CN106685979B - Security terminal mark and authentication method and system based on STiP model - Google Patents

Info

Publication number: CN106685979B
Application number: CN201710013800.0A
Authority: CN (China)
Prior art keywords: identifier, host identifier, source, binding information, data packet
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN106685979A
Inventors: 蒋文保, 朱国库
Current assignee: Beijing Information Science and Technology University
Original assignee: Beijing Information Science and Technology University

Events
  • Application filed by Beijing Information Science and Technology University
  • Priority to CN201710013800.0A
  • Publication of CN106685979A
  • Application granted
  • Publication of CN106685979B
  • Legal status: Active (current)
  • Anticipated expiration

Classifications

    • H04L63/0876: Network architectures or network communication protocols for network security; authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 > H04L63/08)
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities (H > H04 > H04L > H04L63/00)
    • H04L63/1466: Countermeasures against active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (H > H04 > H04L > H04L63/00 > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic)
    • H04W12/06: Authentication (H > H04 > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W12/12: Detection or prevention of fraud (H > H04 > H04W > H04W12/00)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a security terminal identification and authentication method and system based on the STiP model. In the method, the local terminal host signs the original text of a data packet containing the source and destination security host identifiers, obtains the data packet to be sent, and sends it to the access authentication server. If the access authentication server does not find the binding information bound to the source security host identifier in its local mapping cache table, it sends a query request to the local mapping resolver; the binding information includes at least the source security host identifier, the public key bound to it, and the routing location identifier of the local access router. If the local mapping resolver does not find the binding information, it iteratively queries the root, top-level and authoritative mapping resolvers in turn. When the access authentication server verifies the data packet to be sent successfully, it forwards it to the local access router; it also applies a hash algorithm to the source and destination security host identifiers to obtain source and destination security host identification labels, which replace the source and destination security host identifiers in the original data packet.

Description

Security terminal mark and authentication method and system based on STiP model

Technical field

The present invention relates to the field of communications, and in particular to a communication method and system based on the STiP (Secure and Trusted internet Protocol) model.
Background technique

As user demand for terminal mobility grows, mobile devices such as laptops, smartphones and tablet computers are used ever more widely, and wireless networks are becoming increasingly popular as a way of avoiding the constraints of wired connections. With this broad adoption come the security risks that mobility brings. At the same time, because the existing TCP/IP protocol has no inherent security mechanism such as address-authenticity identification, attack sources and attacker identities are difficult to trace.
Summary of the invention

The present invention aims to overcome at least one of the above drawbacks by providing a security terminal mark and authentication method and system based on the STiP model, so as to guarantee the security of local terminal host access.

To achieve the above objectives, the technical solution of the present invention is realized as follows.
One aspect of the present invention provides a security terminal mark and authentication method based on the STiP model, comprising:

the local terminal host signs, with its own private key, a data packet original text containing a source security host identifier and a destination security host identifier, obtains a data packet to be sent, and sends it to the access authentication server, where the data packet to be sent consists of the data packet original text and the signature, the source security host identifier is the unique identification of the local terminal host, and the destination security host identifier is the unique identification of the remote terminal host;

the access authentication server receives the data packet to be sent and, if it does not find in its local mapping cache table the binding information bound to the source security host identifier, sends the local mapping resolver a request to query that binding information, where the binding information bound to the source security host identifier includes at least the source security host identifier, the public key bound to it, and the route location identifier of the local access router through which the local terminal host accesses the network;

the local mapping resolver parses the request, searches locally for the binding information bound to the source security host identifier and, if it does not find it, queries the root mapping resolver, the top-level mapping resolver and the authoritative mapping resolver iteratively in turn, obtains the binding information from the authoritative mapping resolver, and sends it to the access authentication server;

the access authentication server receives the binding information, verifies the authenticity of the data packet to be sent with the public key bound to the source security host identifier and, if verification succeeds, sends a data packet to be forwarded, which includes at least the data packet original text, to the local access router;

the local access router receives the data packet to be forwarded and, if it does not find in its local mapping cache table the binding information bound to the destination security host identifier, sends the local mapping resolver a request to query that binding information, where the binding information bound to the destination security host identifier includes at least the destination security host identifier, the public key bound to it, and the route location identifier of the remote access router through which the remote terminal host accesses the network;

the local mapping resolver parses the request, searches locally and, if it does not find the binding information, queries the root, top-level and authoritative mapping resolvers iteratively in turn, obtains the binding information bound to the destination security host identifier from the authoritative mapping resolver, and sends it to the local access router;

the local access router encapsulates a source route location identifier and a destination route location identifier into the data packet to be forwarded and sends the encapsulated packet to the remote access router, where the source route location identifier is that of the local access router and the destination route location identifier is that of the remote access router;

the remote access router receives the encapsulated packet, decapsulates it to obtain the data packet to be forwarded, and sends it to the remote terminal host.
In addition, after the access authentication server receives the binding information bound to the source security host identifier, the method further includes: the access authentication server stores that binding information in its local mapping cache table.

In addition, the local mapping cache table also stores a cache time length for the binding information bound to the source security host identifier, and the method further includes: after the cache time length has elapsed, the access authentication server deletes that binding information.

In addition, the source security host identifier and the destination security host identifier are named according to a preset structure.

In addition, the root mapping resolver, top-level mapping resolver and authoritative mapping resolver form a tree-shaped topology.

In addition, the root mapping resolver, top-level mapping resolver and authoritative mapping resolver form a decentralized topology.

In addition, after the access authentication server receives the data packet to be sent and before it sends the data packet to be forwarded to the local access router, the method further includes: the access authentication server computes a hash of the source security host identifier and of the destination security host identifier to obtain a source security host identification label and a destination security host identification label, and replaces the source and destination security host identifiers in the data packet original text with these labels.
Another aspect of the present invention provides a security terminal mark and authentication system based on the STiP model, comprising:

a local terminal host, configured to sign, with its own private key, a data packet original text containing a source security host identifier and a destination security host identifier, obtain a data packet to be sent, and send it to the access authentication server, where the data packet to be sent includes the data packet original text and the signature, the source security host identifier is the unique identification of the local terminal host, and the destination security host identifier is the unique identification of the remote terminal host;

an access authentication server, configured to receive the data packet to be sent and, if the binding information bound to the source security host identifier is not found in its local mapping cache table, send the local mapping resolver a request to query that binding information, where the binding information bound to the source security host identifier includes at least the source security host identifier, the public key bound to it, and the route location identifier of the local access router through which the local terminal host accesses the network;

a local mapping resolver, configured to parse the request, search locally for the binding information bound to the source security host identifier and, if it is not found, query the root mapping resolver, the top-level mapping resolver and the authoritative mapping resolver iteratively in turn, obtain the binding information from the authoritative mapping resolver, and send it to the access authentication server;

the access authentication server being further configured to receive the binding information bound to the source security host identifier, verify the authenticity of the data packet to be sent with the public key bound to the source security host identifier and, if verification succeeds, send a data packet to be forwarded, which includes at least the data packet original text, to the local access router;

a local access router, configured to receive the data packet to be forwarded and, if the binding information bound to the destination security host identifier is not found in its local mapping cache table, send the local mapping resolver a request to query that binding information, where the binding information bound to the destination security host identifier includes at least the destination security host identifier, the public key bound to it, and the route location identifier of the remote access router through which the remote terminal host accesses the network;

the local mapping resolver being further configured to parse the request, search locally and, if the binding information bound to the destination security host identifier is not found, query the root, top-level and authoritative mapping resolvers iteratively in turn, obtain the binding information from the authoritative mapping resolver, and send it to the local access router;

the local access router being further configured to encapsulate a source route location identifier and a destination route location identifier into the data packet to be forwarded and send the encapsulated packet to the remote access router, where the source route location identifier is that of the local access router and the destination route location identifier is that of the remote access router;

a remote access router, configured to receive the encapsulated packet, decapsulate it to obtain the data packet to be forwarded, and send it to the remote terminal host.
In addition, the access authentication server is further configured, after receiving the binding information bound to the source security host identifier, to store that binding information in its local mapping cache table.

In addition, the local mapping cache table also stores a cache time length for the binding information bound to the source security host identifier, and the access authentication server is further configured to delete that binding information once the cache time length has elapsed.

In addition, the source security host identifier and the destination security host identifier are named according to a preset structure.

In addition, the root mapping resolver, top-level mapping resolver and authoritative mapping resolver form a tree-shaped topology.

In addition, the root mapping resolver, top-level mapping resolver and authoritative mapping resolver form a decentralized topology.

In addition, the access authentication server is further configured, after receiving the data packet to be sent and before sending the data packet to be forwarded to the local access router, to compute a hash of the source security host identifier and of the destination security host identifier to obtain a source security host identification label and a destination security host identification label, and to replace the source and destination security host identifiers in the data packet original text with these labels.

It can be seen from the technical solution provided by the present invention that the security terminal mark and authentication method and system based on the STiP model provided by the embodiments of the present invention can solve network security problems such as source address spoofing and identity security at their source, which helps to build an autonomous, controllable, secure and trustworthy internet environment.
Detailed description of the invention

To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Clearly, the drawings described below are only some embodiments of the invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.

Fig. 1 is a structural schematic diagram of the security terminal mark and authentication system based on the STiP model provided in an embodiment of the present invention;

Fig. 2 is a flow chart of the security terminal mark and authentication method based on the STiP model provided in an embodiment of the present invention.
Specific embodiment

Embodiments of the present invention are described in detail below with reference to the accompanying drawings.

Fig. 1 shows the structure of a security terminal mark and authentication system based on the STiP model provided in an embodiment of the present invention. Referring to Fig. 1, the system includes an access network 10 and a backbone network 20 whose IP address spaces are mutually independent. The access network 10 includes a plurality of terminal hosts (at least a local terminal host 101 and a remote terminal host 103) and at least one access authentication server (at least a local access authentication server 102 connected to the local terminal host 101). As an optional embodiment of the invention, the at least one access authentication server may also include a remote access authentication server (not shown) connected to the remote terminal host 103. The backbone network 20 includes a plurality of access routers (at least a local access router 201 and a remote access router 202), a local mapping resolver 203, a root mapping resolver 204, a top-level mapping resolver 205 and an authoritative mapping resolver 206. The local access router 201 is connected to the local access authentication server 102; the remote access router 202 is connected to the remote terminal host 103 (or, where a remote access authentication server is present, to that server); and the local mapping resolver 203, root mapping resolver 204, top-level mapping resolver 205 and authoritative mapping resolver 206 are connected in sequence. Those skilled in the art will appreciate that the above connections may be wired or wireless; the present invention does not limit this. The security terminal mark and authentication system based on the STiP model provided in an embodiment of the present invention is described in detail below:
The local terminal host 101 is configured to sign, with its own private key, a data packet original text containing the source security host identifier and the destination security host identifier, obtain a data packet to be sent, and send it to the access authentication server 102, where the data packet to be sent includes the data packet original text and the signature, the source security host identifier is the unique identification of the local terminal host 101, and the destination security host identifier is the unique identification of the remote terminal host 103;

the access authentication server 102 is configured to receive the data packet to be sent and, if the binding information bound to the source security host identifier is not found in its local mapping cache table, send the local mapping resolver 203 a request to query that binding information, where the binding information bound to the source security host identifier includes at least the source security host identifier, the public key bound to it and the route location identifier of the local access router 201 through which the local terminal host accesses the network;

the local mapping resolver 203 is configured to parse the request, search locally for the binding information bound to the source security host identifier and, if it is not found, query the root mapping resolver 204, the top-level mapping resolver 205 and the authoritative mapping resolver 206 iteratively in turn, obtain the binding information from the authoritative mapping resolver 206, and send it to the access authentication server 102;

the access authentication server 102 is further configured to receive the binding information bound to the source security host identifier, verify the authenticity of the data packet to be sent with the public key bound to the source security host identifier and, if verification succeeds, send a data packet to be forwarded, which includes at least the data packet original text, to the local access router 201;

the local access router 201 is configured to receive the data packet to be forwarded and, if the binding information bound to the destination security host identifier is not found in its local mapping cache table, send the local mapping resolver 203 a request to query that binding information, where the binding information bound to the destination security host identifier includes at least the destination security host identifier, the public key bound to it and the route location identifier of the remote access router through which the remote terminal host accesses the network;

the local mapping resolver 203 is further configured to parse the request, search locally for the binding information bound to the destination security host identifier and, if it is not found, query the root mapping resolver 204, the top-level mapping resolver 205 and the authoritative mapping resolver 206 iteratively in turn, obtain the binding information from the authoritative mapping resolver, and send it to the local access router 201;

the local access router 201 is further configured to encapsulate the source route location identifier and the destination route location identifier into the data packet to be forwarded and send the encapsulated packet to the remote access router 202, where the source route location identifier is the route location identifier of the local access router 201 and the destination route location identifier is the route location identifier of the remote access router 202;

the remote access router 202 is configured to receive the encapsulated packet, decapsulate it to obtain the data packet to be forwarded, and send it to the remote terminal host 103.
It can be seen that the security terminal mark and authentication system based on the STiP model provided by the embodiment of the present invention can solve network security problems such as source address spoofing and identity security at their source, which helps to build an autonomous, controllable, secure and trustworthy internet environment.

Specifically, the access network 10 completes the access of terminal hosts. On the basis of the STiP model provided in the embodiment of the present invention, every terminal host in the access network is identified by a globally unique SHI (Secure Host Identifier); the security host identifier does not take part in global routing. The backbone network 20 implements data routing. The local mapping resolver 203, root mapping resolver 204, top-level mapping resolver 205 and authoritative mapping resolver 206 may each be configured as a single server, such as a mapping server, or as a server cluster; the present invention does not restrict this.

The access network 10 and the backbone network 20 use independent address spaces: the access network 10 forwards data using security terminal identifiers, while the backbone network 20 routes and forwards data packets using IP addresses. Because a terminal host cannot reach an access router directly, attacks by terminal hosts on access routers are effectively prevented. This separation of the access network 10 and the backbone network 20 in the STiP model provided in the embodiment of the present invention also allows future terminal access technologies and the backbone network architecture to evolve independently of each other.
In the access network 10, the authenticity of a terminal host is verified by the access authentication server. Specifically, before use, each terminal host is issued a public/private key pair, for example by a mapping server, and the key pair is bound to the terminal host identifier, that is, the public and private keys are bound to the SHI. At the same time, the SHI is bound to the RLOC (Routing Locator, the route location identifier) of its access router, so that the mapping server records a triple as the binding of each terminal host: the SHI, the public key bound to the SHI, and the RLOC of the access router that the SHI accesses. The source terminal host signs the data packet with its private key, and the access authentication server obtains the public key bound to the source SHI by querying, for example, the mapping server, and thereby authenticates the data packet from the source terminal host. A specific implementation is given below, but the present invention is not limited to it. In the STiP model, when a terminal host at one site sends data to a terminal host at another site, that is, when the local terminal host 101 sends data to the remote terminal host 103 and the data reaches the access authentication server 102, then if no SHI-to-RLOC mapping entry (the mapping between the security host identifier of the local terminal host and the route location identifier of the local access router) is found in the local mapping cache table of the local access authentication server, the server sends a message to the LMR (Local Map Resolver) requesting the SHI-to-RLOC mapping. After receiving the request from the access authentication server 102, the LMR parses the request message and first searches locally for the binding information bound to the SHI of the local terminal host; if no record for that SHI exists, the LMR initiates an iterative query to the RMR (Root Map Resolver). After three iterative queries, through the root mapping resolver, the TMR (Top-level Map Resolver) and the AMR (Authoritative Map Resolver), the local mapping resolver obtains from the authoritative mapping resolver the binding information for the SHI queried by the access authentication server 102, namely SHI-Public Key-RLOC (the public key bound to the SHI together with the RLOC). After the access authentication server 102 sends the data packet to the local access router 201, the local access router 201 obtains the RLOC address bound to the SHI of the remote terminal host 103, and then encapsulates the message using its own RLOC as the source address and the RLOC of the remote access router 202 as the destination address. After receiving the data packet, the remote access router 202 decapsulates the message and sends it to the remote terminal host 103.
In the access network 20, the access authentication server 102 verifies that the attaching end host is neither forged nor impersonated. Specifically, this can be done as follows: the local end host 101 applies a digest operation to message X to obtain a very short message digest H1, then performs the D operation, i.e. the digital signature, on H1 with its own private key. The resulting signature D(H1) is appended to message X and sent. On receiving the message, the access authentication server 102 first separates the signature D(H1) from message X, then applies the E operation to D(H1) with the public key of the local end host 101 to recover the message digest H1; it then applies the digest operation to message X itself to obtain message digest H2. If H1 equals H2, the access authentication server 102 concludes that the received message is authentic; otherwise it is not.
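The sign-then-verify exchange just described, as an added example that is not code from the patent: the D and E operations are modelled with textbook RSA over a SHA-256 digest so that it runs with the Python standard library alone, the key pair is built from two constructed Mersenne primes (a toy key, chosen only so the example is self-contained; a deployment would use a standard padded signature scheme), and the SHI and RLOC strings are placeholders. The verifier looks the public key up by source SHI in the SHI-Public Key-RLOC binding table, as the access authentication server does.

```python
import hashlib
import json


def make_toy_keypair():
    """Constructed toy RSA key for this example: p = 2^127-1 and q = 2^521-1 are
    Mersenne primes, so n = p*q is about 648 bits and a 256-bit digest fits
    below n. Returns (public_key, private_key) as (n, e) and (n, d)."""
    p = (1 << 127) - 1
    q = (1 << 521) - 1
    n = p * q
    e = 65537
    d = pow(e, -1, (p - 1) * (q - 1))      # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest_int(message: bytes) -> int:
    """The 'digest operation' of the text: message X -> short digest, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign_packet(original: dict, private_key) -> dict:
    """Source end host: H1 = digest(X); D(H1) with the private key; send X plus D(H1)."""
    n, d = private_key
    x = json.dumps(original, sort_keys=True).encode()   # canonical packet original text
    h1 = digest_int(x)
    return {"original": x, "signature": pow(h1, d, n)}  # D operation on H1


def verify_packet(packet: dict, bindings: dict) -> bool:
    """Access authentication server: look up the public key bound to the source SHI,
    recover H1 = E(D(H1)), recompute H2 = digest(X), accept only if H1 == H2.
    `bindings` maps SHI -> (public_key, rloc), i.e. the triple the mapping server records."""
    x = packet["original"]
    src_shi = json.loads(x)["src_shi"]
    if src_shi not in bindings:
        return False                                    # no binding for the source host: reject
    (n, e), _rloc = bindings[src_shi]
    h1 = pow(packet["signature"], e, n)                 # E operation with the public key
    h2 = digest_int(x)
    return h1 == h2


def demo():
    """Signs one packet and checks it, then checks a tampered copy of the same packet."""
    pub, priv = make_toy_keypair()
    # Constructed sample values: hierarchical SHIs and an RLOC for the local access router.
    bindings = {"host1.site-a.example": (pub, "RLOC-AR-201")}
    original = {"src_shi": "host1.site-a.example",
                "dst_shi": "host3.site-b.example",
                "payload": "hello"}
    packet = sign_packet(original, priv)
    ok = verify_packet(packet, bindings)
    # Altering the original text after signing makes H2 differ from the recovered H1.
    forged = dict(packet, original=packet["original"].replace(b"hello", b"HELLO"))
    return ok, verify_packet(forged, bindings)


if __name__ == "__main__":
    print(demo())   # (True, False)
```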
As an optional embodiment of the invention, after receiving the binding information bound to the source security host identifier, the access authentication server 102 also stores that binding information in its local mapping cache table. Specifically, whenever a query request of the access authentication server 102 receives a response, the binding information carried in the response message can be stored in the local mapping cache table, so that later use does not require another query, which improves processing efficiency.
As an optional embodiment of the invention, the local mapping cache table also stores the cache duration of the binding information bound to the source security host identifier, and the access authentication server is further configured to delete that binding information once the cache duration has elapsed. Specifically, a TTL (Time-To-Live) value, i.e. the length of time the binding information is cached, can be set in each cache record of the local mapping cache table; within that period the cache improves efficiency, and once the period is exceeded the binding information must be reacquired, which improves security.
As an optional embodiment of the invention, the source security host identifier and the destination security host identifier are named according to a preset structure. Specifically, the security host identifier provided in the embodiment can be named using a hierarchically structured host identifier naming scheme, which ensures the global uniqueness and aggregability of SHIs.
As an optional embodiment of the invention, the root map resolver 204, the top-level map resolver 205 and the authoritative map resolver 206 form a tree-shaped topology. The top-down iterative query then guarantees that every mapping resolution follows the shortest lookup path, which both ensures the global uniqueness and aggregability of SHIs and keeps the mapping table size of each layer of map resolver under control.
As an optional embodiment of the invention, the root map resolver 204, the top-level map resolver 205 and the authoritative map resolver 206 form a decentralized topology. Since the update frequency of mapping relations is mainly driven by end host mobility and reachability changes, the hierarchical tree-shaped map resolution system established by the invention can quickly respond to registration, update, query and removal requests for mapping relations; the update frequency of mapping relations and the traffic of update messages do not become the performance bottleneck of any layer of map resolver, because maintenance of the mapping relations is state-convergent, and both mapping lookup latency and mapping state scale are controllable.
Specifically, take the following SHI naming topology example: facility.scheme.bistu.edu.cn. The iterative query that resolves the mapping relation for facility.scheme.bistu.edu.cn proceeds as follows:
A. The local map resolver analyzes the full name, determines the location of the map resolver authoritative for cn, sends a request and receives a response;
B. It queries the cn map resolver and obtains referral information for the edu.cn server;
C. It queries the edu.cn map resolver and obtains referral information for the bistu.edu.cn server;
D. It queries the bistu.edu.cn map resolver and obtains referral information for the scheme.bistu.edu.cn server;
E. It queries the scheme.bistu.edu.cn map resolver and obtains the binding information response for facility.scheme.bistu.edu.cn.
As an optional embodiment of the invention, after receiving the packet to be sent and before sending the packet to be forwarded to the local access router 201, the access authentication server 102 further applies a hash algorithm to the source security host identifier and the destination security host identifier, obtaining a source security host identifier tag and a destination security host identifier tag, and replaces the source and destination security host identifiers in the packet original text with these tags. Because the security host identifier SHI is globally unique, in order to increase the privacy of the source host identifier in packets transmitted across the backbone network 20, a concrete implementation may have the access authentication server 102 use a hash algorithm to generate a fixed-length SHIT (Secure Host Identifier Tag) from the variable-length security host identifier and then replace the source host identifier in the original packet with that hash value.
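The following is an added illustration (not the patent's own code) of three pieces described above together: the TTL-bounded local mapping cache, the top-down iterative query over the tree of map resolvers for the worked name facility.scheme.bistu.edu.cn, and the fixed-length SHIT derived from a SHI. The resolver classes, the in-memory delegation tables and the public key and RLOC strings are all constructed for the example; the clock is injectable so that cache expiry can be exercised offline.

```python
import hashlib
import time


class MapResolver:
    """One node of the tree of map resolvers (root / top-level / authoritative).
    `bindings` holds the SHI-Public Key-RLOC triples this node is authoritative for;
    `referrals` maps a delegated name suffix to the child resolver serving it."""

    def __init__(self, name: str):
        self.name = name
        self.bindings = {}
        self.referrals = {}

    def delegate(self, suffix: str, child: "MapResolver") -> None:
        self.referrals[suffix] = child

    def register(self, shi: str, public_key: str, rloc: str) -> None:
        self.bindings[shi] = (shi, public_key, rloc)

    def query(self, shi: str):
        """Answer a query: ('binding', triple), ('referral', child) or ('none', None)."""
        if shi in self.bindings:
            return "binding", self.bindings[shi]
        # Longest delegated suffix wins, e.g. 'scheme.bistu.edu.cn' over 'bistu.edu.cn'.
        for suffix in sorted(self.referrals, key=len, reverse=True):
            if shi == suffix or shi.endswith("." + suffix):
                return "referral", self.referrals[suffix]
        return "none", None


class LocalMapResolver:
    """LMR with a TTL-bounded local mapping cache. On a miss it walks the tree
    top-down from the root, following referrals until a binding is returned."""

    def __init__(self, root: MapResolver, ttl_seconds: float = 60.0, clock=time.monotonic):
        self.root = root
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so TTL expiry can be tested offline
        self.cache = {}             # SHI -> (triple, expiry time)

    def resolve(self, shi: str):
        """Returns (triple, path); `path` lists the resolvers consulted ([] on a cache hit)."""
        entry = self.cache.get(shi)
        if entry is not None and entry[1] > self.clock():
            return entry[0], []
        self.cache.pop(shi, None)   # expired or absent: must be re-fetched (the TTL rule)
        node, path = self.root, []
        while node is not None:
            path.append(node.name)
            kind, payload = node.query(shi)
            if kind == "binding":
                self.cache[shi] = (payload, self.clock() + self.ttl)
                return payload, path
            node = payload if kind == "referral" else None
        raise LookupError(f"no binding registered for {shi}")


def shi_tag(shi: str, length: int = 16) -> bytes:
    """SHIT: fixed-length tag derived from a variable-length SHI with a hash, used in
    place of the globally unique SHI in packets crossing the backbone. Note that a plain
    hash of a public name can be recomputed by anyone holding a candidate list of names."""
    return hashlib.sha256(shi.encode()).digest()[:length]


def build_sample_tree() -> MapResolver:
    """Constructed resolver tree for the worked name facility.scheme.bistu.edu.cn;
    the public key and RLOC values are placeholders."""
    root = MapResolver("root")
    parent = root
    for name in ["cn", "edu.cn", "bistu.edu.cn", "scheme.bistu.edu.cn"]:
        child = MapResolver(name)
        parent.delegate(name, child)
        parent = child
    parent.register("facility.scheme.bistu.edu.cn",
                    "PUBKEY-facility (placeholder)", "RLOC-AR-201 (placeholder)")
    return root


if __name__ == "__main__":
    lmr = LocalMapResolver(build_sample_tree())
    triple, path = lmr.resolve("facility.scheme.bistu.edu.cn")
    print(path)   # ['root', 'cn', 'edu.cn', 'bistu.edu.cn', 'scheme.bistu.edu.cn']
    print(shi_tag(triple[0]).hex())
```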
Fig. 2 shows a flow chart of the security terminal identification and authentication method based on the STiP model provided in an embodiment of the invention. The method applies to the system described above, so it is only briefly described below; for all other matters refer to the description of the system. Referring to Fig. 2, the method provided in the embodiment includes:
S201: The local end host signs, with its own private key, the packet original text containing the source security host identifier and the destination security host identifier, obtains the packet to be sent, and sends it to the access authentication server, where the packet to be sent includes the packet original text and the signature, the source security host identifier is the unique identifier of the local end host, and the destination security host identifier is the unique identifier of the remote end host;
S202: The access authentication server receives the packet to be sent and, if it does not find binding information bound to the source security host identifier in its local mapping cache table, sends to the local map resolver a request to query that binding information, where the binding information bound to the source security host identifier includes at least the source security host identifier, the public key bound to it, and the routing locator of the local access router through which the local end host attaches;
S203: The local map resolver parses the request, looks up the binding information bound to the source security host identifier locally and, if it does not find it, iteratively queries the root map resolver, the top-level map resolver and the authoritative map resolver in turn, obtains the binding information from the authoritative map resolver, and sends it to the access authentication server;
S204: The access authentication server receives the binding information bound to the source security host identifier and verifies the authenticity of the packet to be sent with the public key bound to the source security host identifier; if the check passes, it sends the packet to be forwarded to the local access router, where the packet to be forwarded includes at least the packet original text;
S205: The local access router receives the packet to be forwarded and, if it does not find binding information bound to the destination security host identifier in its local mapping cache table, sends to the local map resolver a request to query that binding information, where the binding information bound to the destination security host identifier includes at least the destination security host identifier, the public key bound to it, and the routing locator of the remote access router through which the remote end host attaches;
S206: The local map resolver parses the request, looks up the binding information bound to the destination security host identifier locally and, if it does not find it, iteratively queries the root map resolver, the top-level map resolver and the authoritative map resolver in turn, obtains the binding information from the authoritative map resolver, and sends it to the local access router;
S207: The local access router encapsulates the packet to be forwarded with a source routing locator and a destination routing locator and sends the encapsulated packet to the remote access router, where the source routing locator is the routing locator of the local access router and the destination routing locator is the routing locator of the remote access router;
S208: The remote access router receives the encapsulated packet, decapsulates it to obtain the packet to be forwarded, and sends the packet to be forwarded to the remote end host.
It can thus be seen that the security terminal identification and authentication method based on the STiP model provided by the embodiment of the invention can solve network security problems such as source address spoofing and identity security at their source, which helps to build an autonomous, controllable, secure and trustworthy Internet environment.
As an optional embodiment of the invention, after the access authentication server receives the binding information bound to the source security host identifier, the method further includes: the access authentication server storing the binding information bound to the source security host identifier in the local mapping cache table. Specifically, whenever a query request of the access authentication server receives a response, the binding information carried in the response message can be stored in the local mapping cache table, so that later use does not require another query, which improves processing efficiency.
As an optional embodiment of the invention, the local mapping cache table also stores the cache duration of the binding information bound to the source security host identifier, and the method further includes: the access authentication server deleting that binding information once the cache duration has elapsed. Specifically, a TTL (Time-To-Live) value, i.e. the length of time the binding information is cached, can be set in each cache record of the local mapping cache table; within that period the cache improves efficiency, and once the period is exceeded the binding information must be reacquired, which improves security.
As an optional embodiment of the invention, the source security host identifier and the destination security host identifier are named according to a preset structure. Specifically, the security host identifier provided in the embodiment can be named using a hierarchically structured host identifier naming scheme, which ensures the global uniqueness and aggregability of SHIs.
As an optional embodiment of the invention, the root map resolver, the top-level map resolver and the authoritative map resolver form a tree-shaped topology. The top-down iterative query then guarantees that every mapping resolution follows the shortest lookup path, which both ensures the global uniqueness and aggregability of SHIs and keeps the mapping table size of each layer of map resolver under control.
As an optional embodiment of the invention, the root map resolver, the top-level map resolver and the authoritative map resolver form a decentralized topology. Since the update frequency of mapping relations is mainly driven by end host mobility and reachability changes, the hierarchical tree-shaped map resolution system established by the invention can quickly respond to registration, update, query and removal requests for mapping relations; the update frequency of mapping relations and the traffic of update messages do not become the performance bottleneck of any layer of map resolver, because maintenance of the mapping relations is state-convergent, and both mapping lookup latency and mapping state scale are controllable.
As an optional embodiment of the invention, after the access authentication server receives the packet to be sent and before it sends the packet to be forwarded to the local access router, the method further includes: the access authentication server applying a hash algorithm to the source security host identifier and the destination security host identifier, obtaining a source security host identifier tag and a destination security host identifier tag, and replacing the source and destination security host identifiers in the packet original text with these tags. Because the security host identifier SHI is globally unique, in order to increase the privacy of the source host identifier in packets transmitted across the backbone network 20, a concrete implementation may have the access authentication server 102 use a hash algorithm to generate a fixed-length SHIT (Secure Host Identifier Tag) from the variable-length security host identifier and then replace the source host identifier in the original packet with that hash value.
Any process or method description in the flow chart, or otherwise described herein, may be understood as representing a module, segment or portion of executable instruction code comprising one or more steps for implementing a specific logical function or process, and the scope of the preferred embodiments of the invention includes other implementations in which functions may be executed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functionality involved, as would be understood by those skilled in the art to which the embodiments of the invention pertain.
Those skilled in the art will understand that all or part of the steps of the methods of the above embodiments can be completed by instructing relevant hardware through a program; the program can be stored in a computer-readable storage medium and, when executed, includes one or a combination of the steps of the method embodiments.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic uses of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The above embodiments only describe preferred embodiments of the invention and do not limit its scope. Without departing from the spirit of the design of the invention, the various changes and improvements made by ordinary engineers and technicians in the field to the technical solution of the invention fall within the scope of protection determined by the claims of the invention.

Claims (14)

1.一种基于STiP模型的安全终端标识及认证方法,其特征在于,包括:1. a security terminal identification and authentication method based on STiP model, is characterized in that, comprises: 本端终端主机利用所述本端终端主机的私钥将包含有源安全主机标识符和目的安全主机标识符的数据包原文进行签名,得到待发送数据包,将所述待发送数据包发送至接入认证服务器,其中,所述待发送数据包包括所述数据包原文以及所述签名,所述源安全主机标识符为所述本端终端主机的唯一标识,所述目的安全主机标识符为对端终端主机的唯一标识;The local terminal host uses the private key of the local terminal host to sign the original data packet containing the source security host identifier and the destination security host identifier, obtains the data packet to be sent, and sends the data packet to be sent to access authentication server, wherein the data packet to be sent includes the original text of the data packet and the signature, the source secure host identifier is the unique identifier of the local terminal host, and the destination secure host identifier is The unique identifier of the peer terminal host; 所述接入认证服务器接收所述待发送数据包,在本地映射缓存表中未查找到与所述源安全主机标识符绑定的绑定信息的情况下,向本地映射解析器发送查询与所述源安全主机标识符绑定的绑定信息的请求,其中,所述与所述源安全主机标识符绑定的绑定信息至少包括所述源安全主机标识符、与所述源安全主机标识符绑定的公钥以及所述本端终端主机接入的本端接入路由器的路由位置标识;The access authentication server receives the to-be-sent data packet, and in the case where the binding information bound to the source security host identifier is not found in the local mapping cache table, sends a query to the local mapping resolver with the requested information. request for binding information bound to the source security host identifier, wherein the binding information bound to the source security host identifier includes at least the source security host identifier, the source security host identifier and the source security host identifier. 
The public key bound to the token and the routing location identifier of the local access router accessed by the local terminal host; 所述本地映射解析器解析所述查询与所述源安全主机标识符绑定的绑定信息的请求,在本地查询所述与所述源安全主机标识符绑定的绑定信息,在本地映射解析器未查找到所述与所述源安全主机标识符绑定的绑定信息的情况下,依次向根映射解析器、顶级映射解析器以及权限映射解析器进行迭代查询,并从所述权限映射解析器获取所述与所述源安全主机标识符绑定的绑定信息,并将所述与所述源安全主机标识符绑定的绑定信息发送至所述接入认证服务器;The local mapping parser parses the request for querying the binding information bound to the source security host identifier, locally queries the binding information bound to the source security host identifier, and maps locally In the case where the parser does not find the binding information bound to the source security host identifier, iteratively queries the root map parser, the top-level map parser, and the authority map parser in turn, and retrieves the information from the authority. The mapping resolver obtains the binding information bound with the source secure host identifier, and sends the binding information bound with the source secure host identifier to the access authentication server; 所述接入认证服务器接收所述与所述源安全主机标识符绑定的绑定信息,利用所述与所述源安全主机标识符绑定的公钥验证所述待发送数据包的真伪,若检验通过,将待转发数据包发送至本端接入路由器,其中,所述待转发数据包至少包括所述数据包原文;The access authentication server receives the binding information bound with the source secure host identifier, and uses the public key bound with the source secure host identifier to verify the authenticity of the data packet to be sent , if the check is passed, send the data packet to be forwarded to the local access router, wherein the data packet to be forwarded at least includes the original text of the data packet; 所述本端接入路由器接收所述待转发数据包,在本地映射缓存表中未查找到与所述目的安全主机标识符绑定的绑定信息的情况下,向本地映射解析器发送查询与所述目的安全主机标识符绑定的绑定信息的请求,其中,所述与所述目的安全主机标识符绑定的绑定信息至少包括所述目的安全主机标识符、与所述目的安全主机标识符绑定的公钥以及所述对端终端主机接入的对端接入路由器的路由位置标识;The local access router receives the data packet to be forwarded, and in the case where the binding information bound to the destination secure host identifier is not found in the local mapping cache table, it sends a query and a query 
to the local mapping resolver. A request for binding information bound to the destination secure host identifier, wherein the binding information bound to the destination secure host identifier includes at least the destination secure host identifier, the destination secure host identifier, and the destination secure host identifier. The public key bound to the identifier and the routing location identifier of the peer access router accessed by the peer terminal host; 所述本地映射解析器解析所述查询与所述目的安全主机标识符绑定的绑定信息的请求,在本地查询与所述与所述目的安全主机标识符绑定的绑定信息,在本地映射解析器未查找到所述与所述目的安全主机标识符绑定的绑定信息的情况下,依次向根映射解析器、顶级映射解析器以及权限映射解析器进行迭代查询,并从所述权限映射解析器获取所述与所述目的安全主机标识符绑定的绑定信息,并将所述与所述目的安全主机标识符绑定的绑定信息发送至所述本端接入路由器;The local mapping parser parses the request for querying the binding information bound to the destination secure host identifier, locally queries the binding information bound to the destination secure host identifier, and locally In the case where the mapping resolver does not find the binding information bound to the destination secure host identifier, iteratively queries the root mapping resolver, the top-level mapping resolver, and the authority mapping resolver in turn, and retrieves the information from the The rights mapping parser obtains the binding information bound with the destination secure host identifier, and sends the binding information bound with the destination secure host identifier to the local access router; 所述本端接入路由器将源路由位置标识以及目的路由位置标识封装到所述待转发数据包,将封装后的待转发数据包发送至所述对端接入路由器,其中,所述源路由位置标识为所述本端接入路由器的路由位置标识,所述目的路由位置标识为所述对端接入路由器的路由位置标识;The local access router encapsulates the source routing location identifier and the destination routing location identifier into the to-be-forwarded data packet, and sends the encapsulated to-be-forwarded data packet to the opposite-end access router, wherein the source route The location identifier is the routing location identifier of the local access router, and the destination routing location identifier is the routing location identifier of the 
opposite end access router; 所述对端接入路由器接收所述封装后的待转发数据包,将所述封装后的待转发数据包进行解封装,得到所述待转发数据包,并将所述待转发数据包发送至所述对端终端主机。The peer access router receives the encapsulated data packet to be forwarded, decapsulates the encapsulated data packet to be forwarded, obtains the to-be-forwarded data packet, and sends the to-be-forwarded data packet to the opposite terminal host. 2.根据权利要求1所述的方法,其特征在于,所述接入认证服务器接收所述与所述源安全主机标识符绑定的绑定信息之后,所述方法还包括:所述接入认证服务器将所述与所述源安全主机标识符绑定的绑定信息保存在所述本地映射缓存表中。2. The method according to claim 1, wherein after the access authentication server receives the binding information bound with the source security host identifier, the method further comprises: the access The authentication server saves the binding information bound with the source security host identifier in the local mapping cache table. 3.根据权利要求2所述的方法,其特征在于,所述本地映射缓存表中还存储有所述与所述源安全主机标识符绑定的绑定信息的缓存时间长度;所述方法还包括:3. The method according to claim 2, wherein the local mapping cache table further stores the cache time length of the binding information bound to the source security host identifier; the method further include: 所述接入认证服务器在所述缓存时间长度到时后,删除所述与所述源安全主机标识符绑定的绑定信息。The access authentication server deletes the binding information bound with the source security host identifier after the cache time period expires. 4.根据权利要求1所述的方法,其特征在于,所述源安全主机标识符和所述目的安全主机标识符是按照预设结构命名的。4. The method according to claim 1, wherein the source secure host identifier and the destination secure host identifier are named according to a preset structure. 5.根据权利要求1至4任一项所述的方法,其特征在于,所述根映射解析器、所述顶级映射解析器以及所述权限映射解析器组成树状的拓扑结构。5. The method according to any one of claims 1 to 4, wherein the root map parser, the top-level map parser, and the authority map parser form a tree-like topology. 6.根据权利要求5所述的方法,其特征在于,所述根映射解析器、所述顶级映射解析器以及所述权限映射解析器组成去中心化的拓扑结构。6 . The method according to claim 5 , wherein the root map parser, the top-level map parser, and the authority map parser form a decentralized topology. 7 . 
7.根据权利要求1所述的方法,其特征在于,所述接入认证服务器接收所述待发送数据包之后,将待转发数据包发送至本端接入路由器之前,所述方法还包括:7. The method according to claim 1, wherein, after the access authentication server receives the data packet to be sent, before sending the data packet to be forwarded to the local access router, the method further comprises: 所述接入认证服务器使用哈希算法对所述源安全主机标识符和所述目的安全主机标识符进行运算,获得所述源安全主机标识标签和目的安全主机标识标签,将所述源安全主机标识标签和所述目的安全主机标识标签替换所述数据包原文中的源安全主机标识符和所述目的安全主机标识符。The access authentication server uses a hash algorithm to calculate the source secure host identifier and the destination secure host identifier to obtain the source secure host identification label and the destination secure host identification label, and assign the source secure host The identification tag and the destination secure host identification tag replace the source secure host identifier and the destination secure host identifier in the original text of the data packet. 8.一种基于STiP模型的安全终端标识及认证系统,其特征在于,包括:8. a security terminal identification and authentication system based on STiP model, is characterized in that, comprises: 本端终端主机,用于利用所述本端终端主机的私钥将包含有源安全主机标识符和目的安全主机标识符的数据包原文进行签名,得到待发送数据包,将所述待发送数据包发送至接入认证服务器,其中,所述待发送数据包包括所述数据包原文以及所述签名,所述源安全主机标识符为所述本端终端主机的唯一标识,所述目的安全主机标识符为对端终端主机的唯一标识;The local terminal host is configured to use the private key of the local terminal host to sign the original text of the data packet containing the source secure host identifier and the destination secure host identifier to obtain a data packet to be sent, and to send the data to be sent. 
The packet is sent to the access authentication server, wherein the data packet to be sent includes the original text of the data packet and the signature, the source secure host identifier is the unique identifier of the local terminal host, and the destination secure host The identifier is the unique identifier of the opposite terminal host; 所述接入认证服务器,用于接收所述待发送数据包,在本地映射缓存表中未查找到与所述源安全主机标识符绑定的绑定信息的情况下,向本地映射解析器发送查询与所述源安全主机标识符绑定的绑定信息的请求,其中,所述与所述源安全主机标识符绑定的绑定信息至少包括所述源安全主机标识符、与所述源安全主机标识符绑定的公钥以及所述本端终端主机接入的本端接入路由器的路由位置标识;The access authentication server is configured to receive the to-be-sent data packet, and send the data packet to the local mapping resolver if the binding information bound to the source security host identifier is not found in the local mapping cache table A request for querying binding information bound to the source secure host identifier, wherein the binding information bound to the source secure host identifier includes at least the source secure host identifier, the source secure host identifier, and the source secure host identifier. 
the public key bound to the source secure host identifier, and the routing location identifier of the local access router to which the local terminal host is attached;
the local mapping resolver is configured to parse the request for the binding information bound to the source secure host identifier and to look that binding information up locally; if the local mapping resolver does not find it, the local mapping resolver iteratively queries the root mapping resolver, the top-level mapping resolver and the authority mapping resolver in turn, obtains the binding information bound to the source secure host identifier from the authority mapping resolver, and sends it to the access authentication server;
the access authentication server is further configured to receive the binding information bound to the source secure host identifier, to verify the authenticity of the packet to be sent with the public key bound to the source secure host identifier and, if the check passes, to send a packet to be forwarded to the local access router, the packet to be forwarded comprising at least the original packet content;
the local access router is configured to receive the packet to be forwarded and, if binding information bound to the destination secure host identifier is not found in its local mapping cache table, to send the local mapping resolver a request for the binding information bound to the destination secure host identifier, that binding information comprising at least the destination secure host identifier, the public key bound to the destination secure host identifier, and the routing location identifier of the peer access router to which the peer terminal host is attached;
the local mapping resolver is further configured to parse the request for the binding information bound to the destination secure host identifier and to look that binding information up locally; if the local mapping resolver does not find it, the local mapping resolver iteratively queries the root mapping resolver, the top-level mapping resolver and the authority mapping resolver in turn, obtains the binding information bound to the destination secure host identifier from the authority mapping resolver, and sends it to the local access router;
the local access router is further configured to encapsulate a source routing location identifier and a destination routing location identifier into the packet to be forwarded and to send the encapsulated packet to the peer access router, the source routing location identifier being the routing location identifier of the local access router and the destination routing location identifier being the routing location identifier of the peer access router; and
the peer access router is configured to receive the encapsulated packet, decapsulate it to obtain the packet to be forwarded, and send the packet to be forwarded to the peer terminal host.

9. The system of claim 8, wherein the access authentication server is further configured to store the binding information bound to the source secure host identifier in the local mapping cache table after receiving it.

10. The system of claim 9, wherein the local mapping cache table further stores a cache lifetime for the binding information bound to the source secure host identifier, and the access authentication server is further configured to delete the binding information bound to the source secure host identifier when that cache lifetime expires.

11. The system of claim 8, wherein the source secure host identifier and the destination secure host identifier are named according to a preset structure.

12. The system of any one of claims 8 to 11, wherein the root mapping resolver, the top-level mapping resolver and the authority mapping resolver form a tree topology.

13. The system of claim 12, wherein the root mapping resolver, the top-level mapping resolver and the authority mapping resolver form a decentralized topology.

14. The system of claim 8, wherein the access authentication server is further configured, after receiving the packet to be sent and before sending the packet to be forwarded to the local access router, to apply a hash algorithm to the source secure host identifier and the destination secure host identifier to obtain a source secure host identification tag and a destination secure host identification tag, and to replace the source secure host identifier and the destination secure host identifier in the original packet content with the source secure host identification tag and the destination secure host identification tag.
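The data path of claims 8 and 14, as an added example written for this page (it is not code from the patent or its inventors): the source host signs a packet addressed by secure host identifiers; the access authentication server resolves the binding for the source identifier through a local -> root -> top-level -> authority resolver chain, verifies the signature with the bound public key and, only if it passes, replaces both identifiers with hashed tags; the local access router resolves the destination locator and encapsulates the packet with the source and destination routing locators; the peer access router decapsulates it. Everything the claims leave open is an assumption of the example: Ed25519 as the signature scheme, a signature over the two identifiers plus the payload, truncated SHA-256 as the hash of claim 14, a flat map per resolver level, and the constructed identifiers `cn.bistu.hostA`/`cn.bistu.hostB` and locators `loc-AR1`/`loc-AR2`. The cache table with a lifetime (claims 9 and 10) is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Binding is a resolver's answer for a secure host identifier (SHID): the identifier,
// its bound public key and the routing locator of the access router serving the host.
type Binding struct{ SHID string; PubKey ed25519.PublicKey; Locator string }

// Resolver is one level of the mapping hierarchy; an unanswered query goes on to Next
// (local -> root -> top-level -> authority). A flat map per level is this example's assumption.
type Resolver struct{ Records map[string]Binding; Next *Resolver }

// Lookup answers from this level or walks the chain until some level holds the record.
func (r *Resolver) Lookup(shid string) (Binding, error) {
	for cur := r; cur != nil; cur = cur.Next {
		if b, ok := cur.Records[shid]; ok {
			return b, nil
		}
	}
	return Binding{}, fmt.Errorf("no binding for %q at any level", shid)
}

// Packet is what the source host hands to the authentication server. Signing the two
// identifiers plus the payload is this example's choice; the claims fix no wire format.
type Packet struct{ SrcID, DstID string; Payload, Sig []byte }
func signingInput(src, dst string, payload []byte) []byte { return append([]byte(src+"|"+dst+"|"), payload...) }

// SignPacket is the source terminal host's step.
func SignPacket(priv ed25519.PrivateKey, src, dst string, payload []byte) Packet {
	return Packet{src, dst, payload, ed25519.Sign(priv, signingInput(src, dst, payload))}
}

// IDTag is the hashed identifier label of claim 14; truncated SHA-256 is this example's choice.
func IDTag(shid string) string { sum := sha256.Sum256([]byte(shid)); return hex.EncodeToString(sum[:8]) }

// Forwarded is the verified packet with identifiers replaced by tags; Encapsulated wraps it
// with the source and destination routing locators for transit between the access routers.
type Forwarded struct{ SrcTag, DstTag string; Payload []byte }
type Encapsulated struct{ SrcLoc, DstLoc string; Inner Forwarded }

// Authenticate is the access authentication server's step: resolve the source binding,
// verify the signature with the bound public key and only then build the packet to forward.
func Authenticate(local *Resolver, p Packet) (Forwarded, error) {
	b, err := local.Lookup(p.SrcID)
	if err != nil {
		return Forwarded{}, err
	}
	if !ed25519.Verify(b.PubKey, signingInput(p.SrcID, p.DstID, p.Payload), p.Sig) {
		return Forwarded{}, errors.New("signature check failed, packet dropped")
	}
	return Forwarded{IDTag(p.SrcID), IDTag(p.DstID), p.Payload}, nil
}

// Encapsulate is the local access router's step. The destination SHID is passed in
// explicitly because the claims do not say how the router recovers it from a tag.
func Encapsulate(local *Resolver, selfLoc string, f Forwarded, dstID string) (Encapsulated, error) {
	b, err := local.Lookup(dstID)
	if err != nil {
		return Encapsulated{}, err
	}
	return Encapsulated{selfLoc, b.Locator, f}, nil
}

// Decapsulate is the peer access router's step before delivery to the peer terminal host.
func Decapsulate(e Encapsulated) Forwarded { return e.Inner }

// Demo chains local -> root -> top-level -> authority resolvers (only the authority holds the
// constructed bindings), runs one signed packet end to end and also submits a packet signed
// with a key that is not bound to the claimed source; the authentication server must drop it.
func Demo() (good Encapsulated, forgedErr error, err error) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)
	_, privX, _ := ed25519.GenerateKey(rand.Reader)
	authority := &Resolver{Records: map[string]Binding{
		"cn.bistu.hostA": {"cn.bistu.hostA", pubA, "loc-AR1"},
		"cn.bistu.hostB": {"cn.bistu.hostB", pubB, "loc-AR2"}}}
	local := &Resolver{Next: &Resolver{Next: &Resolver{Next: authority}}}
	p := SignPacket(privA, "cn.bistu.hostA", "cn.bistu.hostB", []byte("hello"))
	f, err := Authenticate(local, p)
	if err != nil {
		return
	}
	good, err = Encapsulate(local, "loc-AR1", f, p.DstID)
	_, forgedErr = Authenticate(local, SignPacket(privX, p.SrcID, p.DstID, p.Payload))
	return
}

func main() {
	good, forgedErr, err := Demo()
	fmt.Println(good.SrcLoc, "->", good.DstLoc, string(Decapsulate(good).Payload), err)
	fmt.Println("forged packet:", forgedErr)
}
```

Two points a practitioner would check before relying on such a design. First, the signature here covers the destination identifier as well as the payload, so a verified packet cannot be re-addressed; the claims do not say what the signature covers, and a signature over the payload alone would leave that open. Second, nothing in the claims binds a signature to a time or sequence number, so a captured packet re-verifies later; a deployment would put a counter or nonce under the signature. The cached bindings of claims 9 and 10 are the other place to look: a cached public key that outlives a key rotation keeps accepting signatures from the old key until the cache lifetime of claim 10 expires.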
CN201710013800.0A 2017-01-09 2017-01-09 Security terminal mark and authentication method and system based on STiP model Active CN106685979B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710013800.0A CN106685979B (en) 2017-01-09 2017-01-09 Security terminal mark and authentication method and system based on STiP model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710013800.0A CN106685979B (en) 2017-01-09 2017-01-09 Security terminal mark and authentication method and system based on STiP model

Publications (2)

Publication Number Publication Date
CN106685979A CN106685979A (en) 2017-05-17
CN106685979B true CN106685979B (en) 2019-05-28

Family

ID=58849294

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710013800.0A Active CN106685979B (en) 2017-01-09 2017-01-09 Security terminal mark and authentication method and system based on STiP model

Country Status (1)

Country Link
CN (1) CN106685979B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108243190A (en) * 2018-01-09 2018-07-03 北京信息科技大学 A trusted management method and system for network identification
CN111817854B (en) * 2020-06-04 2022-03-18 中国电子科技集团公司第三十研究所 Security authentication method and system based on centerless identification mapping synchronous management
CN113114616A (en) * 2021-01-18 2021-07-13 北京信息科技大学 Method and device for constructing and analyzing terminal protocol stack and terminal

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9344438B2 (en) * 2008-12-22 2016-05-17 Qualcomm Incorporated Secure node identifier assignment in a distributed hash table for peer-to-peer networks
EP2452298A4 (en) * 2009-07-10 2014-08-27 Certicom Corp System and method for performing serialization of devices
KR20120005363A (en) * 2010-07-08 2012-01-16 정보통신산업진흥원 Electronic document distribution system and electronic document distribution method
US9077753B2 (en) * 2012-01-26 2015-07-07 National Institute Of Information And Communications Technology Method for securing name registries, network access and data communication in ID/locator split-base networks
WO2014028712A1 (en) * 2012-08-15 2014-02-20 Telecommunication Systems, Inc. Device independent caller data access for emergency calls
US9391777B2 (en) * 2014-08-15 2016-07-12 Palo Alto Research Center Incorporated System and method for performing key resolution over a content centric network

Also Published As

Publication number Publication date
CN106685979A (en) 2017-05-17

Similar Documents

Publication Publication Date Title
CN105009509B (en) It is expanded in the information by trust anchor based on title/prefix Routing Protocol in heart network
Afanasyev et al. NDNS: A DNS-like name service for NDN
CN102045413B (en) DHT expanded DNS mapping system and method for realizing DNS security
CN101375566B (en) Domain name system using dynamic DNS and dynamic DNS server global address management method
US7516482B2 (en) Secure hierarchical namespaces in peer-to-peer networks
CN103248726B (en) A kind of many reciprocity Internet of Things identification analytic method
CN101964799B (en) Solution method of address conflict in point-to-network tunnel mode
CN102624728B (en) Method and system for carrying out whole-network login authentication by utilizing registered website user information
CN108366137A (en) The method and root DNS that domain name is handled based on block chain
CN103023856B (en) Method and system for single sign-on and information processing method and system
WO2008116416A1 (en) Method, device and system for domain name system to update dynamically
CN109076082A (en) Anonymous identities in identity-oriented networks and protocols
CN106790296B (en) Domain name record verification method and device
CN106685979B (en) Security terminal mark and authentication method and system based on STiP model
CN102437946B (en) Access control method, network access server (NAS) equipment and authentication server
Yan et al. Is DNS ready for ubiquitous Internet of Things?
CN103997479A (en) Asymmetric service IP proxy method and equipment
KR102156206B1 (en) Apparatus and method for providing security to an end-to-end communication
CN103402197A (en) Hidden position and path protection method based on IPv6 (Internet Protocol Version 6)
CN106027555B (en) A kind of method and system improving content distributing network safety using SDN technology
CN105245625A (en) Traceability system across multiple administrative domains
CN103916489A (en) Method and system for resolving single-domain-name multi-IP domain name
CN108243190A (en) A trusted management method and system for network identification
JP2012527794A (en) Method and system for host identity tag acquisition
Leshov et al. Content name privacy in tactical named data networking

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
OL01 Intention to license declared