CN115348112B - Method for local area network exchange equipment access authentication and trusted networking - Google Patents
- Publication number: CN115348112B (application CN202211271629.0A)
- Authority: CN (China)
- Prior art keywords: authentication, message, switching equipment, switching, equipment
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0823: Network architectures or network communication protocols for network security, for authentication of entities using certificates
- H04L63/0869: Network architectures or network communication protocols for network security, for authentication of entities achieving mutual authentication
- H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources
Abstract
The invention provides a method for access authentication and trusted networking of local area network switching equipment, and belongs to the technical field of network connection control. The method achieves access authentication among all the switching devices by integrating a secure trusted card on each switching device in the local area network, thereby obtaining trusted networking within the local area network. The secure trusted card is connected to the mainboard of the switching equipment in a plug-in manner through a Mini-PCI-E port on the mainboard; the software module of the secure trusted card consists of a driver TDD and a packaged standard library TDDL, communicates with the network protocol stack in the operating system of the switching equipment, and provides a kernel interface for interaction with upper-layer applications.
Description
Technical Field
The invention belongs to the technical field of network connection control, and particularly relates to a method for access authentication and trusted networking of local area network switching equipment.
Background
The LAN switching device is an important piece of network equipment: it is the core device from which a LAN is built, and its importance to the network as a whole is self-evident. How to achieve secure networking has become an urgent problem for any unit or organization that transmits sensitive information. Access authentication technology protects network security by having the client prove the legitimacy of a user through access control, and it plays an important role in secure network access. However, there is essentially no authentication protocol for networking between switching devices; the devices trust each other by default, which makes them easy to attack or monitor.
The 802.1X protocol defined by the IEEE 802 working group is a port-based access control protocol that can prevent unauthorized users from accessing the local area network through a port. In recent years, many research institutes at home and abroad have focused on improving whole-network communication security by analyzing and adapting server-based client identity authentication. The main approach is to authenticate the identity of users and devices accessing the network through an authentication server, so that only clients with a legitimate identity can access network resources; many such results have been applied in various classified network systems.
A survey of open publications and technical data shows that research on interconnection authentication between switching devices is scarce at home and abroad, and that the unidirectional authentication of the 802.1X protocol cannot meet the requirements for mutual identity authentication and access control between networking devices in a high-security network. It also raises the cost of network deployment: the server usually needs fairly complex policy configuration to provide effective protection, which increases both the complexity of building the network and the maintenance cost.
Disclosure of Invention
In order to solve the above technical problem, the present invention provides a method for access authentication and trusted networking of local area network switching devices.
The invention discloses a method for access authentication and trusted networking of local area network switching equipment. The method realizes the access authentication among all the switching equipment by integrating a secure trusted card on each switching equipment in the local area network, thereby obtaining the trusted networking in the local area network; the method specifically comprises the following steps: s1, configuring the secure trusted cards on a mainboard of each switching device, wherein each secure trusted card has a built-in trusted root which is configured uniformly; s2, each exchange device acquires an identity certificate with a unique identifier, which is uniformly issued by a certificate issuing center, based on a built-in trusted root of the secure trusted card; and S3, completing access authentication by each exchange device through each safe trusted card based on each identity certificate so as to realize trusted networking in the local area network.
Wherein, in step S1: the secure trusted card is connected to the mainboard of the switching equipment in a plug-in manner through a Mini-PCI-E port on the mainboard; the software module of the secure trusted card consists of a driver TDD and an encapsulated standard library TDDL, communicates with the network protocol stack in the operating system of the switching equipment, and at the same time provides a kernel interface for interaction with upper-layer applications.
Wherein, in step S2: after the switching device corresponding to the secure trusted card is determined, the user file of that switching device is injected into the secure trusted root of the secure trusted card, so that the certificate issuing center generates the identity certificate with the unique identifier of the switching device according to the uniformly configured information resource in the secure trusted root and the user file of the corresponding switching device.
Specifically, in step S3, for both sides of the switching device in the process of access authentication, the respective port for performing the access authentication only receives and transmits the packet related to the access authentication, and the packets of other service types cannot be forwarded through the port.
Specifically, in step S3, the protocol of the access authentication adopts an OVER-LAN bearer mode, and the messages in the access authentication process all adopt a message format based on the protocol; the message based on the protocol consists of an Ethernet header and a data packet load; the Ethernet header comprises a receiver MAC address, a sender MAC address and protocol Ethernet type information; the data packet load comprises a protocol version number, Ethernet message type information, message length information of the data packet load and message payload information.
Specifically, in step S3, the access authentication performed by the two switching device parties includes authentication initiation, authentication negotiation, and authentication keep-alive; determining the first switching device side and the second switching device side in the authentication initiation stage specifically includes, for each of the two switching device parties: sending a detection message to the opposite side at regular intervals, where the message payload of the detection message comprises a hash value used for checking and the device type value of the sending side; after receiving the detection message sent by the other side, extracting the hash value from the received detection message to complete the hash value check; and determining whether the priority of the opposite party is lower according to the device type value and the sender MAC address in the received detection message, combined with the device type value and the sender MAC address in the sent detection message; if so, the opposite party is taken as the first switching device party, and if not, as the second switching device party.
Specifically, the determining the priority specifically includes: comparing the switching equipment type values of the two switching equipment parties, wherein the larger switching equipment type value has lower priority; and when the exchange equipment type values of the two exchange equipment parties are equal, comparing the sender MAC addresses of the two exchange equipment parties, wherein the larger sender MAC address has lower priority.
Specifically, in the authentication initiation phase, the first switching device sends an initial acknowledgement packet to the second switching device, and then the first switching device enters a negotiation waiting state.
Specifically, in the authentication negotiation stage, the second switching device side actively initiates the authentication negotiation process after receiving the initial acknowledgement packet, which specifically includes: the second switching device side obtains a 32-bit random number Rb from its secure trusted card, encapsulates Rb into an authentication request message, sends it to the first switching device side, and then enters the negotiation waiting state; the first switching device side stores the random number Rb from the authentication request message locally, obtains a 32-bit random number Ra and an identity certificate Ca from its own secure trusted card, determines its digital signature value Sa by calculating a hash value over the random number Rb, the random number Ra and the identity certificate Ca, and packages Rb, Ra, Ca and Sa into an authentication response message that is sent to the second switching device side; after receiving the authentication response message, the second switching device side verifies the random number Rb, the digital signature value Sa and the identity certificate Ca, stores Ca locally once verification passes, obtains an identity certificate Cb from its secure trusted card, calculates a hash value over the random number Rb and the identity certificate Cb to determine its digital signature value Sb, and encapsulates Cb and Sb into an authentication end (completion) message that is sent to the first switching device side; after receiving the authentication end message, the first switching device side verifies the digital signature value Sb, stores the identity certificate Cb locally once verification passes, and sends an authentication end confirmation message to the second switching device side, after which both switching device sides enter the authentication success state.
Specifically, in the authentication keep-alive phase: the second switching device side periodically sends a connection keep-alive request to the first switching device side, and the first switching device side sends a connection keep-alive response message to the second switching device side after receiving the request; when the first switching device does not return the connection keep-alive response message within the preset time, the connection keep-alive has failed; and when the number of connection keep-alive failures exceeds the preset value, the access authentication switches to the failure state and both switching device sides disconnect.
Therefore, in a private network with high security requirements, a stable and secure local area network needs to be built from secure, reliable and efficient switching devices. The method provided by the invention solves the problems of secure LAN networking and of the switching device's own security: (1) It solves the problem of entity identity authentication of switching device nodes, realizes bidirectional identity authentication between terminal devices and switching devices and between switching devices, and ensures that the identity of devices joining the network is trusted. (2) Through port-based access control, only nodes that have successfully completed identity authentication negotiation can access the network; this blocks data intrusion by illegitimate nodes, prevents network resources from being seized, and prevents data in the network from being stolen by capturing traffic through the switching device and then used to launch targeted attacks. (3) The switching device integrates the hardware and software design of the secure trusted card with a framework of bidirectional peer-to-peer authentication, so it needs neither centralized management nor a deployed authentication server, which reduces network deployment cost and configuration complexity. (4) Because the trusted root is built into the device, no message exchange with a certificate server is needed: the authentication peers exchange and verify identity certificates directly to complete identity authentication between devices, which guarantees authentication security, simplifies the authentication process and reduces authentication latency.
Drawings
In order to more clearly illustrate the embodiments or prior art solutions of the present invention, the drawings used in the embodiments or prior art descriptions will be briefly described below, it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without inventive efforts.
Fig. 1 is a schematic diagram of trusted networking of secure trusted card based LAN switching devices according to an embodiment of the present invention;
Fig. 2 is a diagram illustrating a secure trusted card based switching device platform architecture according to an embodiment of the present invention;
Fig. 3 is a diagram illustrating a message format according to an embodiment of the present invention;
Fig. 4 is a flowchart of access authentication according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention discloses a method for access authentication and trusted networking of local area network switching equipment in a first aspect. The method realizes the access authentication among the exchange devices by integrating the secure trusted card on each exchange device in the local area network, thereby obtaining the trusted networking in the local area network.
The invention provides a secure trusted card integrated into the switching devices of a local area network; the card serves as a built-in trusted root with which the switching devices complete end-to-end bidirectional identity authentication among themselves and enforce access control of switching devices to the LAN. Using the secure storage, integrity verification, and data encryption and decryption services provided by the secure trusted card, the access authentication protocol messages receive data-origin verification, anti-replay protection, protocol data integrity verification and confidentiality protection, so that the high security and high reliability of LAN networking are ensured without increasing networking complexity.
Fig. 1 is a schematic diagram of trusted networking of secure trusted card based LAN switching devices according to an embodiment of the present invention; as shown in Fig. 1, the method specifically includes: S1, configuring the secure trusted cards on the mainboard of each switching device, wherein each secure trusted card has a built-in trusted root which is configured uniformly; S2, each switching device acquires an identity certificate with a unique identifier, uniformly issued by a certificate issuing center, based on the built-in trusted root of its secure trusted card; and S3, each switching device completes access authentication through its secure trusted card based on its identity certificate, so as to realize trusted networking in the local area network.
Fig. 2 is a diagram illustrating a secure trusted card based switching device platform architecture according to an embodiment of the present invention; as shown in Fig. 2, the secure trusted card is connected to the motherboard of the switching device in a plug-in manner, the connection port is a Mini-PCI-E port located on the motherboard, the software module of the secure trusted card is composed of a driver TDD and a packaged standard library TDDL, and the software module communicates with the network protocol stack in the operating system of the switching device and provides a kernel interface for interaction with upper-layer applications.
In the hardware design of the switching device, the secure trusted card and the mainboard of the switching device form a trusted hardware platform, and data can be exchanged with the CPU (central processing unit) through, for example, a Mini PCI-E interface. The functions of the secure trusted card are implemented by two parts: the hardware and a host software module. The software module of the secure trusted card communicates with the operating system protocol stack through a driver and an encapsulated standard library, and provides services such as secure storage, integrity verification, and data encryption and decryption for the whole switching device.
In some embodiments, after the switching device corresponding to the secure trusted card is determined, the user file of that switching device is injected into the secure trusted root of the secure trusted card, so that the certificate issuing center generates the identity certificate with the unique identifier of the switching device according to the uniformly configured information resource in the secure trusted root and the user file of the corresponding switching device. That is, the information resources that the secure trusted card needs in order to operate, such as the system card file, key fob file and user card file, are injected at initialization.
In some embodiments, in step S3, for both sides of the switching device in the process of access authentication, the respective port for performing the access authentication only receives and sends the packet related to the access authentication, and the packets of other service types cannot be forwarded through the port.
The hardware and software functions of the switching devices are used to achieve access control and secure networking between devices through access authentication between the LAN switching devices. The bidirectional identity authentication process between LAN switching devices is as follows. During mutual access authentication, the two switching devices use the identity certificates of the peer device and the local device respectively, so bidirectional identity authentication of switching devices based on the secure trusted card is the precondition for secure networking and access authentication of LAN switching devices, and the certificates are issued by the same issuing center. Authentication and authorization are first bound together by applying port-based access control on a switching device port that uses trusted secure access. On the switching device, forwarding of all data messages other than authentication protocol messages is disabled on that port, and bidirectional identity authentication is performed between the nodes once the peer device is connected to the trusted secure access port. Until bidirectional identity authentication has completed, only authentication protocol messages are allowed through the port; after authentication passes, data of other service types can be forwarded through the port normally. Through bidirectional identity authentication, the interconnected switching devices ensure that the identity of each LAN networking node is trusted, and through access control on the port they ensure that untrusted devices cannot join the LAN, which secures the local area network.
Fig. 3 is a diagram illustrating a message format according to an embodiment of the present invention; as shown in Fig. 3, the format of the LAN switching device secure networking and access authentication protocol message adopts the OVER-LAN bearer mode.
In some embodiments, in step S3, the protocol of the access authentication uses an OVER-LAN bearer mode, and the messages in the access authentication process all use a message format based on the protocol; wherein the protocol-based message consists of an Ethernet header and a packet payload (authentication protocol data); the Ethernet header includes a receiver MAC address (destination MAC, 6 bytes), a sender MAC address (source MAC, 6 bytes) and protocol Ethernet type information (2 bytes); the data packet payload (authentication protocol data) includes a protocol version number (1 byte), Ethernet message type information (1 byte), message length information of the data packet payload (2 bytes), and message payload information (0-1024 bytes).
Fig. 4 is a flowchart of access authentication according to an embodiment of the present invention; as shown in Fig. 4, in some embodiments, in step S3, the access authentication performed by both sides of the switching device includes authentication initiation, authentication negotiation, and authentication keep-alive.
In some embodiments, determining the first switching device side and the second switching device side in the authentication initiation stage specifically includes, for each of the two switching device parties: sending a detection message to the opposite side at regular intervals, where the message payload of the detection message comprises a hash value for checking and the device type value of the sending side; after receiving the detection message sent by the other side, extracting the hash value from the received detection message to complete the hash value check; and determining whether the priority of the opposite party is lower according to the device type value and the sender MAC address in the received detection message, combined with the device type value and the sender MAC address in the sent detection message; if so, the opposite party is taken as the first switching device party, and if not, as the second switching device party.
In some embodiments, determining the priority specifically includes: comparing the exchange equipment type values of the two exchange equipment sides, wherein the side with the larger exchange equipment type value has lower priority; and when the exchange equipment type values of the two exchange equipment parties are equal, comparing the sender MAC addresses of the two exchange equipment parties, wherein the larger sender MAC address has lower priority.
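The Fig. 3 frame layout and the initiation-stage rules above (hash check of the detection message, then the priority comparison), as an added Python illustration that is not the patent's own code: it packs and parses the Ethernet header plus authentication protocol data, rejects frames whose length field disagrees with what arrived, checks the detection message's hash, and decides which side becomes the first (lower-priority) and second (higher-priority) switching device. The EtherType value 0x88B5, the message type codes and the input to the check hash are assumptions, since the page does not specify them.

```python
import hashlib
import struct

# Field sizes follow Fig. 3.  The EtherType value, the message type codes and
# the contents of the check hash are not given on the page; the values below
# are assumptions (0x88B5 is the IEEE local-experimental EtherType).
ETHERTYPE = 0x88B5
VERSION = 1
MAX_PAYLOAD = 1024
ETH_HDR = struct.Struct("!6s6sH")     # destination MAC, source MAC, EtherType
AUTH_HDR = struct.Struct("!BBH")      # version, message type, payload length
MSG_START, MSG_ACK = 1, 2             # detection message, initial acknowledgement

def build_frame(dst_mac, src_mac, msg_type, payload=b""):
    """Ethernet header followed by the authentication protocol data."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("message payload exceeds 1024 bytes")
    return (ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE)
            + AUTH_HDR.pack(VERSION, msg_type, len(payload)) + payload)

def parse_frame(frame):
    """Return (dst_mac, src_mac, msg_type, payload), or None if malformed."""
    if len(frame) < ETH_HDR.size + AUTH_HDR.size:
        return None
    dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame)
    version, msg_type, length = AUTH_HDR.unpack_from(frame, ETH_HDR.size)
    payload = frame[ETH_HDR.size + AUTH_HDR.size:]
    if ethertype != ETHERTYPE or version != VERSION:
        return None
    if length > MAX_PAYLOAD or len(payload) != length:
        return None                   # length field must match what arrived
    return dst_mac, src_mac, msg_type, payload

def start_check_hash(device_type, src_mac):
    """Assumed input of the detection message's check hash: the protocol
    version, the sender's device type value and the sender MAC address."""
    return hashlib.sha256(bytes([VERSION, device_type]) + src_mac).digest()

def build_start(src_mac, dst_mac, device_type):
    """Detection message: device type value followed by the check hash."""
    payload = bytes([device_type]) + start_check_hash(device_type, src_mac)
    return build_frame(dst_mac, src_mac, MSG_START, payload)

def verify_start(frame):
    """Hash check of step 2.  Returns (peer_type, peer_mac) when the check
    passes, or None, meaning the receiver returns to the initial state."""
    parsed = parse_frame(frame)
    if parsed is None or parsed[2] != MSG_START or len(parsed[3]) != 33:
        return None
    _, src_mac, _, payload = parsed
    device_type, received = payload[0], payload[1:]
    if received != start_check_hash(device_type, src_mac):
        return None
    return device_type, src_mac

def peer_has_lower_priority(my_type, my_mac, peer_type, peer_mac):
    """Larger device type value means lower priority; on equal types the
    larger sender MAC address has the lower priority."""
    return (peer_type, peer_mac) > (my_type, my_mac)

def my_role(my_type, my_mac, peer_type, peer_mac):
    """'second' (higher priority: waits for the Ack, then initiates the
    identity request) when the peer has lower priority, otherwise 'first'
    (lower priority: sends the Ack and answers the identity request)."""
    if peer_has_lower_priority(my_type, my_mac, peer_type, peer_mac):
        return "second"
    return "first"
```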
In some embodiments, in the authentication initiation phase, the first switching device side sends an initial acknowledgement packet to the second switching device side, and then the first switching device side enters a negotiation waiting state.
In some embodiments, in the authentication negotiation stage, the second switching device side actively initiates the authentication negotiation process after receiving the initial acknowledgement packet, which specifically includes: the second switching device side obtains a 32-bit random number Rb from its secure trusted card, encapsulates Rb into an authentication request message, sends it to the first switching device side, and then enters the negotiation waiting state; the first switching device side stores the random number Rb from the authentication request message locally, obtains a 32-bit random number Ra and an identity certificate Ca from its own secure trusted card, determines its digital signature value Sa by calculating a hash value over the random number Rb, the random number Ra and the identity certificate Ca, and packages Rb, Ra, Ca and Sa into an authentication response message that is sent to the second switching device side; after receiving the authentication response message, the second switching device side verifies the random number Rb, the digital signature value Sa and the identity certificate Ca, stores Ca locally once verification passes, obtains an identity certificate Cb from its secure trusted card, calculates a hash value over the random number Rb and the identity certificate Cb to determine its digital signature value Sb, and packages Cb and Sb into an authentication end message that is sent to the first switching device side; after receiving the authentication end message, the first switching device side verifies the digital signature value Sb, stores the identity certificate Cb locally once verification passes, and sends an authentication end confirmation message to the second switching device side, after which both switching device sides enter the authentication success state.
In some embodiments, during the authentication keep-alive phase: the second switching device side periodically sends a connection keep-alive request to the first switching device side, and the first switching device side sends a connection keep-alive response message to the second switching device side after receiving the request; when the first switching device does not return the connection keep-alive response message within the preset time, the connection keep-alive has failed; when the number of connection keep-alive failures exceeds the preset value, the access authentication switches to the failure state and both switching device sides are disconnected.
As shown in Fig. 4: Step 1: the two end devices send a detection message (start) to each other to announce that they are online. Step 2: after receiving the start message, a device first verifies the hash value; if the check passes it adds the peer's information to its neighbor table, and if the check fails it returns to the initial state. The device priorities are then compared, and the end with the lower priority sends an initial acknowledgement (Ack) message. The priority comparison rule is as follows: first compare the device type values, where the smaller type value has the higher priority; when the device types are the same, compare the MAC addresses, where the smaller MAC address has the higher priority. The devices then enter the authentication negotiation waiting state; if the local end has the higher priority, it waits to receive the initial acknowledgement (Ack) message sent by the lower-priority end. Step 3: after receiving the initial acknowledgement message, the higher-priority end device B actively initiates authentication negotiation. It first reads its local secure trusted card to obtain a 32-bit random number Rb, then packages Rb into an authentication request message (identity request) and sends it to device A, entering the negotiation waiting state at the same time. Step 4: after receiving the identity request message, the lower-priority end device A stores Rb locally, reads its own secure trusted card to obtain a 32-bit random number Ra and its own identity certificate Ca, hashes Rb, Ra and Ca to obtain the digital signature value Sa, and encapsulates Rb, Ra, Ca and Sa into an authentication response message (identity reply) that it sends to device B.
Step 5: after receiving the authentication response message (identity reply), the higher-priority end device B first checks that Rb is correct and ignores the received message if Rb is wrong; it then verifies A's signature and certificate, stores the Ca information locally if verification succeeds, and otherwise ignores the received message. It then reads its own secure trusted card to obtain its identity certificate Cb, hashes Rb and Cb and computes the digital signature value Sb, encapsulates Cb and Sb into an authentication finish message (identity finish), sends it to device A, and enters the authentication success state. Step 6: after receiving the authentication finish message, the lower-priority end device A first verifies B's signature and certificate; if verification succeeds it stores the Cb information locally, otherwise it ignores the received message. It then sends an authentication finish confirmation message (finish ack) to device B and enters the authentication success state.
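Steps 3 to 6 above as an added Python model, not the patent's own code: both sides exchange Rb, Ra, Ca, Sa and then Cb, Sb, and each receiver checks the nonce before the certificate and signature, ignoring (returning None for) any message that fails. The signature scheme is a stand-in assumption (textbook RSA over fixed, well-known primes, insecure and for illustration only), as are the certificate layout and the device identifiers; the page does not name the card's signature algorithm, only that Sa and Sb are signature values computed over the hash of the listed fields.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Stand-in for the secure trusted card's signing service: textbook RSA over
# fixed, well-known primes.  Assumption for illustration only; the page does
# not name the card's algorithm and these keys are far too small to be secure.
E = 65537

def rsa_keypair(p, q):                 # -> ((n, e), (n, d))
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def hash_to_int(data, n):              # SHA-256 of the signed data, mod n
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(hash_to_int(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == hash_to_int(data, pub[0])

@dataclass(frozen=True)
class Cert:   # identity certificate signed by the issuing center (constructed layout)
    device_id: str
    n: int
    e: int
    issuer_sig: int
    def tbs(self):                     # the bytes the issuing center signs
        return f"{self.device_id}|{self.n}|{self.e}".encode()
    def encode(self):                  # wire form carried inside the messages
        return self.tbs() + b"|" + str(self.issuer_sig).encode()

def issue_cert(ca_priv, device_id, pub):
    tbs = Cert(device_id, pub[0], pub[1], 0).tbs()
    return Cert(device_id, pub[0], pub[1], sign(ca_priv, tbs))

def u32(x):                            # 32-bit random number as 4 bytes
    return x.to_bytes(4, "big")

@dataclass
class Switch:
    cert: Cert
    priv: tuple
    ca_pub: tuple
    nonce_src: object = lambda: secrets.randbits(32)   # swappable for tests
    peer_cert: Cert = None
    state: str = "init"
    rb: int = None

    def cert_ok(self, c):
        """The peer certificate must carry a valid issuing-center signature."""
        return verify(self.ca_pub, c.tbs(), c.issuer_sig)
    def identity_request(self):
        """Step 3 (device B, higher priority): obtain Rb and send it."""
        self.rb, self.state = self.nonce_src(), "wait_negotiation"
        return self.rb
    def identity_reply(self, rb):
        """Step 4 (device A, lower priority): store Rb, answer Rb, Ra, Ca, Sa."""
        self.rb, ra = rb, self.nonce_src()
        sa = sign(self.priv, u32(rb) + u32(ra) + self.cert.encode())
        return rb, ra, self.cert, sa
    def identity_finish(self, rb, ra, ca, sa):
        """Step 5 (device B): Rb first (anti-replay), then Ca and Sa; ignore on failure."""
        if rb != self.rb or not self.cert_ok(ca):
            return None
        if not verify((ca.n, ca.e), u32(rb) + u32(ra) + ca.encode(), sa):
            return None
        self.peer_cert, self.state = ca, "success"
        return self.cert, sign(self.priv, u32(rb) + self.cert.encode())
    def finish_ack(self, cb, sb):
        """Step 6 (device A): verify Cb and Sb, store Cb, send finish ack."""
        if not self.cert_ok(cb) or not verify((cb.n, cb.e), u32(self.rb) + cb.encode(), sb):
            return None
        self.peer_cert, self.state = cb, "success"
        return True

# Constructed deployment: one issuing center plus switch A (lower priority)
# and switch B (higher priority), each key pair on its own modulus.
CA_PRIMES = (2147483647, 2305843009213693951)   # 2^31-1, 2^61-1
A_PRIMES = (1000000007, 998244353)
B_PRIMES = (1000000009, 999999937)

def build_network():
    ca_pub, ca_priv = rsa_keypair(*CA_PRIMES)
    switches = []
    for name, primes in (("A", A_PRIMES), ("B", B_PRIMES)):
        pub, priv = rsa_keypair(*primes)
        switches.append(Switch(issue_cert(ca_priv, name, pub), priv, ca_pub))
    return switches[0], switches[1]

def run_negotiation(a, b):             # steps 3 to 6; True only if both succeed
    reply = a.identity_reply(b.identity_request())
    finish = b.identity_finish(*reply)
    return finish is not None and a.finish_ack(*finish) is True
```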
After the authentication is successful, in order to determine whether the device at the opposite end is working normally, the device end with a large priority periodically sends a connection keep-alive request at a short interval (for example, 30 seconds), and the device end with a small priority sends a connection keep-alive response message to the opposite end after receiving the connection keep-alive request. If the continuous keep-alive failure exceeds the preset times, the authentication is converted into a failure state, and the connection is disconnected.
In summary, the invention provides a bidirectional identity authentication method between local area network switching devices based on a secure trusted card, giving an effective security mechanism for ensuring that the identity of a switching device accessing the local area network is trustworthy. Secondly, it overcomes the shortcomings of traditional access authentication techniques, which require an authentication server and only authenticate the accessing device in one direction, and realizes two-way identity authentication between the devices at both ends of a network connection without deploying an authentication server. In addition, by integrating the secure trusted card on the switching device, the combined hardware and software design resolves the low efficiency and difficult control that arise when communication and security protection are hard to coordinate; it ensures the trustworthiness of the identity of switching devices accessing the network, also meets the requirement that the secure access authentication protocol messages be trustworthy, and offers a useful reference for the secure networking of switching devices in scenarios with high-security dedicated-network requirements.
It should be noted that the technical features of the above embodiments can be combined arbitrarily; for the sake of brevity, not all possible combinations of the technical features in the above embodiments are described, but as long as there is no contradiction in a combination of these technical features, it should be considered within the scope of this description. The above-mentioned embodiments only express several embodiments of the present application, and although their description is specific and detailed, it is not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.
Claims (8)
1. A method for local area network switching device access authentication and trusted networking, characterized in that the method realizes access authentication among switching devices by integrating a secure trusted card on each switching device in the local area network, thereby obtaining trusted networking in the local area network; the method specifically comprises the following steps:
S1, configuring a secure trusted card on the mainboard of each switching device, wherein each secure trusted card has a uniformly configured built-in trusted root;
S2, each switching device obtains, based on the built-in trusted root of its secure trusted card, an identity certificate with a unique identifier that is uniformly issued by a certificate issuing center;
S3, the switching devices complete access authentication through their respective secure trusted cards based on their respective identity certificates, so as to realize trusted networking in the local area network;
wherein, in step S1: the secure trusted card is connected to the mainboard of the switching device in a plug-in manner, the connection port being a Mini-PCI-E port located on the mainboard; the software module of the secure trusted card consists of a driver TDD and an encapsulated standard library TDDL, and the software module communicates with the network protocol stack in the operating system of the switching device and provides a kernel interface for interaction with upper-layer applications;
wherein, in step S2: after the switching device corresponding to the secure trusted card is determined, the user file of the corresponding switching device is injected into the secure trusted root of the secure trusted card, so that the certificate issuing center generates the identity certificate with the unique identifier of the switching device according to the uniformly configured information resource in the secure trusted root and the user file of the corresponding switching device.
2. The method according to claim 1, wherein in step S3, for both switching device sides in the access authentication process, the port on which the access authentication is performed only receives and transmits messages related to the access authentication, and messages of other service types cannot be forwarded through that port.
3. The method according to claim 2, wherein in step S3, the access authentication protocol adopts an OVER-LAN bearer mode, and the messages in the access authentication process all adopt a message format based on the protocol;
the message based on the protocol consists of an Ethernet header and a data packet load; the Ethernet header comprises a receiver MAC address, a sender MAC address and protocol Ethernet type information; the data packet load comprises a protocol version number, Ethernet message type information, message length information of the data packet load and message payload information.
4. The method according to claim 3, wherein in step S3, the access authentication performed by both switching device sides comprises authentication initiation, authentication negotiation and authentication keep-alive; determining a first switching device side and a second switching device side in the authentication initiation stage specifically comprises:
for each of the two switching device sides:
sending a detection message to the opposite side at regular intervals, wherein the message payload of the detection message comprises a hash value for checking and the switching device type value of the sending side;
after receiving the detection message sent by the opposite side, extracting the hash value from the received detection message to complete the hash value check;
and determining whether the priority of the opposite side is lower according to the switching device type value and the sender MAC address in the received detection message, combined with the switching device type value and the sender MAC address in the sent detection message; if so, taking the opposite side as the first switching device side, and if not, taking the opposite side as the second switching device side.
5. The method according to claim 4, wherein determining the priority specifically comprises: comparing the switching device type values of the two switching device sides, wherein the side with the larger switching device type value has the lower priority; and when the switching device type values of the two sides are equal, comparing the sender MAC addresses of the two sides, wherein the larger sender MAC address has the lower priority.
6. The method according to claim 5, wherein in the authentication initiation stage, the first switching device side sends an initial acknowledgement message to the second switching device side, and the first switching device side then enters the negotiation waiting state.
7. The method according to claim 6, wherein in the authentication negotiation stage, the second switching device side actively initiates the authentication negotiation process after receiving the initial acknowledgement message, specifically comprising:
the second switching device side obtains a 32-bit random number Rb from its secure trusted card, encapsulates the random number Rb into an authentication request message, sends the authentication request message to the first switching device side, and then enters the negotiation waiting state;
the first switching device side stores the random number Rb from the authentication request message locally, obtains a 32-bit random number Ra and an identity certificate Ca from its own secure trusted card, determines its digital signature value Sa by calculating a hash value over the random number Rb, the random number Ra and the identity certificate Ca, and packages the random number Rb, the random number Ra, the identity certificate Ca and the digital signature value Sa into an authentication response message to be sent to the second switching device side;
after receiving the authentication response message, the second switching device side verifies the random number Rb, the digital signature value Sa and the identity certificate Ca, stores the identity certificate Ca locally after the verification passes, obtains an identity certificate Cb from its own secure trusted card, calculates a hash value over the random number Rb and the identity certificate Cb to determine its digital signature value Sb, and packages the identity certificate Cb and the digital signature value Sb into an authentication end message to be sent to the first switching device side;
after receiving the authentication end message, the first switching device side verifies the digital signature value Sb, stores the identity certificate Cb locally after the verification passes, and sends an authentication end confirmation message to the second switching device side, after which both switching device sides enter the authentication success state.
8. The method according to claim 7, wherein in the authentication keep-alive stage:
the second switching device side periodically sends a connection keep-alive request to the first switching device side, and the first switching device side sends a connection keep-alive response message to the second switching device side after receiving the connection keep-alive request;
when the first switching device side does not return the connection keep-alive response message within the preset time, the connection keep-alive fails; and when the number of connection keep-alive failures exceeds the preset value, the access authentication changes to a failed state and both switching device sides disconnect.
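As an added example (not the patent's own code), the following Python models the exchange described in steps 1 to 6 and the keep-alive phase of the description, and in claims 3 to 8: the OVER-LAN frame layout, the priority rule, both sides' state machines, and the Rb, signature and certificate checks that cause a message to be ignored. It assumes values the patent does not give: the EtherType and message type codes, the construction of the Start message's check hash, an 8-byte identity certificate, an HMAC standing in for the trusted card's signature, and a trust store standing in for validation of the peer's certificate against the issuing centre's trusted root.

```python
import hashlib, hmac, os, struct
# Assumed values: the patent names the header fields and message types but gives no codes.
ETHERTYPE_AUTH = 0x88B5              # IEEE local-experimental EtherType used as a stand-in
PROTO_VERSION = 1
MSG = {"start": 1, "ack": 2, "identity_request": 3, "identity_reply": 4,
       "identity_finish": 5, "finish_ack": 6, "keepalive_req": 7, "keepalive_rsp": 8}
BCAST = b"\xff" * 6
ETH_HDR = struct.Struct("!6s6sH")    # receiver MAC, sender MAC, EtherType   (claim 3)
PAYLOAD_HDR = struct.Struct("!BBH")  # version, message type, payload length (claim 3)

def pack_msg(dst, src, mtype, body):   # one OVER-LAN frame: Ethernet header + payload
    return (ETH_HDR.pack(dst, src, ETHERTYPE_AUTH)
            + PAYLOAD_HDR.pack(PROTO_VERSION, MSG[mtype], len(body)) + body)

def unpack_msg(frame):                 # parse a frame, rejecting anything malformed
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    version, mtype, length = PAYLOAD_HDR.unpack_from(frame, ETH_HDR.size)
    body = frame[ETH_HDR.size + PAYLOAD_HDR.size:]
    if ethertype != ETHERTYPE_AUTH or version != PROTO_VERSION or len(body) != length:
        raise ValueError("malformed access-authentication frame")
    return dst, src, mtype, body

def has_lower_priority(my_type, my_mac, peer_type, peer_mac):   # claim 5
    return (my_type, my_mac) > (peer_type, peer_mac)   # larger type loses, then larger MAC

def check_hash(src_mac, type_byte):    # assumed construction of the Start message check hash
    return hashlib.sha256(bytes([PROTO_VERSION]) + src_mac + type_byte).digest()[:16]

def sign_with(key, *parts):            # stand-in for the card's signature over hash(parts)
    return hmac.new(key, hashlib.sha256(b"".join(parts)).digest(), "sha256").digest()

class Switch:
    """One switching device side. cert/key model its secure trusted card (8-byte identity
    certificate plus signing key); trust_store maps certificate -> verification key."""
    def __init__(self, mac, dev_type, cert, key, trust_store):
        self.mac, self.dev_type, self.trust = mac, dev_type, trust_store
        self.cert, self._key = cert, key
        self.state, self.peer, self.rb, self.peer_cert, self.ka_failures = "INIT", None, None, None, 0
    def start_frame(self):                               # step 1: detection message
        t = bytes([self.dev_type])
        return pack_msg(BCAST, self.mac, "start", t + check_hash(self.mac, t))
    def keepalive_timeout(self, max_failures=3):         # claim 8: one call per missing response
        self.ka_failures += 1
        if self.ka_failures >= max_failures:
            self.state, self.peer = "AUTH_FAILED", None  # failed state, connection dropped
        return self.state
    def verify(self, cert, sig, *parts):
        key = self.trust.get(cert)                       # unknown certificate -> reject
        return key is not None and hmac.compare_digest(sig, sign_with(key, *parts))
    def handle(self, frame):
        """Process one received frame; return the reply, or None when the message is ignored."""
        _, src, mtype, body = unpack_msg(frame)
        waiting = self.state == "WAIT_NEGOTIATION"
        if mtype == MSG["start"]:                                                  # step 2
            if not hmac.compare_digest(body[1:], check_hash(src, body[:1])):
                self.state = "INIT"                      # hash check failed: back to initial
                return None
            self.peer, self.state = (src, body[0]), "WAIT_NEGOTIATION"
            if has_lower_priority(self.dev_type, self.mac, body[0], src):
                return pack_msg(src, self.mac, "ack", b"")   # lower-priority side sends Ack
            return None                                      # higher-priority side waits
        if mtype == MSG["ack"] and waiting:                                        # step 3 (B)
            self.rb = os.urandom(4)                          # 32-bit random number Rb
            return pack_msg(src, self.mac, "identity_request", self.rb)
        if mtype == MSG["identity_request"] and waiting:                           # step 4 (A)
            self.rb, ra = body, os.urandom(4)
            sa = sign_with(self._key, self.rb, ra, self.cert)    # Sa over Rb, Ra, Ca
            return pack_msg(src, self.mac, "identity_reply", self.rb + ra + self.cert + sa)
        if mtype == MSG["identity_reply"] and waiting:                             # step 5 (B)
            rb, ra, ca, sa = body[:4], body[4:8], body[8:16], body[16:]
            if rb != self.rb or not self.verify(ca, sa, rb, ra, ca):
                return None                                  # wrong Rb or bad Sa/Ca: ignore
            self.peer_cert, self.state = ca, "AUTH_SUCCESS"
            sb = sign_with(self._key, self.rb, self.cert)    # Sb over Rb, Cb
            return pack_msg(src, self.mac, "identity_finish", self.cert + sb)
        if mtype == MSG["identity_finish"] and waiting:                            # step 6 (A)
            cb, sb = body[:8], body[8:]
            if not self.verify(cb, sb, self.rb, cb):
                return None
            self.peer_cert, self.state = cb, "AUTH_SUCCESS"
            return pack_msg(src, self.mac, "finish_ack", b"")
        if mtype == MSG["keepalive_req"] and self.state == "AUTH_SUCCESS":         # keep-alive
            return pack_msg(src, self.mac, "keepalive_rsp", b"")
        return None

def run_handshake(a, b):   # shuttle frames between both sides; return the wire trace of types
    peers = {a.mac: a, b.mac: b}
    queue, trace = [(b, a.start_frame()), (a, b.start_frame())], []
    while queue:
        rx, frame = queue.pop(0)
        trace.append(unpack_msg(frame)[2])
        reply = rx.handle(frame)
        if reply is not None:
            queue.append((peers[unpack_msg(reply)[0]], reply))
    return trace

def demo():   # constructed sample pair: A has type value 2 and B type value 1, so B has priority
    cert_a, cert_b, key_a, key_b = b"CERT-A\0\0", b"CERT-B\0\0", b"key-A", b"key-B"
    trust = {cert_a: key_a, cert_b: key_b}               # both issued by the same centre
    a = Switch(bytes.fromhex("020000000002"), 2, cert_a, key_a, trust)
    b = Switch(bytes.fromhex("020000000001"), 1, cert_b, key_b, trust)
    return a, b, run_handshake(a, b)
```

Running demo() yields the wire trace Start, Start, Ack, Identity Request, Identity Reply, Identity Finish, Finish Ack and leaves both sides in the authentication success state. A peer whose certificate the trust store does not know, or a reply carrying a different Rb, is silently ignored at step 5 and the negotiation stalls in the waiting state, which is the behaviour the description specifies; and because the Identity Reply and Identity Finish are only accepted while waiting, a replayed reply after success is ignored as well. Three calls to keepalive_timeout() move the side to the failed state and clear its neighbour entry.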
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211271629.0A CN115348112B (en) | 2022-10-18 | 2022-10-18 | Method for local area network exchange equipment access authentication and trusted networking |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115348112A CN115348112A (en) | 2022-11-15 |
CN115348112B true CN115348112B (en) | 2022-12-09 |
Family
ID=83956962
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211271629.0A Active CN115348112B (en) | 2022-10-18 | 2022-10-18 | Method for local area network exchange equipment access authentication and trusted networking |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115348112B (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103368905A (en) * | 2012-03-29 | 2013-10-23 | 同方股份有限公司 | Trustable cipher module chip-based network access authentication method |
CN103428211A (en) * | 2013-08-07 | 2013-12-04 | 华南理工大学 | Network authentication system on basis of switchboards and authentication method for network authentication system |
CN109726540A (en) * | 2018-12-21 | 2019-05-07 | 郑州云海信息技术有限公司 | A kind of method and system for issuing endorsement certificate for virtual credible root in Qemu |
CN111191217A (en) * | 2019-12-27 | 2020-05-22 | 华为技术有限公司 | Password management method and related device |
CN111901119A (en) * | 2020-06-21 | 2020-11-06 | 苏州浪潮智能科技有限公司 | Security domain isolation method, system and device based on trusted root |
CN113364807A (en) * | 2021-06-30 | 2021-09-07 | 四川更元科技有限公司 | Network node credibility authentication implementation method |
CN113839787A (en) * | 2021-11-29 | 2021-12-24 | 军事科学院系统工程研究院网络信息研究所 | Bidirectional authentication local area network security access protocol method and system |
CN114115836A (en) * | 2022-01-28 | 2022-03-01 | 麒麟软件有限公司 | Design method and system of trusted TCM software stack based on Linux operating system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11321465B2 (en) * | 2019-04-04 | 2022-05-03 | Cisco Technology, Inc. | Network security by integrating mutual attestation |
2022
- 2022-10-18 CN CN202211271629.0A patent/CN115348112B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN115348112A (en) | 2022-11-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2055071B1 (en) | | Improved authentication for devices located in cable networks |
CN102291441B (en) | | Method and security agent device for protecting against attack of synchronize (SYN) Flood |
CN112073379A (en) | | Lightweight Internet of things security key negotiation method based on edge calculation |
US6754712B1 (en) | | Virtual dial-up protocol for network communication |
JP5068495B2 (en) | | Distributed authentication function |
US20040010713A1 (en) | | EAP telecommunication protocol extension |
CN112615866B (en) | | Pre-authentication method, device and system for TCP connection |
EP1766845A2 (en) | | Host credentials authorization protocol |
CN111541776A (en) | | Safe communication device and system based on Internet of things equipment |
CN112436940A (en) | | Internet of things equipment trusted boot management method based on zero-knowledge proof |
CN113055361A (en) | | Secure communication method, device and system for DC interconnection |
CN114844730A (en) | | Network system constructed based on trusted tunnel technology |
US20230099263A1 (en) | | Secure link aggregation |
CN107277058A (en) | | A kind of interface authentication method and system based on BFD agreements |
CN101272379A (en) | | Improving method based on IEEE802.1x safety authentication protocol |
CN101166093A (en) | | An authentication method and system |
CN1658553B (en) | | Strong discrimination method of enciphered mode by public key cryptographic algorithm |
CN115348112B (en) | | Method for local area network exchange equipment access authentication and trusted networking |
CN108712398B (en) | | Port authentication method of authentication server, switch and storage medium |
CN111586017A (en) | | Method and device for authenticating communication user |
CN102447710A (en) | | Method and system for controlling access right of user |
CN100428667C (en) | | Strong authentication method for digital signature mode using public key encryption algorithm |
US8607058B2 (en) | | Port access control in a shared link environment |
JP2001186186A (en) | | Device for exchanging packets, network system and method for exchanging packets |
CN100490375C (en) | | Strong authentication method based on symmetric encryption algorithm |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||