[go: up one dir, main page]

CN117375992A - Time synchronization security enhancement method and device based on random numbers - Google Patents

Time synchronization security enhancement method and device based on random numbers Download PDF

Info

Publication number
CN117375992A
CN117375992A CN202311507840.2A CN202311507840A CN117375992A CN 117375992 A CN117375992 A CN 117375992A CN 202311507840 A CN202311507840 A CN 202311507840A CN 117375992 A CN117375992 A CN 117375992A
Authority
CN
China
Prior art keywords
time
random number
time synchronization
unit
receiving
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311507840.2A
Other languages
Chinese (zh)
Inventor
李扬
徐兵杰
马荔
黄伟
罗钰杰
周创
杨杰
吴梅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CETC 30 Research Institute
Original Assignee
CETC 30 Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CETC 30 Research Institute filed Critical CETC 30 Research Institute
Priority to CN202311507840.2A priority Critical patent/CN117375992A/en
Publication of CN117375992A publication Critical patent/CN117375992A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Synchronisation In Digital Transmission Systems (AREA)

Abstract

The invention discloses a time synchronization security enhancement method and a device based on random numbers, wherein the method comprises the following steps: hiding the transmission time of the interactive information data between the sending end and the receiving end by adopting a random number distributed by the symmetric key; the transmitting end only transmits the information data in the window at the time determined by the random number, and the receiving end only receives the information data in the time receiving window determined by the random number; the receiving end only decrypts and authenticates the information data in the time receiving window. According to the method, the random number is added to the time synchronization interaction information to randomly process the sending time and the receiving time of the time interaction information data, so that an attacker can hardly conduct DOS attack in a targeted manner, and the safety of a time synchronization system can be remarkably enhanced.

Description

基于随机数的时间同步安全增强方法与装置Time synchronization security enhancement method and device based on random numbers

技术领域Technical field

本发明涉及通信技术领域,特别是一种基于随机数的时间同步安全增强方法与装置。The present invention relates to the field of communication technology, in particular to a random number-based time synchronization security enhancement method and device.

背景技术Background technique

时间是记录各个事件持续长度和相互之间间隔的量。通过观测得到准确的时间信息后,将时间信息通过某种手段传递给用户使用,这种系统被称为授时系统,也称为时间同步系统。现有的授时系统包括微波授时,卫星授时,光纤授时等方案。基于光纤的时间同步方案可以利用成熟的长距离大容量光通信技术和光网络的灵活组网特点,是该领域重要的技术方向。Time is a quantity that records the duration of individual events and the intervals between them. After obtaining accurate time information through observation, the time information is transmitted to the user through some means. This system is called a timing system, also called a time synchronization system. Existing timing systems include microwave timing, satellite timing, optical fiber timing and other solutions. The optical fiber-based time synchronization solution can take advantage of mature long-distance and large-capacity optical communication technology and the flexible networking characteristics of optical networks, and is an important technical direction in this field.

在实际的光纤授时系统中,存在物理信号脉冲的传输和信息数据的交互。在信息数据交互的过程中,为了防止攻击者篡改数据引起的时间同步问题,通常采用加解密和认证等密码技术对交互的信息数据进行保护。加解密和认证等密码学保护需要相应的硬件资源。采用密码技术后,攻击者虽然无法篡改数据信息,但可以通过发送大量的相似数据包,消耗时间同步系统用于密码学保护的硬件资源,导致时间同步系统由于无法实现解密和认证从而无法获得有效的用于时间同步的信息数据,导致时间同步失效。In the actual optical fiber timing system, there is the transmission of physical signal pulses and the interaction of information data. In the process of information data interaction, in order to prevent time synchronization problems caused by attackers tampering with data, cryptographic technologies such as encryption, decryption and authentication are usually used to protect the interactive information data. Cryptographic protection such as encryption, decryption and authentication requires corresponding hardware resources. After using cryptographic technology, although attackers cannot tamper with data information, they can consume the hardware resources used by the time synchronization system for cryptographic protection by sending a large number of similar data packets, causing the time synchronization system to be unable to achieve effective decryption and authentication. The information data used for time synchronization causes time synchronization to fail.

发明内容Contents of the invention

鉴于此,本发明提供一种基于随机数的时间同步安全增强方法与装置。In view of this, the present invention provides a random number-based time synchronization security enhancement method and device.

本发明公开了一种基于随机数的时间同步安全增强方法,其包括:The invention discloses a time synchronization security enhancement method based on random numbers, which includes:

步骤1:通过采用对称密钥分发的随机数对发送端和接收端之间的交互信息数据的传输时间进行隐藏;Step 1: Hide the transmission time of the interactive information data between the sender and the receiver by using random numbers distributed with symmetric keys;

步骤2:发送端仅在该随机数确定的时间发送窗口内的信息数据,接收端仅接收该随机数确定的时间接收窗口内的信息数据;接收端仅对该时间接收窗口内的信息数据进行解密和认证。Step 2: The sending end only sends the information data within the window at the time determined by the random number, and the receiving end only receives the information data within the time reception window determined by the random number; the receiving end only receives the information data within the time reception window. Decryption and authentication.

进一步地,所述步骤1包括:Further, the step 1 includes:

通过对称密钥分发技术,发送端和接收端获得相同的随机数序列N,并分别存储在发送端的第一随机数单元和接收端的第二随机数单元中;发送端的第一密码单元对输入的时间同步交互信息D进行密码学操作;其中,对称密钥分发技术包括公钥密钥协商和量子密钥分发;密码学操作包括加密和认证。Through symmetric key distribution technology, the sending end and the receiving end obtain the same random number sequence N, and store it in the first random number unit of the sending end and the second random number unit of the receiving end respectively; the first cryptographic unit of the sending end pairs the input Time synchronized interactive information D performs cryptographic operations; among them, symmetric key distribution technology includes public key key agreement and quantum key distribution; cryptographic operations include encryption and authentication.

进一步地,在所述步骤1中:Further, in step 1:

对时间同步交互信息D进行Hash操作,获得hash值hd;Perform a Hash operation on the time synchronization interaction information D to obtain the hash value hd;

采用私钥对hd进行加密,将hd附加在时间同步交互信息D后面;可选择对时间同步交互信息D或者D+hd再进行对称或者非对称加密。Use the private key to encrypt hd, and append hd to the time synchronization interaction information D; you can choose to perform symmetric or asymmetric encryption on the time synchronization interaction information D or D+hd.

进一步地,在所述步骤1中:Further, in step 1:

采用HAMC的方法对时间同步交互信息D进行Hash操作,获得hash值hd,将hd附加在时间同步交互信息D后面,以进行信息认证;对D或D+hd数据再进行对称或者非对称加密,以保障其机密性。Use the HAMC method to perform a hash operation on the time synchronization interactive information D to obtain the hash value hd, and append hd to the time synchronization interactive information D for information authentication; perform symmetric or asymmetric encryption on the D or D+hd data. to protect its confidentiality.

进一步地,所述步骤2包括:Further, the step 2 includes:

发送端仅在随机数确定的时间发送窗口内发送加密和认证后的时间同步交互信息D;接收端的接收单元仅在该随机数确定的时间接收窗口内接收加密和认证后的时间同步交互信息D,之后通过接收端的第二密码单元对加密和认证后的时间同步交互信息D进行解密和认证,还原时间同步交互信息D。The sending end only sends the encrypted and authenticated time synchronization interaction information D within the time transmission window determined by the random number; the receiving unit of the receiving end only receives the encrypted and authenticated time synchronization interaction information D within the time reception window determined by the random number. , and then the encrypted and authenticated time synchronization interactive information D is decrypted and authenticated through the second cryptographic unit of the receiving end, and the time synchronization interactive information D is restored.

进一步地,在所述步骤2中:Further, in step 2:

根据发送端和接收端之间共享的随机数序列N,发送端随机确定采用密码保护后的时间同步交互信息D的发送时间。According to the random number sequence N shared between the sender and the receiver, the sender randomly determines the sending time of the password-protected time synchronization interactive information D.

进一步地,若发送端和接收端的时间同步的时间周期为每秒一次,则交互信息需要在一秒内进行发送;假设随机数序列N∈[0,Nmax],若发送端和接收端任一次获得的随机数序列取值为n,则发送端选择在该次对应时间内的N/Nmax时刻发送密码保护后的时间同步交互信息D。Furthermore, if the time period of time synchronization between the sender and the receiver is once per second, the interactive information needs to be sent within one second; assuming a random number sequence N∈[0,N max ], if the sender and receiver are either If the value of the random number sequence obtained once is n, then the sending end chooses to send the password-protected time synchronization interactive information D at the N/N max time in the corresponding time.

进一步地,对于双向时间同步系统,若发送端需要时间t0才能获取到接收端发送的时间同步交互信息,则接收端选择N/Nmax*(1-t0)作为发送该时间同步交互信息的时间。Furthermore, for a two-way time synchronization system, if the sending end requires time t0 to obtain the time synchronization interaction information sent by the receiving end, the receiving end selects N/N max * (1-t0) as the time to send the time synchronization interaction information. .

进一步地,在所述步骤2中:Further, in step 2:

根据随机数序列N,接收端确定与发送端相对应的接收信息的时间接收窗口,即假设由随机数序列N确定的发送端的发送时间为f(N),f函数的具体形式由发送端和接收端预先约定,也即接收端能够通过N获得f(N);时间交互信息的传输时延为τ,接收端的接收单元的时间窗口为[f(N)+τ-u,f(N)+τ+u];其中,u由相关参数的不确定度决定;相关参数包括时钟差和传输时延迟;发送端和接收端仅在[f(N)+τ-u,f(N)+τ+u]时间窗口内进行时间同步交互信息D的接收。According to the random number sequence N, the receiving end determines the time reception window for receiving information corresponding to the sending end, that is, assuming that the sending time of the sending end determined by the random number sequence N is f(N), the specific form of the f function is determined by the sending end and The receiving end has agreed in advance, that is, the receiving end can obtain f(N) through N; the transmission delay of time interactive information is τ, and the time window of the receiving unit of the receiving end is [f(N)+τ-u, f(N) +τ+u]; where u is determined by the uncertainty of the relevant parameters; the relevant parameters include clock difference and transmission delay; the sending end and the receiving end are only in [f(N)+τ-u, f(N)+ The time synchronization interactive information D is received within the τ+u] time window.

本发明还公开了一种基于随机数的时间同步安全增强装置,用于实现上述任一项所述的基于随机数的时间同步安全增强方法,所述装置包括发送端和接收端;发送端包括第一密码单元、发送单元和第一随机数单元;接收端包括第二随机数单元、接收单元和第二密码单元;The invention also discloses a random number-based time synchronization security enhancement device, which is used to implement any of the above random number-based time synchronization security enhancement methods. The device includes a sending end and a receiving end; the sending end includes A first encryption unit, a sending unit and a first random number unit; the receiving end includes a second random number unit, a receiving unit and a second encryption unit;

第一密码单元和第一随机数单元的输出端分别与发送单元的输入端连接;第一随机数单元与第二随机数单元相互相连;发送单元的输出端与接收单元的输入端连接;第二随机数单元的输出端与接收单元的输入端连接;接收单元的输出端与第二密码单元的输入端连接。The output terminals of the first encryption unit and the first random number unit are respectively connected to the input terminal of the sending unit; the first random number unit and the second random number unit are connected to each other; the output terminal of the sending unit is connected to the input terminal of the receiving unit; The output end of the two random number units is connected to the input end of the receiving unit; the output end of the receiving unit is connected to the input end of the second encryption unit.

由于采用了上述技术方案,本发明具有如下的优点:Due to the adoption of the above technical solution, the present invention has the following advantages:

1.通过采用对称分发的随机数对交互信息数据的传输时间进行隐藏,发送者仅仅在该随机数确定的时间发送窗口内发送信息数据,接收者仅仅接收该随机数确定的时间接收窗口内的信息数据。由于攻击者不知道该时间窗口,无法针对该窗口进行针对性的攻击。由于接收方仅仅对有限的时间窗口内的信息数据进行解密和认证,计算负担可显著下降,且可大大提高时间同步的安全性。1. By using symmetrically distributed random numbers to hide the transmission time of interactive information data, the sender only sends information data within the time sending window determined by the random number, and the receiver only receives information within the time reception window determined by the random number. information data. Since the attacker does not know this time window, he cannot conduct targeted attacks against this window. Since the receiver only decrypts and authenticates information data within a limited time window, the computational burden can be significantly reduced and the security of time synchronization can be greatly improved.

2.本方案通过对时间同步交互信息加入随机数对时间交互信息数据的发送时间和接收时间进行随机处理,使得攻击者很难针对性地进行DOS攻击,可显著增强时间同步系统的安全性。2. This solution adds random numbers to the time synchronization interaction information to randomly process the sending time and reception time of the time interaction information data, making it difficult for attackers to carry out targeted DOS attacks, and can significantly enhance the security of the time synchronization system.

3.本发明还可与延时攻击防护技术(防止攻击者对时间交互信息进行延时)以及时间信息隐藏技术(防止攻击者从各种信息中分辨出时间交互信息)等结合,进一步增强时间同步系统的安全性。3. The present invention can also be combined with delay attack protection technology (preventing attackers from delaying time interaction information) and time information hiding technology (preventing attackers from distinguishing time interaction information from various information) to further enhance time Synchronize system security.

附图说明Description of the drawings

为了更清楚地说明本发明实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明实施例中记载的一些实施例,对于本领域普通技术人员来讲,还可以根据这些附图获得其他的附图。In order to explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed to be used in the description of the embodiments will be briefly introduced below. Obviously, the drawings in the following description are only those recorded in the embodiments of the present invention. For some embodiments, those of ordinary skill in the art can also obtain other drawings based on these drawings.

图1为本发明实施例的一种单向时间同步系统示意图;Figure 1 is a schematic diagram of a one-way time synchronization system according to an embodiment of the present invention;

图2为本发明实施例的一种双向时间同步系统示意图;Figure 2 is a schematic diagram of a two-way time synchronization system according to an embodiment of the present invention;

图3为本发明实施例的一种基于随机数的时间同步安全增加信息交互示意图。Figure 3 is a schematic diagram of information interaction for securely adding time synchronization based on random numbers according to an embodiment of the present invention.

具体实施方式Detailed ways

结合附图和实施例对本发明作进一步说明,所描述的实施例仅是本发明实施例一部分实施例,而不是全部的实施例。本领域普通技术人员所获得的所有其他实施例,都应当属于本发明实施例保护的范围。The present invention will be further described with reference to the accompanying drawings and embodiments. The described embodiments are only some of the embodiments of the present invention, rather than all of the embodiments. All other embodiments obtained by those of ordinary skill in the art should fall within the scope of protection of the embodiments of the present invention.

本发明对单向时间同步系统和双向时间同步系统均适用。图1为单向时间同步系统的示意图,一个典型的单向时间同步系统分为L端和R端两个部分。L端和R端都各自包括一个时钟,L端包含发送单元,R端包含接收单元和时钟更新单元。单向时间同步系统的工作原理如下:The present invention is applicable to both one-way time synchronization systems and two-way time synchronization systems. Figure 1 is a schematic diagram of a one-way time synchronization system. A typical one-way time synchronization system is divided into two parts: the L end and the R end. The L end and the R end each include a clock, the L end includes a sending unit, and the R end includes a receiving unit and a clock update unit. The one-way time synchronization system works as follows:

时间同步系统的目的是使得R端时钟和L端时钟的时钟差为零。L端向R端发送同步信号,以L端时钟为准,信号的发送时刻为TL。以R端的时钟为准,R端接收到该信号的时刻为TR。同步信号由L端传输到R端的飞行时间为τLR。因此,以L端时钟为准,R端接收到的同步信号的时间为:The purpose of the time synchronization system is to make the clock difference between the R-side clock and the L-side clock zero. The L end sends a synchronization signal to the R end, based on the L end clock, and the signal sending time is TL . Based on the clock of the R terminal, the time when the R terminal receives the signal is TR . The flight time for the synchronization signal to be transmitted from the L end to the R end is τ LR . Therefore, based on the clock of the L terminal, the time of the synchronization signal received by the R terminal is:

TR 0=τLR+TLT R 0LR +T L .

因此,R端和L端的时钟差为:Therefore, the clock difference between the R terminal and the L terminal is:

ΔT=TR-TR 0=TR-TLLRΔT=T R -T R 0 =T R -T LLR ,

其中,TR由R端测量得到,τLR为由R端和L端之间的传输距离以及信号传输速度估计得到。TL由L端测量得到,但由于R端的时钟的修正需要该数据,因此,需要L端将该数据通过信息交互信道传输给R端。Among them, TR is measured from the R end, and τ LR is estimated from the transmission distance between the R end and the L end and the signal transmission speed. TL is measured by the L end, but since the correction of the R end's clock requires this data, the L end needs to transmit the data to the R end through the information exchange channel.

图2为双向时间同步系统的示意图。如图所示,一个典型的双向时间同步系统分为L端和R端两个部分。L端包括一个时钟,一个发送单元,一个接收单元。R端包括一个时钟,一个发送单元,一个接收单元,一个时钟更新单元。Figure 2 is a schematic diagram of a two-way time synchronization system. As shown in the figure, a typical two-way time synchronization system is divided into two parts: the L end and the R end. The L end includes a clock, a sending unit, and a receiving unit. The R end includes a clock, a sending unit, a receiving unit, and a clock update unit.

时间同步系统的目的是使得R端时钟和L端时钟的时钟差为零。一方面,L端发送同步信号时,时刻为TL,L端的时间间隔计数器开始计数,收到R端发送过来的同步脉冲时停止计数,计数值为TLR;另一方面,R端发送同步脉冲时,时刻为TR,R端的时间间隔计数器开始计数,收到L端发送过来的同步脉冲时停止计数,计数值为TRL。假设L端的脉冲传输到R端的时间为τLR,R端的脉冲传输到L端的时间为τRL,则有The purpose of the time synchronization system is to make the clock difference between the R-side clock and the L-side clock zero. On the one hand, when the L end sends a synchronization signal, the time is T L , the time interval counter of the L end starts counting, and stops counting when it receives the synchronization pulse sent from the R end, and the count value is T LR ; on the other hand, the R end sends a synchronization When pulse occurs, the time is T R , the time interval counter on the R end starts counting, and stops counting when it receives the synchronization pulse sent from the L end, and the count value is T RL . Assume that the time for the pulse from the L terminal to be transmitted to the R terminal is τ LR , and the time for the pulse from the R terminal to be transmitted to the L terminal is τ RL , then there is

TLR=(TRRL)-TL T LR =(T RRL )-T L

TRL=(TLLR)-TR T RL =(T LLR )-T R

R端和L端的时间差为:The time difference between R end and L end is:

其中,信号传输的非对称性(τLRRL)可提前通过设备校对以及信道估计获得。TRL由R端测量获得。TLR由L端测量获得。由于,R端修正本地时钟需要TLR数据,因此,需要从L端将该测量数据通过信息交互信道传输给R端。Among them, the asymmetry of signal transmission (τ LRRL ) can be obtained in advance through equipment calibration and channel estimation. T RL is measured from the R end. T LR is measured from the L end. Since the R end needs T LR data to correct the local clock, the measurement data needs to be transmitted from the L end to the R end through the information exchange channel.

本发明适用但不限于上述两类时间同步系统,也适用于NTP,PTP等时间同步系统。The present invention is applicable to but not limited to the above two types of time synchronization systems, and is also applicable to time synchronization systems such as NTP and PTP.

通过对单向时间同步系统和双向时间系统的分析,可以看出,以上方案中均需要通过信息交互信道传输信息,而且信息的准确性直接与时间同步精度相关。为了防止攻击者篡改信息,通常对交互信息进行加解密或者认证等密码学保护措施。然而,密码学保护方法需要相应的硬件资源支撑。攻击者可以实施DOS(Denial of Service)攻击,通过发送大量相似信息来消耗该硬件资源,使得真正的时间同步交互信息无法进行解密或认证,从而导致合法用户无法获取需要的时间交互信息,导致时间同步失败,时间同步性能下降。Through the analysis of the one-way time synchronization system and the two-way time synchronization system, it can be seen that the above solutions need to transmit information through the information interaction channel, and the accuracy of the information is directly related to the time synchronization accuracy. In order to prevent attackers from tampering with information, cryptographic protection measures such as encryption, decryption or authentication are usually implemented for interactive information. However, cryptographic protection methods require corresponding hardware resource support. An attacker can implement a DOS (Denial of Service) attack and consume the hardware resources by sending a large amount of similar information, making the real time synchronization interaction information unable to be decrypted or authenticated, causing legitimate users to be unable to obtain the required time interaction information, resulting in time Synchronization fails and time synchronization performance degrades.

为了提高时间同步性能在上述DOS攻击下的安全性,本发明提出了一种基于随机数的时间同步安全增强方法的实施例,其包括:In order to improve the security of time synchronization performance under the above-mentioned DOS attack, the present invention proposes an embodiment of a time synchronization security enhancement method based on random numbers, which includes:

S1、通过采用对称密钥分发的随机数对发送端和接收端之间的交互信息数据的传输时间进行隐藏;S1. Hide the transmission time of interactive information data between the sender and the receiver by using random numbers distributed with symmetric keys;

S2、发送端仅在该随机数确定的时间发送窗口内的信息数据,接收端仅接收该随机数确定的时间接收窗口内的信息数据;接收端仅对该时间接收窗口内的信息数据进行解密和认证。S2. The sending end only sends the information data within the window at the time determined by the random number, and the receiving end only receives the information data within the time reception window determined by the random number; the receiving end only decrypts the information data within the time reception window. and certification.

如图3所示,通过对称密钥分发技术(包括但不限于公钥密钥协商、量子密钥分发等技术),两端获得相同的随机数序列N,存储在随机数单元中。发送端的时间同步交互信息D通过密码单元,完成对该信息数据的加密和认证等密码学操作。具体的方案包括但不限于以下示例方案。As shown in Figure 3, through symmetric key distribution technology (including but not limited to public key key negotiation, quantum key distribution and other technologies), both ends obtain the same random number sequence N, which is stored in the random number unit. The time synchronization interactive information D at the sender passes through the cryptographic unit to complete cryptographic operations such as encryption and authentication of the information data. Specific solutions include but are not limited to the following example solutions.

示例方案1:首先对数据D首先进行Hash操作,获得hash值hd,然而对hd采用私钥进行加密,将hd附加在原始的数据D后面。可以选择对D或者D+hd数据再进行对称或者非对称加密。Example solution 1: First perform a Hash operation on the data D to obtain the hash value hd, then encrypt hd using the private key, and append hd to the original data D. You can choose to perform symmetric or asymmetric encryption on D or D+hd data.

示例方案2:采用HAMC的方法对数据D进行Hash操作,获得hash值hd,将hd附加在原始数据D后面,以进行信息认证。对D或D+hd数据再进行对称或者非对称加密,以保障其机密性。Example solution 2: Use the HAMC method to perform a Hash operation on the data D, obtain the hash value hd, and append hd to the original data D for information authentication. The D or D+hd data is then symmetrically or asymmetrically encrypted to ensure its confidentiality.

根据交互双方共享的随机数序列N,发送端随机确定采用密码保护后交互信息的发送时间。比如,如果时间同步的时间周期为每秒一次,那交互信息需要在一秒内进行发送。假设随机序列取值N∈[0,Nmax],如果交互双方某次获得的随机序列取值为n,那可以选择在该秒内的N/Nmax时刻发送该相应交互信息。在实际实施过程中,发送端可能需要一定时间t0才能获取到时间交互信息,比如对于图2所述的双向时间同步系统。因此,可以选择N/Nmax*(1-t0)作为发送交互信息的时间。According to the random number sequence N shared by both interacting parties, the sending end randomly determines the sending time of the interactive information after password protection. For example, if the time period of time synchronization is once per second, the interaction information needs to be sent within one second. Assume that the random sequence value is N∈[0,N max ]. If the random sequence value obtained by the interacting parties at a certain time is n, then the corresponding interactive information can be sent at the N/Nmax time within the second. In the actual implementation process, it may take a certain time t0 for the sending end to obtain the time interaction information, such as the two-way time synchronization system described in Figure 2. Therefore, N/Nmax*(1-t0) can be selected as the time to send interactive information.

根据随机序列N,接收端确定与发送端相对应的接收信息时间窗口。原则上,根据发送时间再加上传输时间,可以确定接收开始的时间。然而,由于两端时钟存在时钟差,传输时延迟存在不确定性等因素,接收时间存在一定的不确定性,因此,需要在一定的时间窗口内接收信息。假设由随机数N确定的发送端的发送时间为f(N),f函数的具体形式发送端和接收端提前约定好,也就是接收端能够通过N获得f(N)。时间交互信息的传输时延为τ,那接收端打开接收单元的时间窗口为[f(N)+τ-u,f(N)+τ+u],其中,u为时钟差、传输时延迟等不确定度决定。According to the random sequence N, the receiving end determines the time window for receiving information corresponding to the sending end. In principle, the time when reception starts can be determined based on the send time plus the transmission time. However, due to the clock difference between the clocks at both ends and the uncertainty in the delay during transmission, there is a certain uncertainty in the reception time. Therefore, the information needs to be received within a certain time window. Assume that the sending time of the sender determined by the random number N is f(N), and the specific form of the f function is agreed upon by the sender and the receiver in advance, that is, the receiver can obtain f(N) through N. The transmission delay of time interactive information is τ, and the time window for the receiving end to open the receiving unit is [f(N)+τ-u, f(N)+τ+u], where u is the clock difference and transmission delay Wait for the uncertainty to decide.

由于仅仅在[f(N)+τ-u,f(N)+τ+u]时间窗口内进行时间交互信息的接收,而且攻击者在未获取合法通信双方共享随机数的条件下无法提前获知该时间窗口。因此,攻击者无法针对该时间窗口发送大量攻击数据,从而,大大较少了攻击者DOS攻击对密码学保护所需硬件资源的消耗,从而提高了此类攻击条件下正确时间同步交互信息的解密以及认证的可完成性,大大增强了时间同步系统抗DOS攻击的能力。Since the time interaction information is only received within the [f(N)+τ-u, f(N)+τ+u] time window, and the attacker cannot know in advance without obtaining the random number shared by the legitimate communicating parties. this time window. Therefore, the attacker cannot send a large amount of attack data for this time window, thereby greatly reducing the attacker's DOS attack on the hardware resources required for cryptographic protection, thereby improving the decryption of correct time synchronization interaction information under such attack conditions. As well as the completionability of authentication, the time synchronization system's ability to resist DOS attacks is greatly enhanced.

参见图3,本发明还提供了实现上述方法实施例的一种基于随机数的时间同步安全增强装置的实施例,其包括发送端和接收端;发送端包括第一密码单元、发送单元和第一随机数单元;接收端包括第二随机数单元、接收单元和第二密码单元;Referring to Figure 3, the present invention also provides an embodiment of a time synchronization security enhancement device based on random numbers that implements the above method embodiment, which includes a sending end and a receiving end; the sending end includes a first cryptographic unit, a sending unit and a third A random number unit; the receiving end includes a second random number unit, a receiving unit and a second cryptographic unit;

第一密码单元和第一随机数单元的输出端分别与发送单元的输入端连接;第一随机数单元与第二随机数单元相互相连;发送单元的输出端与接收单元的输入端连接;第二随机数单元的输出端与接收单元的输入端连接;接收单元的输出端与第二密码单元的输入端连接。The output terminals of the first encryption unit and the first random number unit are respectively connected to the input terminal of the sending unit; the first random number unit and the second random number unit are connected to each other; the output terminal of the sending unit is connected to the input terminal of the receiving unit; The output end of the two random number units is connected to the input end of the receiving unit; the output end of the receiving unit is connected to the input end of the second encryption unit.

最后应当说明的是:以上实施例仅用以说明本发明的技术方案而非对其限制,尽管参照上述实施例对本发明进行了详细的说明,所属领域的普通技术人员应当理解:依然可以对本发明的具体实施方式进行修改或者等同替换,而未脱离本发明精神和范围的任何修改或者等同替换,其均应涵盖在本发明的权利要求保护范围之内。Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the present invention can still be modified. Modifications or equivalent substitutions may be made to the specific embodiments, and any modifications or equivalent substitutions that do not depart from the spirit and scope of the invention shall be covered by the scope of the claims of the invention.

Claims (10)

1. A random number-based time synchronization security enhancement method, comprising:
step 1: hiding the transmission time of the interactive information data between the sending end and the receiving end by adopting a random number distributed by the symmetric key;
step 2: the transmitting end only transmits the information data in the window at the time determined by the random number, and the receiving end only receives the information data in the time receiving window determined by the random number; the receiving end only decrypts and authenticates the information data in the time receiving window.
2. The method for enhancing time synchronization security based on random numbers according to claim 1, wherein the step 1 comprises:
the method comprises the steps that through a symmetric key distribution technology, a sending end and a receiving end obtain the same random number sequence N and respectively store the same random number sequence N in a first random number unit of the sending end and a second random number unit of the receiving end; the first cipher unit of the transmitting end carries out cipher operation on the input time synchronization interaction information D; the symmetric key distribution technology comprises public key negotiation and quantum key distribution; cryptographic operations include encryption and authentication.
3. The random number based time synchronization security enhancement method according to claim 2, wherein in said step 1:
carrying out Hash operation on the time synchronization interaction information D to obtain a Hash value hd;
encrypting hd by adopting a private key, and attaching hd to the back of the time synchronization interaction information D; the time synchronization interaction information D or D+hd can be selected to be encrypted symmetrically or asymmetrically.
4. The random number based time synchronization security enhancement method according to claim 2, wherein in said step 1:
carrying out Hash operation on the time synchronization interaction information D by adopting a HAMC method to obtain a Hash value hd, and attaching hd to the back of the time synchronization interaction information D to carry out information authentication; and D or D+hd data is symmetrically or asymmetrically encrypted to ensure confidentiality.
5. The method for enhancing time synchronization security based on random numbers according to claim 1, wherein the step 2 comprises:
the transmitting end only transmits the encrypted and authenticated time synchronization interaction information D in a time transmitting window determined by the random number; the receiving unit of the receiving end only receives the encrypted and authenticated time synchronization interaction information D in the time receiving window determined by the random number, and then decrypts and authenticates the encrypted and authenticated time synchronization interaction information D through the second password unit of the receiving end to restore the time synchronization interaction information D.
6. The random number based time synchronization security enhancement method according to claim 1, wherein in said step 2:
and according to the random number sequence N shared between the transmitting end and the receiving end, the transmitting end randomly determines the transmitting time of the time synchronization interaction information D after password protection.
7. The method for enhancing time synchronization security based on random numbers according to claim 6, wherein if the time period of time synchronization of the transmitting end and the receiving end is once per second, the interactive information needs to be transmitted within one second; suppose that the sequence of random numbers N E [0, N max ]If the random number sequence obtained by the transmitting end and the receiving end at any time takes the value of N, the transmitting end selects N/N in the corresponding time max And sending the time synchronization interaction information D after password protection at the moment.
8. The method for enhancing time synchronization security based on random numbers as claimed in claim 7, wherein for the bi-directional time synchronization system, if the transmitting end needs time t0 to acquire the time synchronization interaction information transmitted by the receiving end, the receiving end selects N/N max * (1-t 0) as a time for transmitting the time synchronization interaction information.
9. The random number based time synchronization security enhancement method according to claim 1, wherein in said step 2:
according to the random number sequence N, the receiving end determines a time receiving window of the receiving information corresponding to the transmitting end, namely, the transmitting end is assumed to transmit the time f (N) determined by the random number sequence N, the specific form of the f function is pre-agreed by the transmitting end and the receiving end, namely, the receiving end can obtain f (N) through N; the transmission delay of the time interaction information is tau, and the time window of the receiving unit of the receiving end is [ f (N) +tau-u, f (N) +tau+u ]; wherein u is determined by uncertainty of the relevant parameter; the relevant parameters include clock skew and transmission time delay; the transmitting end and the receiving end only receive the time synchronization interaction information D in the time windows of [ f (N) +tau-u, f (N) +tau+u ].
10. A random number-based time synchronization security enhancement device for implementing the random number-based time synchronization security enhancement method as claimed in any one of claims 1 to 9, characterized in that the device comprises a transmitting end and a receiving end; the transmitting end comprises a first password unit, a transmitting unit and a first random number unit; the receiving end comprises a second random number unit, a receiving unit and a second password unit;
the output ends of the first password unit and the first random number unit are respectively connected with the input end of the sending unit; the first random number unit and the second random number unit are mutually connected; the output end of the sending unit is connected with the input end of the receiving unit; the output end of the second random number unit is connected with the input end of the receiving unit; the output end of the receiving unit is connected with the input end of the second password unit.
CN202311507840.2A 2023-11-10 2023-11-10 Time synchronization security enhancement method and device based on random numbers Pending CN117375992A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311507840.2A CN117375992A (en) 2023-11-10 2023-11-10 Time synchronization security enhancement method and device based on random numbers

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311507840.2A CN117375992A (en) 2023-11-10 2023-11-10 Time synchronization security enhancement method and device based on random numbers

Publications (1)

Publication Number Publication Date
CN117375992A true CN117375992A (en) 2024-01-09

Family

ID=89389270

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311507840.2A Pending CN117375992A (en) 2023-11-10 2023-11-10 Time synchronization security enhancement method and device based on random numbers

Country Status (1)

Country Link
CN (1) CN117375992A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119232306A (en) * 2024-10-17 2024-12-31 中电信量子科技有限公司 Time synchronization method, cloud server, electronic device and storage medium

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119232306A (en) * 2024-10-17 2024-12-31 中电信量子科技有限公司 Time synchronization method, cloud server, electronic device and storage medium

Similar Documents

Publication Publication Date Title
KR102619383B1 (en) End-to-end double ratchet encryption using epoch key exchange
Badar et al. An identity based authentication protocol for smart grid environment using physical uncloneable function
US7457411B2 (en) Information security via dynamic encryption with hash function
US5297208A (en) Secure file transfer system and method
US20110107086A1 (en) Secure authentication and privacy of data communication links via dynamic key synchronization
Vanhoef et al. Predicting, Decrypting, and Abusing {WPA2/802.11} Group Keys
US8656170B2 (en) Protection of control plane traffic against replayed and delayed packet attack
EP3673610B1 (en) Computer-implemented system and method for highly secure, high speed encryption and transmission of data
WO2007011897A2 (en) Cryptographic authentication, and/or establishment of shared cryptographic keys, using a signing key encrypted with a non-one-time-pad encryption, including (but not limited to) techniques with improved security against malleability attacks
US20250088352A1 (en) Password security hardware module
CN111080299B (en) Anti-repudiation method for transaction information, client and server
CN111526001B (en) Clock synchronization method, device and system
Shaikh et al. LSec: Lightweight security protocol for distributed wireless sensor network
CN109150906A (en) A kind of real-time data communication safety method
CN117375992A (en) Time synchronization security enhancement method and device based on random numbers
US7376232B2 (en) Computer system security via dynamic encryption
CN111404659B (en) Privacy protection communication method, server and communication system based on chaotic system
Anderson et al. Addressing a Critical Vulnerability in upcoming Broadcast-only TESLA-based GNSS-enabled Systems
Xiao et al. Security mechanisms, attacks and security enhancements for the IEEE 802.11 WLANs
Anderson et al. Time Synchronization of TESLA-enabled GNSS Receivers
Xiao et al. Vulnerabilities and security enhancements for the IEEE 802.11 WLANs
Bowers et al. Drifting keys: Impersonation detection for constrained devices
Liu et al. A Secure and Low-Latency Design for Ldacs Ground Station Handover
CN116684091B (en) Relay multi-level data blockchain sharing method and system based on quantum key distribution
Smart Certificates, key transport and key agreement

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination