed multi-bit random number, so that the application can be seen to avoid directly transmitting the security alliance key in the key negotiation protocol message, but realize the purpose of distributing the security alliance key by transmitting the random number and decrypting the random number. Therefore, the technical scheme of the application greatly improves the safety of the distribution of the security alliance secret key, and further improves the safety of the communication message transmitted between network devices.
Drawings
FIG. 1 shows a schematic diagram of a communication method flow in one or more embodiments of the application.
Fig. 2 is a schematic diagram of an EAPOL (Extensible Authentication Protocol Over LAN, extensible authentication protocol over local area network) message format in one or more embodiments of the application.
Fig. 3 is a diagram illustrating a MKPDU (MACSEC KEY AGREEMENT Protocol Data Unit, key agreement protocol data unit) message format in one or more embodiments of the application.
Fig. 4 shows a schematic diagram of an extended parameter set format in one or more embodiments of the application.
Fig. 5 shows a schematic diagram of a communication device structure in one or more embodiments of the application.
Fig. 6 shows a schematic diagram of a network device architecture in one or more embodiments of the application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the corresponding listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the application. The term "if" as used herein may be interpreted as "at..once" or "when..once" or "in response to a determination", depending on the context.
The following describes and illustrates a communication method and a communication device provided by the present application in detail with reference to the accompanying drawings.
MACsec itself contains two parts of functional entities, secY (Security Entity) and KaY (KEY AGREEMENT ENTITY ). The SecY is implemented by a hardware chip at a driving layer, and is located on a link port to provide MAC security forwarding service for controlled port users and non-security service for non-controlled port users. The SecY uses the SAK key issued by KaY to encrypt the message sent by the channel according to SA, and can decrypt and restore the message received by the safety channel, and at the same time replay protection is carried out on the receiving channel according to each SA. KaY is realized by software, is responsible for generating and releasing a secret key, finding and establishing a safety channel between devices, and provides the same SAK for SecY between the end-to-end of the safety channel for message encryption protection. The SAK is sent to the participant with the non-key server identity by the key server, and may be specifically issued through a SAK distribution parameter set included in the MKA protocol packet, where although the SAK parameter may be encrypted in the MKA protocol packet, the MKA protocol packet is likely to be peeped by an attacker, especially when the MKA protocol packet is distributed with the SAK, if the attacker listens to the MKA protocol packet in the link and then decrypts the MKA protocol packet, a risk of leakage of the SAK distributed by the key server easily occurs, which further results in a problem that a communication packet between network devices is prone to be compromised.
Compared with the conventional technology, the communication method can be applied to first network equipment, the communication method comprises the steps of configuring a first security connectivity set key, receiving a key negotiation protocol message sent by second network equipment, wherein the key negotiation protocol message comprises a preset extension parameter set, the preset extension parameter set comprises a multi-bit random number generated according to the second security connectivity set key and a security association key, the second network equipment is used as a key server for providing the security association key, the second network equipment is configured with the second security connectivity set key, the security association key is determined according to the multi-bit random number and the first security connectivity set key, and the security association key is used for encrypting communication messages between the first network equipment and the second network equipment. Therefore, the application can avoid directly transmitting the security alliance key in the key negotiation protocol message, but realize the purpose of distributing the security alliance key by transmitting the random number and decrypting the random number, even if the key negotiation protocol message transmitted by the application can be intercepted and decrypted by an attacker, the attacker can only obtain the multi-bit random number and can not obtain the security alliance key. Therefore, the scheme of the application can greatly improve the safety of the distribution of the security alliance secret key, thereby improving the data security of the communication message transmitted between network devices.
As shown in fig. 1, at least one embodiment of the present application can provide a communication method applied to a first network device, the communication method including, but not limited to, steps S100 to S300, which will be described in detail below.
In step S100, a first secure connection set key is configured, and it can be seen that the first network device in this embodiment is configured with the first secure connection set key. The security connectivity set key involved in the application is specifically CAK, which is known as Connectivity Association KEY.
In one or more alternative embodiments of the present application, the first secure connection set key may be a Pre-shared key (PSK, pre-SHARED KEY), or the first secure connection set key may be a first secure connection set key generated during a mutual identity authentication procedure between the second network device and the first network device, where the mutual identity authentication procedure may be performed before the method is performed, and the identity authentication procedure in this embodiment may specifically be an 802.1X (a client/server-based access control and authentication protocol) authentication procedure.
Step S200, receiving a key agreement protocol message sent by a second network device, where the key agreement protocol message includes a preset extension parameter set, and the preset extension parameter set includes a multi-bit random number generated according to a second security connectivity set key and a security association key, the second network device is used as a key server (KEY SERVER) for providing the security association key, the second network device is configured with the second security connectivity set key, and the first network device is used as a key client (KEY CLIENT), where it is understood that a manner of selecting a key server from a plurality of network devices is determined based on a port priority manner, and a network device with a high priority port is selected as the key server. The second network device of the embodiment of the present application may be configured to send the key negotiation protocol packet to the first network device according to a specified configuration instruction, where the specified configuration instruction can be generated based on a command line (e.g., MKA SAK ASYMMETRIC-encryption-algorithm) input by the user to the second network device.
The second secure connection set key in the embodiment of the present application is the same as the first secure connection set key, that is, the second secure connection set key in the embodiment of the present application may be a Pre-shared key (PSK, pre-SHARED KEY), or the second secure connection set key may be a second secure connection set key generated in a mutual identity authentication process between the second network device and the first network device, where the mutual identity authentication process may be performed before the execution of the method, and the identity authentication process in the embodiment may specifically be an 802.1X (an access control and authentication protocol based on a client/server) authentication process.
In an alternative embodiment of the present application, the multi-bit random number may be a plurality of random numbers whose all bit values are not repeated, and the multi-bit random number forms a random number sequence, and in this embodiment, the multi-bit random number is a random number whose all positions of 32 bytes are not repeated.
As shown in fig. 2, in the embodiment of the present application, the key negotiation Protocol message is specifically a message encapsulated by EAPOL (Extensible Authentication Protocol Over LAN ), and the type of message includes Protocol Version (Protocol Version), message type (PACKET TYPE), message Body length (Packet Body Length), and message Body (Packet Body). The EAPOL is an encapsulation technology for carrying EAP (Extensible Authentication Protocol ) messages defined by the 802.1X protocol, and is mainly used for transmitting EAP messages between a client and a device in a local area network.
As shown in fig. 3, the EAP packet in the embodiment of the present application is specifically MKPDU (MACSEC KEY AGREEMENT Protocol Data Unit, key agreement protocol data unit) packet. The value of the message type (PACKET TYPE) in the EAP message in this embodiment is 0000 0101, and the EAP message is MKPDU, which is a key negotiation protocol message used in the embodiment of the present application. MKPDU the message includes a protocol version, a message type (whose Value is 0000 0101, which may be represented by EAPLO-MKA), a message body length, a message body, and the MKPDU message includes a Basic parameter set (Basic PARAMETER SET), one or more other parameter sets (PARAMETER SET), and an integrity check Value (ICV, integrity Check Value). In the embodiment of the application, the preset extension parameter set (Expanded Types) is newly added in other parameter sets, and the preset extension parameter set can support the extension of a third party protocol.
In the embodiment of the application, the preset extension parameter set comprises a message body, and the multi-bit random number is arranged at a target position in the message body.
As shown in fig. 4, the embodiment specifically provides an extended parameter set format, including a parameter set Type (PARAMETER SET TYPE), a Version (Version), a Type (Type), a Length (Length), and a Packet Body (Packet Body), where a preset extended parameter set Type field value in this embodiment is specifically 254 (PARAMETER SET TYPE =254), version 1 can be used to indicate that the current preset extended protocol Version is 1, type 4 indicates an asymmetric algorithm protection symmetric key (ASYMMETRIC ALGORITHMS PROTECT SYMMETRIC KEYS), length indicates an overall Length of a Packet, and includes a parameter set Type (PARAMETER SET TYPE), version (Version), type (Type), length (Length), and a Data (Data) field, where a unit is bytes, and a Packet Body (Packet Body) stores a Packet content carried in the extended field, and a Packet format in the Packet Body is specifically a Distributed SAK parameter set. It can be seen that, in the embodiment of the present application, when the SAK is negotiated, the Distributed SAK parameter set carrying the SAK is not filled in MKPDU messages, but the preset extension parameter set is added, and the Type of the preset extension parameter set is filled to be 4, and the Distributed SAK parameter set is filled in the Data (Data) field, which is defined in accordance with IEEE8021X-2010 (an IEEE802 protocol standard), but a random number with non-repeated bit value of 32 bytes after encryption is filled in 17 to 49 bytes.
In the embodiment of the application, after receiving the key negotiation protocol message sent by the second network device, the first network device analyzes the key negotiation protocol message to obtain a preset extension parameter set, and analyzes the preset extension parameter set to obtain the multi-bit random number. It can be seen that the present embodiment can directly obtain the multi-bit random number from the key negotiation protocol message, so as to be used in the subsequent decryption process. In the embodiment of the application, the first network device and the second network device both support the extended parameter set, and the first network device can analyze the key negotiation protocol message sent by the second network device.
In an alternative embodiment of the application, the method analyzes a preset extension parameter set to obtain a multi-bit random Number, and comprises the steps of analyzing a parameter set type in the preset extension parameter set to obtain a type parameter, wherein the preset extension parameter set comprises a parameter set type (PARAMETER SET TYPE) and a message body, the preset extension parameter set can also comprise a parameter set entity length (PARAMETER SET body length), a Key Number (Key Number), a MACsec cipher component (MACSEC CIPHER Suite) and the like, the type parameter in the embodiment of the application can be specifically 4, a target position of the multi-bit random Number in the message body is determined according to the type parameter, the target position determined according to the type parameter of 4 is specifically the last 17 to 49 bytes in a Distributed SAK parameter set, and the multi-bit random Number is analyzed from the preset extension parameter set according to the target position. The embodiment can ensure the safety and the accuracy of the analysis of a plurality of random numbers based on the scheme, thereby improving the reliability of the key negotiation process.
And step S300, a security alliance key is determined according to the multi-bit random number and the first security connectivity set key, wherein the security alliance key is used for encrypting communication messages between the first network device and the second network device.
In an alternative embodiment of the application, determining the security association key according to the multi-bit random number and the first security intercommunication set key comprises decrypting the multi-bit random number by a preset decryption mode by taking the first security intercommunication set key as a key decryption key so as to decrypt the security association key. The multi-bit random number is obtained by encrypting the security association key by the second network device through the second security connectivity set key, namely, the security association key is encrypted through a key encryption key (KEK, key Encryption Key), and the preset decryption mode corresponds to the encryption mode of the security association key. In the embodiment of the present application, the encryption mode of the security association key is, for example, an AES (Advanced Encryption Standard ) mode, and the corresponding preset decryption mode is also an AES (Advanced Encryption Standard ) mode. After the random numbers are decrypted by the KEK and the AES algorithm, the values on each digit of the random numbers are extracted from the positions corresponding to the configured CAKs to form the SAKs. For the specific implementation strategies of the KEK and AES algorithms, this embodiment may be selected according to actual requirements, and will not be described in detail. It can be seen that, in this embodiment, multiple random numbers are generated based on the key encryption key, and the distributed SAK is determined according to the received random numbers based on the key decryption key corresponding to the key encryption key, so that the security of SAK distribution is further improved based on the above scheme, and the security of communication between network devices is further improved.
The embodiments of the present application will be described below with examples of two specific applications, namely, a secure connected set key (CAK), a random number, and a Security Association Key (SAK).
Example one:
The pre-configured secure connected set key (CAK) is:
1112131415161718192021222324252627282930313233343536373839404142
The random number analyzed by the first network device is:
32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
the Security Association Key (SAK) used by both parties is determined after decryption to be:
4241403938373635343332313029282726252423222120191817161514131211
Example two:
The pre-configured secure connected set key (CAK) is:
123456
The random number analyzed by the first network device is:
32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
the Security Association Key (SAK) used by both parties is determined after decryption to be:
0000000000000000000000000000000000000000000000000000000000654321
Therefore, when the MKA negotiation is performed between different network devices in the present application, specifically, when the second network device is used as an initiator (key server) to perform MKA negotiation with the first network device (neighbor device of the second network device), the present application cancels the mode of directly sending the SAK in the MKA protocol message in the conventional scheme, but realizes the function of SAK distribution based on the mode of setting the multi-bit random number in the preset extension parameter set, so the present application can still ensure that the communication message between the first network device and the second network device is encrypted by adopting the same SAK. Therefore, the application effectively solves the problem that the SAK is leaked in the transmission of the MKA protocol message in the conventional technology, and effectively improves the safety of data communication between different network devices.
In an alternative embodiment of the present application, the communication method further includes monitoring data traffic of the encrypted communication packet between the first network device and the second network device, and if the data traffic reaches a threshold, performing session negotiation between the first network device and the second network device again to negotiate a new security association key. In this embodiment, the first network device may monitor the data traffic of the encrypted communication packet through the first network device and/or the second network device, and the first network device may send the monitored data traffic result to the second network device. The threshold value in the present embodiment may be, for example, C000 0000 defined in IEEE8021X-2010, but is not limited thereto. In this embodiment, the session negotiation process between the first network device and the second network device is performed again, specifically, the process from step S100 to step S300 in the present application, so as to continuously ensure that SAKs used between different network devices in the present application are difficult to be cracked in a manner of message interception and decryption, that is, the problem of cracking SAKs by a listening message is avoided, and the communication security between network devices is improved.
As shown in fig. 5, the communication method specifically provided with at least one embodiment of the present application is based on the same inventive technical concept, and the at least one embodiment of the present application can also provide a communication apparatus, which is applied to the first network device.
The communication device may include, but is not limited to, a key configuration unit, a message receiving unit, and a key determining unit, as described in detail below.
And the key configuration unit is used for configuring the first security connectivity set key.
The message receiving unit is used for receiving a key negotiation protocol message sent by the second network equipment, wherein the key negotiation protocol message comprises a preset extension parameter set, the preset extension parameter set comprises a multi-bit random number generated according to a second security connected set key and a security alliance key, the second network equipment is used as a key server for providing the security alliance key, and the second network equipment is configured with the second security connected set key.
The key determining unit is used for determining a security alliance key according to the multi-bit random number and the first security connectivity set key, and the security alliance key is used for encrypting communication messages between the first network device and the second network device.
In an alternative embodiment of the present application, the communication device further includes a message parsing unit. The message analysis unit is used for analyzing the key agreement protocol message to obtain a preset extension parameter set, and is also used for analyzing the preset extension parameter set to obtain a multi-bit random number.
In an alternative embodiment of the present application, the key determining unit is configured to decrypt the multi-bit random number by using the first secure connection set key as a key decryption key in a preset decryption manner, so as to decrypt the security association key.
The multi-bit random number is obtained by encrypting the security alliance key by the second network device through the second security connectivity set key, and the preset decryption mode corresponds to the encryption mode of the security alliance key.
In an alternative embodiment of the application, the communication device further comprises a key refreshing unit.
And the key refreshing unit is used for monitoring the data traffic of the encrypted communication message between the first network equipment and the second network equipment.
And the key refreshing unit is used for carrying out session negotiation between the first network equipment and the second network equipment again according to the data traffic reaching the threshold value so as to negotiate a new security alliance key.
In an alternative embodiment of the present application, the preset extension parameter set includes a message body, and the multi-bit random number is set at a target position in the message body.
In an alternative embodiment of the present application, the multi-bit random number is a plurality of random numbers whose all bit values are not repeated.
In an alternative embodiment of the present application, the first secure connection set key and the second secure connection set key are the same, and are both pre-shared keys, or are both secure connection set keys generated in the mutual identity authentication process between the second network device and the first network device.
Based on the same inventive concept, an embodiment of the present application further provides a network device, and in conjunction with fig. 6, the network device includes a processor, a transceiver, and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions capable of being executed by the processor, where the processor is caused to perform the communication method provided by the embodiment of the present application. The communication device shown in fig. 5 may be implemented by using a hardware structure of a network device as shown in fig. 6. The computer readable storage medium may include Random access Memory (Random AccessMemory, RAM) or nonvolatile Memory (NVM), such as at least one magnetic disk Memory. Optionally, the computer readable storage medium may also be at least one storage device located remotely from the aforementioned processor. The Processor may be a general-purpose Processor including a Central processing unit (Central ProcessingUnit, CPU), a network Processor (Network Processor, NP), etc., or may be a digital signal Processor (DIGITAL SIGNAL Processor, DSP), an application specific integrated circuit (ApplicationSpecific Integrated Circuit, ASIC), a Field-Programmable gate array (Field-Programmable GATE ARRAY, FPGA) or other Programmable logic device, discrete gate or transistor logic device, discrete hardware components.
In an embodiment of the present application, a processor, by reading machine-executable instructions stored in a machine-readable storage medium, is caused by the machine-executable instructions to implement the processor itself and invoke the transceiver to perform the communication method described in the foregoing embodiment of the present application.
Additionally, embodiments of the present application provide a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor itself and the invoking transceiver to perform the communication methods described in the foregoing embodiments of the present application.
The implementation process of the functions and roles of each unit in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present application. Those of ordinary skill in the art will understand and implement the present application without undue burden.
For the communication device and the machine-readable storage medium embodiments, since the method content involved is substantially similar to the method embodiments described above, the description is relatively simple, and reference will only be made to part of the description of the method embodiments.
The above description is only of the preferred embodiments of the present application, and is not intended to limit the application, but any modifications, equivalents, and simple improvements made within the spirit of the present application should be included in the scope of the present application.
Claims (10)
1. A communication method, wherein the communication method is applied to a first network device, the communication method comprising:
configuring a first secure connection set key;
Receiving a key negotiation protocol message sent by second network equipment, wherein the key negotiation protocol message comprises a newly added preset extension parameter set, and the preset extension parameter set comprises a multi-bit random number generated according to a second security connected set key and a security alliance key;
Analyzing the key negotiation protocol message to obtain the preset extension parameter set, analyzing the parameter set type in the preset extension parameter set to obtain type parameters, determining a target position of the multi-bit random number in a message body contained in the preset extension parameter set according to the type parameters, and analyzing the multi-bit random number from the preset extension parameter set according to the target position;
And determining the security alliance key according to the multi-bit random number and the first security connectivity set key, wherein the security alliance key is used for encrypting a communication message between the first network device and the second network device.
2. The method of communicating of claim 1, wherein said determining the security association key from the multi-bit random number and the first secure connected set key comprises:
The first secure connection set key is used as a key decryption key, and the multi-bit random number is decrypted in a preset decryption mode to decrypt the secure alliance key;
The multi-bit random number is obtained by encrypting the security alliance key by the second network device through the second security connectivity set key, and the preset decryption mode corresponds to the encryption mode of the security alliance key.
3. The communication method according to claim 1 or 2, characterized by further comprising:
Monitoring the data traffic of the communication message encrypted between the first network device and the second network device;
and if the data traffic reaches a threshold value, performing session negotiation between the first network equipment and the second network equipment again to negotiate a new security association key.
4. A communication method according to claim 1 or 2, characterized in that,
The multi-bit random number is a plurality of random numbers whose all bit values are not repeated.
5. A communication method according to claim 1 or 2, characterized in that,
The first secure connection set key and the second secure connection set key are the same, are both pre-shared keys, or are both secure connection set keys generated in the mutual identity authentication process between the second network device and the first network device.
6. A communication apparatus, wherein the communication apparatus is applied to a first network device, the communication apparatus comprising:
a key configuration unit configured to configure a first secure connection set key;
The message receiving unit is used for receiving a key negotiation protocol message sent by second network equipment, wherein the key negotiation protocol message comprises a newly added preset extension parameter set, and the preset extension parameter set comprises a multi-bit random number generated according to a second security connected set key and a security alliance key;
A message parsing unit, configured to parse the key negotiation protocol message to obtain the preset extension parameter set, parse a parameter set type in the preset extension parameter set to obtain a type parameter, determine a target position of the multi-bit random number in a message body included in the preset extension parameter set according to the type parameter, and parse the multi-bit random number from the preset extension parameter set according to the target position;
the key determining unit is used for determining the security alliance key according to the multi-bit random number and the first security connectivity set key, and the security alliance key is used for encrypting the communication message between the first network device and the second network device.
7. The communication device of claim 6, wherein the communication device comprises a communication device,
The key determining unit is configured to decrypt the multi-bit random number by using the first secure connection set key as a key decryption key in a preset decryption manner, so as to decrypt the secure connection set key;
The multi-bit random number is obtained by encrypting the security alliance key by the second network device through the second security connectivity set key, and the preset decryption mode corresponds to the encryption mode of the security alliance key.
8. The communication apparatus according to claim 6 or 7, further comprising:
the key refreshing unit is used for monitoring the data traffic of the communication message encrypted between the first network equipment and the second network equipment;
and the key refreshing unit is also used for carrying out session negotiation between the first network equipment and the second network equipment again according to the data traffic reaching a threshold value so as to negotiate a new security alliance key.
9. A communication device according to claim 6 or 7, characterized in that,
The multi-bit random number is a plurality of random numbers whose all bit values are not repeated.
10. A communication device according to claim 6 or 7, characterized in that,
The first secure connection set key and the second secure connection set key are the same, are both pre-shared keys, or are both secure connection set keys generated in the mutual identity authentication process between the second network device and the first network device.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211180875.5A CN115765979B (en) | 2022-09-27 | 2022-09-27 | Communication method and communication device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211180875.5A CN115765979B (en) | 2022-09-27 | 2022-09-27 | Communication method and communication device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115765979A CN115765979A (en) | 2023-03-07 |
| CN115765979B true CN115765979B (en) | 2025-09-19 |
Family
ID=85352033
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211180875.5A Active CN115765979B (en) | 2022-09-27 | 2022-09-27 | Communication method and communication device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115765979B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115037504B (en) * | 2022-04-15 | 2025-02-11 | 新华三技术有限公司 | Communication method and device |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103312495A (en) * | 2013-06-25 | 2013-09-18 | 杭州华三通信技术有限公司 | Grouped connectivity association (CA) forming method and device |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20090090974A (en) * | 2008-02-22 | 2009-08-26 | 삼성전자주식회사 | Device and method for generating encryption key in wireless communication system |
| CN102447674B (en) * | 2010-10-08 | 2016-06-29 | 中兴通讯股份有限公司 | A kind of method of security negotiation and device |
| CN105721443B (en) * | 2016-01-25 | 2019-05-10 | 飞天诚信科技股份有限公司 | A kind of link session key negotiation method and device |
| CN111835752B (en) * | 2020-07-09 | 2022-04-12 | 国网山西省电力公司信息通信分公司 | Lightweight authentication method and gateway based on device identity |
| CN115037504B (en) * | 2022-04-15 | 2025-02-11 | 新华三技术有限公司 | Communication method and device |
-
2022
- 2022-09-27 CN CN202211180875.5A patent/CN115765979B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103312495A (en) * | 2013-06-25 | 2013-09-18 | 杭州华三通信技术有限公司 | Grouped connectivity association (CA) forming method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115765979A (en) | 2023-03-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8788805B2 (en) | Application-level service access to encrypted data streams | |
| CN101822082B (en) | Techniques for secure channelization between UICC and terminal | |
| US6965992B1 (en) | Method and system for network security capable of doing stronger encryption with authorized devices | |
| EP1946479B1 (en) | Communication securiy | |
| US7269730B2 (en) | Method and apparatus for providing peer authentication for an internet key exchange | |
| US9319220B2 (en) | Method and apparatus for secure network enclaves | |
| US8559640B2 (en) | Method of integrating quantum key distribution with internet key exchange protocol | |
| CN111052672B (en) | Secure key transfer protocol without certificate or pre-shared symmetric key | |
| CN113228721B (en) | Communication method and related product | |
| CN104683304B (en) | A kind of processing method of secure traffic, equipment and system | |
| US12316619B2 (en) | Methods and systems for internet key exchange re-authentication optimization | |
| KR20180130203A (en) | APPARATUS FOR AUTHENTICATING IoT DEVICE AND METHOD FOR USING THE SAME | |
| WO2023020164A1 (en) | Method and apparatus for managing communication channel | |
| CN115037504B (en) | Communication method and device | |
| US8281134B2 (en) | Methods and apparatus for layer 2 and layer 3 security between wireless termination points | |
| CN115484038A (en) | A data processing method and device thereof | |
| WO2017197968A1 (en) | Data transmission method and device | |
| US20220124074A1 (en) | Method and apparatus for encrypted communication | |
| Zhou et al. | A hybrid authentication protocol for LTE/LTE-A network | |
| CN115765979B (en) | Communication method and communication device | |
| WO2016134631A1 (en) | Processing method for openflow message, and network element | |
| WO2021032304A1 (en) | Gateway devices and methods for performing a site-to-site communication | |
| CN116232570B (en) | Method for protecting data flow security and data management system | |
| Niemiec et al. | Authentication in virtual private networks based on quantum key distribution methods | |
| CN117201052A (en) | Quantum cryptography QVPN-based one-time pad energy data transmission method, storage device and intelligent terminal |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant |