WO2005057845A1 - The safe verify method between the manager and the proxy in network transmission - Google Patents


Publication number
WO2005057845A1
Authority
WO
WIPO (PCT)
Prior art keywords
manager
agent
algorithm
ciphertext
network transmission
Application number
PCT/CN2004/001425
Other languages
French (fr)
Chinese (zh)
Inventor
Muhong Zhu
Ruijie Zhou
Qiang Wu
Bangqing Li
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2103 Challenge-response
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/76 Proxy, i.e. using intermediary entity to perform cryptographic operations


Abstract

The present invention relates to methods for security verification in a network and discloses a method by which a manager and a proxy verify each other securely in network transmission, so that the user management system of each proxy is independent of the manager system, improving the maintainability of the security system and the efficiency of management. The method includes the following steps: A. the proxy determines the encrypted ciphertext and transmits it to the manager; B. the manager encrypts the encrypted ciphertext with the third algorithm and transmits it to the proxy; C. the proxy decrypts the received ciphertext with the inverse algorithm of the third algorithm; D. the proxy determines whether the verification passes by comparing the decrypted ciphertext with the encrypted ciphertext.

Description

Method for mutual security verification between a manager and an agent in network transmission

Technical field

The present invention relates to methods for security verification in a network, and in particular to a method for mutual security verification between a manager and an agent.

Background

In recent years, communication, media and computer network technologies of all kinds have made great progress, and the rapid development of network technology is especially striking. The high speed, openness and integration of modern networks determine the importance and complexity of modern network management and control systems. Since the International Telecommunication Union proposed the concept of the intelligent network architecture in 1992, intelligent network management and control technology has become widespread and is now an effective means of solving the management and control problems of modern networks.

The existing network management and control architecture uses a system management model of remote monitoring and logical management. Specifically, the core of the system management model is a pair of system management entities, the manager and the agent, which are connected to each other through a management communication protocol. The manager is the entity of the management process in the managing system, and the agent is the peer process entity in the managed system. The manager issues management operation commands to the agent; the agent is responsible for accessing the managed objects in the management information base that it manages, executing the operation commands issued by the manager, and reporting the operation results to the manager. In addition, when an event occurs on a managed object that the manager needs to learn of promptly, the agent actively passes a notification about the managed object to the manager. Operation commands, operation results and notifications are all carried over standard communication protocols, such as the Open System Interconnect Reference Model ("OSI") and the Transmission Control Protocol/Internet Protocol ("TCP/IP").

However, in most cases the role of a management node is not absolute and changes between manager and agent. For example, when a management node issues an operation command to another management node, it is a manager; when it accepts an operation command from another management node, it is an agent.

The manager and the agent can therefore also be regarded as two roles of one management entity. A management entity made up of the manager and agent roles has the following characteristics. The first is initiative: it can issue commands or requests in the manager role. The second is subordination: it can accept commands or requests in the agent role and complete the specified tasks. The third is awareness: the agent can detect anomalies in the managed objects it manages and report them to the manager. The fourth is cooperation: when executing a manager's command or request, an agent can in turn act as a manager and hand part or all of the task to other agents, asking them to help complete it. The fifth is communication: the manager and the agent communicate through a standard communication protocol. When the manager needs to operate on a remote managed object, it issues an operation command to the agent at the location of the managed object, and the agent performs the actual access to the managed object. The agent reports the result of the access to the manager through the communication protocol.

In practice, the security management part of a network management system is particularly important: if data is maliciously captured or tampered with in transit, a system that is powerful and efficient in theory is worthless in practice. Generally, most telecommunication element management systems (Element Manage System, "EMS") play the manager role and the network elements play the agent role. They interact through a custom protocol, with the EMS as the client and the network element as the server. The manager must first log in to the agent by entering a user name and password, and can carry out subsequent management only after passing identity verification; the agent is responsible for checking whether the credentials are correct.

In practical applications, this solution has the following problems: first, the user management system of each agent cannot exist independently of the manager system; second, the excessive complexity of the manager system cannot be resolved; third, the problem that unauthorized users can steal user names and passwords over the network cannot be resolved.

The main reasons are as follows. First, the user and password information that the manager uses to log in to the agent is part of the agent's security management information. If an agent modifies its own security management information, for example by modifying or deleting a user, the manager system above it must be notified and must make the corresponding change before subsequent management can continue. This method of system management inevitably makes the agent's user management system dependent on the manager system.

Second, the arrangement in common use today is one manager managing multiple agents, and the agents' passwords are not all the same, so the manager has to store and record the passwords of all of these agents. The direct result is excessive complexity in security management, which both increases the maintenance workload and reduces the security of the system.

Third, in some cases today the user name and password are passed directly in plaintext while the manager logs in to the agent. Once captured by a malicious party, they can be used to log in to the agent and carry out destructive operations such as tampering and deletion, which reduces security.

Summary of the invention

In view of this, the main object of the present invention is to provide a method for mutual security verification between a manager and an agent in network transmission, so that the user management system of each agent can exist independently of the manager system, improving the maintainability of the security system and the efficiency of management.

To achieve this object, the present invention provides a method for mutual security verification between a manager and an agent in network transmission, comprising the following steps:

A. The agent determines the encrypted ciphertext and sends the encrypted ciphertext to the manager;
B. The manager encrypts the encrypted ciphertext using a third algorithm and sends it to the agent;
C. The agent decrypts the received ciphertext using the inverse algorithm of the third algorithm;
D. The agent determines whether the identity check passes by comparing whether the decrypted ciphertext and the encrypted ciphertext are equal.

Step A further includes: the agent encrypts the encrypted ciphertext using a first algorithm.

Step B further includes: the manager decrypts the received ciphertext using the inverse algorithm of the first algorithm.

Further, the encrypted ciphertext in step A is a random number generated by the agent.

The third algorithm and the first algorithm are different algorithms.

In practice, the third algorithm is a custom simple algorithm, the Data Encryption Standard algorithm, or the Tiny Encryption Algorithm.

The first algorithm may likewise be a custom simple algorithm, the Data Encryption Standard algorithm, or the Tiny Encryption Algorithm.

The manager described above is a telecommunication element management system, and the agent is a network element.

By comparison, the technical solution of the present invention differs from the prior art as follows. First, it replaces the original verification of a password with a process that verifies a secret algorithm, which unifies the login mode between managers and agents. The user management system of each agent can exist independently of the manager system, which simplifies the manager's security management mode.

Second, the technical solution of the present invention performs two-way verification between the manager and the agent, which improves the security of the manager's connection to the agent, improves the verification speed, and increases the maintainability of the whole system.

These differences bring clear beneficial effects. Specifically, with regard to the first problem pointed out above, the technical solution of the present invention allows the user management system of each agent to exist independently of the manager system, so that agents and managers no longer depend on their respective security management systems.

With regard to the second problem pointed out above, the technical solution of the present invention makes the agent's security management independent, so that the manager no longer has to store and record the password of each agent, which simplifies the manager's security management mode.

With regard to the third problem pointed out above, the technical solution of the present invention uses a verification mechanism between the manager and the agent to ensure permanent mutual trust between them, so that the security of the manager's connection to the agent is guaranteed while the speed is increased and the whole system has good maintainability.

In practical applications, the technical solution of the present invention resolves the shortcomings of current EMS management systems well. It simplifies the security verification steps while preserving security, clearly improves the maintainability of the security system, improves management efficiency, and has high practical value.

Brief description of the drawings

FIG. 1 is a schematic flowchart of mutual security verification between a manager and an agent in network transmission according to an embodiment of the present invention.
具体实施方式 为使本发明的目的、技术方案和优点更加清楚, 下面将结合附图 对本发明作进一步地详细描述。 如图 1所示,在根据本发明的一个实施例的管理者与代理者相互 安全校验的流程中, 当管理者准备与代理者建立连接时, 首先执行步 骤 100, 管理者向代理者发送连接请求, 要求校验身份。 连接一般由 管理者发起, 这是因为管理者的工作就是向代理者发布管理操作命 令, 而代理者只负责对自己的管理信息库中的被管对象进行访问, 执 行管理者下达的操作命令, 并将操作结果返回给管理者。 这种分工是 由网络管理与控制体系结构所采用的系统管理模型决定的。 接着执行步驟 110 , 代理者接到管理者发送的连接请求后生成随 机数 M。 需要说明的是, 随机数的产生一般是由某个随机函数生成, 这样生成的随机数前后没有固定的联系, 即使在传输中被捕获, 不法 分子也很难从中发现规律,从而无法破解接受发送双方所采用的加密 算法。 此后执行步骤 120 , 代理者使用第一算法对上一步生成的随机数 DETAILED DESCRIPTION To make the objectives, technical solutions, and advantages of the present invention clearer, the present invention will be described in further detail below with reference to the accompanying drawings. As shown in FIG. 1, in the process of mutual security verification between the manager and the agent according to an embodiment of the present invention, when the manager is ready to establish a connection with the agent, step 100 is first performed, and the manager sends the message to the agent. A connection request requires identity verification. The connection is usually initiated by the manager. This is because the manager's job is to issue management operation commands to the agent, and the agent is only responsible for accessing the managed objects in its own management information database and executing the operation commands issued by the manager. And return the operation result to the manager. This division of labor is determined by the system management model adopted by the network management and control architecture. Then step 110 is executed, and the agent generates a random number M after receiving the connection request sent by the manager. It should be noted that the generation of random numbers is generally generated by a random function. There is no fixed relationship between the generated random numbers. Even if they are captured during transmission, it is difficult for criminals to find the rules, and it is impossible to crack the acceptance of transmission. 
Encryption algorithm used by both parties. Thereafter, step 120 is performed: the agent uses the first algorithm to encrypt the random number M generated in the previous step to obtain the first ciphertext, and then sends it to the manager. Many algorithms can be used for this encryption: a simple custom algorithm may be chosen, or a standard encryption algorithm may be used, such as the most typical one, the Data Encryption Standard ("DES"), or the Tiny Encryption Algorithm ("TEA"). These algorithms are simple and efficient, their keys are short, and they are extremely difficult to break; some cannot be broken at all with existing technology, which effectively ensures the security of ciphertext transmission. The first algorithm, like the third algorithm used below, must be kept strictly confidential by both parties.

It should be noted that the first ciphertext of step 120 may be determined by the agent and sent directly to the manager, proceeding directly to step 140 without encryption and decryption. Of course, the first ciphertext may also be agreed in advance by both parties.

The process then proceeds to step 130: after receiving the first ciphertext, the manager decrypts it using the second algorithm, which is the inverse of the first algorithm, to obtain the second ciphertext. Because the manager must decrypt the received ciphertext with the inverse algorithm, the manager and the agent must fix the encryption algorithm to be used and its corresponding inverse algorithm before establishing a connection, so that encryption and decryption can be performed at the manager and at the agent respectively.

The process then proceeds to step 140, in which the third algorithm is used to encrypt again the second ciphertext just obtained by decryption, and the resulting third ciphertext is transmitted to the manager; the agent then executes step 150.

In step 150, the agent decrypts the third ciphertext using the fourth algorithm, which is the inverse of the third algorithm, to obtain the fourth ciphertext. Those skilled in the art will understand that the third and fourth algorithms, like the first and second algorithms above, are a pair of mutually inverse algorithms, so that after the four operations of the first, second, third and fourth algorithms the ciphertext M is restored to the ciphertext M. The technical solution of the present invention uses exactly this principle for verification.

Step 160 is then executed: the agent compares the computed fourth ciphertext with the initial random number M. If they are equal, the check passes and a message is sent to the manager to establish the connection; if they are not equal, the check fails and the connection is terminated.

It should be noted that the entire process above amounts to a two-way verification between the manager and the agent, and this verification strictly guarantees the identity of both parties during their subsequent data transmission. In addition, what is transmitted over the network is an encrypted random number; even if it is maliciously captured, an attacker cannot learn how the two parties' encryption algorithms are implemented, so the method has high security.
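The exchange of steps 120 to 160, written out as an added example that is not code from the patent. It assumes the first and third algorithms are both TEA under two different pre-agreed keys (the page names TEA only as one option) and that the manager returns the third ciphertext to the agent as in claim 1, step B; the keys and function names are constructed for illustration.

```python
import hmac
import os
import struct

MASK, DELTA = 0xFFFFFFFF, 0x9E3779B9

def tea_encrypt(block: bytes, key: bytes) -> bytes:
    """Encrypt one 8-byte block with a 16-byte key (32 TEA cycles)."""
    v0, v1 = struct.unpack(">2I", block)
    k, s = struct.unpack(">4I", key), 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return struct.pack(">2I", v0, v1)

def tea_decrypt(block: bytes, key: bytes) -> bytes:
    """Inverse of tea_encrypt: undo the 32 cycles in reverse order."""
    v0, v1 = struct.unpack(">2I", block)
    k, s = struct.unpack(">4I", key), (DELTA * 32) & MASK
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return struct.pack(">2I", v0, v1)

def manager_respond(first_ct: bytes, k1: bytes, k3: bytes) -> bytes:
    """Manager side: steps 130 and 140."""
    second = tea_decrypt(first_ct, k1)   # step 130: second algorithm
    return tea_encrypt(second, k3)       # step 140: third algorithm

def agent_check(agent_keys, manager_keys, m=None):
    """Agent side: return (passed, messages that crossed the network)."""
    k1, k3 = agent_keys
    m = m or os.urandom(8)                               # random number M
    first_ct = tea_encrypt(m, k1)                        # step 120: first algorithm
    third_ct = manager_respond(first_ct, *manager_keys)  # manager's reply
    fourth = tea_decrypt(third_ct, k3)                   # step 150: fourth algorithm
    return hmac.compare_digest(fourth, m), [first_ct, third_ct]  # step 160

# Constructed sample secrets, for illustration only.
K1 = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
K3 = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")

if __name__ == "__main__":
    print(agent_check((K1, K3), (K1, K3)))         # manager holds both algorithms
    print(agent_check((K1, K3), (K1, bytes(16))))  # manager lacks the third algorithm
```

Only the first and third ciphertexts cross the network; a peer that lacks either pre-agreed algorithm makes the comparison in step 160 fail.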
Although the present invention has been illustrated and described with reference to certain preferred embodiments, those of ordinary skill in the art should understand that various changes in form and detail may be made without departing from the spirit and scope of the invention as defined by the appended claims.

Claims

1. A method for mutual security verification between a manager and an agent in network transmission, characterized by comprising:
A. the agent determines an encrypted ciphertext and sends the encrypted ciphertext to the manager;
B. the manager encrypts the encrypted ciphertext using a third algorithm and sends it to the agent;
C. the agent decrypts the received ciphertext using the inverse algorithm of the third algorithm;
D. the agent determines whether the identity check passes by comparing whether the decrypted ciphertext and the encrypted ciphertext are equal.
2. The method for mutual security verification between a manager and an agent in network transmission according to claim 1, characterized in that step A further comprises: the agent encrypts the encrypted ciphertext using a first algorithm; and step B further comprises: the manager decrypts the received ciphertext using the inverse algorithm of the first algorithm.
3. The method for mutual security verification between a manager and an agent in network transmission according to claim 1 or 2, characterized in that the encrypted ciphertext in step A is a random number generated by the agent.
4. The method for mutual security verification between a manager and an agent in network transmission according to claim 2, characterized in that the first algorithm and the third algorithm are different algorithms.
5. The method for mutual security verification between a manager and an agent in network transmission according to claim 1, characterized in that the third algorithm is a custom simple algorithm, or the Data Encryption Standard algorithm, or the Tiny Encryption Algorithm.
6. The method for mutual security verification between a manager and an agent in network transmission according to claim 1, characterized in that the first algorithm is a custom simple algorithm, or the Data Encryption Standard algorithm, or the Tiny Encryption Algorithm.
7. The method for mutual security verification between a manager and an agent in network transmission according to claim 1, characterized in that the manager is a telecommunication network element management system, and the agent is a network element.
PCT/CN2004/001425 2003-12-10 2004-12-07 The safe verify method between the manager and the proxy in network transmission WO2005057845A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200310119341.2 2003-12-10
CN 200310119341 CN1627680A (en) 2003-12-10 2003-12-10 Method of mutual security verification between supervisor and agent in network transmission

Publications (1)

Publication Number Publication Date
WO2005057845A1 (en) 2005-06-23

Family

ID=34661414

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2004/001425 WO2005057845A1 (en) 2003-12-10 2004-12-07 The safe verify method between the manager and the proxy in network transmission

Country Status (2)

Country Link
CN (1) CN1627680A (en)
WO (1) WO2005057845A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105893833A (en) * 2016-03-31 2016-08-24 山东超越数控电子有限公司 Hardware interface used for firmware safety management

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1905436B (en) * 2005-07-28 2010-05-05 北京航空航天大学 Method for ensuring data exchange safety
CN101321172B (en) * 2008-07-22 2011-07-13 中兴通讯股份有限公司 Check apparatus and method for administration authority consistency of both link ends
US10277559B2 (en) * 2014-05-21 2019-04-30 Excalibur Ip, Llc Methods and systems for data traffic control and encryption

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5590199A (en) * 1993-10-12 1996-12-31 The Mitre Corporation Electronic information network user authentication and authorization system
CN1167381A (en) * 1996-05-20 1997-12-10 索尼公司 Identification signal reording method and device
CN1208296A (en) * 1997-06-17 1999-02-17 株式会社东芝 Equipment authenticator for authenticating equipment by means of bundle of plurality of secret keys
CN1259260A (en) * 1997-06-06 2000-07-05 汤姆森消费电子有限公司 Conditional access system for set-top boxes

Also Published As

Publication number Publication date
CN1627680A (en) 2005-06-15

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase