CN1314237C - Dynamic supercode generating method and exchange board safety managing method - Google Patents
Dynamic supercode generating method and exchange board safety managing method Download PDFInfo
- Publication number
- CN1314237C CN1314237C CNB031373186A CN03137318A CN1314237C CN 1314237 C CN1314237 C CN 1314237C CN B031373186 A CNB031373186 A CN B031373186A CN 03137318 A CN03137318 A CN 03137318A CN 1314237 C CN1314237 C CN 1314237C
- Authority
- CN
- China
- Prior art keywords
- password
- switch
- configuration
- supercode
- managing security
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The present invention provides a dynamic supercode generating method and an exchange board safety managing method using the supercode. The dynamic supercode generating method comprises the following steps: reading the MAC address of equipment, generating the dynamic supercode according to the MAC address by a cryptographic algorithm and storing the dynamic supercode. The exchange board safety managing method using the supercode comprises the following steps: B1, a start code is input; B2, a system judges whether the start code is correct, if the start code is correct, then go to step B4, if the start code is incorrect, then go to step B3; B3, the supercode is input; B4, go to a bootstrap program file system. The present invention can make the supercode of the exchange board more safe and reliable, effectively eliminate a series of managerial troubles after the multiple supercodes of the exchange board are lost and increase the performance of safety operation and simple management of the equipment. The configuration file can be more simply operated than before after a configuration code is lost.
Description
Technical field
The present invention relates to network equipment safety guarantee technology, be specifically related to a kind of switch method for managing security.
Background technology
Fast development along with Ethernet, various places metropolitan area network and enterprise network have all dropped into large-scale construction, Ethernet switch has obtained using widely with its distinctive surface speed forwarding performance, therefore the safety problem of switch also more and more is subjected to people's attention, and this wherein also comprises the safety management problem to switch.In order to improve the security performance of switch, satisfy user's demand better, generally the management to switch is provided with the double code protection: the first road password is that BOOTROM (boot) starts password, promptly when equipment begins to start, if desired the boot file that is stored among the FLASH ROM (flash memory) of switch is operated, then must be carried out password identification; The second road password is the switch configuration password, promptly when equipment operation, if desired existing configuration is made amendment or reads, also will be through the identification of password.This twice password can be set arbitrarily by the system manager, if but the system manager loses the password of setting, and then mean and can't manage system again.Usually after password is lost, can adopt following means to save the situation:
Start password for BOOTROM, in order to solve the problem that can control switch again after the password loss, manufacturer can define a character string specially in code, and the content of this character string is exactly the super code of factory settings.If user-defined password loss can't be controlled switch more effectively, then the user can apply for this super code to the producer under this product.At present, this super code generally is defined by the character string of fixing.This fixing character string password is easy to occur the leakage of password, in case the non-management employee obtains this super code, just can arbitrarily operate, destroy system file, even make equipment enter state of paralysis the boot file that is stored among the FLASH ROM (flash memory) of switch.
For the switch configuration password, this password normally is configured on Command Line Interface, and this password promptly is written in the configuration file of switch after the configuration.
The network security problem of Ethernet does not also cause everybody enough attention at present, and on the problem for the treatment of this configuration password loss, the equipment supplier does not do particular processing basically.In case this situation occurs, mainly be to adopt following method to solve:
The switch outage is restarted, start password by input BOOTROM and enter into the boot file system, delete the configuration file that this switch is preserved then, then entering configuration mode next time will no longer need password authentification.
But there is very big shortcoming in above-mentioned realization: in case configuration file is deleted, mean that all user configuration informations all will lose.Want network recovery is arrived former state, need the user to pass through order line and recover former configuration information one by one.Consider the complexity of existing network, these customer parameters of full recovery will be pretty troublesome things, and network system stable had very big influence.
Summary of the invention
The objective of the invention is to overcome the shortcoming of above-mentioned prior art, a kind of switch method for managing security is provided, solving effectively needs series of complex operations that switch is done after the password loss in the prior art.
The switch method for managing security is: the step that starts switch comprises:
B1. input starts password;
B2. system judges whether the startup password is correct: start password and correctly then enter step B4, start password bad and then enter step B3;
B3. read the MAC Address of switch, and after generating dynamic super code according to described MAC Address and cryptographic algorithm, the dynamic super code that storage generates; Read and import dynamic super code then;
B4. enter the boot file system.
The boot running paper finishes the back if to enter configuration mode then necessary:
C1. password is disposed in input;
C2. system judges whether the configuration password is correct: the configuration password correctly then enters step C4, and the configuration password bad then enters step B1 and restarts switch, enters step C3 then;
C3. open switch configuration file by order, deletion configuration password;
C4. configuration file is operated.
Owing in switch, adopted the method for above-mentioned switch safety management, make that the fail safe of super code is more reliable, after the password loss, operation to configuration file is simpler, eliminate the trouble in the sequence of operations that brings to management work after the multiple password of switch is lost effectively, improved the safe operation of equipment, the performance of simple management.
Description of drawings
Fig. 1 has described the process chart that in the preferred embodiments of the present invention the BOOTROM of switch is started password and super code;
Fig. 2 has described the flow chart of steps of losing the processing method of configuration behind the password in the preferred embodiments of the present invention switch method for managing security.
Embodiment
The present invention is described in further detail below in conjunction with drawings and embodiments:
At first with reference to Fig. 1.Fig. 1 has described the handling process that in the preferred embodiments of the present invention the BOOTROM of switch is started password and super code:
If the system manager is provided with password to switch, want to obtain control to switch boot file system, must the correct keeper of input start password to the BOOTROM that switch is provided with, just can enter into the boot file system of switch, realize operation file among the switch FLASH ROM; If the BOOTROM that the system manager is provided with voluntarily starts password loss, then, obtain super code, by importing the boot file system that this super code enters into switch according to the unique identification MAC Address of the network equipment.These two passwords do not have essential distinction on function.
Below in the described the preferred embodiments of the present invention of Fig. 1 the BOOTROM of switch being started handling process do one detailed description of password and super code:
At first, start switch in step 10;
Then, enter step 11 and enter into input BOOTROM startup cryptographic interface by order, this moment, the system requirements user inputed BOOTROM startup password, and the user can import password string on the office terminal of switch or on specific management platform;
Enter into step 12 then, system receives the password string of user's input;
System enters step 13 after receiving the password string of user's input, judges whether the password string of user's input is identical with the BOOTROM startup password that the keeper is provided with,
If it is identical, show that then the password string that the user imports is correct, enter step 14, enter the boot file system, behind the boot end of run, can operate the file among the FLASH of equipment, simultaneously, can also revise BOOTROM by order and start password, also can open switch configuration file by order.The method of revising BOOTROM startup password is: the described switch b OOTROM of pre-configured modification starts the modification order of password, resets BOOTROM by this modification order under described switch system file interface of main menu then and starts password.
If it is inequality, then show the password string mistake that the user imports, enter step 15, refusing user's enters the boot file system, has so promptly limited the nonsystematic keeper and has entered the boot file system, has guaranteed the safety of switch system, but, start password if the system manager has lost the BOOTROM of own setting, if desired the file among the FLASH is operated, also can't enter the boot file system;
At this moment, need enter step 16, obtain the unique identification MAC Address of switch device,
Then, enter step 17, the MAC Address of switch is encrypted the super code that generates switch, the encryption method to MAC Address in the process of this generation super code preestablishes in equipment;
Enter step 18, import super code on the office terminal of switch or on specific management platform;
Then, can enter step 15, enter the boot file system.
In above-mentioned steps 17, the MAC Address of switch is encrypted in the process of the super code that generates switch, adopted the method for the MAC Address of switch being encrypted the super code that generates dynamic switch.
To describe this dynamic super code generation technique below in detail:
At first MAC Address being done one simply introduces.
MAC Address also is physical address, hardware address or link address, writes on hardware inside when being produced by network device manufacturers.This address and network are irrelevant, and where the hardware (as network interface card, hub, router, switch etc.) that also promptly no matter will have this address is linked into network, and it all has identical MAC Address, and MAC Address is generally immutable, can not be set by user oneself.
The length of MAC Address is 48 (6 bytes), be typically expressed as 12 16 system numbers, separate with colon between per 2 16 system numbers, as: 08:00:20:0A:8C:6D is exactly a MAC Address, wherein preceding 6 16 systems are counted the numbering that 08:00:20 represents network hardware manufacturer, it is distributed by IEEE (IEEE), and then 3 16 systems are counted the series number that 0A:8C:6D represents certain networking products (as network interface card) of this manufacturer's manufacturing.Each network manufacturer must guarantee that each ethernet device of its manufacturing all has first three identical byte and different back three bytes.So just can guarantee that each ethernet device all has unique MAC Address in the world.
Because each ethernet device all has a unique MAC Address, therefore can utilize these characteristics to realize the generation of dynamic super code, it comprises the content of following two aspects:
(1) password generation technique
Suppose that Y is the super code that will generate, x is the MAC Address of every network equipment, and function f () be specific password generating algorithm, and then the super code generation can be by following formulate:
Y=f(x)
By this formula as can be known,, can obtain different Y (super code), and along with the difference of function f (), the Y that obtains (super code) also can be different along with the difference of x (MAC Address of every network equipment).Producer can select a kind of cryptographic algorithm of existing maturation arbitrarily, also can adopt the cryptographic algorithm of development voluntarily.
(2) generative process of super code in equipment
After network equipment production was finished, its MAC Address was determined unique.Selected cryptographic algorithm is also write in system software code and is finished.During the device power initialization, systems soft ware is the MAC Address of fetch equipment, by the selected function f () that is provided with in the code MAC Address of equipment encrypted the super code of this equipment of generation then, and this super code is deposited in the specific physical address.This super code has following characteristics:
A. this super code is dynamic.Different equipment has different super codes, and super code also was different when same equipment adopted different cryptographic algorithm.
B. this super code is difficult for being decrypted.
C. this super code is difficult for being revealed.If the user needs this super code, he at first will offer producer with some relevant informations of equipment and the MAC Address of this equipment, has only producer to confirm that this user for behind the validated user of equipment, just can offer the super code of this equipment this user.
Above-mentioned method by the MAC Address of the network equipment is encrypted generation equipment super code can not only be applied to the network switch, also can be applied to the network equipment that other need be provided with super code.
In a preferred embodiment of the invention, cryptographic algorithm has adopted the encryption method of MD5.The full name of MD5 is Message-Digest Algorithm 5 (md5-challenge), and it is technical that it is widely used in encryption and decryption.As everyone knows, encryption method has been stipulated expressly and the transform method between the ciphertext.MD5 adopts the encryption method of One-Way Encryption, and it has the characteristic of two particular importances: the firstth, and any two sections clear datas, it can not be identical encrypting later ciphertext; The secondth, any one section clear data, after encrypting, its result must be constant forever.The former meaning is impossible have any two sections plain text encryption to obtain identical ciphertext later on, and the latter's the meaning is that the ciphertext that obtains must be identical if encrypt specific data.
Except the encryption method of above-described MD5, can also adopt other encryption method to generate the super code of equipment in the present invention, such as existing RSA method, DES method, ElGamal method etc.In addition, each producer also can adopt the encryption method of development voluntarily to generate the super code of equipment.The uncertainty of this encryption method that adopts makes the super code safety and reliability of the equipment of generation.
Below with reference to Fig. 2, Fig. 2 has described the steps flow chart of losing the processing method of configuration behind the password in the preferred embodiments of the present invention switch method for managing security:
The configuration password of switch is the password that need verify when allowing the user to enter the configuration mode of switch.Generally speaking, existing configuration is made amendment or when reading, need be operated under configuration mode to system.After configuration finished, all configuration informations can be kept in the configuration file.
Describe the processing method lose behind the configuration password in detail below in conjunction with Fig. 2:
After the configuration password loss of switch,
At first enter step 20, restart switch;
Enter step 21, enter BOOTROM by order and start the password state;
Then, enter step 22, the BOOTROM that the input user is provided with starts password, if starting password, also loses the BOOTROM that the user is provided with, then import the super code of switch, the generation of the super code of switch is described in conjunction with Fig. 1 in the above, is not described in detail at this;
Enter step 23, enter into the boot file system of switch;
Then, enter step 24, open switch configuration file by order, that is to say, as long as have BOOTROM startup password or super code can open the configuration file of switch by this order, this order is implied, do not appear on the interface, need be pre-configured in system, and only after switch restarts, just can use, because control desk is locked after the configuration password loss, do not allow anyone to enter.In order to guarantee fail safe, just the startup password or the super code that still need to input bootrom after restarting can imply process of commands, this implicit process of commands is carried out automatically simultaneously.
Preserved the configuration information of this system in the described configuration file, and if be provided with the configuration password, then allow the information of password configuration also to be kept in this configuration file, but cryptopart wherein is for hiding;
Enter into step 25, the order line that allows to be provided with the switch configuration password that has disposed in the deletion switch configuration file;
Then, enter into step 26, preserve amended switch configuration file, so just the switch configuration password is deleted, and do not influence other content of switch configuration file, and that is to say the original configuration information that does not influence switch, this moment, switch was in no cryptoguard running status, under this state, do not needed to dispose the configuration mode that password can enter switch;
Enter into step 27; reset the switch configuration password by the system manager; make the management system of switch obtain the double code protection again; in this process; need be introduced into the configuration mode of switch, the order line that password is set in the configuration interface input is provided with a new password, after above-mentioned switch configuration password is set on the switch; preserve this configuration information, the order line (comprising the password keyword) that then disposes this password promptly is written in the configuration file of switch system.After treating that next switch restarts, switch will if the keeper need enter into system's effective configuration state, then must be imported this password and carry out authentication automatically with this password setting.
Then, enter into step 28, enter the normal operating conditions of switch.
Though described the present invention by embodiment, those of ordinary skills know, the present invention has many distortion and variation and does not break away from spirit of the present invention, adopt cryptographic algorithm to generate in the super code of dynamic switch as described, existing ripe cryptographic algorithm is varied, each producer also may develop own unique cryptographic algorithm voluntarily simultaneously, no matter adopt which kind of cryptographic algorithm, can both embody spirit of the present invention, wish that appended claim comprises these distortion and variation and do not break away from spirit of the present invention.
Claims (7)
1. a switch method for managing security is characterized in that, the step that starts switch comprises:
B1. input starts password;
B2. system judges whether the startup password is correct: start password and correctly then enter step B4, start password bad and then enter step B3;
B3. read the MAC Address of switch, and after generating dynamic super code according to described MAC Address and cryptographic algorithm, the dynamic super code that storage generates; Read and import dynamic super code then;
B4. enter the boot file system.
2. switch method for managing security as claimed in claim 1 is characterized in that, described method also comprises: B5. resets the startup password.
3. switch method for managing security as claimed in claim 2 is characterized in that step B5 comprises:
B51. the described switch of pre-configured modification starts the modification order of password;
B52. reset the startup password of described switch by described described modification order of having disposed.
4. switch method for managing security as claimed in claim 1 is characterized in that, described method also comprises and enters configuration mode:
C1. password is disposed in input;
C2. system judges whether the configuration password is correct: the configuration password correctly then enters step C4, and the configuration password bad then enters step B1 and restarts switch, enters step C3 then;
C3. open switch configuration file by order, deletion configuration password;
C4. configuration file is operated.
5. switch method for managing security as claimed in claim 4 is characterized in that step C3 comprises:
C31. the pre-configured order of opening of opening CONFIG.SYS;
C32. open order and open described CONFIG.SYS by described;
C33. delete the permission configuration code word row in the described CONFIG.SYS;
C34. preserve the described CONFIG.SYS of having revised.
6. switch method for managing security as claimed in claim 4 is characterized in that, described method also comprises the configuration password of resetting described switch.
7. switch method for managing security as claimed in claim 6, it is characterized in that the described step of resetting described switch configuration password comprises: the order line that password is set in the input of the password configuration interface of described switch is provided with new described switch configuration password.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB031373186A CN1314237C (en) | 2003-06-08 | 2003-06-08 | Dynamic supercode generating method and exchange board safety managing method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB031373186A CN1314237C (en) | 2003-06-08 | 2003-06-08 | Dynamic supercode generating method and exchange board safety managing method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1553650A CN1553650A (en) | 2004-12-08 |
| CN1314237C true CN1314237C (en) | 2007-05-02 |
Family
ID=34323564
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB031373186A Expired - Fee Related CN1314237C (en) | 2003-06-08 | 2003-06-08 | Dynamic supercode generating method and exchange board safety managing method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1314237C (en) |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102629900B (en) * | 2012-03-06 | 2016-03-30 | 北京东土科技股份有限公司 | A kind of super password generation system and application process |
| CN103731299A (en) * | 2013-11-29 | 2014-04-16 | 上海斐讯数据通信技术有限公司 | Safety management method of switch |
| CN109979116B (en) * | 2019-04-01 | 2021-04-20 | 深圳市摩线科技有限公司 | Offline password encryption method for equipment leasing |
| CN110545191A (en) * | 2019-09-24 | 2019-12-06 | 深圳市永达电子信息股份有限公司 | dynamic password generation system and method |
| CN116541898B (en) * | 2023-07-07 | 2023-10-13 | 山东多次方半导体有限公司 | FPGA-based reconfigurable password card design method for realizing multiple algorithms |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB2344977A (en) * | 1998-12-17 | 2000-06-21 | 3Com Technologies Ltd | Password generation by hashing site and time data |
| CN1392475A (en) * | 2001-06-20 | 2003-01-22 | 徐孝民 | Multiple cipher privacy warning system |
| US20030046566A1 (en) * | 2001-09-04 | 2003-03-06 | Yrjo Holopainen | Method and apparatus for protecting software against unauthorized use |
| CN1411200A (en) * | 2001-09-27 | 2003-04-16 | 株式会社东芝 | Electronic apparatus, wireless communication apparatus and encryption key setting-up method |
-
2003
- 2003-06-08 CN CNB031373186A patent/CN1314237C/en not_active Expired - Fee Related
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB2344977A (en) * | 1998-12-17 | 2000-06-21 | 3Com Technologies Ltd | Password generation by hashing site and time data |
| CN1392475A (en) * | 2001-06-20 | 2003-01-22 | 徐孝民 | Multiple cipher privacy warning system |
| US20030046566A1 (en) * | 2001-09-04 | 2003-03-06 | Yrjo Holopainen | Method and apparatus for protecting software against unauthorized use |
| CN1411200A (en) * | 2001-09-27 | 2003-04-16 | 株式会社东芝 | Electronic apparatus, wireless communication apparatus and encryption key setting-up method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN1553650A (en) | 2004-12-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Cash et al. | Dynamic proofs of retrievability via oblivious RAM | |
| WO2021218328A1 (en) | Multi-tenant access service implementation method, apparatus and device, and storage medium | |
| WO2020207233A1 (en) | Permission control method and apparatus for blockchain | |
| US7181016B2 (en) | Deriving a symmetric key from an asymmetric key for file encryption or decryption | |
| EP1805571B1 (en) | Verifying binding of an initial trusted device to a secured processing system | |
| US7171557B2 (en) | System for optimized key management with file groups | |
| CN1234081C (en) | Method and device for realizing computer safety and enciphering based on identity confirmation | |
| US20020141588A1 (en) | Data security for digital data storage | |
| WO2021143025A1 (en) | Internet-of-things data transmission method and apparatus, and medium and electronic device | |
| US8528057B1 (en) | Method and apparatus for account virtualization | |
| US20090296926A1 (en) | Key management using derived keys | |
| EP2017765A2 (en) | System and method for out-of-band assisted biometric secure boot | |
| WO2003073690A2 (en) | Method and apparatus for managing a key management system | |
| WO2016053729A1 (en) | Method and system for secure management of computer applications | |
| US20030070099A1 (en) | System and methods for protection of data stored on a storage medium device | |
| US20170099144A1 (en) | Embedded encryption platform comprising an algorithmically flexible multiple parameter encryption system | |
| WO2019134234A1 (en) | Rooting-prevention log-in method, device, terminal apparatus, and storage medium | |
| US20040139317A1 (en) | Methods for improved security of software applications | |
| CN111247521A (en) | Remotely locking multi-user devices as a set of users | |
| CN103077345A (en) | Software authorization method and system based on virtual machine | |
| CN1314237C (en) | Dynamic supercode generating method and exchange board safety managing method | |
| US9594918B1 (en) | Computer data protection using tunable key derivation function | |
| US20140041053A1 (en) | Data block access control | |
| US20240037212A1 (en) | Implementing multi-party authorizations within an identity and access management regime | |
| WO2009106176A1 (en) | Dynamic creation of privileges to secure system services |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20070502 Termination date: 20150608 |
|
| EXPY | Termination of patent right or utility model |