Disclosure of Invention
In order to establish a security protection system spanning a management plane and a data plane, the present application provides an encrypted communication establishment method and system, and an encrypted communication method and system.
In a first aspect, the present application provides an encrypted communication establishing method, which adopts the following technical scheme:
An encrypted communication establishment method applied to an IPv6 biplane stealth communication system including a management plane and a data plane, the encrypted communication establishment method comprising:
establishing IPv6 stealth communication mutual trust relationships among all components in the management plane according to the component certificate information of all components in the management plane;
inputting the component certificate information of the IPv6 stealth terminal to be brought online in the data plane to the management plane;
in response to the IPv6 stealth terminal to be brought online sending an online connection request to the management plane, controlling an IPv6 stealth communication authorization component in the management plane to verify the online connection request, wherein the online connection request is preconfigured according to the IPv6 stealth communication authorization component and the component certificate information of the IPv6 stealth terminal to be brought online;
in response to a verification passing result of the online connection request, determining that the IPv6 stealth terminal is successfully online, and establishing an IPv6 stealth communication mutual trust relationship between the IPv6 stealth terminal in the data plane and the management plane;
and establishing an IPv6 stealth communication mutual trust relationship between the successfully online IPv6 stealth terminal and the other IPv6 stealth terminals in the data plane according to the component certificate information of the successfully online IPv6 stealth terminal.
By adopting this technical scheme, the IPv6 stealth communication mutual trust relationship among the components in the management plane is established first, which enhances the security and privacy of communication among those components; when a new IPv6 stealth terminal successfully comes online in the data plane, a secure communication channel between that terminal and the management plane is established, which secures communication between the management plane and the data plane and prevents man-in-the-middle attacks and data interception; finally, a secure communication relationship between the new terminal and the other IPv6 stealth terminals in the data plane is established, so that through these steps an IPv6 stealth communication mutual trust relationship among all IPv6 stealth terminals in the data plane is achieved.
The application provides a comprehensive security protection system through registration of certificate information, application of an encryption algorithm and establishment of mutual trust relationships; this system can effectively prevent an attacker from scanning any component in the system, thereby greatly improving the security of the whole IPv6 communication system and solving the problem of secure communication between the components of the management plane and the data plane in all communication scenarios.
Optionally, the method further includes a configuration step of the online connection request, where the configuration step includes:
generating a target IPv6 address based on a first preset algorithm according to an IPv6 prefix of the IPv6 stealth communication authorization component, a certificate private key of the IPv6 stealth terminal to be brought online, a certificate public key of the IPv6 stealth communication authorization component and a first timestamp, wherein the first timestamp is the timestamp at which the online connection request is sent;
generating an IPv6 message according to the target IPv6 address;
and encrypting the payload of the IPv6 message with the certificate public key of the IPv6 stealth communication authorization component to obtain the online connection request.
By adopting this technical scheme, security during data transmission is enhanced, the confidentiality of sensitive information in transit is ensured, and only the intended receiver can access the content, so that privacy and security are improved.
Optionally, the step of controlling the IPv6 stealth communication authorization component in the management plane to verify the online connection request includes:
based on a second preset algorithm, obtaining the first timestamp from the IPv6 prefix of the IPv6 stealth communication authorization component, the certificate public key of the IPv6 stealth terminal to be brought online, the certificate private key of the IPv6 stealth communication authorization component and the target IPv6 address;
calculating a first time difference value from the first timestamp and a second timestamp, wherein the second timestamp is the timestamp at which the IPv6 stealth communication authorization component receives the online connection request;
judging whether the first time difference value is smaller than a first preset threshold value; if so, outputting a verification passing result of the online connection request, and if not, outputting a verification failure result of the online connection request.
By adopting this technical scheme, dynamic generation of the target IPv6 address, timestamp verification and key technology are combined to provide a secure verification mechanism for the components in the management plane, so that only authorized IPv6 stealth terminals can be successfully brought online; this enhances network security, prevents unauthorized access, and provides the capability to resist network scanning and analysis attacks.
Optionally, the step of establishing an IPv6 stealth communication mutual trust relationship between the IPv6 stealth terminal in the data plane and the management plane includes:
controlling the IPv6 stealth communication authorization component of the management plane to send configuration information and access rights to the IPv6 stealth terminal in the data plane.
By adopting this technical scheme, the configuration consistency and security of the IPv6 stealth terminal in the data plane are ensured, and the IPv6 stealth terminal is made aware of the rights it holds, which facilitates fine-grained access control.
Optionally, the step of establishing an IPv6 stealth communication mutual trust relationship between the successfully online IPv6 stealth terminal and the other IPv6 stealth terminals in the data plane includes:
updating the IPv6 stealth terminal information list in the data plane according to the component certificate information of the successfully online IPv6 stealth terminal, and distributing the updated content to the other IPv6 stealth terminals in the data plane.
By adopting this technical scheme, after the new IPv6 stealth terminal successfully comes online, the IPv6 stealth terminal information list is updated and the updated content is issued to the other terminals through the established secure channel; by receiving the updated content from the management plane, a mutual trust relationship is also established among all IPv6 stealth terminals in the data plane, that is, each IPv6 stealth terminal holds the IPv6 prefix and certificate public key information of the other terminals and can mutually identify and verify them, so that point-to-point secure communication among the terminals is realized without relaying through the management plane on every communication, which improves communication efficiency and scalability.
In a second aspect, the present application provides an encrypted communication method, which adopts the following technical scheme:
An encrypted communication method applied to an initiator IPv6 stealth terminal in a data plane, performed after the IPv6 stealth communication mutual trust relationship between the IPv6 stealth terminals in the data plane has been established by the encrypted communication establishment method of the first aspect, the encrypted communication method comprising:
in response to a data transmission request for a service access message to be sent, randomly generating a dynamic key factor;
performing an irreversible operation on the dynamic key factor and a key seed to obtain a dynamic key, wherein the key seed is negotiated according to the IPv6 stealth communication mutual trust relationship between the initiator IPv6 stealth terminal and the receiver IPv6 stealth terminal in the data plane;
encrypting the service access message with the dynamic key;
generating a dynamic target IPv6 address according to the dynamic key factor and a third timestamp, wherein the third timestamp is the timestamp at which the service access message is sent;
generating an encrypted IPv6 message from the encrypted service access message and the dynamic target IPv6 address;
and sending the encrypted IPv6 message to the receiver IPv6 stealth terminal.
By adopting this technical scheme, the encrypted communication method provides a highly secure encryption mechanism for communication between IPv6 stealth terminals in the data plane through the use of a dynamic key and a dynamic target IPv6 address, and can effectively prevent data leakage, man-in-the-middle attacks and IP tracking, thereby improving the security and privacy of network communication as a whole.
In a third aspect, the present application provides an encrypted communication method, which adopts the following technical scheme:
An encrypted communication method applied to a receiver IPv6 stealth terminal in a data plane, performed after the IPv6 stealth communication mutual trust relationship between the IPv6 stealth terminals in the data plane has been established by the encrypted communication establishment method of the first aspect, the encrypted communication method comprising:
receiving an encrypted IPv6 message sent by an initiator IPv6 stealth terminal, wherein the encrypted IPv6 message is generated by the initiator IPv6 stealth terminal by applying the encrypted communication method of the second aspect;
parsing the dynamic target IPv6 address of the encrypted IPv6 message to obtain a third timestamp and a dynamic key factor;
calculating a second time difference value from the third timestamp and a fourth timestamp, wherein the fourth timestamp is the timestamp at which the receiver IPv6 stealth terminal receives the encrypted IPv6 message;
judging whether the second time difference value is smaller than a second preset threshold value;
if so, performing the irreversible operation on the dynamic key factor and the key seed to generate the dynamic key;
decrypting the encrypted IPv6 message with the dynamic key to obtain a service access message;
and forwarding the service access message based on a preset target IPv6 address.
By adopting this technical scheme, a complete receive-side processing flow is provided for the receiver IPv6 stealth terminal: the confidentiality and integrity of the data are ensured, timeliness is verified, and by sending the decrypted service access message to a preset target IPv6 address the service data are guaranteed to reach their destination correctly, completing the last step of the encrypted communication.
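The initiator flow of the second aspect and the receiver flow of the third aspect, carried through as an added Python example that is not the applicant's code. It assumes, since the page does not fix them, that the irreversible operation is HMAC-SHA256 over the key seed and factor, that the interface identifier of the dynamic target address carries the 32-bit factor followed by the 32-bit send timestamp, that the threshold is 30 seconds, and that message encryption is a toy encrypt-then-MAC built from an HMAC keystream standing in for a real AEAD such as AES-GCM; the prefix and key seed are constructed sample values.

```python
"""Constructed model of the data-plane exchange (not the applicant's code)."""
import hashlib
import hmac
import ipaddress
import secrets
import struct
from typing import Optional, Tuple

SECOND_THRESHOLD = 30   # seconds; assumed value of the "second preset threshold"
TAG_LEN = 16            # bytes of HMAC tag appended to each ciphertext


def dynamic_key(key_seed: bytes, factor: bytes) -> bytes:
    """Irreversible operation: the seed cannot be recovered from key or factor."""
    return hmac.new(key_seed, b"dyn-key" + factor, hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC; a stand-in for AES-GCM, not a product cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC; aad binds the ciphertext to the address it is sent to."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, aad + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def decrypt(key: bytes, blob: bytes, aad: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, aad + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def dynamic_target_address(prefix: ipaddress.IPv6Network, factor: bytes,
                           ts: int) -> ipaddress.IPv6Address:
    """Interface identifier = 32-bit factor || 32-bit send timestamp (assumed layout)."""
    iid = int.from_bytes(factor + struct.pack(">I", ts), "big")
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def parse_target_address(addr: ipaddress.IPv6Address) -> Tuple[bytes, int]:
    """Receiver side: recover factor and third timestamp from the address."""
    raw = (int(addr) & ((1 << 64) - 1)).to_bytes(8, "big")
    return raw[:4], struct.unpack(">I", raw[4:])[0]


def initiator_send(key_seed: bytes, receiver_prefix: ipaddress.IPv6Network,
                   service_msg: bytes, send_ts: int):
    """Second aspect: random factor, derived key, dynamic address, encrypted message."""
    factor = secrets.token_bytes(4)
    key = dynamic_key(key_seed, factor)
    addr = dynamic_target_address(receiver_prefix, factor, send_ts)
    return addr, encrypt(key, service_msg, addr.packed)


def receiver_handle(key_seed: bytes, addr: ipaddress.IPv6Address,
                    payload: bytes, recv_ts: int) -> Optional[bytes]:
    """Third aspect: parse address, check freshness, derive key, decrypt."""
    factor, send_ts = parse_target_address(addr)
    # abs() tolerates small clock skew in either direction; stale or replayed
    # messages outside the window are dropped before any key derivation
    if abs(recv_ts - send_ts) >= SECOND_THRESHOLD:
        return None
    return decrypt(dynamic_key(key_seed, factor), payload, addr.packed)


# Constructed sample run (documentation prefix, made-up seed)
KEY_SEED = b"constructed-negotiated-key-seed"
PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")
if __name__ == "__main__":
    a, p = initiator_send(KEY_SEED, PREFIX, b"GET /service HTTP/1.1", 1_700_000_000)
    print(a, receiver_handle(KEY_SEED, a, p, 1_700_000_003))
```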
In a fourth aspect, the present application provides an encrypted communication establishing system, which adopts the following technical scheme:
an encrypted communication establishment system applied to an IPv6 biplane stealth communication system including a management plane and a data plane, the encrypted communication establishment system comprising:
a first establishing module, used for establishing IPv6 stealth communication mutual trust relationships among all the components in the management plane according to the component certificate information of all the components in the management plane;
a component certificate information input module, used for inputting the component certificate information of the IPv6 stealth terminal to be brought online in the data plane to the management plane;
a verification control module, used for responding to the IPv6 stealth terminal to be brought online sending an online connection request to the management plane and controlling an IPv6 stealth communication authorization component in the management plane to verify the online connection request, wherein the online connection request is preconfigured according to the IPv6 stealth communication authorization component and the component certificate information of the IPv6 stealth terminal to be brought online;
a second establishing module, used for responding to a verification passing result of the online connection request, determining that the IPv6 stealth terminal is successfully online, and establishing an IPv6 stealth communication mutual trust relationship between the IPv6 stealth terminal in the data plane and the management plane;
and a third establishing module, used for establishing an IPv6 stealth communication mutual trust relationship between the successfully online IPv6 stealth terminal and the other IPv6 stealth terminals in the data plane according to the component certificate information of the successfully online IPv6 stealth terminal.
In a fifth aspect, the present application provides an encrypted communication system, which adopts the following technical scheme:
An encrypted communication system applied to an initiator IPv6 stealth terminal in a data plane, the IPv6 stealth communication mutual trust relationship between the IPv6 stealth terminals in the data plane having been established by applying the encrypted communication establishment method of the first aspect, the encrypted communication system comprising:
a dynamic key factor generation module, used for responding to a data transmission request for a service access message to be sent and randomly generating a dynamic key factor;
a dynamic key generation module, used for performing an irreversible operation on the dynamic key factor and a key seed to obtain a dynamic key, wherein the key seed is negotiated according to the IPv6 stealth communication mutual trust relationship between the initiator IPv6 stealth terminal and the receiver IPv6 stealth terminal in the data plane;
a message encryption module, used for encrypting the service access message with the dynamic key;
a dynamic target IPv6 address generation module, used for generating a dynamic target IPv6 address according to the dynamic key factor and a third timestamp, wherein the third timestamp is the timestamp at which the service access message is sent;
an encrypted IPv6 message generation module, used for generating an encrypted IPv6 message from the encrypted service access message and the dynamic target IPv6 address;
and an encrypted IPv6 message sending module, used for sending the encrypted IPv6 message to the receiver IPv6 stealth terminal.
In a sixth aspect, the present application provides an encrypted communication system, which adopts the following technical scheme:
An encrypted communication system applied to a receiver IPv6 stealth terminal in a data plane, wherein the IPv6 stealth communication mutual trust relationship between the IPv6 stealth terminals in the data plane is established by using the encrypted communication establishment method of the first aspect, the encrypted communication system comprising:
an encrypted IPv6 message receiving module, used for receiving an encrypted IPv6 message sent by an initiator IPv6 stealth terminal, wherein the encrypted IPv6 message is generated by the initiator IPv6 stealth terminal by applying the encrypted communication method of the second aspect;
a parsing module, used for parsing the dynamic target IPv6 address of the encrypted IPv6 message to obtain a third timestamp and a dynamic key factor;
a second time difference value calculation module, used for calculating a second time difference value from the third timestamp and a fourth timestamp, wherein the fourth timestamp is the timestamp at which the receiver IPv6 stealth terminal receives the encrypted IPv6 message;
a judging module, used for judging whether the second time difference value is smaller than a second preset threshold value and, if so, outputting a verification passing result;
a dynamic key generation module, used for responding to the verification passing result and generating the dynamic key by performing an irreversible operation on the dynamic key factor and the key seed;
a service access message generation module, used for decrypting the encrypted IPv6 message with the dynamic key to obtain the service access message;
and a service access message sending module, used for sending the service access message based on a preset target IPv6 address.
In summary, the application has at least one of the following beneficial technical effects: through registration of certificate information, application of an encryption algorithm and establishment of mutual trust relationships, a comprehensive security protection system is provided, which can effectively prevent an attacker from scanning any component in the system, thereby greatly improving the security of the whole IPv6 communication system and solving the problem of secure communication between the components of the management plane and the data plane in all communication scenarios.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application is further described in detail below with reference to accompanying drawings 1 to 6 and the examples. It should be understood that the specific embodiments described herein are for illustration only and are not intended to limit the scope of the application.
First, an IPv6 biplane stealth communication system according to the present application will be briefly described.
With reference to the related content in the background art, in order to further exploit the advantages of the IPv6 protocol, the applicant provides an IPv6 biplane stealth communication system.
Referring to fig. 1, the IPv6 biplane stealth communication system comprises a management plane and a data plane. The management plane may comprise an IPv6 stealth communication management center, an IPv6 stealth communication authorization component, an IPv6 stealth communication control component and other components. The IPv6 stealth communication management center provides a unified graphical management interface, through which a user can view information such as the state, configuration and traffic of the whole system and can also configure services and access control. The IPv6 stealth communication authorization component performs access management for IPv6 stealth terminals: an untrusted terminal is refused access to the system, while a trusted terminal is allowed to access it and is issued the corresponding configuration. The IPv6 stealth communication control component manages the IPv6 stealth secure communication of the data plane and may be responsible for network slicing, traffic optimization, route management and the like;
The data plane contains the IPv6 stealth terminals of the various access systems. A terminal may be a hardware device, may be deployed as software, or may be installed as an app on various operating systems; it may provide end-to-end stealth secure communication for the terminal itself only, or it may also provide IPv6 stealth security protection for the terminals in a downstream IPv4/IPv6 network.
In order for data to be transmitted securely between any two entities in the system, including between IPv6 stealth terminals in the data plane, between the IPv6 stealth terminals and the management plane, and between the components in the management plane, an encrypted communication establishment method is needed to establish the IPv6 stealth communication mutual trust relationship among all the components.
An embodiment of the application discloses an encrypted communication establishment method.
Referring to fig. 2, an encrypted communication establishment method applied to an IPv6 biplane stealth communication system including a management plane and a data plane includes:
Step S101, establishing an IPv6 stealth communication mutual trust relationship among all components in the management plane according to the component certificate information of all components in the management plane;
Specifically, since each component in the management plane knows the IPv6 prefixes and certificate public keys of the other components, the components can exchange the required information by sending IPv6 messages. The target IPv6 address in each IPv6 message is dynamically generated by an encryption algorithm f(IPv6 prefix of the opposite end, certificate private key of the sending component, certificate public key of the opposite end, timestamp), and at the same time the payload of the IPv6 message is encrypted with the certificate public key of the opposite end, so that when the opposite end receives the message it can verify that the message is a legitimate message sent to it by another component and that it has cryptographic integrity, thereby establishing the IPv6 stealth communication mutual trust relationship among the components in the management plane;
Step S102, inputting the component certificate information of the IPv6 stealth terminal to be brought online in the data plane to the management plane;
Before an IPv6 stealth terminal in the data plane first comes online, its component certificate information must be registered in the management plane, where the component certificate information includes the terminal's IPv6 prefix, certificate public key and similar information;
It can be understood that this step establishes the identity profile of the IPv6 stealth terminal, so that the management plane can identify and verify requests from the IPv6 stealth terminal, ensuring that only registered terminals can be brought online and reducing the security risk posed by unknown terminals;
Step S103, in response to the IPv6 stealth terminal to be brought online sending an online connection request to the management plane, controlling an IPv6 stealth communication authorization component in the management plane to verify the online connection request;
wherein the online connection request is preconfigured according to the IPv6 stealth communication authorization component and the component certificate information of the IPv6 stealth terminal to be brought online;
It can be understood that the IPv6 stealth communication authorization component verifies the validity of the online connection request against the pre-registered component certificate information of the IPv6 stealth terminal to be brought online, ensuring that only a legitimate IPv6 stealth terminal can pass verification and come online, thereby preventing impersonation and related security threats;
Step S104, in response to a verification passing result of the online connection request, determining that the IPv6 stealth terminal is successfully online, and establishing an IPv6 stealth communication mutual trust relationship between the IPv6 stealth terminal in the data plane and the management plane;
It can be understood that when the online connection request passes verification, the IPv6 stealth terminal is confirmed to be successfully online, and the management plane authorizes the terminal and sends it the required configuration information and access rights, so that a secure communication channel between the IPv6 stealth terminal in the data plane and the management plane is established and the two parties can communicate securely in both directions;
Step S105, establishing an IPv6 stealth communication mutual trust relationship between the successfully online IPv6 stealth terminal and the other IPv6 stealth terminals in the data plane according to the component certificate information of the successfully online IPv6 stealth terminal.
It can be understood that through these steps, every IPv6 stealth terminal brought online in the data plane can achieve an IPv6 stealth communication mutual trust relationship with the other IPv6 stealth terminals, so that point-to-point secure communication between terminals in the data plane is realized, communication efficiency is improved, and dependence on the management plane is reduced.
In this embodiment, the IPv6 stealth communication mutual trust relationship among the components in the management plane is established first, which enhances the security and privacy of communication among those components; when a new IPv6 stealth terminal successfully comes online in the data plane, a secure communication channel between that terminal and the management plane is established, which secures communication between the management plane and the data plane and prevents man-in-the-middle attacks and data interception; finally, a secure communication relationship between the new terminal and the other IPv6 stealth terminals in the data plane is established, so that through these steps an IPv6 stealth communication mutual trust relationship among all IPv6 stealth terminals in the data plane is achieved.
The application provides a comprehensive security protection system through registration of certificate information, application of an encryption algorithm and establishment of mutual trust relationships; this system can effectively prevent an attacker from scanning any component in the system, thereby greatly improving the security of the whole IPv6 communication system and solving the problem of secure communication between the components of the management plane and the data plane in all communication scenarios.
Referring to fig. 3, as an embodiment of step S103, the method further includes a configuration step of the online connection request, the configuration step including:
Step S201, generating a target IPv6 address based on a first preset algorithm according to an IPv6 prefix of the IPv6 stealth communication authorization component, a certificate private key of the IPv6 stealth terminal to be brought online, a certificate public key of the IPv6 stealth communication authorization component and a first timestamp, wherein the first timestamp is the timestamp at which the online connection request is sent;
The first preset algorithm can be expressed as f(IPv6 prefix of the IPv6 stealth communication authorization component, certificate private key of the IPv6 stealth terminal to be brought online, certificate public key of the IPv6 stealth communication authorization component, first timestamp); that is, the target IPv6 address is dynamically generated by an encryption algorithm, and because the output of the encryption algorithm is uniformly distributed, the generated opposite-end IPv6 addresses are uniformly distributed within the opposite-end IPv6 prefix, which gives strong anti-scanning and anti-attack properties so that an attacker cannot locate the terminal equipment by prediction or scanning;
Step S202, generating an IPv6 message according to the target IPv6 address;
The IPv6 message contains the necessary header information and the predefined payload, which facilitates correct routing and transmission in the IPv6 network; at the same time, because the target IPv6 address is dynamically generated, the concealment of the communication is improved.
Step S203, encrypting the payload of the IPv6 message with the certificate public key of the IPv6 stealth communication authorization component to obtain the online connection request.
The payload of the message (such as authentication information, a configuration request and the like) is encrypted, and only the IPv6 stealth communication authorization component can decrypt the message content, so that the content is not disclosed even if the message is intercepted in transit.
In this embodiment, security during data transmission is enhanced, the confidentiality of sensitive information in transit is ensured, and only the intended receiver can access the content, so that privacy and security are improved.
Referring to fig. 4, as an embodiment of step S103, the step of controlling the IPv6 stealth communication authorization component in the management plane to verify the online connection request includes:
Step S301, based on a second preset algorithm, obtaining the first timestamp from the IPv6 prefix of the IPv6 stealth communication authorization component, the certificate public key of the IPv6 stealth terminal to be brought online, the certificate private key of the IPv6 stealth communication authorization component and the target IPv6 address;
The second preset algorithm can be expressed as g(IPv6 prefix of the IPv6 stealth communication authorization component, certificate public key of the IPv6 stealth terminal to be brought online, certificate private key of the IPv6 stealth communication authorization component, target IPv6 address); the IPv6 stealth communication authorization component is controlled to recompute the first timestamp from the target IPv6 address using the second preset algorithm and the related key information, which provides the basis for the subsequent timestamp comparison;
Step S302, calculating a first time difference value from the first timestamp and a second timestamp, wherein the second timestamp is the timestamp at which the IPv6 stealth communication authorization component receives the online connection request;
Specifically, the first time difference value is the interval between the first timestamp and the second timestamp, and reflects the time consumed by transmission of the online connection request through the network;
Step S303, judging whether the first time difference value is smaller than a first preset threshold value; if so, jumping to step S304, and if not, jumping to step S305;
Step S304, outputting a verification passing result of the online connection request;
Step S305, outputting a verification failure result of the online connection request.
When the first time difference value is smaller than the first preset threshold value, the management plane can confirm that the online connection request comes from a legitimate, registered IPv6 stealth terminal; when the first time difference value is greater than or equal to the first preset threshold value, the request may be stale or a replay attack, so a verification failure result is output.
In the above embodiment, by combining the dynamically generated target IPv6 address, timestamp verification and key technology, a secure verification mechanism is provided for the components in the management plane to ensure that only authorized IPv6 stealth terminals can be successfully brought online, which enhances network security, prevents unauthorized access, and provides the capability to resist network scanning and analysis attacks.
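Steps S201 and S301 to S305 above, carried through as an added Python example that is not the applicant's code; the same f also models the management-plane address rule of step S101. Because the page does not say how the private key of one side and the public key of the other enter f and g, this example assumes a Diffie-Hellman style shared secret (a toy textbook group over the prime 2^127-1, to be replaced by a real ECDH group), and assumes a 64-bit interface identifier laid out as a 16-bit random nonce, the 32-bit first timestamp masked by an HMAC keystream, and a 16-bit HMAC tag; the threshold of 60 seconds and the prefix are constructed values, and the step S203 public-key payload encryption is outside this block.

```python
"""Constructed model of f (S201) and g (S301) with the S302-S305 check (not the applicant's code)."""
import hashlib
import hmac
import ipaddress
import secrets
import struct
from typing import Optional, Tuple

P = 2**127 - 1          # toy DH modulus, an assumption for illustration only
G = 5                   # toy DH base
FIRST_THRESHOLD = 60    # seconds; assumed value of the "first preset threshold"


def keygen() -> Tuple[int, int]:
    """Certificate key pair stand-in: (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def _pair_key(priv_own: int, pub_peer: int) -> bytes:
    # Both ends derive the same symmetric key from (own private, peer public),
    # which is what lets the terminal's f and the component's g agree.
    shared = pow(pub_peer, priv_own, P)
    return hashlib.sha256(b"stealth-addr" + shared.to_bytes(16, "big")).digest()


def f(prefix: ipaddress.IPv6Network, priv_own: int, pub_peer: int,
      ts: int) -> ipaddress.IPv6Address:
    """First preset algorithm: dynamic target address carrying timestamp ts.
    The prefix is assumed to be a /64; the low 64 bits are replaced."""
    k = _pair_key(priv_own, pub_peer)
    pfx = prefix.network_address.packed[:8]
    nonce = secrets.token_bytes(2)   # fresh per address, so equal ts never repeat
    mask = hmac.new(k, b"mask" + pfx + nonce, hashlib.sha256).digest()[:4]
    masked = bytes(a ^ b for a, b in zip(struct.pack(">I", ts), mask))
    tag = hmac.new(k, b"tag" + pfx + nonce + masked, hashlib.sha256).digest()[:2]
    iid = int.from_bytes(nonce + masked + tag, "big")
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def g(prefix: ipaddress.IPv6Network, pub_peer: int, priv_own: int,
      addr: ipaddress.IPv6Address) -> Optional[int]:
    """Second preset algorithm: recover the first timestamp from addr,
    or None when the address was not built for this key pair and prefix."""
    k = _pair_key(priv_own, pub_peer)
    pfx = prefix.network_address.packed[:8]
    iid = (int(addr) & ((1 << 64) - 1)).to_bytes(8, "big")
    nonce, masked, tag = iid[:2], iid[2:6], iid[6:]
    expect = hmac.new(k, b"tag" + pfx + nonce + masked, hashlib.sha256).digest()[:2]
    if not hmac.compare_digest(tag, expect):
        return None
    mask = hmac.new(k, b"mask" + pfx + nonce, hashlib.sha256).digest()[:4]
    return struct.unpack(">I", bytes(a ^ b for a, b in zip(masked, mask)))[0]


def verify_online_request(prefix: ipaddress.IPv6Network, pub_terminal: int,
                          priv_auth: int, addr: ipaddress.IPv6Address,
                          recv_ts: int) -> bool:
    """Steps S301 to S305 as run by the authorization component; recv_ts is
    the second timestamp. abs() tolerates small clock skew either way."""
    first_ts = g(prefix, pub_terminal, priv_auth, addr)
    if first_ts is None:
        return False                       # S305: not built for our key pair
    return abs(recv_ts - first_ts) < FIRST_THRESHOLD   # S303 -> S304 / S305


# Constructed sample run: documentation prefix, throwaway key pairs
AUTH_PREFIX = ipaddress.IPv6Network("2001:db8:a:b::/64")
if __name__ == "__main__":
    t_priv, t_pub = keygen()       # terminal to be brought online
    a_priv, a_pub = keygen()       # authorization component
    target = f(AUTH_PREFIX, t_priv, a_pub, 1_700_000_000)
    print(target, verify_online_request(AUTH_PREFIX, t_pub, a_priv, target, 1_700_000_010))
```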
As an implementation manner of step S104, the step of establishing an IPv6 stealth communication mutual trust relationship between the IPv6 stealth terminal in the data plane and the management plane includes:
controlling the IPv6 stealth communication authorization component of the management plane to send configuration information and access rights to the IPv6 stealth terminal in the data plane.
The configuration information may include network settings, encryption parameters, authentication information, etc., and the access rights define resources and service ranges that the terminal can access.
In this embodiment, configuration consistency and security of the IPv6 stealth terminal in the data plane are ensured, and the terminal learns which permissions it holds, which supports fine-grained access control.
As an implementation manner of step S105, the step of establishing an IPv6 stealth communication mutually trusted relationship between the IPv6 stealth terminal and other IPv6 stealth terminals that are successfully online in the data plane includes:
updating the IPv6 stealth terminal information list in the data plane according to the component certificate information of the IPv6 stealth terminal that has been successfully brought online, and distributing the updated content to the other IPv6 stealth terminals in the data plane.
In this embodiment, after a new IPv6 stealth terminal is successfully brought online, the IPv6 stealth terminal information list is updated and the update is issued to the other terminals over the security channels already established. By receiving the update from the management plane, every IPv6 stealth terminal in the data plane holds the IPv6 prefix and certificate public key of each other terminal and can identify and verify them, so a mutual trust relationship also exists among all the terminals. Point-to-point secure communication between terminals is therefore possible without relaying through the management plane on every communication, which improves communication efficiency and scalability.
The embodiment of the application also discloses an encryption communication establishment system.
An encrypted communication establishment system applied to an IPv6 biplane stealth communication system including a management plane and a data plane, the encrypted communication establishment system comprising:
the first establishing module is used for establishing IPv6 stealth communication mutual trust relations among all the components in the management plane according to the component certificate information of all the components in the management plane;
the component certificate information input module is used for inputting the component certificate information of the IPv6 stealth terminal to be online in the data plane to the management plane;
the verification control module is used for responding to the IPv6 stealth terminal to be online sending an online connection request to the management plane, and controlling the IPv6 stealth communication authorization component in the management plane to verify the online connection request, wherein the online connection request is preconfigured according to the IPv6 stealth communication authorization component and the component certificate information of the IPv6 stealth terminal to be online;
The second establishing module is used for responding to the verification passing result of the online connection request, determining that the online of the IPv6 stealth terminal is successful, and establishing an IPv6 stealth communication mutually trusted relationship between the IPv6 stealth terminal in the data plane and the management plane;
And the third establishing module is used for establishing an IPv6 stealth communication mutual trust relationship between the IPv6 stealth terminal successfully online and other IPv6 stealth terminals in the data plane according to the component certificate information of the IPv6 stealth terminal successfully online.
In the above embodiment, through registration of certificate information, application of encryption algorithm and establishment of mutual trust relationship, a comprehensive security protection system is provided, and the system can effectively prevent an attacker from scanning any one component in the system, thereby greatly improving the security of the whole IPv6 communication system and solving the security communication problem between the components of the management plane and the data plane in all communication scenes.
The encryption communication establishing system of the embodiment of the application can realize any method of the encryption communication establishing method, and the specific working process of each module in the encryption communication establishing system can refer to the corresponding process in the method embodiment.
The embodiment of the application also discloses an encryption communication method for the initiator IPv6 stealth terminal side.
Referring to fig. 5, an encryption communication method applied to an initiator IPv6 stealth terminal in a data plane, after establishing an IPv6 stealth communication mutually trusted relationship between IPv6 stealth terminals in the data plane according to the encryption communication establishment method described above, includes:
Step S401, responding to the data transmission request of the service access message to be sent, and randomly generating a dynamic key factor;
It can be understood that, to secure each communication, the initiator IPv6 stealth terminal randomly generates a dynamic key factor before sending data. Even if the same data is sent several times, the dynamic key factor differs each time, so an attacker cannot recover the key by looking for patterns across messages, and the data transmission is protected;
step S402, performing irreversible operation according to the dynamic key factor and the key seed to obtain a dynamic key;
the key seed is negotiated over the IPv6 stealth communication mutual trust relationship between the initiator IPv6 stealth terminal and the receiver IPv6 stealth terminal in the data plane;
Specifically, the dynamic key factor and the key seed are combined by a one-way hash to produce the dynamic key. A one-way hash is irreversible: the original input cannot be computed from the hash value, so the key seed cannot be derived from a captured dynamic key. Because a different dynamic key factor is used for each communication, the dynamic keys differ even when the key seed stays the same across many communications, which makes the keys unpredictable and improves the security of the communication.
In some embodiments, when an IPv6 stealth terminal in the data plane needs to establish an IPv6 stealth communication channel (for example, when a secure channel between IPv6 stealth terminals is needed to carry IPv4/IPv6 traffic in an IPv6 private network scenario, or when a user needs to access a protected application after logging in, in an application release scenario), the two IPv6 stealth terminals establish an IPv6 stealth communication mutual trust relationship in the same manner as in step S101 and negotiate a key seed over that relationship. During the negotiation the target IPv6 address is generated dynamically and the payload is encrypted, which gives the exchange strong resistance to scanning, attack and traffic analysis, and ensures that only the two IPv6 stealth terminals know how to generate and parse the dynamic key, so the key is consistent on both sides and unique to the pair.
It should be noted that the initiator IPv6 stealth terminal and the receiver IPv6 stealth terminal are preconfigured and determined before the service access message is transmitted, and the key seed applies only to communication between that initiator and that receiver. When the negotiation is triggered by a user login, the scope narrows further: the key seed may be used only when that specific user terminal accesses the peer IPv6 stealth terminal.
Step S403, encrypting the service access message according to the dynamic key;
The service access message is encrypted, so that the safety of data in the transmission process is ensured, and the data is protected from being read or tampered by an unauthorized third party;
step S404, generating a dynamic target IPv6 address according to the dynamic key factor and the third timestamp;
The third timestamp is a timestamp for sending a service access message;
It can be understood that the dynamic target IPv6 address is generated by a linear operation followed by shuffling, so the actual target address is hidden and, because the third timestamp is included, the address differs for every communication. This protects the location of the terminal and prevents an attacker from tracking or locating it through the target address.
Step S405, generating an encrypted IPv6 message according to the encrypted service access message and the dynamic target IPv6 address;
The encrypted message and the dynamic target address are integrated to form a complete encrypted IPv6 message, and double protection is provided for data transmission.
And step S406, the encrypted IPv6 message is sent to the IPv6 stealth terminal of the receiver.
In the embodiment, through the use of the dynamic key and the dynamic target IPv6 address, a highly safe encryption mechanism is provided for communication between IPv6 stealth terminals in a data plane, and data leakage, man-in-the-middle attack and IP tracking can be effectively prevented, so that the safety and privacy of the whole network communication are improved.
The embodiment of the application also discloses an encryption communication method for the receiver IPv6 stealth terminal side.
Referring to fig. 6, an encryption communication method applied to a receiver IPv6 stealth terminal in a data plane, after establishing an IPv6 stealth communication mutually trusted relationship between the IPv6 stealth terminals in the data plane according to the encryption communication establishment method described above, the encryption communication method includes:
Step S501, receiving an encrypted IPv6 message sent by an IPv6 stealth terminal of an initiator, wherein the encrypted IPv6 message is generated by the IPv6 stealth terminal of the initiator by applying the encryption communication method from the step S401 to the step S405;
step S502, according to the dynamic target IPv6 address of the encrypted IPv6 message, analyzing to obtain a third timestamp and a dynamic key factor;
The third timestamp and the dynamic key factor are recovered from the dynamic target IPv6 address of the encrypted IPv6 message by inverting the linear operation and shuffling, so that the receiver can carry out the subsequent dynamic key generation and message verification steps; this supplies the parameters needed for decryption;
Step S503, calculating a second time difference value according to a third time stamp and a fourth time stamp, wherein the fourth time stamp is the time stamp when the IPv6 stealth terminal of the receiver receives the encrypted IPv6 message;
Specifically, the second time difference is a time interval between the third time stamp and the fourth time stamp, and is used for reflecting time consumed by transmission of the encrypted IPv6 message in the network;
Step S504, judging whether the second time difference value is smaller than a second preset threshold value, if not, jumping to step S505, and if so, jumping to step S506;
Specifically, in step S505 the verification fails and processing of the encrypted IPv6 message is refused;
judging whether the message arrived within a reasonable time allows stale or replayed messages to be detected and rejected, which improves communication security;
Step S506, performing irreversible operation according to the dynamic key factor and the key seed to generate a dynamic key;
if the time difference value passes the verification, the receiver and the initiator use the same method to generate a dynamic key through one-way hash operation, so that the receiver can correctly generate the same key as the initiator, and the message can be decrypted;
step S507, the encrypted IPv6 message is decrypted according to the dynamic key to obtain a service access message;
The method comprises the steps of obtaining a service access message through decryption, enabling a receiving party to obtain original service data, and thus completing a decryption process of encrypted communication;
Step S508, based on the preset target IPv6 address, the service access message is sent.
The preset target IPv6 address can be a preset application address and can be obtained according to parameters issued by the management platform, and the preset target IPv6 address can also be an original target address embedded into the service access message and can be directly obtained according to the service access message.
In the above embodiment, a complete receiving flow is provided for the receiver IPv6 stealth terminal: confidentiality and integrity of the data are ensured, timeliness is verified, and by sending the decrypted service access message to the preset target IPv6 address the service data reaches its destination, completing the last step of the encrypted communication.
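As an added example that is not part of the original description, the following Python sketches one initiator-to-receiver exchange through steps S401 to S406 and S501 to S507, and reuses for step S504 the same time-window check that step S303 applies to the first time difference. Everything the description leaves open is an assumption made here: the key seed is a 32-byte secret already negotiated between the two terminals; the dynamic key factor is 6 random bytes and the third timestamp a 32-bit UNIX time, packed into the low 80 bits of a /48 prefix and "shuffled" by XOR with a seed-derived mask (the page names a linear operation and shuffling without specifying them); the "irreversible operation" is HMAC-SHA256 keyed with the key seed; message encryption is an HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for a real AEAD such as AES-GCM, which the page does not name; and the receiver additionally remembers key factors it has already accepted, because a time window alone does not stop a replay that arrives inside the window. The threshold value and prefix are constructed.

```python
"""Added example, not code from the patent. Assumed constructions: the key seed is
a shared 32-byte secret; (timestamp, factor) are packed into the low 80 bits of a
/48 prefix and XORed with a seed-derived mask as the "shuffle"; the one-way
operation is HMAC-SHA256; encryption is a PRF keystream plus encrypt-then-MAC tag
standing in for a real AEAD; a seen-factor cache is added beyond the page."""
import hashlib
import hmac
import ipaddress
import secrets
import struct
import time
from typing import Optional, Set, Tuple

PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")  # documentation prefix, constructed
SECOND_THRESHOLD = 30  # seconds; the page gives no value for the second preset threshold
IID_BITS = 128 - PREFIX.prefixlen  # 80 bits carry (third timestamp, dynamic key factor)


def derive_dynamic_key(key_seed: bytes, factor: bytes) -> bytes:
    """Steps S402 / S506: one-way derivation; the seed cannot be recovered from the key."""
    return hmac.new(key_seed, b"dynamic-key" + factor, hashlib.sha256).digest()


def _iid_mask(key_seed: bytes) -> int:
    """Seed-derived mask used as the invertible 'shuffle' of the address suffix (assumption)."""
    return int.from_bytes(hashlib.sha256(b"iid-mask" + key_seed).digest()[: IID_BITS // 8], "big")


def make_dynamic_target(key_seed: bytes, factor: bytes, ts: int) -> ipaddress.IPv6Address:
    """Step S404: pack (third timestamp, dynamic key factor) into the address suffix."""
    raw = struct.pack(">I6s", ts, factor)  # 4 + 6 bytes = 80 bits
    suffix = int.from_bytes(raw, "big") ^ _iid_mask(key_seed)
    return ipaddress.IPv6Address(int(PREFIX.network_address) | suffix)


def parse_dynamic_target(key_seed: bytes, addr: ipaddress.IPv6Address) -> Tuple[int, bytes]:
    """Step S502: undo the shuffle and recover (third timestamp, dynamic key factor)."""
    suffix = int(addr) & ((1 << IID_BITS) - 1)
    raw = (suffix ^ _iid_mask(key_seed)).to_bytes(IID_BITS // 8, "big")
    ts, factor = struct.unpack(">I6s", raw)
    return ts, factor


def within_window(sent_ts: int, recv_ts: int, threshold: int = SECOND_THRESHOLD) -> bool:
    """Steps S303 / S504: accept only when the transit delay is below the preset threshold.
    abs() so a sender clock running ahead cannot pass with a 'negative' delay."""
    return abs(recv_ts - sent_ts) < threshold


def _subkey(dyn_key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from the one dynamic key."""
    return hmac.new(dyn_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (illustrative PRF, not a standard cipher)."""
    blocks = (hmac.new(enc_key, struct.pack(">Q", i), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def encrypt(dyn_key: bytes, plaintext: bytes) -> bytes:
    """Step S403: XOR with the keystream, then append a 16-byte tag (encrypt-then-MAC)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(dyn_key, b"enc"), len(plaintext))))
    tag = hmac.new(_subkey(dyn_key, b"mac"), ct, hashlib.sha256).digest()[:16]
    return ct + tag


def decrypt(dyn_key: bytes, blob: bytes) -> Optional[bytes]:
    """Step S507: verify the tag in constant time before touching the ciphertext."""
    ct, tag = blob[:-16], blob[-16:]
    expect = hmac.new(_subkey(dyn_key, b"mac"), ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(dyn_key, b"enc"), len(ct))))


def initiator_send(key_seed: bytes, message: bytes, now: Optional[int] = None) -> Tuple[ipaddress.IPv6Address, bytes]:
    """Steps S401-S405: returns the dynamic target address and the encrypted payload."""
    factor = secrets.token_bytes(6)                      # S401: fresh factor per message
    dyn_key = derive_dynamic_key(key_seed, factor)       # S402
    payload = encrypt(dyn_key, message)                  # S403
    ts = int(time.time()) if now is None else now        # third timestamp
    return make_dynamic_target(key_seed, factor, ts), payload  # S404 / S405


def receiver_handle(key_seed: bytes, target: ipaddress.IPv6Address, payload: bytes,
                    seen: Set[bytes], now: Optional[int] = None) -> Optional[bytes]:
    """Steps S501-S507; returns the service access message, or None when rejected."""
    if target not in PREFIX:
        return None
    ts, factor = parse_dynamic_target(key_seed, target)  # S502
    recv_ts = int(time.time()) if now is None else now   # fourth timestamp, S503
    if not within_window(ts, recv_ts):                   # S504 / S505: stale or far-future
        return None
    if factor in seen:                                   # replay inside the window (addition)
        return None
    seen.add(factor)
    return decrypt(derive_dynamic_key(key_seed, factor), payload)  # S506 / S507
```

The address carries no secret on its own: without the key seed an observer cannot unshuffle the suffix, and without the factor recovered from it the dynamic key cannot be derived. The tag check runs before decryption so a modified message is dropped without leaking anything about the keystream, and the seen-factor cache is what actually stops a replay that lands inside the time window; the page's window check alone only bounds how long such a replay stays useful.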
The embodiment of the application also discloses an encryption communication system for the initiator IPv6 stealth terminal side.
An encryption communication system applied to an initiator IPv6 stealth terminal in a data plane, wherein an IPv6 stealth communication mutual trust relationship between the IPv6 stealth terminals in the data plane is established by the encryption communication establishment method, and the encryption communication system comprises:
The dynamic key factor generation module is used for responding to a data transmission request of a service access message to be sent and randomly generating a dynamic key factor;
the dynamic key generation module is used for carrying out irreversible operation according to the dynamic key factor and the key seed to obtain a dynamic key, wherein the key seed is obtained by negotiation according to the IPv6 stealth communication mutual trust relationship between an initiator IPv6 stealth terminal and a receiver IPv6 stealth terminal in a data plane;
The message encrypting module is used for encrypting the service access message according to the dynamic key;
The dynamic target IPv6 address generation module is used for generating a dynamic target IPv6 address according to the dynamic key factor and a third timestamp, wherein the third timestamp is a timestamp for sending a service access message;
the encrypted IPv6 message generation module is used for generating an encrypted IPv6 message according to the encrypted service access message and the dynamic target IPv6 address;
and the encryption IPv6 message sending module is used for sending the encryption IPv6 message to the IPv6 stealth terminal of the receiver.
In the embodiment, through the use of the dynamic key and the dynamic target IPv6 address, a highly safe encryption mechanism is provided for communication between IPv6 stealth terminals in a data plane, and data leakage, man-in-the-middle attack and IP tracking can be effectively prevented, so that the safety and privacy of the whole network communication are improved.
The embodiment of the application also discloses an encryption communication system for the receiver IPv6 stealth terminal side.
An encryption communication system is applied to a receiver IPv6 stealth terminal in a data plane, the IPv6 stealth communication mutual trust relationship between the IPv6 stealth terminals in the data plane is established by the encryption communication establishment method, and the encryption communication system comprises:
the system comprises an encryption IPv6 message receiving module, a communication module and a communication module, wherein the encryption IPv6 message receiving module is used for receiving an encryption IPv6 message sent by an initiator IPv6 stealth terminal, wherein the encryption IPv6 message is generated by the initiator IPv6 stealth terminal by applying the encryption communication method from the step S401 to the step S405;
The analysis module is used for analyzing and obtaining a third timestamp and a dynamic key factor according to the dynamic target IPv6 address of the encrypted IPv6 message;
The second time difference value calculation module is used for calculating a second time difference value according to a third time stamp and a fourth time stamp, wherein the fourth time stamp is the time stamp of the receiving party IPv6 stealth terminal receiving the encrypted IPv6 message;
The judging module is used for judging whether the second time difference value is smaller than a second preset threshold value or not, and if yes, outputting a verification passing result;
the dynamic key generation module is used for responding to the verification passing result, and generating a dynamic key by carrying out irreversible operation according to the dynamic key factor and the key seed;
the service access message generation module is used for decrypting the encrypted IPv6 message according to the dynamic key to obtain a service access message;
and the service access message sending module is used for sending the service access message based on the preset target IPv6 address.
In the above embodiment, a complete receiving flow is provided for the receiver IPv6 stealth terminal: confidentiality and integrity of the data are ensured, timeliness is verified, and by sending the decrypted service access message to the preset target IPv6 address the service data reaches its destination, completing the last step of the encrypted communication.
The encryption communication system of the embodiment of the application can realize any method of the encryption communication method, and the specific working process of each module in the encryption communication system can refer to the corresponding process in the embodiment of the method.
In several embodiments provided by the present application, it should be understood that the methods and systems provided may be implemented in other ways. For example, the system embodiments described above are merely illustrative, e.g., the partitioning of a module is merely a logical function partitioning, and there may be additional partitioning in actual implementation, e.g., multiple modules may be combined or integrated into another system, or some features may be omitted, or not performed.
In the foregoing embodiments, the descriptions of the embodiments are focused on, and for those portions of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
The foregoing description of the preferred embodiments of the application is not intended to limit the scope of the application in any way. Unless expressly stated otherwise, any feature disclosed in this specification (including the abstract and drawings) may be replaced by an alternative feature serving the same or an equivalent purpose; that is, each feature is only one example of a generic series of equivalent or similar features.